
missing option to set/override $KeyServer $scheme = hkps://, and MODULE_SIGNATURE_KEYSERVER points to discontinued sks-keyservers pool #32

Closed
pgnd opened this issue May 31, 2022 · 2 comments

Comments


pgnd commented May 31, 2022

with Module::Signature installed & in use, cpan{,m,p} ignores 'keyserver' settings from ~/.gnupg/gpg.conf, where explicit keyserver URI schemes can be set/defined.

Module::Signature keyserver host & port can be overridden by exporting env vars,

MODULE_SIGNATURE_KEYSERVER
MODULE_SIGNATURE_KEYSERVERPORT

in src,

./lib/Module/Signature.pm

sub _keyserver {
    my $version = shift;
    my $scheme = 'x-hkp';
    $scheme = 'hkp' if $version ge '1.2.0';

    return "$scheme://$KeyServer:$KeyServerPort";
}

, regardless of keyserver, the scheme is set to "hkp://"

so on exec, "--keyserver=hkp://" is generated/sent,

cpansign -v
	Executing gpg --verify --batch --no-tty --keyserver=hkp://keyserver.ubuntu.com:443 --keyserver-options=auto-key-retrieve /tmp/IOcdbIdJMt

also, NOTE that the default in src,

$KeyServer      = $ENV{MODULE_SIGNATURE_KEYSERVER} || 'pool.sks-keyservers.net';

points to 'pool.sks-keyservers.net', which has been DISCONTINUED,

sks-keyservers.net pool DNS records disabled effective immediately

https://sks-keyservers.net/ announced

This service is deprecated. This means it is no longer maintained, and new HKPS certificates will not be issued. Service reliability should not be expected.

    Update 2021-06-21: Due to even more GDPR takedown requests, the DNS records for the pool will no longer be provided at all.

To support newer servers and differing schemes, can "$KeyServerScheme" be added as an ENV VAR? Perhaps,

$KeyServerScheme = $ENV{MODULE_SIGNATURE_KEYSERVER_SCHEME} || 'hkps';

, and used in the 'sub _keyserver {' ?

and,
some other supported server def'd as default,

-	$KeyServer      = $ENV{MODULE_SIGNATURE_KEYSERVER} || 'pool.sks-keyservers.net';
+	$KeyServer      = $ENV{MODULE_SIGNATURE_KEYSERVER} || 'keyserver.ubuntu.com';
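Review bot: swapping only the host leaves the scheme hard-coded to hkp in _keyserver, so the new default is still reached over plaintext HKP (the cpansign trace above shows hkp:// even with port 443 set); the scheme override proposed in this issue, with a port default that matches it, belongs in the same change so the replacement server is actually used over hkps.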

, or similar?
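What the proposed override could look like, as an added example that is not Module::Signature's own code: the env var name MODULE_SIGNATURE_KEYSERVER_SCHEME, the hkps default, the per-scheme port fallback and the $env parameter (so it can be exercised without touching the real environment) are all assumptions.

```perl
#!/usr/bin/perl
# Added example, not Module::Signature's code: a _keyserver variant that
# honours a scheme override (assumed env var MODULE_SIGNATURE_KEYSERVER_SCHEME),
# defaults to hkps, and picks a port that matches the scheme when none is set.
use strict;
use warnings;

# default port per scheme (hkps rides on 443, plain hkp on 11371)
my %DEFAULT_PORT = (hkps => 443, hkp => 11371);

# Build the --keyserver URI. $version is the gpg version string, compared as
# a string exactly as the original sub does; $env is the environment hash
# (passed in here so constructed environments can be tried).
sub keyserver_uri {
    my ($version, $env) = @_;
    $env ||= \%ENV;

    my $scheme = lc($env->{MODULE_SIGNATURE_KEYSERVER_SCHEME} || 'hkps');
    # accept only the two HKP schemes, so a stray value cannot turn into an
    # arbitrary URI handed to gpg on the command line
    die "unsupported keyserver scheme '$scheme'\n"
        unless exists $DEFAULT_PORT{$scheme};

    # gpg older than 1.2.0 only knows the x-hkp alias for plain hkp
    my $port_key = $scheme;
    $scheme = 'x-hkp' if $scheme eq 'hkp' && $version lt '1.2.0';

    my $host = $env->{MODULE_SIGNATURE_KEYSERVER}     || 'keyserver.ubuntu.com';
    my $port = $env->{MODULE_SIGNATURE_KEYSERVERPORT} || $DEFAULT_PORT{$port_key};

    return "$scheme://$host:$port";
}

# constructed sample environments
print keyserver_uri('2.2.27', {}), "\n";
print keyserver_uri('2.2.27', { MODULE_SIGNATURE_KEYSERVER_SCHEME => 'hkp' }), "\n";
print keyserver_uri('1.0.7',  { MODULE_SIGNATURE_KEYSERVER_SCHEME => 'hkp',
                                MODULE_SIGNATURE_KEYSERVER => 'keys.example.org' }), "\n";
```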

@haarg
Contributor

haarg commented Jun 3, 2022

I've created PR #34 to at least fix the key server.

@timlegge
Collaborator

timlegge commented Sep 2, 2024

Logged #37 to address the remaining item. Closing

@timlegge timlegge closed this as completed Sep 2, 2024