cpanm's `--verify` doesn't work if `gpg` is not available in the system.

What happens is, if Crypt::OpenPGP is installed, `Module::Signature::_verify($chksum)` will try to verify the empty string digest and always fail. If Crypt::OpenPGP is not installed, Module::Signature will always succeed, by comparing empty strings.

This is because cpanminus (and CPAN.pm) is using Module::Signature's private API, `_verify`, and Module::Signature doesn't always read the signature from its argument, depending on the backend it uses.

cc @audreyt @andk
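The fail-open behaviour described above (verification "succeeding" because nothing was actually checked) is the thing a caller has to guard against. Below is an added example of a fail-closed wrapper around Module::Signature's public `verify()` function; it is not code from cpanminus, CPAN.pm or Module::Signature. It assumes the documented return codes of `Module::Signature::verify()`: `SIGNATURE_OK` is `0`, and `CANNOT_VERIFY` is the string `'0E0'`, which Module::Signature returns when neither `gpg` nor Crypt::OpenPGP can be used. The `verify_dist_signature` helper and its `$dist_dir` argument are constructed for this example.

```perl
use strict;
use warnings;
use Module::Signature ();   # public API only; _verify is private and backend-dependent

# Constructed helper (example only): verify the SIGNATURE file of an unpacked
# distribution and treat anything other than an exact SIGNATURE_OK as failure.
sub verify_dist_signature {
    my ($dist_dir) = @_;
    chdir $dist_dir or die "cannot chdir to $dist_dir: $!";

    my $rv = Module::Signature::verify();

    # Assumed per the Module::Signature docs: SIGNATURE_OK is 0 and
    # CANNOT_VERIFY is '0E0'. '0E0' is true in boolean context and equal to 0
    # in numeric context, so both `if (verify())` and
    # `if (verify() == SIGNATURE_OK)` would wave through a distribution that
    # was never checked because no gpg / Crypt::OpenPGP backend was present.
    # Compare the return value as a string so only a real SIGNATURE_OK passes.
    my $ok = Module::Signature::SIGNATURE_OK() . '';
    return ("$rv" eq $ok) ? 1 : 0;
}

# Usage: abort the install unless the signature really verified.
if (@ARGV) {
    verify_dist_signature($ARGV[0])
        or die "signature for $ARGV[0] did not verify (or could not be checked); refusing to install\n";
    print "signature OK\n";
}
```

The point of the string comparison is that "could not verify" must be indistinguishable from "bad signature" for the caller; any backend-dependent shortcut (such as the private `_verify` path the issue describes) is avoided by going through `verify()`, which reads the `SIGNATURE` file itself.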