audreyt / module-signature

Module signature file manipulation
http://github.com/audreyt/module-signature

missing option to set/override $KeyServer $scheme = hkps://, and MODULE_SIGNATURE_KEYSERVER points to discontinued sks-keyservers pool #32

Closed pgnd closed 2 weeks ago

pgnd commented 2 years ago

with Module::Signature installed & in use, cpan{,m,p} ignores 'keyserver' settings from ~/.gnupg/gpg.conf, where explicit keyserver URI schemes can be set/defined.

Module::Signature keyserver host & port can be overridden by exporting env vars,

MODULE_SIGNATURE_KEYSERVER
MODULE_SIGNATURE_KEYSERVERPORT

in src,

./lib/Module/Signature.pm

    sub _keyserver {
        my $version = shift;                     # gpg version string, e.g. '2.2.27'
        my $scheme = 'x-hkp';                    # scheme is hard-coded; neither env nor gpg.conf is consulted
        $scheme = 'hkp' if $version ge '1.2.0';  # note: 'ge' is a string, not numeric, comparison

        return "$scheme://$KeyServer:$KeyServerPort";
    }

, regardless of keyserver, scheme is set to "hkp://"

so on exec, "--keyserver=hkp://" is generated/sent,

cpansign -v
    Executing gpg --verify --batch --no-tty --keyserver=hkp://keyserver.ubuntu.com:443 --keyserver-options=auto-key-retrieve /tmp/IOcdbIdJMt

also, NOTE that the default in src,

$KeyServer      = $ENV{MODULE_SIGNATURE_KEYSERVER} || 'pool.sks-keyservers.net';

points to 'pool.sks-keyservers.net' which has been DISCONTINUED,

sks-keyservers.net pool DNS records disabled effective immediately

https://sks-keyservers.net/ announced

This service is deprecated. This means it is no longer maintained, and new HKPS certificates will not be issued. Service reliability should not be expected.

    Update 2021-06-21: Due to even more GDPR takedown requests, the DNS records for the pool will no longer be provided at all.

To support newer servers and differing schemes, can "$KeyServerScheme" be added as an ENV VAR; perhaps,

$KeyServerScheme = $ENV{MODULE_SIGNATURE_KEYSERVER_SCHEME} || 'hkps';

, and used in the 'sub _keyserver {' ?

and, some other, supported server def'd as default,

-   $KeyServer      = $ENV{MODULE_SIGNATURE_KEYSERVER} || 'pool.sks-keyservers.net';
+   $KeyServer      = $ENV{MODULE_SIGNATURE_KEYSERVER} || 'keyserver.ubuntu.com';
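Review bot: changing the default host alone leaves the scheme fixed to hkp by _keyserver, so a port of 443, as in the cpansign output above, still produces hkp://keyserver.ubuntu.com:443 rather than an hkps:// URL; pair this default with the MODULE_SIGNATURE_KEYSERVER_SCHEME override proposed earlier, and make the default port match the default scheme.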

, or similar?
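An added example, not Module::Signature's code and not from any PR on this issue: a stand-alone Perl sketch of the scheme override proposed in the comment above. The env var name MODULE_SIGNATURE_KEYSERVER_SCHEME, the keyserver_uri() and gpg_verify_args() helpers, the default-port table and the keyserver.ubuntu.com/hkps defaults are assumptions for illustration. It also validates the host and warns about the hkp-on-443 mismatch visible in the cpansign output above.

```perl
#!/usr/bin/env perl
# Added example: how a scheme override could be wired in. Not Module::Signature's
# code; MODULE_SIGNATURE_KEYSERVER_SCHEME, keyserver_uri() and gpg_verify_args()
# are assumed names for illustration.
use strict;
use warnings;

# Defaults follow the issue's proposal (assumed values, not the module's).
our $KeyServerScheme = $ENV{MODULE_SIGNATURE_KEYSERVER_SCHEME} || 'hkps';
our $KeyServer       = $ENV{MODULE_SIGNATURE_KEYSERVER}        || 'keyserver.ubuntu.com';
our $KeyServerPort   = $ENV{MODULE_SIGNATURE_KEYSERVERPORT};   # undef => derive from scheme

# Schemes gpg accepts for --keyserver, with the port each normally uses.
my %DEFAULT_PORT = (hkp => 11371, hkps => 443, ldap => 389, ldaps => 636);

sub keyserver_uri {
    my ($scheme, $host, $port) = @_;
    $scheme = lc $scheme;
    die "unsupported keyserver scheme '$scheme'\n" unless exists $DEFAULT_PORT{$scheme};

    # Accept only a bare hostname: a value carrying a scheme, path or userinfo
    # would otherwise be spliced verbatim into the gpg command line.
    die "keyserver host must be a bare hostname\n"
        unless defined $host && $host =~ /^[A-Za-z0-9.-]+$/;

    $port //= $DEFAULT_PORT{$scheme};
    die "keyserver port must be numeric\n" unless $port =~ /^\d+$/;

    # Flag the mismatch seen in the issue: plaintext hkp aimed at the hkps port.
    warn "scheme '$scheme' on port $port is unusual; its default port is $DEFAULT_PORT{$scheme}\n"
        if $port != $DEFAULT_PORT{$scheme};

    return "$scheme://$host:$port";
}

# Return the gpg invocation as a list, so it can be passed to system(LIST)
# without shell interpolation of any of the values.
sub gpg_verify_args {
    my ($sigfile) = @_;
    return (
        'gpg', '--verify', '--batch', '--no-tty',
        '--keyserver=' . keyserver_uri($KeyServerScheme, $KeyServer, $KeyServerPort),
        '--keyserver-options=auto-key-retrieve',
        $sigfile,
    );
}

# When run directly, show the command that would be executed.
unless (caller) {
    print join(' ', gpg_verify_args('SIGNATURE')), "\n";
}
```

Run with `MODULE_SIGNATURE_KEYSERVER_SCHEME=hkp MODULE_SIGNATURE_KEYSERVERPORT=443 perl keyserver.pl` to see the mismatch warning; with no variables set it prints an hkps:// keyserver argument.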

haarg commented 2 years ago

I've created PR #34 to at least fix the key server.

timlegge commented 2 weeks ago

Logged #37 to address the remaining item. Closing