Bug#1022200: CPAN should be more helpful on missing key when check_sigs is enabled (Was: Re: cpan: cannot check signatures)

Sat Oct 22 16:36:11 BST 2022

Hi,

Le 22/10/2022 à 15:59, Vincent Lefevre a écrit :
> Hi,
> 
> On 2022-10-22 14:31:24 +0200, Clément Hermann wrote:
>> I could reproduce your issue if I enable check_sigs option in CPAN
>> (which is _not_ the default).
> 
> OK, I forgot about that (though I think that it should be the default
> for security reasons, and IIRC, this was recommended for this reason
> in some other thread).

I do think it's a good idea to enable it.

>> Thing is, it's not a bug, really. Or not quite. It's a result of the
>> correction of a bug in CPAN < 2.29 who would succeed silently if there is no
>> signature/no way to check the key.
>>
>> You can find some context in
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015985 and
>> http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
> 
> I didn't know that. In particular, I had not got any announce,
> probably because it is still not fixed in Debian/stable. And
> AFAIK, http is also still used by default in Debian/stable, so
> that this makes the security even worse.

http or not won't change much, since CPAN uses a mirror network 
(arguably with only "safe" mirrors now). Checking the signature of the 
hashes is the right way to make sure a downloaded module is really the 
one a developer makes available.

>> I do agree that it's bad UX that CPAN isn't more helpful when the key isn't
>> available, e.g. asking for it or suggesting a way to get it, but the fact
>> that it fails if the key isn't available while the Checksums are signed is
>> the right behavior, and your workaround (getting the key) is the right
>> solution.
>>
>> CPAN doesn't have a way to centralize key themself, and probably shouldn't,
>> either. Not sure how such error can be avoided completely (the Debian method
>> of having a preconfigured keyring won't do for CPAN IMO), but it should at
>> least suggest a solution.
> 
> I agree. There should be at least sufficient documentation when the
> error occurs. If Debian could automatically provide the key and use
> it, this would be better, IMHO: less work for the user, and this
> would ensure (if correctly done) that the key is correct and still
> valid.

Thing is, Debian cannot anticipate what modules you want to install via 
CPAN (so outside of Debian), so which developer keys to get, and also 
cannot install keys from all CPAN contributors in the user keyring…

A way to fix this would be to make the message in CPAN more helpful and 
propose to get the key from a known source (e.g. keyserver), but I think 
that really ought to be done upstream.

Note that in my current installation, a more helpful message is 
displayed at the end (possibly because I installed 
libmodule-signature-perl):

```
Module::Signature verification returned value 0E0

The manual says for this case: Cannot verify the
OpenPGP signature, maybe due to the lack of a network connection to
the key server, or if neither gnupg nor Crypt::OpenPGP exists on the
system. You probably want to analyse the situation and if you cannot
fix it you will have to decide whether you want to stop this session
or you want to turn off signature verification. The latter would be
done with the command 'o conf init check_sigs'
```

I'm guessing the key would be donwloaded with Crypt::OpenPGP installed 
(unfortunately not in Debian yet), but I didn't test.

Please report if you test with Crypt::OpenPGP installed via CPAN: if 
that makes the behaviour better UX-wise, we should package it (there are 
a few deps but I don't see any issue at a glance).

Cheers,

-- 
nodens