Workaround for RT#126994

niklasholm · niklasholm · commit a620670c58ad · 2018-08-30T17:06:01.000+02:00
This commit should be reverted when no longer needed. Also change
RIPEMD-160 to (at least) SHA-256 when that happens.

- Set gpg digest preference to SHA1
- Only sign with gpg &lt; v1.9
diff --git a/lib/Module/Signature.pm b/lib/Module/Signature.pm
@@ -165,8 +165,12 @@ sub _vercmp {
 }
 
 sub _has_gpg {
-    my $gpg = _which_gpg() or return;
+    my %args = (@_);
+    my $gpg = _which_gpg(%args) or return;
     `$gpg --version` =~ /GnuPG.*?(\S+)\s*$/m or return;
+    if ($args{gpg1}) {
+        _vercmp($1, "1.9.0") < 0 or return;
+    }
     return $1;
 }
 
@@ -245,8 +249,15 @@ my $which_gpg;
 sub _which_gpg {
     # Cache it so we don't need to keep checking.
     return $which_gpg if $which_gpg;
+    my %args = (@_);
+    my @cands;
+    if ($args{gpg1}) {
+        @cands = ('gpg1', 'gpg', 'gnupg1', 'gnupg');
+    } else {
+        @cands = ('gpg', 'gpg2', 'gnupg', 'gnupg2');
+    }
 
-    for my $gpg_bin ('gpg', 'gpg2', 'gnupg', 'gnupg2') {
+    foreach my $gpg_bin (@cands) {
         my $version = `$gpg_bin --version 2>&1`;
         if( $version && $version =~ /GnuPG/ ) {
             $which_gpg = $gpg_bin;
@@ -424,7 +435,7 @@ sub sign {
         return unless <STDIN> =~ /[Yy]/;
     }
 
-    if (my $version = _has_gpg()) {
+    if (my $version = _has_gpg(gpg1 => 1)) {
         _sign_gpg($SIGNATURE, $plaintext, $version);
     }
     elsif (eval {require Crypt::OpenPGP; 1}) {
@@ -449,7 +460,7 @@ sub _sign_gpg {
     local *D;
     my $set_key = '';
     $set_key = qq{--default-key "$AUTHOR"} if($AUTHOR);
-    open D, "| $gpg $set_key --clearsign --openpgp --personal-digest-preferences RIPEMD160 >> $sigfile.tmp"
+    open D, "| $gpg $set_key --clearsign --openpgp --personal-digest-preferences SHA1 >> $sigfile.tmp"
         or die "Could not call $gpg: $!";
     print D $plaintext;
     close D;
