.\" Automatically generated by Pod::Man 4.07 (Pod::Simple 3.32) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .if !\nF .nr F 0 .if \nF>0 \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} .\} .\" ======================================================================== .\" .IX Title "Module::Signature 3pm" .TH Module::Signature 3pm "2016-10-27" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" Module::Signature \- Module signature file manipulation .SH "SYNOPSIS" .IX Header "SYNOPSIS" As a shell command: .PP .Vb 2 \& % cpansign # verify an existing SIGNATURE, or \& # make a new one if none exists \& \& % cpansign sign # make signature; overwrites existing one \& % cpansign \-s # same thing \& \& % cpansign verify # verify a signature \& % cpansign \-v # same thing \& % cpansign \-v \-\-skip # ignore files in MANIFEST.SKIP \& \& % cpansign help # display this documentation \& % cpansign \-h # same thing .Ve .PP In programs: .PP .Vb 3 \& use Module::Signature qw(sign verify SIGNATURE_OK); \& sign(); \& sign(overwrite => 1); # overwrites without asking \& \& # see the CONSTANTS section below \& (verify() == SIGNATURE_OK) or die "failed!"; .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBModule::Signature\fR adds cryptographic authentications to \s-1CPAN\s0 distributions, via the special \fI\s-1SIGNATURE\s0\fR file. .PP If you are a module user, all you have to do is to remember to run \&\f(CW\*(C`cpansign \-v\*(C'\fR (or just \f(CW\*(C`cpansign\*(C'\fR) before issuing \f(CW\*(C`perl Makefile.PL\*(C'\fR or \f(CW\*(C`perl Build.PL\*(C'\fR; that will ensure the distribution has not been tampered with. .PP Module authors can easily add the \fI\s-1SIGNATURE\s0\fR file to the distribution tarball; see \*(L"\s-1NOTES\*(R"\s0 below for how to do it as part of \f(CW\*(C`make dist\*(C'\fR. .PP If you \fIreally\fR want to sign a distribution manually, simply add \&\f(CW\*(C`SIGNATURE\*(C'\fR to \fI\s-1MANIFEST\s0\fR, then type \f(CW\*(C`cpansign \-s\*(C'\fR immediately before \f(CW\*(C`make dist\*(C'\fR. Be sure to delete the \fI\s-1SIGNATURE\s0\fR file afterwards. .PP Please also see \*(L"\s-1NOTES\*(R"\s0 about \fI\s-1MANIFEST.SKIP\s0\fR issues, especially if you are using \fBModule::Build\fR or writing your own \fI\s-1MANIFEST.SKIP\s0\fR. .SH "VARIABLES" .IX Header "VARIABLES" No package variables are exported by default. .ie n .IP "$Verbose" 4 .el .IP "\f(CW$Verbose\fR" 4 .IX Item "$Verbose" If true, Module::Signature will give information during processing including gpg output. If false, Module::Signature will be as quiet as possible as long as everything is working ok. Defaults to false. .ie n .IP "$SIGNATURE" 4 .el .IP "\f(CW$SIGNATURE\fR" 4 .IX Item "$SIGNATURE" The filename for a distribution's signature file. Defaults to \&\f(CW\*(C`SIGNATURE\*(C'\fR. .ie n .IP "$AUTHOR" 4 .el .IP "\f(CW$AUTHOR\fR" 4 .IX Item "$AUTHOR" The key \s-1ID\s0 used for \f(CW\*(C`gpg\*(C'\fR signature. If empty/null/0, \f(CW\*(C`gpg\*(C'\fR's configured default \s-1ID\s0 will be used for the signature. \s-1NOTE:\s0 this is used \fBonly\fR if \&\f(CW\*(C`gpg\*(C'\fR is available to create the signature. .ie n .IP "$KeyServer" 4 .el .IP "\f(CW$KeyServer\fR" 4 .IX Item "$KeyServer" The OpenPGP key server for fetching the author's public key (currently only implemented on \f(CW\*(C`gpg\*(C'\fR, not \f(CW\*(C`Crypt::OpenPGP\*(C'\fR). May be set to a false value to prevent this module from fetching public keys. .ie n .IP "$KeyServerPort" 4 .el .IP "\f(CW$KeyServerPort\fR" 4 .IX Item "$KeyServerPort" The OpenPGP key server port, defaults to \f(CW11371\fR. .ie n .IP "$Timeout" 4 .el .IP "\f(CW$Timeout\fR" 4 .IX Item "$Timeout" Maximum time to wait to try to establish a link to the key server. Defaults to \f(CW3\fR. .ie n .IP "$AutoKeyRetrieve" 4 .el .IP "\f(CW$AutoKeyRetrieve\fR" 4 .IX Item "$AutoKeyRetrieve" Whether to automatically fetch unknown keys from the key server. Defaults to \f(CW1\fR. .ie n .IP "$Cipher" 4 .el .IP "\f(CW$Cipher\fR" 4 .IX Item "$Cipher" The default cipher used by the \f(CW\*(C`Digest\*(C'\fR module to make signature files. Defaults to \f(CW\*(C`SHA1\*(C'\fR, but may be changed to other ciphers via the \f(CW\*(C`MODULE_SIGNATURE_CIPHER\*(C'\fR environment variable if the \s-1SHA1\s0 cipher is undesirable for the user. .Sp The cipher specified in the \fI\s-1SIGNATURE\s0\fR file's first entry will be used to validate its integrity. For \f(CW\*(C`SHA1\*(C'\fR, the user needs to have any one of these four modules installed: \fBDigest::SHA\fR, \&\fBDigest::SHA1\fR, \fBDigest::SHA::PurePerl\fR, or (currently nonexistent) \&\fBDigest::SHA1::PurePerl\fR. .ie n .IP "$Preamble" 4 .el .IP "\f(CW$Preamble\fR" 4 .IX Item "$Preamble" The explanatory text written to newly generated \fI\s-1SIGNATURE\s0\fR files before the actual entries. .SH "ENVIRONMENT" .IX Header "ENVIRONMENT" \&\fBModule::Signature\fR honors these environment variables: .IP "\s-1MODULE_SIGNATURE_AUTHOR\s0" 4 .IX Item "MODULE_SIGNATURE_AUTHOR" Works like \f(CW$AUTHOR\fR. .IP "\s-1MODULE_SIGNATURE_CIPHER\s0" 4 .IX Item "MODULE_SIGNATURE_CIPHER" Works like \f(CW$Cipher\fR. .IP "\s-1MODULE_SIGNATURE_VERBOSE\s0" 4 .IX Item "MODULE_SIGNATURE_VERBOSE" Works like \f(CW$Verbose\fR. .IP "\s-1MODULE_SIGNATURE_KEYSERVER\s0" 4 .IX Item "MODULE_SIGNATURE_KEYSERVER" Works like \f(CW$KeyServer\fR. .IP "\s-1MODULE_SIGNATURE_KEYSERVERPORT\s0" 4 .IX Item "MODULE_SIGNATURE_KEYSERVERPORT" Works like \f(CW$KeyServerPort\fR. .IP "\s-1MODULE_SIGNATURE_TIMEOUT\s0" 4 .IX Item "MODULE_SIGNATURE_TIMEOUT" Works like \f(CW$Timeout\fR. .SH "CONSTANTS" .IX Header "CONSTANTS" These constants are not exported by default. .ie n .IP "\s-1CANNOT_VERIFY \s0(0E0)" 4 .el .IP "\s-1CANNOT_VERIFY \s0(\f(CW0E0\fR)" 4 .IX Item "CANNOT_VERIFY (0E0)" Cannot verify the OpenPGP signature, maybe due to the lack of a network connection to the key server, or if neither gnupg nor Crypt::OpenPGP exists on the system. .ie n .IP "\s-1SIGNATURE_OK \s0(0)" 4 .el .IP "\s-1SIGNATURE_OK \s0(\f(CW0\fR)" 4 .IX Item "SIGNATURE_OK (0)" Signature successfully verified. .ie n .IP "\s-1SIGNATURE_MISSING \s0(""\-1"")" 4 .el .IP "\s-1SIGNATURE_MISSING \s0(\f(CW\-1\fR)" 4 .IX Item "SIGNATURE_MISSING (-1)" The \fI\s-1SIGNATURE\s0\fR file does not exist. .ie n .IP "\s-1SIGNATURE_MALFORMED \s0(""\-2"")" 4 .el .IP "\s-1SIGNATURE_MALFORMED \s0(\f(CW\-2\fR)" 4 .IX Item "SIGNATURE_MALFORMED (-2)" The signature file does not contains a valid OpenPGP message. .ie n .IP "\s-1SIGNATURE_BAD \s0(""\-3"")" 4 .el .IP "\s-1SIGNATURE_BAD \s0(\f(CW\-3\fR)" 4 .IX Item "SIGNATURE_BAD (-3)" Invalid signature detected \*(-- it might have been tampered with. .ie n .IP "\s-1SIGNATURE_MISMATCH \s0(""\-4"")" 4 .el .IP "\s-1SIGNATURE_MISMATCH \s0(\f(CW\-4\fR)" 4 .IX Item "SIGNATURE_MISMATCH (-4)" The signature is valid, but files in the distribution have changed since its creation. .ie n .IP "\s-1MANIFEST_MISMATCH \s0(""\-5"")" 4 .el .IP "\s-1MANIFEST_MISMATCH \s0(\f(CW\-5\fR)" 4 .IX Item "MANIFEST_MISMATCH (-5)" There are extra files in the current directory not specified by the \s-1MANIFEST\s0 file. .ie n .IP "\s-1CIPHER_UNKNOWN \s0(""\-6"")" 4 .el .IP "\s-1CIPHER_UNKNOWN \s0(\f(CW\-6\fR)" 4 .IX Item "CIPHER_UNKNOWN (-6)" The cipher used by the signature file is not recognized by the \&\f(CW\*(C`Digest\*(C'\fR and \f(CW\*(C`Digest::*\*(C'\fR modules. .SH "NOTES" .IX Header "NOTES" .ie n .SS "Signing your module as part of ""make dist""" .el .SS "Signing your module as part of \f(CWmake dist\fP" .IX Subsection "Signing your module as part of make dist" The easiest way is to use \fBModule::Install\fR: .PP .Vb 2 \& sign; # put this before "WriteAll" \& WriteAll; .Ve .PP For \fBExtUtils::MakeMaker\fR (version 6.18 or above), you may do this: .PP .Vb 4 \& WriteMakefile( \& (MM\->can(\*(Aqsignature_target\*(Aq) ? (SIGN => 1) : ()), \& # ... original arguments ... \& ); .Ve .PP Users of \fBModule::Build\fR may do this: .PP .Vb 4 \& Module::Build\->new( \& (sign => 1), \& # ... original arguments ... \& )\->create_build_script; .Ve .SS "\fI\s-1MANIFEST.SKIP\s0\fP Considerations" .IX Subsection "MANIFEST.SKIP Considerations" (The following section is lifted from Iain Truskett's \fBTest::Signature\fR module, under the Perl license. Thanks, Iain!) .PP It is \fBimperative\fR that your \fI\s-1MANIFEST\s0\fR and \fI\s-1MANIFEST.SKIP\s0\fR files be accurate and complete. If you are using \f(CW\*(C`ExtUtils::MakeMaker\*(C'\fR and you do not have a \fI\s-1MANIFEST.SKIP\s0\fR file, then don't worry about the rest of this. If you do have a \fI\s-1MANIFEST.SKIP\s0\fR file, or you use \&\f(CW\*(C`Module::Build\*(C'\fR, you must read this. .PP Since the test is run at \f(CW\*(C`make test\*(C'\fR time, the distribution has been made. Thus your \fI\s-1MANIFEST.SKIP\s0\fR file should have the entries listed below. .PP If you're using \f(CW\*(C`ExtUtils::MakeMaker\*(C'\fR, you should have, at least: .PP .Vb 5 \& #defaults \& ^Makefile$ \& ^blib/ \& ^pm_to_blib \& ^blibdirs .Ve .PP These entries are part of the default set provided by \&\f(CW\*(C`ExtUtils::Manifest\*(C'\fR, which is ignored if you provide your own \&\fI\s-1MANIFEST.SKIP\s0\fR file. .PP If you are using \f(CW\*(C`Module::Build\*(C'\fR, you should have two extra entries: .PP .Vb 2 \& ^Build$ \& ^_build/ .Ve .PP If you don't have the correct entries, \f(CW\*(C`Module::Signature\*(C'\fR will complain that you have: .PP .Vb 1 \& ==> MISMATCHED content between MANIFEST and distribution files! <== .Ve .PP You should note this during normal development testing anyway. .SS "Testing signatures" .IX Subsection "Testing signatures" You may add this code as \fIt/0\-signature.t\fR in your distribution tree: .PP .Vb 1 \& #!/usr/bin/perl \& \& use strict; \& print "1..1\en"; \& \& if (!$ENV{TEST_SIGNATURE}) { \& print "ok 1 # skip Set the environment variable", \& " TEST_SIGNATURE to enable this test\en"; \& } \& elsif (!\-s \*(AqSIGNATURE\*(Aq) { \& print "ok 1 # skip No signature file found\en"; \& } \& elsif (!eval { require Module::Signature; 1 }) { \& print "ok 1 # skip ", \& "Next time around, consider install Module::Signature, ", \& "so you can verify the integrity of this distribution.\en"; \& } \& elsif (!eval { require Socket; Socket::inet_aton(\*(Aqpool.sks\-keyservers.net\*(Aq) }) { \& print "ok 1 # skip ", \& "Cannot connect to the keyserver\en"; \& } \& else { \& (Module::Signature::verify() == Module::Signature::SIGNATURE_OK()) \& or print "not "; \& print "ok 1 # Valid signature\en"; \& } \& \& _\|_END_\|_ .Ve .PP If you are already using \fBTest::More\fR for testing, a more straightforward version of \fIt/0\-signature.t\fR can be found in the \&\fBModule::Signature\fR distribution. .PP Note that \f(CW\*(C`MANIFEST.SKIP\*(C'\fR is considered by default only when \&\f(CW$ENV{TEST_SIGNATURE}\fR is set to a true value. .PP Also, if you prefer a more full-fledged testing package, and are willing to inflict the dependency of \fBModule::Build\fR on your users, Iain Truskett's \fBTest::Signature\fR might be a better choice. .SH "SEE ALSO" .IX Header "SEE ALSO" Digest, Digest::SHA, Digest::SHA1, Digest::SHA::PurePerl .PP ExtUtils::Manifest, Crypt::OpenPGP, Test::Signature .PP Module::Install, ExtUtils::MakeMaker, Module::Build .PP Dist::Zilla::Plugin::Signature .SH "AUTHORS" .IX Header "AUTHORS" Audrey Tang .SH "LICENSE" .IX Header "LICENSE" This work is under a \fB\s-1CC0 1.0\s0 Universal\fR License, although a portion of the documentation (as detailed above) is under the Perl license. .PP To the extent possible under law, 唐鳳 has waived all copyright and related or neighboring rights to Module-Signature. .PP This work is published from Taiwan. .PP