Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid
 
PerlMonks  

SOLVED: Key Not Certified in CPAN

by dorko (Prior)
on Feb 24, 2022 at 22:01 UTC ( [id://11141625]=perlquestion: print w/replies, xml ) Need Help??

dorko has asked for the wisdom of the Perl Monks concerning the following question:

Hello,

I'm having some problems with CPAN. I haven't used CPAN in 3-4 months on the Linux server in question. Previously things were working fine, now when I tried to add a module CPAN is failing.

There might have been a tweak or two made to the server. (I'm not the server administrator, I just have sudo access to run CPAN and a few other things.) But the maintainers are pretty good about notifying me of changes.

And to further confuse things, I upgraded CPAN from 2.28 to 2.29 when CPAN let me know there was a new version available. I really don't think that's the problem - I'm just throwing that out there for completeness. It's something that has changed since the last time it was working correctly.

This is a pretty good example of what I'm experiencing.

I execute CPAN like so: sudo /opt/canvas/perl/bin/cpan. It runs as root as it always has. I'm using ftp://cpan.cs.utah.edu/CPAN/ as my mirror.

Upgrading a simple and straight forward module like Data::Dumper: 

cpan> m Data::Dumper
Reading '/root/.cpan/Metadata'
  Database was generated on Thu, 24 Feb 2022 08:55:45 GMT
Module id = Data::Dumper
    CPAN_USERID  XSAWYERX (Sawyer X <xsawyerx [AT] cpan [DOT] org>)
    CPAN_VERSION 2.183
    CPAN_FILE    N/NW/NWCLARK/Data-Dumper-2.183.tar.gz
    MANPAGE      Data::Dumper - stringified perl data structures, suit
+able for both printing and C<eval>
    INST_FILE    /opt/perl/lib/5.32.0/x86_64-linux/Data/Dumper.pm
    INST_VERSION 2.174

[download]
I've got installed, so let's move on to a GET.

cpan> get Data::Dumper
Running get for module 'Data::Dumper'
WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 2E66 557A B97C 19C7 91AF  8E20 328D A867 450F
+ 89EC
Signature for /root/.cpan/sources/authors/id/N/NW/NWCLARK/CHECKSUMS ok
Could not open /tmp/CHECKSUMS-m5aV/CHECKSUMS.77905: No such file or di
+rectory

[download]
The file for Data::Dumper correctly is downloaded were it should be (with a fresh timestamp): /root/.cpan/sources/authors/id/N/NW/NWCLARK/Data-Dumper-2.183.tar.gz.

The permissions on /tmp are correct, and I'm running as root via sudo.

That feels like a PGP/GPG error to me, but I'm guessing on that point.

Thoughts? Questions? Suggestions? Any help would be greatly appreciated.

Cheers,

Brent

-- Yup, I'm a Delt.

Replies are listed 'Best First'.
Re: Key Not Certified in CPAN
by hippo (Bishop) on Feb 24, 2022 at 22:13 UTC
[reply]
      hippo,

      Spot on. Thank you very much. I set check_sigs to 0 (ie false) in MyConfig.pm and modules are back to being installable again.

      But... That doesn't feel like the most secure thing in the world to be doing. Anyone with suggestions I can try to get the CHECKSUMS working?

      Cheers,

      Brent

      -- Yup, I'm a Delt.
[reply]
[d/l]
[select]
        Anyone with suggestions I can try to get the CHECKSUMS working

        I don't use the default CPAN client. But the two suggestions I have:

        1. Don't override the mirror; per my understanding of the blog post, an extra layer of security can be added by the main cpan.org site that isn't available on the mirrors. (I am not a security expert; this is just what I've gathered.)
          Back in the 90s, with the much slower network backbone speeds available, and not many resources behind any individual machine name, it made sense to have a mirroring system and pick a nearby mirror. But in today's load-balanced systems, where the same machine name (www.cpan.org) can point to any number of physical machines that are serving out those results, possibly in geographically separate locations, there isn't as much need for the mirror. (I am not a networking expert; this is just what I've gathered.)
        2. The warning said that your system didn't trust the PAUSE key; that is a GPG-related topic. If you believe me when I say that I believe PAUSE publishes their public key at https://pause.perl.org/pause/query?ACTION=pause_04about#pubkeybat and that the fingerprint that your warning printed out was the same as the fingerprint published there, and if you believe that the key shown there really is the PAUSE Batch Signing Key, then you might want to import that public key into your keyring -- I believe this will eliminate that error.

        However, I don't know that I'm convinced either of those will solve your problem: the message you quoted originally says that the actual CHECKSUMS file signature was okay; the problem it seemed to have was with opening a temporary CHECKSUMS.77905 file that wasn't there; I do not know what that file is, as compared to the CHECKSUMS file that was downloaded when you tried to get the package. I don't know whether doing the two above things will allow that temporary file to be correctly generated/extracted and thus allow the process to move forward. But since you were asking for any suggestions for things to try, I think this qualifies, fruitful or not ;-).

[reply]
[d/l]
Re: Key Not Certified in CPAN
by kcott (Archbishop) on Feb 25, 2022 at 08:49 UTC
[reply]

Back to Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: perlquestion [id://11141625]
Front-paged by davies
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others meditating upon the Monastery: (3)
As of 2024-04-19 01:11 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found