audreyt · niklasholm · Aug 30, 2018 · Aug 30, 2018
diff --git a/SIGNATURE b/SIGNATURE
diff --git a/lib/Module/Signature.pm b/lib/Module/Signature.pm
@@ -17,6 +17,11 @@ use constant SIGNATURE_MISMATCH  => -4;
 use constant MANIFEST_MISMATCH   => -5;
 use constant CIPHER_UNKNOWN      => -6;
 
+# Enable workaround for RT#126994
+use constant RT126994 => 1;
+use vars qw($Signing);
+$Signing = 0;
+
 use ExtUtils::Manifest ();
 use Exporter;
 use File::Spec;
@@ -150,6 +155,20 @@ sub _verify {
     }
 }
 
+sub _vercmp {
+    my ($lhs, $rhs) = @_;
+    local $@;
+    my $res;
+    eval {
+        require version;
+        $res = version->parse($lhs) <=> version->parse($rhs);
+    };
+    if ($@) {
+        $res = $lhs <=> $rhs;
+    }
+    return $res;
+}
+
 sub _has_gpg {
     my $gpg = _which_gpg() or return;
     `$gpg --version` =~ /GnuPG.*?(\S+)\s*$/m or return;
@@ -232,9 +251,14 @@ sub _which_gpg {
     # Cache it so we don't need to keep checking.
     return $which_gpg if $which_gpg;
 
-    for my $gpg_bin ('gpg', 'gpg2', 'gnupg', 'gnupg2') {
+    for my $gpg_bin ('gpg', 'gnupg', 'gpg2', 'gnupg2', 'gpg1', 'gnupg1') {
         my $version = `$gpg_bin --version 2>&1`;
-        if( $version && $version =~ /GnuPG/ ) {
+        if( $version && $version =~ /GnuPG.*?(\S+)\s*$/m ) {
+            # This is a workaround for RT#126994 meant to be reverted when no longer
+            # needed. Run git blame on this line to find out which commit that is.
+            if (RT126994 and $Signing) {
+                _vercmp($1, "2.1.15") <= 0 or next;
+            }
             $which_gpg = $gpg_bin;
             return $which_gpg;
         }
@@ -344,7 +368,7 @@ sub _read_sigfile {
         if (1 .. ($_ eq $begin)) {
             if (!$found and /signed via the Module::Signature module, version ([0-9\.]+)\./) {
                 $found = 1;
-                if (eval { require version; version->parse($1) < version->parse("0.82") }) {
+                if (_vercmp($1,"0.82") < 0) {
                     $LegacySigFile = 1;
                     warn "Old $SIGNATURE detected. Please inform the module author to regenerate " .
                          "$SIGNATURE using Module::Signature version 0.82 or newer.\n";
@@ -410,6 +434,8 @@ sub sign {
         return unless <STDIN> =~ /[Yy]/;
     }
 
+    $Signing = 1;
+
     if (my $version = _has_gpg()) {
         _sign_gpg($SIGNATURE, $plaintext, $version);
     }
@@ -435,7 +461,7 @@ sub _sign_gpg {
     local *D;
     my $set_key = '';
     $set_key = qq{--default-key "$AUTHOR"} if($AUTHOR);
-    open D, "| $gpg $set_key --clearsign --openpgp --personal-digest-preferences RIPEMD160 >> $sigfile.tmp"
+    open D, "| $gpg $set_key --clearsign --openpgp --personal-digest-preferences SHA1 >> $sigfile.tmp"
         or die "Could not call $gpg: $!";
     print D $plaintext;
     close D;

diff --git a/t/wrapped-tests.bin b/t/wrapped-tests.bin
@@ -18,9 +18,9 @@ $VAR1 = {
           "t/test-datmix-signew/42.gz" => "\37\213\b\b\336\0343:\2\00342\00031\342\2\0001)\206\321\3\0\0\0",
           "t/test-datmix-signew/MANIFEST" => "MANIFEST\r\nREADME\nSIGNATURE\n42.gz\r\n",
           "t/test-datmix-signew/README" => "If this file in in a *datlf*/ directory it should be in Unix format.\nIn a *datcrlf*/ directory it should be in DOS format.\r\n",
-          "t/test-datmix-signew/SIGNATURE" => "This file contains message digests of all files listed in MANIFEST,\nsigned via the Module::Signature module, version 0.84.\n\nTo verify the content in this distribution, first make sure you have\nModule::Signature installed, then type:\n\n    % cpansign -v\n\nIt will check each file's integrity, as well as the signature's\nvalidity.  If \"==> Signature verified OK! <==\" is not displayed,\nthe distribution may already have been compromised, and you should\nnot run its Makefile.PL or Build.PL.\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: RIPEMD160\n\nSHA256 787e758a975d04560f6a9d4671646a48c4e9da4f40d4e102bc4562cd15c71ab5 42.gz\nSHA256 d8663a9b3fa46b2c4eab89c0a57e6b03089153bc9d5bfc5166642ea272d4da18 MANIFEST\nSHA256 7c2d6914637135b77ffd90242627efa905c2843e5fdcabe15612a2dd8d616521 README\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBAwAdFiEEMmeFaE5q31rFI7Zzx3wChANpBiQFAluG0OYACgkQx3wChANp\nBiSjBhAAodCH9AE81Xii9wy/Wid2vu9LwKAT2KVMR/6dZbVx5MIBQz5KrgjmOvtm\niaPm1nGYYQr0Cf/8D/vwfOlyW6CRDQ9J9NVY2wkKSm98H1vsw6QUFrBOUoEGqwhc\n6eurldfeA8KZIrGV3WTsrPa7uKiYeDUJfVjuLaMMyW4rqSqYB+Zv8PzA7Q/7V8pJ\njWXhVRiuc7Qlx1DXDQyxJdK5jtCtsZ7c37UyuFnTRWRpNylFY0eUbw+z4BEFGI/s\n3jJRDCWpBv17/rYMAXnXt5/F1VKP1tAVR43pHa59wEqCw4q2Q3pY4PG29I1FWHah\nvXaVVg5YTqd2TlAGgQYnYYeQ3B6d8W92ENnECNjUlQU0Gy6nlzxNkUSLhpKskNra\na6MbnyXk48bcYsnP9p2uSniWQFt0sVqFSgzfkr4c+gpR+jx6OqQoJqQCbucnwh1p\nVZsccMNs+pA3d2qwy0SrHO8VweWshZYp7HJgGSjKImCW4uWFXW6vYmVE58vYFHMb\nNytIJP/beklV53QmFcuVNJUrhh4L2G/KVVql1dgVEFPVtIDuMfiZgej8IQNLyv3T\ns4m8oaE4Rx5gsl+9tQFiInh45jT96gFUEmgN+u3Am8CgmZVUf1tq3gg7EyTiBUAO\nqjIe2fQ4p+bbjIQu1rNkReemL1AZEszBghUgjRmb9FASeQUSiC0=\n=p35e\n-----END PGP SIGNATURE-----\n",
+          "t/test-datmix-signew/SIGNATURE" => "This file contains message digests of all files listed in MANIFEST,\nsigned via the Module::Signature module, version 0.84.\n\nTo verify the content in this distribution, first make sure you have\nModule::Signature installed, then type:\n\n    % cpansign -v\n\nIt will check each file's integrity, as well as the signature's\nvalidity.  If \"==> Signature verified OK! <==\" is not displayed,\nthe distribution may already have been compromised, and you should\nnot run its Makefile.PL or Build.PL.\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nSHA256 787e758a975d04560f6a9d4671646a48c4e9da4f40d4e102bc4562cd15c71ab5 42.gz\nSHA256 d8663a9b3fa46b2c4eab89c0a57e6b03089153bc9d5bfc5166642ea272d4da18 MANIFEST\nSHA256 7c2d6914637135b77ffd90242627efa905c2843e5fdcabe15612a2dd8d616521 README\n-----BEGIN PGP SIGNATURE-----\n\niQIcBAEBAgAGBQJbh94YAAoJEMd8AoQDaQYkf8IQAIkbMgoaCFl1QxvHjHu9jcH3\n1LZs4IjkpXVX1Xh/Ik2ca7j3RDpvpnewBI51o9oE3Z4WGIdaAlydhoD8Ez1MBMDX\nS61nzYaSiDzv9wVQapI6GiMe2z9v4XH5vGAm/VpA7FEVkY/DDTd2XfJZbPnQOjb7\npY8kBJZ653ps9j5CuodHYyYeCNoeey2sdtIX0Kle6Cd8xssUbDc8+irHnQ2qPLub\nshick6yTQk4Q7hlodMSQI1R6hMICob/MIy7fVjvRqNpm/seLSP0N7tcrom1gXT3T\nuB5ocKeKgmVXXpm+biJ2FXMxYg/VfXuUTJjQns5nRQgMUpRek484CUDejXw4BZR3\nfmBxCCpEKFb/ep2Fq20AlJVOIR3/XQgc6ICk7kY6OVxNQNG/tetV4Fm7V0UbspkV\nLggw1UzEMkmNJNUc09j3+vfxXeayleyMnmxCSHsdCbo0AFHjrN8AYDUS2kY10xJV\nPkbdJ2NB2w9nHNRwLHrVZPqC1uvXacF6VYL4GKLnB00+o9XH6D21UUZW23PuBCSL\nGm3TdXyRBaGc8sN7U/kWn0JboJmkuDcUKBMDFpvo1W9+88SCcHpzuuM8WEp1vdRq\ngu7Royr87tth5lCO4NZRwV3pkwMC6DyhaCInRJ5fD08xdI/W5ajfZ7ph49mgqTio\n0MNTYMjinpI1igHoEJFG\n=HKrs\n-----END PGP SIGNATURE-----\n",
           "t/test-datmix-sigold/42.gz" => "\37\213\b\b\336\0343:\2\00342\00031\342\2\0001)\206\321\3\0\0\0",
           "t/test-datmix-sigold/MANIFEST" => "MANIFEST\r\nREADME\nSIGNATURE\n42.gz\r\n",
           "t/test-datmix-sigold/README" => "If this file in in a *datlf*/ directory it should be in Unix format.\nIn a *datcrlf*/ directory it should be in DOS format.\r\n",
-          "t/test-datmix-sigold/SIGNATURE" => "This file contains message digests of all files listed in MANIFEST,\nsigned via the Module::Signature module, version 0.81.\n\nTo verify the content in this distribution, first make sure you have\nModule::Signature installed, then type:\n\n    % cpansign -v\n\nIt will check each file's integrity, as well as the signature's\nvalidity.  If \"==> Signature verified OK! <==\" is not displayed,\nthe distribution may already have been compromised, and you should\nnot run its Makefile.PL or Build.PL.\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nSHA1 51e1c061bc02e9a38948a5d8e3ca7352830f0fac 42.gz\nSHA1 42df4f7b8e7b2969aa2acadb656566c6cafe2d0c MANIFEST\nSHA1 01df1a2d305b103ac9b81beac8332520877af6c8 README\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBAgAdFiEEMmeFaE5q31rFI7Zzx3wChANpBiQFAluG0KUACgkQx3wChANp\nBiSq1g//UmDkPeJYgq/V+VXLX7GBKGsOPbRhQkPPeb5utI10AHYzq4q0V/UGeKQN\nf4eXzjp9P7wfu9mrAfMKfvF8rmDSA45SKVWegeGIqREgKtrJTm5QsO6b87DjHwoI\nrBDLrtsZ6J42FSP2V4juUqZfMmtQ+dzCCeUxKm/t4M0tTdzj0DBee3z1kox3eEHZ\nX6m14gQCiB4GWgXuvkI0zKbTRnuxSy7i0iZBCEVeetTGCpT49woyHLggUuOvRyzy\nO+O0KyvfYCmm0CtPlo3KIE1wt0SokDUNGR6qvAwPN+2BnC/59g3xp3s9qn2OatDa\n1gQeFuulAa5UBvBBy6TKMIMUc8KCWI52K9xv0oKF7oRl3Pk39b1IXbfdXUPIY2M5\nhwBLNBubHGaPNF6Pdxr6iHsrtJy3WwasQUUOSw9T3aHJHgNphHrwkldzwvVPMeoR\nPOc1V9TLhqDd/K5MrThmc9rmR2tFSZZM0sQT1lFe0cq1fDL0z1ZdjFGLaqKUgeM9\nmeDqrKGdFlFbNqdfnR+uTgPK/8sqmsbLRX+mAO8TKAH8dgJ8gaOwR1mqexvx+HFW\npUREMfiCyFvYu+TnBwSa3aWd/LNIAKqIjVs8Ho6Ol0pP23+bct6lYuGiy3JFe+TQ\nuiOUpJZ2+w1NaTjNVDT8LMm3E4Fae3KynfyP4C1vvjg251JCCeI=\n=9Lmf\n-----END PGP SIGNATURE-----\n"
+          "t/test-datmix-sigold/SIGNATURE" => "This file contains message digests of all files listed in MANIFEST,\nsigned via the Module::Signature module, version 0.81.\n\nTo verify the content in this distribution, first make sure you have\nModule::Signature installed, then type:\n\n    % cpansign -v\n\nIt will check each file's integrity, as well as the signature's\nvalidity.  If \"==> Signature verified OK! <==\" is not displayed,\nthe distribution may already have been compromised, and you should\nnot run its Makefile.PL or Build.PL.\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nSHA1 51e1c061bc02e9a38948a5d8e3ca7352830f0fac 42.gz\nSHA1 42df4f7b8e7b2969aa2acadb656566c6cafe2d0c MANIFEST\nSHA1 01df1a2d305b103ac9b81beac8332520877af6c8 README\n-----BEGIN PGP SIGNATURE-----\n\niQIcBAEBAgAGBQJbh94AAAoJEMd8AoQDaQYkbPUP/jGf7Y75e+wNh06Voauypgbr\nOtH6iXqOvyLceFQuCqh54UUHZLzgc5wZ2rGdA1oLVn26GBIOREQBG9GEiOLV0UVY\nwCsAi2kCOokpvNVfLcBLM6YqVmXRwKCldJ5y4j/GfWKHLDndZTDQ28GbcnX8/dNR\naeDLEyUy/weH0mj6C9+faqEfCdXO2CiliHz1JOA3GOI0/c6JW/zcwUlq9K1APdY3\n0d1xLpLE1AKfWXXxn2LndaGw83/mojvMTWTSIdmYFYLU0IDCzrSk8XTZLh6rnxO2\nvWWQX8esNZEksryZrCZKyctH9SZKaipCaTv0DbfSXmqTAUSF7LmD6eIWmWW40VgP\nSMQrJrD1PG3EplqKDHD1MVL5UNnl1djilIH89lwhMH9eaU9TA3pIHrvOBIQGd/HG\nBzz97rTrqjZVWxxtUmp0Nnwq1bQ2PfPIlyhvtab1ys5nVWH5c7iC0a5TPFQAAjEU\nwcTUw0WpxTUFxe68iMSo08MRjJBYbYEoiaet686Lembo+yaZDT7tvbY7bJbDbfAV\nPZWMZw80FuiSRJf6kixlJHkz1I/Wi4fJdQHu71QY3QqazOyN+O2+tBlKWNBSUus9\niuSQaa+w1v8a4NKDlwQ3Vs1+1Gd9UdXgpo3xzULGrNkUc+1/291YsJdJchHzTtfQ\nVurcufI94EL4vB4CKmXQ\n=4+Xn\n-----END PGP SIGNATURE-----\n"
         };