PerlMonks

Re: Key Not Certified in CPAN

by hippo (Bishop)
on Feb 24, 2022 at 22:13 UTC


in reply to SOLVED: Key Not Certified in CPAN

I upgraded CPAN from 2.28 to 2.29

I refer you to the section on CPAN 2.29 in this summary of the fixes for last year's vulnerabilities.


🦛

Replies are listed 'Best First'.
Re^2: Key Not Certified in CPAN
by dorko (Prior) on Feb 24, 2022 at 22:45 UTC
    hippo,

    Spot on. Thank you very much. I set check_sigs to 0 (i.e. false) in MyConfig.pm and modules are back to being installable again.

    But... That doesn't feel like the most secure thing in the world to be doing. Anyone with suggestions I can try to get the CHECKSUMS working?

    Cheers,

    Brent

    -- Yup, I'm a Delt.
      Anyone with suggestions I can try to get the CHECKSUMS working

      I don't use the default CPAN client. But the two suggestions I have:

      1. Don't override the mirror; per my understanding of the blog post, an extra layer of security can be added by the main cpan.org site that isn't available on the mirrors. (I am not a security expert; this is just what I've gathered.)
        Back in the 90s, with the much slower network backbone speeds available, and not many resources behind any individual machine name, it made sense to have a mirroring system and pick a nearby mirror. But in today's load-balanced systems, where the same machine name (www.cpan.org) can point to any number of physical machines that are serving out those results, possibly in geographically separate locations, there isn't as much need for the mirror. (I am not a networking expert; this is just what I've gathered.)
      2. The warning said that your system didn't trust the PAUSE key; that is a GPG-related topic. If you believe me when I say that I believe PAUSE publishes their public key at https://pause.perl.org/pause/query?ACTION=pause_04about#pubkeybat and that the fingerprint that your warning printed out was the same as the fingerprint published there, and if you believe that the key shown there really is the PAUSE Batch Signing Key, then you might want to import that public key into your keyring -- I believe this will eliminate that error.

      However, I don't know that I'm convinced either of those will solve your problem: the message you quoted originally says that the actual CHECKSUMS file signature was okay; the problem it seemed to have was with opening a temporary CHECKSUMS.77905 file that wasn't there; I do not know what that file is, as compared to the CHECKSUMS file that was downloaded when you tried to get the package. I don't know whether doing the two above things will allow that temporary file to be correctly generated/extracted and thus allow the process to move forward. But since you were asking for any suggestions for things to try, I think this qualifies, fruitful or not ;-).

        Let me say I'm very happy with where I'm at. I can get work done and that's a good thing.

        I did spend a little time with it this morning. I imported two keys thusly:

        bshawadmin@NET3862:~/.cpan/CPAN$ sudo /bin/gpg --import /home/ad/bshawadmin/publickey01.key
        gpg: key 450F89EC: "PAUSE Batch Signing Key 2022 <pause@pause.perl.org>" 8 new signatures
        gpg: Total number processed: 1
        gpg: new signatures: 8
        gpg: no ultimately trusted keys found
        bshawadmin@NET3862:~/.cpan/CPAN$ sudo /bin/gpg --import /home/ad/bshawadmin/publickey02.key
        gpg: key A317C15D: "Andreas J. Koenig <andreas.koenig.7os6VVqR@franz.ak.mind.de>" not changed
        gpg: Total number processed: 1
        gpg: unchanged: 1
        The keys are from https://pause.perl.org/pause/query?ACTION=pause_04about#pubkeybat as suggested by pryrt. I also did rm -rf /root/.cpan/CPAN/* to force new downloads of things (thank you Ken). Lastly I pointed my urllist to https://www.cpan.org/. (I previously had urllist pointed to an internal CPAN mirror on our network suggested to me by our networking / admin staff.)

        Despite those changes, I'm still seeing the "key not certified with a trusted signature" problem:

        cpan> get Data::Dumper
        Running get for module 'Data::Dumper'
        WARNING: This key is not certified with a trusted signature!
        Primary key fingerprint: 2E66 557A B97C 19C7 91AF 8E20 328D A867 450F 89EC
        Signature for /root/.cpan/sources/authors/id/N/NW/NWCLARK/CHECKSUMS ok
        Could not open /tmp/CHECKSUMS-3F6L/CHECKSUMS.64163: No such file or directory
        And I agree the "could not open" error is problematic as well.

        I'm more than happy to switch check_sigs back to 0 and declare victory. If anyone has any other suggestions, I'm willing to tinker to see if I can get things working as we all know they could be.

        Thanks again.

        Cheers,

        Brent

        -- Yup, I'm a Delt.
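As an added example (not code from the thread, from CPAN or from PAUSE), here is a Python check that applies pryrt's fingerprint comparison to the transcript Brent posted: it rejoins PerlMonks' "+" wrapped lines, pins the full 40-hex fingerprint rather than the 8-hex key ID shown by gpg --import, and reports separately whether the CHECKSUMS signature verified, whether the local keyring trusts the key, and whether the temporary CHECKSUMS file error is present. The sample transcript is constructed from the output quoted above; the pinned fingerprint is the one printed in that warning and should itself be confirmed against pause.perl.org out of band.

```python
import re

# Fingerprint printed in the warning above; confirm it out of band against the
# PAUSE "about" page before pinning it (assumption: it is the genuine batch key).
PINNED_PAUSE_FINGERPRINT = "2E66 557A B97C 19C7 91AF 8E20 328D A867 450F 89EC"

# Constructed sample: the `cpan> get Data::Dumper` transcript from the thread,
# including PerlMonks' leading-"+" line-wrap markers.
SAMPLE_OUTPUT = """\
Running get for module 'Data::Dumper'
WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 2E66 557A B97C 19C7 91AF 8E20 328D A867 450F
+ 89EC
Signature for /root/.cpan/sources/authors/id/N/NW/NWCLARK/CHECKSUMS ok
Could not open /tmp/CHECKSUMS-3F6L/CHECKSUMS.64163: No such file or di
+rectory
"""


def unwrap(output):
    """Rejoin lines that PerlMonks wrapped with a leading '+' marker."""
    return re.sub(r"\n\+", "", output)


def normalize_fingerprint(text):
    """Return the 40 hex digits of a full fingerprint, or None otherwise.
    A bare 8- or 16-digit key ID (e.g. 450F89EC) is rejected on purpose:
    short IDs are cheap to collide, so only the full fingerprint is pinned."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    return digits if len(digits) == 40 else None


def check_checksums_signature(output, pinned):
    """Classify a CPAN/gpg CHECKSUMS verification transcript against a pinned key."""
    text = unwrap(output)
    fp = re.search(r"Primary key fingerprint:\s*([0-9A-Fa-f ]+)", text)
    seen = normalize_fingerprint(fp.group(1)) if fp else None
    return {
        # gpg verified the signature cryptographically
        "signature_ok": bool(re.search(r"Signature for \S+CHECKSUMS ok", text)),
        # the signing key is the one we pinned, independent of keyring trust
        "fingerprint_pinned": seen is not None and seen == normalize_fingerprint(pinned),
        # the local keyring has a trust path to the key (the warning is absent)
        "key_trusted": "not certified with a trusted signature" not in text,
        # the separate temp-file failure that remains even with a trusted key
        "missing_temp_file": bool(re.search(r"Could not open \S*CHECKSUMS\.\d+", text)),
    }


if __name__ == "__main__":
    print(check_checksums_signature(SAMPLE_OUTPUT, PINNED_PAUSE_FINGERPRINT))
```

The result separates the two problems in the thread: the trust warning clears only when the keyring trusts the key, while the missing temporary file is an unrelated failure that importing keys will not fix.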
