audreyt / module-signature

Module signature file manipulation
http://github.com/audreyt/module-signature

Update PAUSE and ANDK keys to non-expired versions. #27

Closed dweekly closed 4 years ago

dweekly commented 4 years ago

The PAUSE & ANDK public keys included with Module::Signature were expired, which caused CPAN installation to fail since it was signed with an unknown key. Adding current public keys enables CPAN 2.28 installation to succeed when check_sigs is set with this error:

gpg: Signature made Fri Jun 12 21:53:15 2020 PDT
gpg:                using RSA key 54C60DE9F0600884AACAA321C52026AB9A4006BD
gpg: requesting key C52026AB9A4006BD from hkp server pool.sks-keyservers.net
gpg: Can't check signature: No public key
==> BAD/TAMPERED signature detected! <==

I was able to verify successful CPAN 2.28 installation when the included public keys were imported. The keys in this PR were uploaded by ANDK to the PAUSE project and can be verified at https://raw.githubusercontent.com/andk/pause/master/htdocs/04pause.html

This is the beginning of a larger effort to "secure Perl" of which I've written some thoughts at https://docs.google.com/document/d/1DRkiCJhJu4RDI0u_JppBpFa0djouskxEyNHax912U_w/edit#heading=h.gt1h247ist3t and comments are welcome.
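As an added example (not code from this PR or from Module::Signature itself), the following Python script audits the machine-readable output of `gpg --list-keys --with-colons` and flags primary keys that have expired, so an operator can spot a stale bundled key before enabling check_sigs and hitting the misleading "BAD/TAMPERED" message above. The listing, user ids and dates are constructed; only the key id and fingerprint are taken from the gpg output quoted in the PR.

```python
"""Flag expired keys in a `gpg --list-keys --with-colons` listing."""
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing (hypothetical dates and user ids); the first
# key id/fingerprint are the ones quoted in the PR's gpg error output.
SAMPLE_LISTING = """\
pub:e:4096:1:C52026AB9A4006BD:1400000000:1500000000::-:::scESC::::::23::0:
fpr:::::::::54C60DE9F0600884AACAA321C52026AB9A4006BD:
uid:e::::1400000000::DEADBEEF::PAUSE Batch Signing Key (constructed)::::::::::0:
pub:-:4096:1:0123456789ABCDEF:1600000000:4102444800::-:::scESC::::::23::0:
fpr:::::::::00000000000000000123456789ABCDEF00000000:
uid:-::::1600000000::CAFEBABE::Key With Future Expiry (constructed)::::::::::0:
"""

@dataclass
class KeyStatus:
    keyid: str
    fingerprint: str
    uid: str
    expires: Optional[int]   # epoch seconds; None means the key never expires
    expired: bool

def parse_listing(text: str, now: Optional[int] = None) -> List[KeyStatus]:
    """Parse colon-delimited gpg output and mark expired primary keys.

    `pub` record fields: 1 type, 2 validity ('e' = expired), 5 key id,
    6 creation, 7 expiration (empty when the key never expires).  The `fpr`
    and `uid` records that follow belong to the preceding `pub` record.
    """
    now = int(time.time()) if now is None else now
    keys: List[KeyStatus] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            exp = int(f[6]) if f[6] else None
            is_expired = f[1] == "e" or (exp is not None and exp <= now)
            keys.append(KeyStatus(f[4], "", "", exp, is_expired))
        elif f[0] == "fpr" and keys:
            keys[-1].fingerprint = f[9]
        elif f[0] == "uid" and keys and not keys[-1].uid:
            keys[-1].uid = f[9]
    return keys

def expired_keys(text: str, now: Optional[int] = None) -> List[str]:
    """Return fingerprints of keys that can no longer verify a SIGNATURE file."""
    return [k.fingerprint for k in parse_listing(text, now) if k.expired]

if __name__ == "__main__":
    for k in parse_listing(SAMPLE_LISTING):
        print(("EXPIRED " if k.expired else "ok      ") + k.fingerprint, k.uid)
```

Feed it the real listing with `gpg --list-keys --with-colons | python3 audit.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`; any fingerprint it reports is a key gpg will refuse to use, regardless of how the message is worded.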