Bug#1022200: cpan: cannot check signatures

Vincent Lefevre vincent at vinc17.net
Fri Oct 21 21:28:14 BST 2022


Package: perl
Version: 5.36.0-4
Severity: grave
Justification: renders package unusable

It is no longer possible to install modules from CPAN because
signatures can no longer be checked. There was no such issue
with 5.34. This is a major regression; in particular, the
locally installed modules need to be reinstalled after the
upgrade.

Example:

Fetching with HTTP::Tiny:
https://cpan.org/modules/03modlist.data.gz
Reading '/home/vinc17/.cpan/sources/modules/03modlist.data.gz'
DONE
Writing /home/vinc17/.cpan/Metadata
Running install for module 'ReadDir'
Fetching with HTTP::Tiny:
https://cpan.org/authors/id/S/SA/SAMV/ReadDir-0.03.tar.gz
CPAN: Digest::SHA loaded ok (v6.02)
Fetching with HTTP::Tiny:
https://cpan.org/authors/id/S/SA/SAMV/CHECKSUMS
CPAN: Module::Signature loaded ok (v0.88)
gpg: Signature made 2021-11-21T22:42:22 CET
gpg:                using RSA key B6A1739063760CCA
gpg: Can't check signature: No public key

Signature for file /home/vinc17/.cpan/sources/authors/id/S/SA/SAMV/CHECKSUMS could not be verified for an unknown reason. Distribution id = S/SA/SAMV/ReadDir-0.03.tar.gz
    CPAN_USERID  SAMV (Sam Vilain <sam at vilain.net>)
    CALLED_FOR   ReadDir
    CHECKSUM_STATUS 
    CONTAINSMODS ReadDir
    UPLOAD_DATE  2004-06-25
    incommandcolor 1
    localfile    /home/vinc17/.cpan/sources/authors/id/S/SA/SAMV/ReadDir-0.03.tar.gz
    mandatory    1
    negative_prefs_cache 0
    prefs        HASH(0x55c2dfe1e9f8)
    reqtype      c

Module::Signature verification returned value 0E0

The manual says for this case: Cannot verify the
OpenPGP signature, maybe due to the lack of a network connection to
the key server, or if neither gnupg nor Crypt::OpenPGP exists on the
system. You probably want to analyse the situation and if you cannot
fix it you will have to decide whether you want to stop this session
or you want to turn off signature verification. The latter would be
done with the command 'o conf init check_sigs'

Signature for S/SA/SAMV/CHECKSUMS could not be verified for an unknown reason. Distribution id = S/SA/SAMV/ReadDir-0.03.tar.gz

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages perl depends on:
ii  dpkg               1.21.9+b1
ii  libperl5.36        5.36.0-4
ii  perl-base          5.36.0-4
ii  perl-modules-5.36  5.36.0-4

Versions of packages perl recommends:
ii  netbase  6.4

Versions of packages perl suggests:
pn  libtap-harness-archive-perl  <none>
ii  libterm-readline-perl-perl   1.0303-2.1
ii  make                         4.3-4.1
ii  perl-doc                     5.36.0-4

-- no debconf information

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
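
Added example, not part of the original report and not code from CPAN.pm or Module::Signature: a small triage helper for a transcript like the one above that separates "cannot verify" (0E0, signer key missing from the keyring) from an actual bad signature, and fails closed in both cases. The function name, verdict labels and sample string are assumptions made for illustration; it assumes untranslated gpg messages, as in the reporter's POSIX locale.

```python
import re

# Return values of Module::Signature's verify(); kept as strings because
# "0E0" (CANNOT_VERIFY) and "0" (SIGNATURE_OK) are numerically equal.
MODSIG = {"0E0": "CANNOT_VERIFY", "0": "SIGNATURE_OK", "-1": "SIGNATURE_MISSING",
          "-2": "SIGNATURE_MALFORMED", "-3": "SIGNATURE_BAD",
          "-4": "SIGNATURE_MISMATCH", "-5": "MANIFEST_MISMATCH",
          "-6": "CIPHER_UNKNOWN"}
TAMPER = {"SIGNATURE_BAD", "SIGNATURE_MISMATCH", "MANIFEST_MISMATCH"}

KEY_RE = re.compile(r"^gpg:\s+using \w+ key ([0-9A-Fa-f]{16,40})\s*$")
RET_RE = re.compile(r"^Module::Signature verification returned value (\S+)")

def triage(log_text):
    """Classify a CPAN signature-check transcript, failing closed."""
    key_id, code, no_pubkey, bad_sig = None, None, False, False
    for line in log_text.splitlines():
        if m := KEY_RE.match(line):
            key_id = m.group(1).upper()
        elif m := RET_RE.match(line):
            code = m.group(1)
        elif line.startswith("gpg: Can't check signature: No public key"):
            no_pubkey = True
        elif line.startswith("gpg: BAD signature"):
            bad_sig = True
    result = MODSIG.get(code, "UNKNOWN")
    if bad_sig or result in TAMPER:
        verdict = "tampering-suspected"   # stop and investigate the file/mirror
    elif result == "SIGNATURE_OK" and not no_pubkey:
        verdict = "verified"
    else:
        verdict = "unverifiable"          # e.g. signer key absent from keyring
    return {"key_id": key_id, "result": result, "missing_key": no_pubkey,
            "verdict": verdict, "install": verdict == "verified"}

# Constructed sample: lines copied from the session in the report above.
SAMPLE = """\
CPAN: Module::Signature loaded ok (v0.88)
gpg: Signature made 2021-11-21T22:42:22 CET
gpg:                using RSA key B6A1739063760CCA
gpg: Can't check signature: No public key
Module::Signature verification returned value 0E0
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```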



