Discussion:
Using the --verify option on cpanm
Abhijith Chandrashekar
2014-07-18 00:17:59 UTC
Hello,

I intend to use cpanm to download perl modules into a secure environment that is guarded by firewalls and have a couple of questions on how to do that.


a. I want to be able to verify the perl module that has been downloaded by its signature. cpanm provides an option for this called --verify, but the description for the option is a little ambiguous -

--verify
Verify the integrity of distribution files retrieved from PAUSE using CHECKSUMS and SIGNATURES (if found). Defaults to false.
It sounds like it means that the signature will be checked only if it is present. If the --verify option is used and the signature is missing, will the package be downloaded and installed nonetheless?


b. How does one obtain the public key that is used to check these signatures? Is it installed along with cpanm?

Please let me know if this is not the appropriate mailing list to pose these questions. Appreciate any help.

Thanks,
Abhi
Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯
2014-07-18 01:00:55 UTC
Post by Abhijith Chandrashekar
It sounds
like it means that the signature will be checked only if it is
present. If the --verify option is used and the signature is missing,
will the package be downloaded and installed nonetheless?
Yes, and it works the same as the traditional CPAN client with signature
support enabled. Most distributions are not signed because it's an
optional feature. All distributions are checksummed by PAUSE.
Post by Abhijith Chandrashekar
How does one obtain the public key that is used to check
these signatures? Is it installed along with cpanm?
cpanminus just delegates to Module::Signature::_verify. This fetches the
public key via [HKP](http://enwp.org/OpenPGP_HTTP_Keyserver_Protocol).
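Lars's answer means that with --verify an unsigned distribution is still installed, and that key lookup happens through Module::Signature. The following is an added example, not code from the thread, from cpanminus or from Module::Signature, showing how the same module can be driven fail-closed: a distribution directory without a SIGNATURE file is rejected rather than passed, and automatic key retrieval from a key server is switched off so only keys already present in the local GnuPG keyring can make a signature verify. The two throwaway "distributions" it builds are constructed inputs so that the script runs offline; pass the path of a real extracted distribution as an argument to check that one too.

```perl
#!/usr/bin/env perl
# Added example: fail-closed signature check for an extracted CPAN
# distribution directory, built on Module::Signature (the module that
# cpanm --verify delegates to). Unlike --verify, a missing SIGNATURE is a
# hard failure, and key auto-retrieval from a key server is disabled so
# only keys already in the local GnuPG keyring are accepted.
use strict;
use warnings;
use Cwd               qw(getcwd);
use File::Temp        qw(tempdir);
use Module::Signature qw(verify
    SIGNATURE_OK SIGNATURE_MISSING SIGNATURE_MALFORMED SIGNATURE_BAD
    SIGNATURE_MISMATCH MANIFEST_MISMATCH CIPHER_UNKNOWN);

# Do not contact a key server: an unknown signer is a failure, not a
# prompt to go and fetch its key over HKP.
$Module::Signature::AutoKeyRetrieve = 0;

# Human-readable reasons for each documented verify() return value.
my %reason = (
    SIGNATURE_OK()        => 'signature OK',
    SIGNATURE_MISSING()   => 'no SIGNATURE file in distribution',
    SIGNATURE_MALFORMED() => 'SIGNATURE is not a PGP clearsigned message',
    SIGNATURE_BAD()       => 'signature does not verify (bad or unknown key)',
    SIGNATURE_MISMATCH()  => 'signed digests differ from the files on disk',
    MANIFEST_MISMATCH()   => 'MANIFEST differs from the files on disk',
    CIPHER_UNKNOWN()      => 'unknown digest algorithm named in SIGNATURE',
);

# Returns (ok, message). ok is true only for SIGNATURE_OK; every other
# outcome, including "no signature at all", is a rejection.
sub check_dist_dir {
    my ($dir) = @_;
    my $orig = getcwd();
    chdir $dir or return (0, "cannot chdir to $dir: $!");
    # verify() inspects the current directory and prints its own warnings;
    # silence those and report through the return value instead.
    my $rv = eval { local $SIG{__WARN__} = sub { }; verify() };
    my $err = $@;
    chdir $orig or die "cannot chdir back to $orig: $!";
    return (0, "verify() died: $err") if $err;
    my $msg = $reason{$rv} // "unexpected return value $rv";
    return ($rv == SIGNATURE_OK ? 1 : 0, $msg);
}

# Constructed inputs (not real distributions) so this runs offline:
# one directory with a MANIFEST but no SIGNATURE, one whose SIGNATURE is
# not a clearsigned message. Both must be rejected.
my $unsigned = tempdir(CLEANUP => 1);
open my $m, '>', "$unsigned/MANIFEST" or die "MANIFEST: $!";
print $m "MANIFEST\nlib/Foo.pm\n";
close $m;

my $garbage = tempdir(CLEANUP => 1);
open my $s, '>', "$garbage/SIGNATURE" or die "SIGNATURE: $!";
print $s "this is not a clearsigned message\n";
close $s;

my $n_fail = 0;
for my $dir ($unsigned, $garbage, @ARGV) {
    my ($ok, $why) = check_dist_dir($dir);
    printf "%-6s %s: %s\n", $ok ? 'ACCEPT' : 'REJECT', $dir, $why;
    $n_fail++ unless $ok;
}
exit($n_fail ? 1 : 0);
```

Because SIGNATURE_OK is the only accepted value, a distribution from an author who has never signed releases fails this check; that is the intended trade-off for an environment that wants every installed module attributable to a key it already holds. The keyring itself still has to be populated out of band, for example by importing author keys that were checked against fingerprints obtained through a second channel.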
Abhijith Chandrashekar
2014-07-18 17:19:57 UTC
Thanks for the response Lars.

You said -
Post by Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯
cpanminus just delegates to Module::Signature::_verify. This fetches the
public key via [HKP](http://enwp.org/OpenPGP_HTTP_Keyserver_Protocol)

Can you tell me where it fetches the public key from? Do you know if this
key server supports secured key requests over TLS?
Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯
2014-07-19 23:53:53 UTC
Post by Abhijith Chandrashekar
where it fetches the public key from?
From the configured
[SKS](http://enwp.org/Key_server_%28cryptographic%29#External_links):

$ ack ^keyserver ~/.gnupg/gpg.conf
keyserver hkp://keys.gnupg.net
keyserver-options auto-key-retrieve verbose no-include-revoked

It does not really matter. The servers sync their databases regularly.
The hostname keys.gnupg.net is a DNS round-robin pool.
Post by Abhijith Chandrashekar
key server supports secured key requests over TLS?
No, that's pointless.
Abhijith Chandrashekar
2014-07-20 23:58:11 UTC
Thanks once again. This might be a tangential discussion but can you tell
me why key requests over TLS are pointless? In building a secure
environment ground-up, ensuring that the basic infrastructure (public keys
et al) was pristine to begin with is a very important requirement. If the
key is served over http, it is possible that the base copy was mangled
when it was first downloaded. Any perl modules that are later
verified with this potentially mangled public key become questionable
since we don’t know that the key was pristine to begin with. Please tell
me if I’m understanding this incorrectly.

Abhijith
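Abhijith's concern is that the public key used for later verifications may itself have been altered when it was first obtained. Whatever transport the key server offers, what a verifier can anchor on is the signing key's full fingerprint, compared against a list obtained and checked out of band. The following is an added example, not code from the thread or from any of the tools named in it: it runs gpg on a distribution's SIGNATURE file with key auto-retrieval disabled, reads gpg's machine-readable status lines, and accepts only a valid signature from a pinned fingerprint. The fingerprints and the status lines it exercises offline are constructed placeholders, not real CPAN author keys or captured gpg output.

```perl
#!/usr/bin/env perl
# Added example: accept a distribution's SIGNATURE file only when gpg reports
# a valid signature AND the signing key's full fingerprint is on an allow-list
# provisioned out of band. Key auto-retrieval is disabled: the key must already
# be in the local keyring, and how it got there is not what is trusted here.
use strict;
use warnings;
use IPC::Open3 qw(open3);
use Symbol     qw(gensym);

# Assumed allow-list: placeholder fingerprints, not any real CPAN author's key.
my %TRUSTED_FPR = map { $_ => 1 } (
    'AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555',
);

# Decide from gpg's machine-readable status lines (the --status-fd protocol
# described in doc/DETAILS of the GnuPG source). Only VALIDSIG carries the
# full fingerprint; GOODSIG is also emitted for keys gpg holds but does not
# trust, and BADSIG or ERRSIG appear for a corrupted signature or a key that
# is absent from the keyring. Returns (ok, detail).
sub verdict_from_status {
    my ($status_lines, $trusted) = @_;
    my ($fpr) = map { /^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})\b/ ? $1 : () } @$status_lines;
    return (0, 'no valid signature (bad signature or key not in keyring)') unless defined $fpr;
    return (0, "valid signature, but key $fpr is not pinned") unless $trusted->{$fpr};
    return (1, "signed by pinned key $fpr");
}

# Run gpg on a real clearsigned SIGNATURE file and feed its status lines
# to the decision above.
sub verify_signature_file {
    my ($sigfile, $trusted) = @_;
    my $err = gensym;
    my $pid = open3(my $in, my $out, $err,
        'gpg', '--batch', '--no-tty',
        '--keyserver-options', 'no-auto-key-retrieve',
        '--status-fd', '1',          # status protocol on stdout
        '--verify', $sigfile);       # human-readable output stays on stderr
    close $in;
    my @status = <$out>;
    waitpid $pid, 0;
    return verdict_from_status(\@status, $trusted);
}

# Constructed status output (not captured from a real run) so the decision
# logic can be exercised offline: bad signature, valid but unpinned key,
# valid and pinned key.
my @cases = (
    [bad      => ["[GNUPG:] NEWSIG\n",
                  "[GNUPG:] BADSIG 3333DDDD4444EEEE Someone <someone\@example.invalid>\n"]],
    [unpinned => ["[GNUPG:] GOODSIG 7777BBBB8888CCCC Other <other\@example.invalid>\n",
                  "[GNUPG:] VALIDSIG 99990000AAAA1111BBBB22227777BBBB8888CCCC 2014-07-18 1405641600 0 4 0 1 8 01 99990000AAAA1111BBBB22227777BBBB8888CCCC\n"]],
    [pinned   => ["[GNUPG:] GOODSIG DDDD4444EEEE5555 Someone <someone\@example.invalid>\n",
                  "[GNUPG:] VALIDSIG AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 2014-07-18 1405641600 0 4 0 1 8 01 AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\n"]],
);
for my $c (@cases) {
    my ($ok, $detail) = verdict_from_status($c->[1], \%TRUSTED_FPR);
    printf "%-6s %-8s %s\n", $ok ? 'ACCEPT' : 'REJECT', $c->[0], $detail;
}

# With a path argument, verify a real SIGNATURE file against the same list.
if (@ARGV) {
    my ($ok, $detail) = verify_signature_file($ARGV[0], \%TRUSTED_FPR);
    print $ok ? 'ACCEPT' : 'REJECT', " $ARGV[0]: $detail\n";
    exit($ok ? 0 : 1);
}
```

The offline cases print REJECT for the bad signature, REJECT for the valid-but-unpinned key and ACCEPT for the pinned one. The point of pinning the full 40-hex-digit fingerprint rather than the 16-digit key ID shown in GOODSIG is that the fingerprint is what identifies the key; a key retrieved over any channel is only as trustworthy as the comparison of its fingerprint against a value obtained independently.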
Abhijith Chandrashekar
2014-07-29 21:57:06 UTC
Hello,

I haven’t heard any response regarding this. Just wanted to bring it back
to the forefront and check if anyone knew about the reason why secured key
requests aren’t provisioned?

Thanks,
Abhijith
