dorko has asked for the wisdom of the Perl Monks concerning the following question:


I'm having some problems with CPAN. I haven't used CPAN in 3-4 months on the Linux server in question. Previously things were working fine, now when I tried to add a module CPAN is failing.

There might have been a tweak or two made to the server. (I'm not the server administrator, I just have sudo access to run CPAN and a few other things.) But the maintainers are pretty good about notifying me of changes.

And to further confuse things, I upgraded CPAN from 2.28 to 2.29 when CPAN let me know there was a new version available. I really don't think that's the problem - I'm just throwing that out there for completeness. It's something that has changed since the last time it was working correctly.

This is a pretty good example of what I'm experiencing.

I execute CPAN like so: sudo /opt/canvas/perl/bin/cpan. It runs as root as it always has. I'm using as my mirror.

Upgrading a simple and straight forward module like Data::Dumper:

cpan> m Data::Dumper Reading '/root/.cpan/Metadata' Database was generated on Thu, 24 Feb 2022 08:55:45 GMT Module id = Data::Dumper CPAN_USERID XSAWYERX (Sawyer X <xsawyerx [AT] cpan [DOT] org>) CPAN_VERSION 2.183 CPAN_FILE N/NW/NWCLARK/Data-Dumper-2.183.tar.gz MANPAGE Data::Dumper - stringified perl data structures, suit +able for both printing and C<eval> INST_FILE /opt/perl/lib/5.32.0/x86_64-linux/Data/ INST_VERSION 2.174
I've got installed, so let's move on to a GET.

cpan> get Data::Dumper Running get for module 'Data::Dumper' WARNING: This key is not certified with a trusted signature! Primary key fingerprint: 2E66 557A B97C 19C7 91AF 8E20 328D A867 450F + 89EC Signature for /root/.cpan/sources/authors/id/N/NW/NWCLARK/CHECKSUMS ok Could not open /tmp/CHECKSUMS-m5aV/CHECKSUMS.77905: No such file or di +rectory
The file for Data::Dumper correctly is downloaded were it should be (with a fresh timestamp): /root/.cpan/sources/authors/id/N/NW/NWCLARK/Data-Dumper-2.183.tar.gz.

The permissions on /tmp are correct, and I'm running as root via sudo.

That feels like a PGP/GPG error to me, but I'm guessing on that point.

Thoughts? Questions? Suggestions? Any help would be greatly appreciated.



-- Yup, I'm a Delt.

Replies are listed 'Best First'.
Re: Key Not Certified in CPAN
by hippo (Bishop) on Feb 24, 2022 at 22:13 UTC

      Spot on. Thank you very much. I set check_sigs to 0 (ie false) in and modules are back to being installable again.

      But... That doesn't feel like the most secure thing in the world to be doing. Anyone with suggestions I can try to get the CHECKSUMS working?



      -- Yup, I'm a Delt.
        Anyone with suggestions I can try to get the CHECKSUMS working

        I don't use the default CPAN client. But the two suggestions I have:

        1. Don't override the mirror; per my understanding of the blog post, an extra layer of security can be added by the main site that isn't available on the mirrors. (I am not a security expert; this is just what I've gathered.)
          Back in the 90s, with the much slower network backbone speeds available, and not many resources behind any individual machine name, it made sense to have a mirroring system and pick a nearby mirror. But in today's load-balanced systems, where the same machine name ( can point to any number of physical machines that are serving out those results, possibly in geographically separate locations, there isn't as much need for the mirror. (I am not a networking expert; this is just what I've gathered.)
        2. The warning said that your system didn't trust the PAUSE key; that is a GPG-related topic. If you believe me when I say that I believe PAUSE publishes their public key at and that the fingerprint that your warning printed out was the same as the fingerprint published there, and if you believe that the key shown there really is the PAUSE Batch Signing Key, then you might want to import that public key into your keyring -- I believe this will eliminate that error.

        However, I don't know that I'm convinced either of those will solve your problem: the message you quoted originally says that the actual CHECKSUMS file signature was okay; the problem it seemed to have was with opening a temporary CHECKSUMS.77905 file that wasn't there; I do not know what that file is, as compared to the CHECKSUMS file that was downloaded when you tried to get the package. I don't know whether doing the two above things will allow that temporary file to be correctly generated/extracted and thus allow the process to move forward. But since you were asking for any suggestions for things to try, I think this qualifies, fruitful or not ;-).

Re: Key Not Certified in CPAN
by kcott (Archbishop) on Feb 25, 2022 at 08:49 UTC