diff --git a/SIGNATURE b/SIGNATURE
deleted file mode 100644
index 15b1787..0000000
--- a/SIGNATURE
+++ /dev/null
@@ -1,59 +0,0 @@ -This file contains message digests of all files listed in MANIFEST, -signed via the Module::Signature module, version 0.84. - -To verify the content in this distribution, first make sure you have -Module::Signature installed, then type: - - % cpansign -v - -It will check each file's integrity, as well as the signature's -validity. If "==> Signature verified OK! <==" is not displayed, -the distribution may already have been compromised, and you should -not run its Makefile.PL or Build.PL. - ------BEGIN PGP SIGNED MESSAGE----- -Hash: RIPEMD160 - -SHA256 9cec751fbdaa4ec3257dd2cabf19dfd23f989ffd682de3eafa9f6020b0099a79 ANDK2018.pub -SHA256 1847f802a331b202eae02729e828d6b59ef4c6129020660ecd6865b67ec4dfb5 AUDREYT2018.pub -SHA256 7de2bf0898f4a1e79d92f9e8ae68e7578eeaaff74211cddc0dfdc7996887cdc1 AUTHORS -SHA256 106e1d686c98264672227b324b19e905325a3b8e30b62e2e8622a4d0a09e2a28 Changes -SHA256 c0767212c05209c84a1cbd804dc3fb9a05b8ee4ed9770d11bd029348dab032c9 MANIFEST -SHA256 093c47e35166ca8f4d6cb4a1d51b436809a4fca4bdb43221bd8fb67adac2e425 MANIFEST.SKIP -SHA256 0fac3c54cc361c8a0c543893f801bc4ce1314d86eaca1c0d4ffc9495f1adb24f META.yml -SHA256 506100751f91446bce973090403c88aa81762a4880cc57797a10ecbcfb0e22ff Makefile.PL -SHA256 c9b4cc9f924857b93a081066bdc7f120e537469c1b605e19c1f07296ac07cfdd NIKLASHOLM2018.pub -SHA256 7c368bf650e83fc80cf9a851565d77a5cd71f243ef8c277a60adfa12253aaef3 PAUSE2019.pub -SHA256 7cb2f8aba39724e74d4f4018cee110123dfcce3085b619ca5b163fb7ca3d7219 README -SHA256 8cd77b6a6f370ecdec102298273d50094c515a5f23c5b02b3a31beaa6e799468 inc/Module/Install.pm -SHA256 cfb98bad08ee4472484697b171e43e750ac29e4759389b4d09f4c3a3ac661a91 inc/Module/Install/Base.pm -SHA256 6d3cd1903eb6210b0cd001e5baaad2113fc536eede5de5f9c1419237036a27ec inc/Module/Install/Can.pm -SHA256 d5bbe82c94efc00222d74923f4a1d62889c6673a7d44b0e12e8266c9ca336d2a inc/Module/Install/External.pm -SHA256 bba66b641eb4d25a67df16bc8b1fd34a4ee9fbdab956081a27d242af69a0847c inc/Module/Install/Fetch.pm 
-SHA256 317c01e9ee71e5c3fa61563d82a0c9e22958b68cafd2ce0a70b516f22d4829df inc/Module/Install/Makefile.pm -SHA256 6eaa52282b49bbb2fc54b137be6ce4f9eda80619a0c14571f4718a37a8aba065 inc/Module/Install/Metadata.pm -SHA256 a10f0f4ebb579bae28ec5a372c5b7bcdc07df89aa24c04b502e0d0442230f200 inc/Module/Install/Scripts.pm -SHA256 9cf3940ab15fd196c7b147aea3ab3c18d9ec3fdb3eadb238dc50120185cf81e7 inc/Module/Install/Win32.pm -SHA256 c6cee30b2053ca28654b3216340169ca97ff2b2bcbb5a1ef7e3b7e3cf593419b inc/Module/Install/WriteAll.pm -SHA256 bf22b3297ae39975c979e1921aaa2ef77b116a58c5026d8a772ccfceefc22d94 lib/Module/Signature.pm -SHA256 51aa9c445c6f54c26fc37d5ec2e42535461eb3a78911ca2516dd1c97e7aa7185 script/cpansign -SHA256 286fda83531d99b34e214b0058ba806a38bdb6317fc3c6ca2f7c5a9840f1c092 t/0-signature.t -SHA256 9be1e82eed0cb08514d2e3654b1396a23e5dd89ca8a5e67788ac6492697a5ce3 t/1-basic.t -SHA256 ae0a2706d9dbe8cb3d0c3b948af76c42a9e6138bc21a45a5c82e655a412daf8a t/2-cygwin.t -SHA256 abdaa7cf0869bf6a08c0c80da3176145243d6989b9522ecff8881a939cba5530 t/3-verify.t -SHA256 2b17f99fccb7172b580ecde8839860f5db05292ea25391d9ea60839b45d5ac9a t/wrap.pl -SHA256 1e55d31ce050bd8250d7f5e74afdbb050fdf34834e0925f6992400e6a35ee87a t/wrapped-tests.bin ------BEGIN PGP SIGNATURE----- - -iQGzBAEBAwAdFiEE8/4umVyeYRTFU5r09ePPSwnTf6gFAluHc7gACgkQ9ePPSwnT -f6h8MAv/U4IYwPNC56L+eokvNXBUqk6knYF77vSMDi/TuY6/zR6CFNzlrnZH38hB -f9fKXsmsWT0xuO+awQ/NPYwAo4cfF0pzUF+BpZW1qhaGjRsrSz5QPED9g6YLZlMm -MiF/jJNfUGVfCy0HLz6jd9rvhoO3xgDgGhcWiWMDH/qyG1skPgpp/rZYZevmOshk -IiXmykMlqzDdG56MqZpPnCNn3oIhJIJj+LpGQJVr3U38H0pYzUBUKJBxWivs7Npo -gx3QdYxSvuxDIbYMF0u23mIMMIXL8YPauH8YCJh1J+r8OJ9LZ1Svbrd3AKXIDj57 -WU9k+Jfhq82rrmFR+rnpCWkRQVDrhaX//UPeNNQTdKIcFbCX/h3As7dRTWeNW3Xh -1KOUtMC6cpaf6KznCCoClY7V01Nyd7pCqhaxAi2iJl0ROLwqQE1ZpV3Kwgy7z/e4 -U1OMkAFCOwXRPyP5nFVQej5se9zZHcIciteuCReJKkAy7nE7ArpysX8Nv+RDrDUt -wHYNnsNK -=bpBL ------END PGP SIGNATURE----- diff --git a/lib/Module/Signature.pm b/lib/Module/Signature.pm index bbed364..5efdf2e 100644 
--- a/lib/Module/Signature.pm +++ b/lib/Module/Signature.pm @@ -17,6 +17,11 @@ use constant SIGNATURE_MISMATCH => -4; use constant MANIFEST_MISMATCH => -5; use constant CIPHER_UNKNOWN => -6; +# Enable workaround for RT#126994 +use constant RT126994 => 1; +use vars qw($Signing); +$Signing = 0; + use ExtUtils::Manifest (); use Exporter; use File::Spec; @@ -150,6 +155,20 @@ sub _verify { } } +sub _vercmp { + my ($lhs, $rhs) = @_; + local $@; + my $res; + eval { + require version; + $res = version->parse($lhs) <=> version->parse($rhs); + }; + if ($@) { + $res = $lhs <=> $rhs; + } + return $res; +} + sub _has_gpg { my $gpg = _which_gpg() or return; `$gpg --version` =~ /GnuPG.*?(\S+)\s*$/m or return; @@ -232,9 +251,14 @@ sub _which_gpg { # Cache it so we don't need to keep checking. return $which_gpg if $which_gpg; - for my $gpg_bin ('gpg', 'gpg2', 'gnupg', 'gnupg2') { + for my $gpg_bin ('gpg', 'gnupg', 'gpg2', 'gnupg2', 'gpg1', 'gnupg1') { my $version = `$gpg_bin --version 2>&1`; - if( $version && $version =~ /GnuPG/ ) { + if( $version && $version =~ /GnuPG.*?(\S+)\s*$/m ) { + # This is a workaround for RT#126994 meant to be reverted when no longer + # needed. Run git blame on this line to find out which commit that is. + if (RT126994 and $Signing) { + _vercmp($1, "2.1.15") <= 0 or next; + } $which_gpg = $gpg_bin; return $which_gpg; } @@ -344,7 +368,7 @@ sub _read_sigfile { if (1 .. ($_ eq $begin)) { if (!$found and /signed via the Module::Signature module, version ([0-9\.]+)\./) { $found = 1; - if (eval { require version; version->parse($1) < version->parse("0.82") }) { + if (_vercmp($1,"0.82") < 0) { $LegacySigFile = 1; warn "Old $SIGNATURE detected. Please inform the module author to regenerate " . "$SIGNATURE using Module::Signature version 0.82 or newer.\n"; @@ -410,6 +434,8 @@ sub sign { return unless =~ /[Yy]/; } + $Signing = 1; + if (my $version = _has_gpg()) { _sign_gpg($SIGNATURE, $plaintext, $version); } 
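Review bot: `use vars qw($Signing); $Signing = 0;` is the pre-5.6 spelling of a package global; `our $Signing = 0;` says the same thing in one line and is what perlcritic expects, unless the module deliberately still supports perls without `our`, in which case a comment here should say so. The flag is also undocumented although it changes what `_which_gpg` returns; a line such as `# Set to 1 by sign(); makes _which_gpg() apply the RT#126994 gpg version filter.` would tell a reader why a constant and a mutable flag sit next to each other.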
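Review bot: The fallback `$res = $lhs <=> $rhs;` in `_vercmp` numifies dotted strings, so "2.1.15" becomes 2.1 and "2.10.0" sorts below "2.9.0" (with an "isn't numeric" warning under `use warnings`); it is reached both when version.pm is missing and when `version->parse` rejects one of the inputs, such as a gpg version string carrying a suffix. Comparing the numeric components left to right keeps the fallback meaningful for both callers this commit adds. The whole of `_vercmp` is inside the hunk.
```perl
    # … unchanged: eval { require version; … } …
    if ($@) {
        # version.pm missing, or it rejected an input: compare the numeric
        # components left to right, treating a missing component as 0.
        my @l = $lhs =~ /(\d+)/g;
        my @r = $rhs =~ /(\d+)/g;
        $res = 0;
        while (!$res and (@l or @r)) {
            $res = (shift(@l) || 0) <=> (shift(@r) || 0);
        }
    }
    # … unchanged: return $res; …
```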
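Review bot: The new `_vercmp($1, "2.1.15") <= 0 or next;` filter in `_which_gpg` only runs when nothing is cached yet: `return $which_gpg if $which_gpg;` at the top of the hunk hands back whatever an earlier, non-signing call found, so the RT#126994 workaround silently depends on sign() being the first caller in the process. The reverse also holds, because `$Signing = 1;` in the hunk at +434 is never cleared, so a verify in the same process after a sign that found no acceptable binary keeps skipping every gpg newer than 2.1.15. When all candidates are skipped the loop ends with `$which_gpg` unset and whatever follows the loop (outside the hunk) decides the outcome without telling the user why gpg was passed over; `if (_vercmp($1, "2.1.15") > 0) { warn "Skipping $gpg_bin $1 for signing (newer than 2.1.15, RT#126994)\n"; next }` would make that visible. Resetting `$which_gpg` where `$Signing` is set, or keying the cache on `$Signing`, would remove the ordering dependence. `_which_gpg` continues past the end of the hunk.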
@@ -435,7 +461,7 @@ sub _sign_gpg {
 local *D;
 my $set_key = '';
 $set_key = qq{--default-key "$AUTHOR"} if($AUTHOR);
- open D, "| $gpg $set_key --clearsign --openpgp --personal-digest-preferences RIPEMD160 >> $sigfile.tmp"
+ open D, "| $gpg $set_key --clearsign --openpgp --personal-digest-preferences SHA1 >> $sigfile.tmp"
 or die "Could not call $gpg: $!";
 print D $plaintext;
 close D;
diff --git a/t/wrapped-tests.bin b/t/wrapped-tests.bin
index 3d104ac..12f7339 100644
--- a/t/wrapped-tests.bin
+++ b/t/wrapped-tests.bin
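Review bot: The changed `open D, "| $gpg $set_key --clearsign --openpgp --personal-digest-preferences SHA1 >> $sigfile.tmp"` still runs the whole command through the shell, so `$AUTHOR` (interpolated on the line above as `--default-key "$AUTHOR"`) and `$sigfile` are parsed by the shell rather than handed to gpg, and a value containing a quote, `$` or backtick changes the command. A list-form pipe (for example core IPC::Open2 with `$gpg, @key_opt, '--clearsign', '--openpgp', '--personal-digest-preferences', 'SHA1'`, appending what gpg returns to "$sigfile.tmp" from Perl) avoids the shell entirely and lets the bareword handle `D` and `local *D` go; at minimum `$AUTHOR` should be checked against the key-id or e-mail shape expected before it is interpolated. Separately, the digest preference moves from RIPEMD160 to SHA1 without the commit recording why; SHA-1 has published collision attacks and newer GnuPG releases are increasingly strict about SHA-1 signatures, so a comment on this line naming the reason (presumably the same RT#126994 compatibility issue) and why SHA256 was not chosen would keep the change from reading as an arbitrary downgrade. `_sign_gpg` begins before this hunk.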
@@ -18,9 +18,9 @@ $VAR1 = { "t/test-datmix-signew/42.gz" => "\37\213\b\b\336\0343:\2\00342\00031\342\2\0001)\206\321\3\0\0\0", "t/test-datmix-signew/MANIFEST" => "MANIFEST\r\nREADME\nSIGNATURE\n42.gz\r\n", "t/test-datmix-signew/README" => "If this file in in a *datlf*/ directory it should be in Unix format.\nIn a *datcrlf*/ directory it should be in DOS format.\r\n", - "t/test-datmix-signew/SIGNATURE" => "This file contains message digests of all files listed in MANIFEST,\nsigned via the Module::Signature module, version 0.84.\n\nTo verify the content in this distribution, first make sure you have\nModule::Signature installed, then type:\n\n % cpansign -v\n\nIt will check each file's integrity, as well as the signature's\nvalidity. If \"==> Signature verified OK! <==\" is not displayed,\nthe distribution may already have been compromised, and you should\nnot run its Makefile.PL or Build.PL.\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: RIPEMD160\n\nSHA256 787e758a975d04560f6a9d4671646a48c4e9da4f40d4e102bc4562cd15c71ab5 42.gz\nSHA256 d8663a9b3fa46b2c4eab89c0a57e6b03089153bc9d5bfc5166642ea272d4da18 MANIFEST\nSHA256 7c2d6914637135b77ffd90242627efa905c2843e5fdcabe15612a2dd8d616521 README\n-----BEGIN PGP 
SIGNATURE-----\n\niQIzBAEBAwAdFiEEMmeFaE5q31rFI7Zzx3wChANpBiQFAluG0OYACgkQx3wChANp\nBiSjBhAAodCH9AE81Xii9wy/Wid2vu9LwKAT2KVMR/6dZbVx5MIBQz5KrgjmOvtm\niaPm1nGYYQr0Cf/8D/vwfOlyW6CRDQ9J9NVY2wkKSm98H1vsw6QUFrBOUoEGqwhc\n6eurldfeA8KZIrGV3WTsrPa7uKiYeDUJfVjuLaMMyW4rqSqYB+Zv8PzA7Q/7V8pJ\njWXhVRiuc7Qlx1DXDQyxJdK5jtCtsZ7c37UyuFnTRWRpNylFY0eUbw+z4BEFGI/s\n3jJRDCWpBv17/rYMAXnXt5/F1VKP1tAVR43pHa59wEqCw4q2Q3pY4PG29I1FWHah\nvXaVVg5YTqd2TlAGgQYnYYeQ3B6d8W92ENnECNjUlQU0Gy6nlzxNkUSLhpKskNra\na6MbnyXk48bcYsnP9p2uSniWQFt0sVqFSgzfkr4c+gpR+jx6OqQoJqQCbucnwh1p\nVZsccMNs+pA3d2qwy0SrHO8VweWshZYp7HJgGSjKImCW4uWFXW6vYmVE58vYFHMb\nNytIJP/beklV53QmFcuVNJUrhh4L2G/KVVql1dgVEFPVtIDuMfiZgej8IQNLyv3T\ns4m8oaE4Rx5gsl+9tQFiInh45jT96gFUEmgN+u3Am8CgmZVUf1tq3gg7EyTiBUAO\nqjIe2fQ4p+bbjIQu1rNkReemL1AZEszBghUgjRmb9FASeQUSiC0=\n=p35e\n-----END PGP SIGNATURE-----\n", + "t/test-datmix-signew/SIGNATURE" => "This file contains message digests of all files listed in MANIFEST,\nsigned via the Module::Signature module, version 0.84.\n\nTo verify the content in this distribution, first make sure you have\nModule::Signature installed, then type:\n\n % cpansign -v\n\nIt will check each file's integrity, as well as the signature's\nvalidity. If \"==> Signature verified OK! 
<==\" is not displayed,\nthe distribution may already have been compromised, and you should\nnot run its Makefile.PL or Build.PL.\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nSHA256 787e758a975d04560f6a9d4671646a48c4e9da4f40d4e102bc4562cd15c71ab5 42.gz\nSHA256 d8663a9b3fa46b2c4eab89c0a57e6b03089153bc9d5bfc5166642ea272d4da18 MANIFEST\nSHA256 7c2d6914637135b77ffd90242627efa905c2843e5fdcabe15612a2dd8d616521 README\n-----BEGIN PGP SIGNATURE-----\n\niQIcBAEBAgAGBQJbh94YAAoJEMd8AoQDaQYkf8IQAIkbMgoaCFl1QxvHjHu9jcH3\n1LZs4IjkpXVX1Xh/Ik2ca7j3RDpvpnewBI51o9oE3Z4WGIdaAlydhoD8Ez1MBMDX\nS61nzYaSiDzv9wVQapI6GiMe2z9v4XH5vGAm/VpA7FEVkY/DDTd2XfJZbPnQOjb7\npY8kBJZ653ps9j5CuodHYyYeCNoeey2sdtIX0Kle6Cd8xssUbDc8+irHnQ2qPLub\nshick6yTQk4Q7hlodMSQI1R6hMICob/MIy7fVjvRqNpm/seLSP0N7tcrom1gXT3T\nuB5ocKeKgmVXXpm+biJ2FXMxYg/VfXuUTJjQns5nRQgMUpRek484CUDejXw4BZR3\nfmBxCCpEKFb/ep2Fq20AlJVOIR3/XQgc6ICk7kY6OVxNQNG/tetV4Fm7V0UbspkV\nLggw1UzEMkmNJNUc09j3+vfxXeayleyMnmxCSHsdCbo0AFHjrN8AYDUS2kY10xJV\nPkbdJ2NB2w9nHNRwLHrVZPqC1uvXacF6VYL4GKLnB00+o9XH6D21UUZW23PuBCSL\nGm3TdXyRBaGc8sN7U/kWn0JboJmkuDcUKBMDFpvo1W9+88SCcHpzuuM8WEp1vdRq\ngu7Royr87tth5lCO4NZRwV3pkwMC6DyhaCInRJ5fD08xdI/W5ajfZ7ph49mgqTio\n0MNTYMjinpI1igHoEJFG\n=HKrs\n-----END PGP SIGNATURE-----\n", "t/test-datmix-sigold/42.gz" => "\37\213\b\b\336\0343:\2\00342\00031\342\2\0001)\206\321\3\0\0\0", "t/test-datmix-sigold/MANIFEST" => "MANIFEST\r\nREADME\nSIGNATURE\n42.gz\r\n", "t/test-datmix-sigold/README" => "If this file in in a *datlf*/ directory it should be in Unix format.\nIn a *datcrlf*/ directory it should be in DOS format.\r\n", - "t/test-datmix-sigold/SIGNATURE" => "This file contains message digests of all files listed in MANIFEST,\nsigned via the Module::Signature module, version 0.81.\n\nTo verify the content in this distribution, first make sure you have\nModule::Signature installed, then type:\n\n % cpansign -v\n\nIt will check each file's integrity, as well as the signature's\nvalidity. If \"==> Signature verified OK! 
<==\" is not displayed,\nthe distribution may already have been compromised, and you should\nnot run its Makefile.PL or Build.PL.\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nSHA1 51e1c061bc02e9a38948a5d8e3ca7352830f0fac 42.gz\nSHA1 42df4f7b8e7b2969aa2acadb656566c6cafe2d0c MANIFEST\nSHA1 01df1a2d305b103ac9b81beac8332520877af6c8 README\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBAgAdFiEEMmeFaE5q31rFI7Zzx3wChANpBiQFAluG0KUACgkQx3wChANp\nBiSq1g//UmDkPeJYgq/V+VXLX7GBKGsOPbRhQkPPeb5utI10AHYzq4q0V/UGeKQN\nf4eXzjp9P7wfu9mrAfMKfvF8rmDSA45SKVWegeGIqREgKtrJTm5QsO6b87DjHwoI\nrBDLrtsZ6J42FSP2V4juUqZfMmtQ+dzCCeUxKm/t4M0tTdzj0DBee3z1kox3eEHZ\nX6m14gQCiB4GWgXuvkI0zKbTRnuxSy7i0iZBCEVeetTGCpT49woyHLggUuOvRyzy\nO+O0KyvfYCmm0CtPlo3KIE1wt0SokDUNGR6qvAwPN+2BnC/59g3xp3s9qn2OatDa\n1gQeFuulAa5UBvBBy6TKMIMUc8KCWI52K9xv0oKF7oRl3Pk39b1IXbfdXUPIY2M5\nhwBLNBubHGaPNF6Pdxr6iHsrtJy3WwasQUUOSw9T3aHJHgNphHrwkldzwvVPMeoR\nPOc1V9TLhqDd/K5MrThmc9rmR2tFSZZM0sQT1lFe0cq1fDL0z1ZdjFGLaqKUgeM9\nmeDqrKGdFlFbNqdfnR+uTgPK/8sqmsbLRX+mAO8TKAH8dgJ8gaOwR1mqexvx+HFW\npUREMfiCyFvYu+TnBwSa3aWd/LNIAKqIjVs8Ho6Ol0pP23+bct6lYuGiy3JFe+TQ\nuiOUpJZ2+w1NaTjNVDT8LMm3E4Fae3KynfyP4C1vvjg251JCCeI=\n=9Lmf\n-----END PGP SIGNATURE-----\n" + "t/test-datmix-sigold/SIGNATURE" => "This file contains message digests of all files listed in MANIFEST,\nsigned via the Module::Signature module, version 0.81.\n\nTo verify the content in this distribution, first make sure you have\nModule::Signature installed, then type:\n\n % cpansign -v\n\nIt will check each file's integrity, as well as the signature's\nvalidity. If \"==> Signature verified OK! 
<==\" is not displayed,\nthe distribution may already have been compromised, and you should\nnot run its Makefile.PL or Build.PL.\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nSHA1 51e1c061bc02e9a38948a5d8e3ca7352830f0fac 42.gz\nSHA1 42df4f7b8e7b2969aa2acadb656566c6cafe2d0c MANIFEST\nSHA1 01df1a2d305b103ac9b81beac8332520877af6c8 README\n-----BEGIN PGP SIGNATURE-----\n\niQIcBAEBAgAGBQJbh94AAAoJEMd8AoQDaQYkbPUP/jGf7Y75e+wNh06Voauypgbr\nOtH6iXqOvyLceFQuCqh54UUHZLzgc5wZ2rGdA1oLVn26GBIOREQBG9GEiOLV0UVY\nwCsAi2kCOokpvNVfLcBLM6YqVmXRwKCldJ5y4j/GfWKHLDndZTDQ28GbcnX8/dNR\naeDLEyUy/weH0mj6C9+faqEfCdXO2CiliHz1JOA3GOI0/c6JW/zcwUlq9K1APdY3\n0d1xLpLE1AKfWXXxn2LndaGw83/mojvMTWTSIdmYFYLU0IDCzrSk8XTZLh6rnxO2\nvWWQX8esNZEksryZrCZKyctH9SZKaipCaTv0DbfSXmqTAUSF7LmD6eIWmWW40VgP\nSMQrJrD1PG3EplqKDHD1MVL5UNnl1djilIH89lwhMH9eaU9TA3pIHrvOBIQGd/HG\nBzz97rTrqjZVWxxtUmp0Nnwq1bQ2PfPIlyhvtab1ys5nVWH5c7iC0a5TPFQAAjEU\nwcTUw0WpxTUFxe68iMSo08MRjJBYbYEoiaet686Lembo+yaZDT7tvbY7bJbDbfAV\nPZWMZw80FuiSRJf6kixlJHkz1I/Wi4fJdQHu71QY3QqazOyN+O2+tBlKWNBSUus9\niuSQaa+w1v8a4NKDlwQ3Vs1+1Gd9UdXgpo3xzULGrNkUc+1/291YsJdJchHzTtfQ\nVurcufI94EL4vB4CKmXQ\n=4+Xn\n-----END PGP SIGNATURE-----\n" };