The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.
 / 
Module-Signature-0.25
River stage three • 23 direct dependents • 519 total dependents
5 ++
/ Module::Signature

NAME

Module::Signature - Module signature file manipulation

VERSION

This document describes version 0.25 of Module::Signature, released July 16, 2003.

SYNOPSIS

As a shell command:

    % cpansign              # verify an existing SIGNATURE, or
                              make a new one if none exists 

    % cpansign sign         # make signature; overwrites existing one
    % cpansign -s           # same thing

    % cpansign verify       # verify a signature
    % cpansign -v           # same thing
    % cpansign -v --skip    # ignore files in MANIFEST.SKIP

    % cpansign help         # display this documentation
    % cpansign -h           # same thing

In programs:

    use Module::Signature qw(sign verify SIGNATURE_OK);
    sign();
    sign(overwrite => 1);       # overwrites without asking

    # see the CONSTANTS section below
    (verify() == SIGNATURE_OK) or die "failed!";

DESCRIPTION

Module::Signature adds cryptographic authentications to CPAN distributions, via the special SIGNATURE file.

If you are a module user, all you have to do is to remember running cpansign -v (or just cpansign) before issuing perl Makefile.PL or perl Build.PL; that will ensure the distribution has not been tampered with.

For module authors, you'd want to add the SIGNATURE file to your MANIFEST, then type cpansign -s before making a distribution. You may also want to consider adding this code as t/0-signature.t:

    #!/usr/bin/perl
    use strict;
    print "1..1\n";

    if (!eval { require Socket; Socket::inet_aton('pgp.mit.edu') }) {
        print "ok 1 # skip - Cannot connect to the keyserver";
    }
    elsif (!eval { require Module::Signature; 1 }) {
        warn "# Next time around, consider install Module::Signature,\n".
             "# so you can verify the integrity of this distribution.\n";
        print "ok 1 # skip - Module::Signature not installed\n";
    }
    else {
        (Module::Signature::verify() == Module::Signature::SIGNATURE_OK())
            or print "not ";
        print "ok 1 # Valid signature\n";
    }

If you are already using Test::More for testing, a more straightforward version of t/0-signature.t can be found in the Module::Signature distribution.

Also, if you prefer a more full-fledged testing package, and are willing to inflict the dependency of Module::Build on your users, Iain Truskett's Test::Signature might be a better choice.

Please also see "NOTES" about MANIFEST.SKIP issues, especially if you are using Module::Build or writing your own MANIFEST.SKIP.

VARIABLES

No package variables are exported by default.

$SIGNATURE

The filename for a distribution's signature file. Defaults to SIGNATURE.

$KeyServer

The OpenPGP key server for fetching the author's public key (currently only implemented on gpg, not Crypt::OpenPGP). May be set to a false value to prevent this module from fetching public keys.

$Cipher

The default cipher used by the Digest module to make signature files. Defaults to SHA1, but may be changed to other ciphers if the SHA1 cipher is undesirable for the user.

Module::Signature version 0.09 and above will use the cipher specified in the SIGNATURE file's first entry to validate its integrity.

$Preamble

The explanatory text written to newly generated SIGNATURE files before the actual entries.

CONSTANTS

These constants are not exported by default.

SIGNATURE_OK

Signature successfully verified.

SIGNATURE_MALFORMED

The signature file does not contains a valid OpenPGP message.

SIGNATURE_BAD

Invalid signature detected -- it might have been tampered.

SIGNATURE_MISMATCH

The signature is valid, but files in the distribution have changed since its creation.

MANIFEST_MISMATCH

There are extra files in the current directory not specified by the MANIFEST file.

CIPHER_UNKNOWN

The cipher used by the signature file is not recognized by the Digest module.

NOTES

(The following section is lifted from Iain Truskett's Test::Signature module, under the Perl license. Thanks, Iain!)

It is imperative that your MANIFEST and MANIFEST.SKIP files be accurate and complete. If you are using ExtUtils::MakeMaker and you do not have a MANIFEST.SKIP file, then don't worry about the rest of this. If you do have a MANIFEST.SKIP file, or you use Module::Build, you must read this.

Since the test is run at make test time, the distribution has been made. Thus your MANIFEST.SKIP file should have the entries listed below.

If you're using ExtUtils::MakeMaker, you should have, at least:

    ^Makefile$
    ^blib/
    ^pm_to_blib$

These entries are part of the default set provided by ExtUtils::Manifest, which is ignored if you provide your own MANIFEST.SKIP file.

If you are using Module::Build, there is no default MANIFEST.SKIP so you must provide your own. It must, minimally, contain:

    ^Build$
    ^Makefile$
    ^_build/
    ^blib/

If you don't have the correct entries, Module::Signature will complain that you have:

    ==> MISMATCHED content between MANIFEST and distribution files! <==

You should note this during normal development testing anyway.

SEE ALSO

ExtUtils::Manifest, Crypt::OpenPGP, Test::Signature

AUTHORS

Autrijus Tang <autrijus@autrijus.org>

COPYRIGHT

Copyright 2002, 2003 by Autrijus Tang <autrijus@autrijus.org>.

Parts of the documentation are copyrighted by Iain Truskett, 2002.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

See http://www.perl.com/perl/misc/Artistic.html