audreyt / module-signature

Module signature file manipulation
http://github.com/audreyt/module-signature

Workaround for RT#126994 #25

Open niklasholm opened 6 years ago

niklasholm commented 6 years ago

Until RT#126994 is fixed we are limited to GnuPG v1.4 and SHA-1 as the signature digest.

niklasholm commented 6 years ago

23 should be fixed with this as long as the package SIGNATURE is signed using SHA1 and gpg1.
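The constraint discussed above (Crypt::OpenPGP only coping with a SIGNATURE that was clearsigned by GnuPG 1.4 with SHA-1) is something a maintainer can check before shipping a distribution. The following shell script is an added example, not code from this pull request or from Module::Signature: it parses a SIGNATURE file's clearsign `Hash:` header and its per-file digest lines and reports whether the distribution still depends on SHA-1 (or MD5). The two SIGNATURE texts are constructed samples with the armored signature body omitted; the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit which digest algorithms a Module::Signature SIGNATURE
# file relies on. A SIGNATURE file is a PGP clearsigned message: the "Hash:"
# header names the algorithm the OpenPGP signature was made over, and the body
# lists "<ALGO> <hexdigest> <file>" lines for every file in MANIFEST.

# Constructed sample: what a gpg1/SHA-1 SIGNATURE looks like (signature body omitted).
SAMPLE_SHA1='-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This file contains message digests of all files listed in MANIFEST,
signed via the Module::Signature module.

SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Changes
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 MANIFEST
-----BEGIN PGP SIGNATURE-----

(armored signature omitted in this constructed sample)
-----END PGP SIGNATURE-----'

# Constructed sample: the same layout produced by a gpg2/SHA-256 setup.
SAMPLE_SHA256='-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Changes
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 MANIFEST
-----BEGIN PGP SIGNATURE-----

(armored signature omitted in this constructed sample)
-----END PGP SIGNATURE-----'

# Algorithm named in the clearsign "Hash:" header (first occurrence).
signature_hash_header() {
    printf '%s\n' "$1" | awk '/^Hash:/ { print $2; exit }'
}

# Distinct digest algorithms used on the per-file lines, space-separated and sorted.
manifest_algorithms() {
    printf '%s\n' "$1" \
        | awk '$1 ~ /^(MD5|SHA1|SHA256|SHA512)$/ && $2 ~ /^[0-9a-f]+$/ { print $1 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Succeeds (exit 0) when SHA-1 or MD5 appears anywhere the signature depends on,
# i.e. the file would still verify under the Crypt::OpenPGP limitation above.
uses_weak_digest() {
    case " $(signature_hash_header "$1") $(manifest_algorithms "$1") " in
        *" SHA1 "*|*" MD5 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable report for one SIGNATURE text.
report() {
    printf 'signature hash: %s; manifest digests: %s; ' \
        "$(signature_hash_header "$1")" "$(manifest_algorithms "$1")"
    if uses_weak_digest "$1"; then
        echo 'weak digest in use (SHA-1/MD5)'
    else
        echo 'no weak digest'
    fi
}

report "$SAMPLE_SHA1"
report "$SAMPLE_SHA256"
# To audit a real distribution, run: report "$(cat SIGNATURE)"
```

The header check matters independently of the per-file lines: a distribution can list SHA-256 file digests while the OpenPGP signature itself was still made over SHA-1, or vice versa, and either side alone keeps the weak algorithm in the trust chain.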

audreyt commented 6 years ago

Thanks for the quick patch! I'm inclined to hold off this for a few days until we can hear back from Crypt::OpenPGP maintainership.

niklasholm commented 6 years ago

I wouldn't hold my breath, the latest commit was 3 years ago, simple bugs reported last year haven't been fixed.

Imo, since the current release fails self-tests it should either be pulled from CPAN or updated asap.

I've force-pushed the patch into two commits, the latter of which should be reverted when no longer needed.

audreyt commented 6 years ago

I'll get around to it this weekend, but as we cannot (and indeed should not) prevent module authors from signing with GPG2 and stronger algorithms, I'm inclined toward dropping support for Crypt::OpenPGP altogether.

niklasholm commented 6 years ago

That is also a perfectly valid option but might break some setups on platforms that usually don't have GnuPG installed, like Windows.

audreyt commented 6 years ago

GnuPG used to be quite cumbersome to install on Windows, but now with efforts like gpg4win https://gpg4win.org/ that may be surmountable...