cpanm's `--verify` doesn't work, if:

- `gpg` is not available in the system

What happens is, if Crypt::OpenPGP is installed, `Module::Signature::_verify($chksum)` will try to verify the empty string digest and always fail. If Crypt::OpenPGP is not installed, Module::Signature will always succeed, by comparing empty strings.

This is because cpanminus (and CPAN.pm) is using Module::Signature's private API, `_verify`, and Module::Signature doesn't always read the signature from its argument, depending on the backend it uses.

cc @audreyt @andk
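A fail-closed pre-check for the two conditions described in the issue above, as an added example (not code from cpanminus, CPAN.pm or Module::Signature). The names `find_on_path` and `preflight` and the sample inputs are hypothetical, and it assumes the gpg backend is a `gpg` executable found on PATH.

```perl
use strict;
use warnings;
use File::Spec;

# Return the first executable called $name on PATH, or undef if there is none.
sub find_on_path {
    my ($name) = @_;
    my @ext = $^O eq 'MSWin32' ? ('.exe', '.cmd', '.bat') : ('');
    for my $dir (File::Spec->path) {
        for my $ext (@ext) {
            my $candidate = File::Spec->catfile($dir, $name . $ext);
            return $candidate if -f $candidate && -x _;
        }
    }
    return;
}

# Decide whether a signature check may be attempted at all.
# Returns (1, $backend) or (0, $reason). Anything doubtful is a refusal,
# so "no backend" and "empty input" can never be reported as success.
sub preflight {
    my (%in) = @_;
    return (0, 'empty signature')
        unless defined $in{signature} && length $in{signature};
    return (0, 'empty digest')
        unless defined $in{digest} && length $in{digest};
    return (1, 'gpg')            if $in{have_gpg};
    return (1, 'Crypt::OpenPGP') if $in{have_openpgp};
    return (0, 'no cryptographic backend; a plain comparison is not verification');
}

# Probe the local environment for the two backends named in the issue.
my %env = (
    have_gpg     => defined find_on_path('gpg')          ? 1 : 0,
    have_openpgp => eval { require Crypt::OpenPGP; 1 }  ? 1 : 0,
);

# Constructed inputs: the empty/empty case from the issue and a populated one.
my @cases = (
    { name => 'both empty', signature => '', digest => '' },
    { name => 'populated',  signature => "-----BEGIN PGP SIGNATURE-----\n(constructed)\n",
      digest => 'constructed-digest' },
);

for my $case (@cases) {
    my ($ok, $why) = preflight(%$case, %env);
    printf "%-11s %s (%s)\n", $case->{name}, $ok ? 'proceed' : 'REFUSE', $why;
}
```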