In the modern world, it's nice to know that your kit is as the author built it. So, in theory we have signed distributions (e.g. Module::Signature).
But I don't see many of them. I wondered why. I made an effort: I got a PGP key for my cpan.org identity and signed a distribution. Took about 15 minutes to get set up. But no one can easily verify it. The keyservers will retrieve my public key, and confirm that the distribution is OK. Except that my key won't be trusted by anyone that a package installer knows. So the installer gets a WARNING, which is more confusing than helpful:

    cpansign -v
    Executing gpg --verify --batch --no-tty --keyserver=hkp://pool.sks-keyservers.net:11371 --keyserver-options=auto-key-retrieve SIGNATURE
    gpg: Signature made Sat 23 Jan 2016 03:14:33 PM EST using RSA key ID DE15D763
    gpg: Good signature from "Timothe Litt <tlhack...@cpan.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 08F6 5D21 0196 5DBA 0BE4 C81A B593 C736 DE15 D763
    ==> Signature verified OK! <==

It seems to me that PAUSE should have a mechanism for me to have my key signed by it. PAUSE knows who I am (account password + cpan address). If that were the case, all an installer would have to do is trust the CPAN key, and all authors would be covered. I looked for a discussion of this in the PAUSE FAQ and elsewhere, but came up dry. I expected that I could submit my public key to my PAUSE "Edit account info" page, and get an automated signed copy of my public key back... Am I missing something? Are authors encouraged to sign their distributions? Or is this an incomplete mechanism? This isn't earth-shattering for me - just curious...
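The confusing output above mixes two separate questions: whether the signature mathematically verifies ("Good signature") and whether the verifying key is trusted ("not certified with a trusted signature"). The following is an added example, not code from the post, from cpansign or from Module::Signature, showing how an installer can separate those two verdicts by reading gpg's machine-readable `--status-fd` lines instead of the human text, and how the digest half of a SIGNATURE check works. It assumes the cleartext body of a SIGNATURE file consists of one `<ALGO> <hexdigest> <path>` line per file; the file contents and the status lines are constructed samples, and the key ID is the long form of the fingerprint printed in the post.

```python
import hashlib

# Constructed sample: the files an author shipped, and the same set after one
# file was altered in transit. Not taken from the original post.
SHIPPED = {
    "MANIFEST": b"Changes\nMANIFEST\nSIGNATURE\nlib/Foo.pm\n",
    "Changes": b"0.01  first release\n",
    "lib/Foo.pm": b"package Foo;\nour $VERSION = '0.01';\n1;\n",
}
TAMPERED = dict(SHIPPED)
TAMPERED["lib/Foo.pm"] = b"package Foo;\nour $VERSION = '0.01';\nsystem('id');\n1;\n"


def make_digest_lines(files, algo="SHA256"):
    """Build the cleartext digest section as the author's signing step would.

    Assumed format: "<ALGO> <hexdigest> <path>" per MANIFEST file (SIGNATURE
    itself is not listed, since it cannot contain its own digest).
    """
    h = getattr(hashlib, algo.lower())
    return "\n".join(f"{algo} {h(data).hexdigest()} {path}"
                     for path, data in sorted(files.items()))


def check_digests(signature_text, files):
    """Return the paths whose digest does not match, or which are missing."""
    problems = []
    for line in signature_text.splitlines():
        parts = line.split(None, 2)      # path may contain spaces
        if len(parts) != 3:
            continue                     # skip headers / blank lines
        algo, expected, path = parts
        data = files.get(path)
        if data is None:
            problems.append(path)
            continue
        if getattr(hashlib, algo.lower())(data).hexdigest() != expected:
            problems.append(path)
    return problems


# Constructed gpg --status-fd output. Only the keyword after "[GNUPG:]" is
# interpreted; the fields after it are illustrative. The key ID is the long
# form of the fingerprint shown in the post.
KEYID = "B593C736DE15D763"
STATUS_UNTRUSTED = [          # what the post's cpansign run corresponds to
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {KEYID} Timothe Litt <tlhack...@cpan.org>",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
STATUS_TRUSTED = [            # same key, but certified by a key the user trusts
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {KEYID} Timothe Litt <tlhack...@cpan.org>",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
STATUS_MISSING = [            # key could not be retrieved at all
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] ERRSIG {KEYID} 1 8 00 0 9",
    f"[GNUPG:] NO_PUBKEY {KEYID}",
]


def classify_gpg_status(status_lines):
    """Reduce gpg status lines to one verdict.

    'bad'              signature does not verify or could not be checked
    'no-key'           public key not available
    'valid-untrusted'  good signature, but no trust path to the key
    'valid-trusted'    good signature from a key the local trust model accepts
    """
    keywords = {line.split()[1] for line in status_lines
                if line.startswith("[GNUPG:] ") and len(line.split()) > 1}
    if "NO_PUBKEY" in keywords:
        return "no-key"
    if "BADSIG" in keywords or "ERRSIG" in keywords or "GOODSIG" not in keywords:
        return "bad"
    if keywords & {"TRUST_FULLY", "TRUST_ULTIMATE"}:
        return "valid-trusted"
    return "valid-untrusted"


def verify_distribution(signature_text, files, status_lines, require_trust=True):
    """Installer-style policy: the PGP verdict and the digests must both pass.

    With require_trust=True the post's situation (good signature, untrusted
    key) is reported as such rather than as a plain success.
    """
    verdict = classify_gpg_status(status_lines)
    if verdict in ("bad", "no-key"):
        return verdict
    if verdict == "valid-untrusted" and require_trust:
        return verdict
    return "tampered" if check_digests(signature_text, files) else "ok"


if __name__ == "__main__":
    sig = make_digest_lines(SHIPPED)
    print(verify_distribution(sig, SHIPPED, STATUS_UNTRUSTED))   # valid-untrusted
    print(verify_distribution(sig, TAMPERED, STATUS_TRUSTED))    # tampered
```

The design point is that `verify_distribution` never treats "Good signature" alone as success: a valid signature from an unknown key only proves the tarball matches what some key holder signed, which is exactly the gap the post's PAUSE-signed-key proposal is meant to close.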