2003 Grant Report - Autrijus Tang
As of release 1.75, CPAN.pm can correctly check the validity of PAUSE-signed CHECKSUM files, and display the fingerprint ("2E66 557A B97C 19C7 91AF 8E20 328D A867 450F 89EC" for 2003) for the user to double-check. Because CPAN.pm itself ships the PAUSE public key, it makes tampering in the CPAN mirror level extremely likely to be detected. It also uses Module::Signature to check for author-created embedded SIGNATURE files inside the distributions, and refuses to install if it does not match. As the successor to CPAN.pm, CPANPLUS.pm now also supports all features listed above, as well as checking detached ".sig" PGP signatures.
As of release 0.19, Module::Build can correctly handle the "distsign" action, as shown below:
% perl Build.PL Creating new 'Build' script for 'Module-Build' version '0.19' % perl Build distsign ...some interaction with the user... ==> SIGNATURE file created successfully. <==
The "distsign" action can also be performed automatically during "Build dist", if the user passes a true value as the "sign" argument to Module::Build->new(). For example:
# Build.PL use Module::Build; Module::Build->new( module_name => 'Foo::Bar', license => 'perl', sign => 1 )->create_build_script;
Most of the implementation was carried out by Dave Rolsky and Ken Williams, with input, support, and testing from me. There is also a similar "make distsign" action provided by my Module::Install framework for ExtUtils::MakeMaker users, and Michael Schwern has agreed to take a patch in a future version of ExtUtils::MakeMaker to support it natively.
As of release 0.70, PAR can generate, sign, verify, install and uninstall files containing SIGNATURE files.
% pp --sign --par --output=foo.par foo.pl # produces signed PAR file % pp --sign --output=foo.exe foo.pl # signed standalone executable % tar zxf DBI-1.37.tar.gz % par.pl -p DBI-1.37/ # convert CPAN dist to PAR dist Successfully created binary distribution 'DBI-1.37-i386-freebsd-5.8.0.par'. % par.pl -s DBI-1.37-i386-freebsd-5.8.0.par # sign an existing PAR file % par.pl -v DBI-1.37-i386-freebsd-5.8.0.par # verify the signature % par.pl -i DBI-1.37-i386-freebsd-5.8.0.par # install it directly % par.pl -u DBI-1.37-i386-freebsd-5.8.0.par # uninstall it % par.pl -v http://foo.com/DBI-1.37-i386-freebsd-5.8.0.par # works % par.pl -i http://foo.com/DBI-1.37-i386-freebsd-5.8.0.par # this too
It can also be used programatically with PAR::Dist, or like this:
use PAR; use lib 'http://foo.com/DBI-1.37-i386-freebsd-5.8.0.par'; use DBI; print DBI->VERSION; # prints "1.37"
The "cpansign" utility in Module::Signature has also been improved to verify and sign PAR files, as well as verifying the digital signature of pp-generated standalone executables.