2 changes in verify_checksums/verify_checksums_signature

[skaji]

This PR does 2 things in verify_checksums/verify_checksums_signature:

• Module::Signature::_verify may return SIGNATURE_OK (0), and also CANNOT_VERIFY ('0E0'). So we should use "eq" to test the return values. See https://metacpan.org/release/AUDREYT/Module-Signature-0.87/source/lib/Module/Signature.pm#L11-12
• check cpan_path in CHECKSUMS file too; this makes sure CHECKSUMS file is actually for the "AUTHOR" in question.

In addition, we import PAUSE2022.pub by ourselves in tests; this workaround will be safely deleted once Module::Signature itself bundles the key. See https://github.com/audreyt/module-signature/pull/31

[miyagawa]

Thanks!

[perlpunk]

Hi,

is this a fix for the vulnerability mentioned here: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ ?

Can you estimate when you will release this? Currently there is a request to remove cpanm from openSUSE until this is fixed, and we would like to avoid that of course.

[miyagawa]

While this PR is a bug fix for the signature verification, the correct way forward is to stop relying on the signature verification, and use the trusted source such as www.cpan.org over TLS.

There's some fallacy where cpanm is determined vulnerable because it offers a signature verification option (which is off by default) while cpm is not vulnerable because it doesn't perform a verification at all. Either way, this CVE doesn't apply to most users of cpanm who doesn't use the --verify option.

I am considering another PR to remove/deprecate the signature verification from --verify with a documentation that you should not rely upon the signature verification.