Re: Perl module installation via CPAN and signature error

Vincent Lefevre Thu, 11 Jan 2024 16:04:25 -0800

With strace, I could see the command that was executed:

  gpg --verify --batch --no-tty -q --logger-fd=1 
--keyserver=hkp://pool.sks-keyservers.net:11371


on a temporary file, but almost equivalent to the CHECKSUMS file.

Now, I can try that directly:

qaa:~> gpg --verify --batch --no-tty -q --logger-fd=1 
--keyserver=hkp://pool.sks-keyservers.net:11371 
/home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/CHECKSUMS
gpg: Signature made 2023-12-17T16:29:09 CET
gpg:                using RSA key 77576125A905F1BA
gpg: Good signature from "PAUSE Batch Signing Key 2024 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2023 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2003 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2005 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2007 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2009 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2015 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2017 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2019 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2021 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2022 <pa...@pause.perl.org>" 
[unknown]
gpg:                 aka "PAUSE Batch Signing Key 2011 <pa...@pause.perl.org>" 
[unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2E66 557A B97C 19C7 91AF  8E20 328D A867 450F 89EC
     Subkey fingerprint: D785 7544 389C 919D 8E6D  ABBA 7757 6125 A905 F1BA

but

zira:~> gpg --verify --batch --no-tty -q --logger-fd=1 
--keyserver=hkp://pool.sks-keyservers.net:11371 
/home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/CHECKSUMS
gpg: Signature made 2023-12-17T16:29:09 CET
gpg:                using RSA key 77576125A905F1BA
gpg: Can't check signature: No public key

I can notice a difference between these two machines:

qaa:~> gpg --with-subkey-fingerprint -k 2E66557AB97C19C791AF8E20328DA867450F89EC
pub   dsa1024 2003-02-03 [SC] [expires: 2024-07-01]
      2E66557AB97C19C791AF8E20328DA867450F89EC
uid           [ unknown] PAUSE Batch Signing Key 2024 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2023 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2003 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2005 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2007 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2009 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2015 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2017 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2019 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2021 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2022 <pa...@pause.perl.org>
uid           [ unknown] PAUSE Batch Signing Key 2011 <pa...@pause.perl.org>
sub   elg2048 2023-07-01 [E] [expires: 2024-07-01]
      4CA09107D9A3E6E61960A61C41C01F6387982F09
sub   rsa4096 2023-07-01 [S] [expires: 2024-07-01]
      D7857544389C919D8E6DABBA77576125A905F1BA

zira:~> gpg --with-subkey-fingerprint -k 
2E66557AB97C19C791AF8E20328DA867450F89EC
pub   dsa1024 2003-02-03 [SC] [expired: 2023-07-01]
      2E66557AB97C19C791AF8E20328DA867450F89EC
uid           [ expired] PAUSE Batch Signing Key 2023 <pa...@pause.perl.org>
uid           [ expired] PAUSE Batch Signing Key 2003 <pa...@pause.perl.org>
uid           [ expired] PAUSE Batch Signing Key 2005 <pa...@pause.perl.org>
uid           [ expired] PAUSE Batch Signing Key 2007 <pa...@pause.perl.org>
uid           [ expired] PAUSE Batch Signing Key 2009 <pa...@pause.perl.org>
uid           [ expired] PAUSE Batch Signing Key 2011 <pa...@pause.perl.org>
uid           [ expired] PAUSE Batch Signing Key 2015 <pa...@pause.perl.org>
uid           [ expired] PAUSE Batch Signing Key 2017 <pa...@pause.perl.org>
uid           [ expired] PAUSE Batch Signing Key 2022 <pa...@pause.perl.org>
uid           [ expired] PAUSE Batch Signing Key 2019 <pa...@pause.perl.org>
uid           [ expired] PAUSE Batch Signing Key 2021 <pa...@pause.perl.org>

i.e. the subkeys are missing. Why?

Note that on zira, doing

  gpg --recv-keys 2E66557AB97C19C791AF8E20328DA867450F89EC

again doesn't change anything.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: Perl module installation via CPAN and signature error

Reply via email to