Changes for version 0.91 - 2025-06-24
- Add SECURITY.md policy
- move to three-arg open
- Remove spaces from eol
- Change build process to Dist::Zilla
Changes for 0.90 - Wed Jun 11 21:51:22 ADT 2025
- Fixes RT#166901: Suspicious fail on signature file with an unexpected empty line
Changes for 0.89 - Fri Sep 13 21:56:06 ADT 2024
- Replace keyserver with keyserver.ubuntu.com (haarg)
Changes for 0.88 - Sat Dec 18 11:34:44 CST 2021
- Update PAUSE keys to 2022. (@skaji)
Changes for 0.87 - Sat Jul 4 15:04:41 CST 2020
- Skip 3-verify.t on Crypt::OpenPGP installations. (@pyramation)
Changes for 0.86 - Thu Jun 25 21:06:24 CST 2020
- Update PAUSE and ANDK keys to 2020. (@dweekly)
- Update documentation pertaining to SHA1. (@dweekly)
- Fix compatibility with Crypt::OpenPGP. (@niklasholm)
Changes for 0.83 - Wed Aug 29 17:33:12 JST 2018
- Update META.yml.
Changes for 0.82 - Sun Aug 26 23:00:04 CST 2018
- Fix CRLF handling on Win32. (@niklasholm)
- Default to SHA256 on new hashes as SHA1 is deprecated. (@niklasholm)
Changes for 0.79 - Mon May 18 23:02:11 CST 2015
- Restore "cpansign --skip" functionality.
- Contributed by: CLOOS
Changes for 0.78 - Thu Apr 9 16:58:27 CST 2015
- Fix verify() use from cpanm and CPAN.pm.
- Contributed by: ANDK
Changes for 0.77 - Wed Apr 8 19:36:50 CST 2015
- Include the latest public keys of PAUSE, ANDK and AUDREYT.
- Clarify scripts/cpansign copyright to CC0.
- Reported by: @pghmcfc
Changes for 0.76 - Wed Apr 8 18:05:48 CST 2015
- Fix signature tests by defaulting to verify(skip=>1) when $ENV{TEST_SIGNATURE} is true.
- Reported by: @pghmcfc
Changes for 0.75 - Tue Apr 7 04:56:09 CST 2015
- Two more issues reported by John Lightsey:
- Update ChangeLog.
- More protection of @INC from relative paths.
- Fix various issues reported by John Lightsey:
Changes for 0.74 - Tue Apr 7 02:39:14 CST 2015
- Fix various issues reported by John Lightsey:
- Fix GPG signature parsing logic.
- MANIFEST.SKIP is no longer consulted unless --skip is given.
- Properly use open() modes to avoid injection attacks.
Changes for 0.73 - Wed Jun 5 23:44:57 CST 2013
- Properly redo the previous fix using File::Spec->file_name_is_absolute.
Changes for 0.72 - Wed Jun 5 23:19:02 CST 2013
- Only allow loading Digest::* from absolute paths in @INC, by ensuring they begin with \ or / characters.
- Contributed by: Florian Weimer (CVE-2013-2145)
Changes for 0.71 - Tue Jun 4 18:24:10 CST 2013
- Constrain the user-specified digest name to /^\w+\d+$/.
- Avoid loading Digest::* from relative paths in @INC.
- Contributed by: Florian Weimer (CVE-2013-2145)
Changes for 0.70 - Thu Nov 29 01:45:54 CST 2012
- Don't check gpg version if gpg does not exist.
- This avoids unnecessary warnings during installation when gpg executable is not installed.
- Contributed by: Kenichi Ishigaki
Changes for 0.69 - Fri Nov 2 23:04:19 CST 2012
- Support for gpg under these alternate names:
- gpg gpg2 gnupg gnupg2
- Contributed by: Michael Schwern
Changes for 0.68 - Fri, 13 May 2011 11:51:50 +0200
- Fix breakage introduced by 0.67 (Andreas König).
Changes for 0.67 - Sun, 17 Apr 2011 16:29:23 +0200
- Better handling of \r (Andreas König, Zefram) (Closes RT#46339).
Changes for 0.66 - Fri, 6 Sep 2010 22:51:37 +0200
- Fix incompatibility with EU::Manifest 1.54 to 1.57 (Paul Howarth) (Closes RT#61124).
Changes for 0.65 - Fri, 3 Sep 2010 21:38:02 +0200
- Skip MYMETA (Alexandr Ciornii)
Changes for 0.64 - Sun, 9 May 2010 00:50:11 +0200
Changes for 0.63 - Sun, 28 Mar 2010 04:46:27 +0100
- Fix diagnostic message from Makefile.PL when the user doesn't have gnupg or Crypt::OpenPGP (miyagawa).
Changes for 0.62 - Tue, 23 Mar 2010 22:17:39 +0100
- Change the default keyserver from the outdated pgp.mit.edu to pool.sks-keyservers.net.
Changes for 0.61 - Thu Nov 19 00:56:41 CST 2009
- Added "=encoding utf8" to POD to fix author name display. No functional changes.
Changes for 0.60 - Mon Nov 16 22:48:54 CST 2009
- LICENSING CHANGE: This compilation and all individual files in it are now under the nullary CC0 1.0 Universal terms:
- To the extent possible under law, 唐鳳 has waived all copyright and related or neighboring rights to Module-Signature.
- Updated Module::Install to 0.91, prompted by Florian Ragwitz.
Changes for 0.55 - 2006-07-29
- ANDK submitted a patch to fix versioning problem when the user elects to install Crypt::OpenPGP.
- Major refactoring of the Makefile.PL to ease the installation process.
Changes for 0.54 - 2006-05-12
- Fixed a long-standing bug where differing end-of-line conventions could cause bogus comparisons in signature checks.
- Fixed another long-standing bug where CRLF text files were hashed into different digests under Unix and Dosish platforms. Now it's consistently hashed as if it's been normalized to LF.
- Optional dependencies are no longer installed-by-default.
Changes for 0.53 - 2006-01-31
- The explicit call to "readline(D)" didn't compile on earlier perls which demanded either "readline(*D)" or "<D>" -- I elected the latter form. Reported by: Matthew Persic
- Update my author key to reflect revoked past uids.
Changes for 0.52 - 2006-01-19
- POD and source code cleanup; no functional changes.
- Updated my author key to reflect my new name and identity.
- Upgrade to the latest Module::Install to fix Cygwin installation problems. Reported by: Lyle Ziegelmiller
Changes for 0.51 - 2006-01-02
- Even more flexible CRLF handling for SIGNATURE files. Contributed by: Andreas Koenig.
Changes for 0.50 - 2005-08-21
- Add support for SHA-256, requested by Mark Shelor in light of the recent SHA1 attacks. SHA1 is still the default, but you can now override this by setting the MODULE_SIGNATURE_CIPHER environment variable to SHA256.
Changes for 0.45 - 2005-08-09
- Andreas Koenig pointed out that "Import GPG keys?" was asked far too many times during autoinstall.
Changes for 0.44 - 2004-12-16
- Add "pmfiles.dat" to legacy manifest_skip routine to accommodate early Win32 hacks. Reported by Steve Hay via Michael Schwern.
Changes for 0.43 - 2004-12-16
- Updated t/0-signature.t to be more friendly with Test::More; contributed by Michael Schwern.
- Add $Timeout (default 3 seconds) to control the timeout for probing connections to the key server.
- Take account of the .ts files produced by newer MakeMakers in the suggested MANIFEST.SKIP list.
Changes for 0.42 - 2004-11-20
- Move under SVK version control management; ditch keyword tags.
- Michael Schwern pointed out that during development, the "signature.t" file would keep failing.
- Documented how to generate SIGNATURE files as part of "make dist", for Module::Install, ExtUtils::MakeMaker and Module::Build users.
Changes for 0.41 - 2004-07-04
- Mark Shelor points out that support for Digest::SHA was broken.
Changes for 0.40 - 2004-07-01
- Dave Rolsky points out that GPG version detection always returns '1'. (bug #6810)
Changes for 0.39 - 2004-06-17
- Supports Digest::SHA (now preferred) and Digest::SHA1::PurePerl, in addition to the original Digest::SHA1 backend.
- We now ask before importing the default keys, also suggested by Tels.
- Unknown cipher is made fatal, thanks to suggestion by Tels.
- Apply Dave Rolsky's patch to verify that author's pubkey is available on a keyserver. May need more work.
Changes for 0.38 - 2004-01-01
- Update to the newest Module::Install.
- Not using inc/SCRIPT/ anymore.
- Add "#defaults" and "^blibdirs$" to recommended MANIFEST.SKIP to pacify newer ExtUtils::MakeMaker.
- Starting to think about how to make "disttest" + "dist" not signing twice.
Changes for 0.37 - 2003-11-06
- Move bin/cpansign to script/cpansign.
- Make cpansign exit upon failure.
Changes for 0.36 - 2003-10-28
- Use sign(1) to autosign ourselves.
- Soren A pointed out that hkp:// didn't work with GnuPG.
Changes for 0.25 - 2003-08-28
- Now ships with my pubkey and PAUSE's.
- Interactive Makefile.PL, suggested by Jarkko.
Changes for 0.34 - 2003-08-18
- Don't ask user to install Crypt::OpenPGP if she does not have a C compiler anyway.
- ExtUtils::Manifest 1.38 does not support good enough skips even for Makefile.PL, sigh.
Changes for 0.33 - 2003-08-12
- William Wentworth-Sheilds points out that META.yml is dynamic, which makes SIGNATURE incorrect for people without either "diff" or "gpg". Fixed.
Changes for 0.32 - 2003-08-11
- Take Schwern's patch to only set _maniskip for legacy EU::Manifest.
- Remove ::TieOut since we are not using it anymore.
- Reduce noise for untrusted signatures to two lines.
Changes for 0.31 - 2003-08-10
- Scott R. Godin pointed out 0.30 had bad signature. whoops.
Changes for 0.30 - 2003-08-10
- Add JHI to authors.
- Patch from Michael Schwern: only let GnuPG display anything if we're handling suspicious keys, not when you have added the signer into the trustdb.
- New global config variable, $Verbose.
- MODULE_SIGNATURE_VERBOSE, MODULE_SIGNATURE_KEYSERVER and MODULE_SIGNATURE_KEYSERVERPORT env variables are now respected.
- Only supply _default_skip if our ExtUtils::MakeMaker is too old.
Changes for 0.29 - 2003-08-08
- Now fails gracefully all the time, including when incapable of connecting to the keyserver.
- Also, SHA1 sum is still checked even if the user does not have GnuPG/Crypt::OpenPGP.
- Hence, Crypt::OpenPGP is no longer a mandatory prerequisite even for users without gnupg.
- "0E0" is now made into a constant, CANNOT_VERIFY.
- Do not die() when we absolutely can't verify.
- BZAJAC pointed out that we should add .svn to _default_skip.
Changes for 0.28 - 2003-07-29
- Remove Digest.pm dependency.
- Don't test for "diff -version" anymore -- not all diffs have -version, thanks again to Alan Burlison.
Changes for 0.27 - 2003-07-28
- More punctuation cleanups in POD.
- Michael Schwern pointed out that successful tests shouldn't be noisy.
Changes for 0.26 - 2003-07-17
- New internal function, _verify(), that takes $sigfile as its first argument, eliminating the "local $Module::Signature::SIGNATURE" approach.
- sign() now also takes a skip=> parameter (defaults to true) about whether to respect MANIFEST.SKIP. This needs to be set to 0 to sign blib/ archives.
- Officially supporting signing and verification of PAR files, using PAR::Dist.
- Let's ignore warnings when performing on exe files
Changes for 0.24 - 2003-07-08
- Preliminary PAR support.
Changes for 0.23 - 2003-07-07
- Ken Williams noted that M::B now works on 5.005.
Changes for 0.22 - 2003-05-15
- Move Signature.pm to lib/Module/Signature.pm.
- Switch to the Module::Install framework.
- Updates TODO to reflect correspondence with andk.
- Matt Southall mentioned that, if somebody has never run gpg before, we need to initialize it once before running test.
- Warn about potential 'Makefile' exploit as pointed out by Tels. Document pending.
- Bugfix for incorrect 'MALFORMED' response to signatures made from older versions of GnuPG, as reported by Tels.
Changes for 0.18 - 2002-11-04
- Binary files handling on win32 was broken. (Jos Boumans)
Changes for 0.17 - 2002-10-30
- Resolve bug report by Iain Truskett: cpansign -s should not complain about manifest mismatch if SIGNATURE is lacking.
- Also, bail out gracefully when signing fails, instead of crippling the old SIGNATURE.
- MANIFEST.SKIP doc lifted from Test::Signature.
- Minor POD fixups.
Changes for 0.16 - 2002-10-28
- Adds AUTHORS file.
- Added connectivity probing for testing.
- Print a helpful success message after signing.
- Don't cripple old SIGNATURE file.
- Suggestion from Tels: skip the ambiguous 'optional' probing for Crypt::OpenPGP if gnupg is there.
Changes for 0.15 - 2002-10-17
- Fixed compatibility with old MakeMaker versions, thanks to chromatic.
- Fixed "no /dev/tty" bug during smoke testing, as reported by the excellent CPAN Smokers.
Changes for 0.12 - 2002-10-12
- Supports automatic key retrieval, implemented in Crypt::OpenPGP.
Changes for 1.02 - 2002-10-12
- Fixed the default cipher from MD5 back to SHA1.
Changes for 0.10 - 2002-10-12
- Fixed a problem that prevents earlier versions of GnuPG from fetching public keys via --keyserver-option=auto-key-retrieve.
Changes for 0.09 - 2002-10-12
- Documented the package variables so they become part of APIs.
- Alternative (non-SHA1) ciphers in SIGNATUREs are now recognized.
- Added a new return value, CIPHER_UNKNOWN.
- Mention Test::Signature.
- Ditch Test::More from the sample script.
- Label tests.
Changes for 0.09 - 2002-10-11
- We're no longer alpha status; reflect in README.
- Incorporated a suggestion from Tels: undefining the $KeyServer package variable should disable automatic key-fetching.
- Include the tests from Iain.
- Tels: disable KeyServer fetching if it's undef'ed.
Changes for 0.07 - 2002-10-11
- Fixed our own signatures.
Changes for 0.06 - 2002-10-10
- Use many-arg system() instead of the one-arg form to prevent security breach.
- Iain Truskett: fixed export bug so SIGNATURE_OK is properly exported.
- Introduced global $KeyServer variable, default at 'pgp.mit.edu'.
- Suggestion from Aurthur Bergman: cpansign without arg should DWIM.
- Set a default keyserver for cpansign -v.
- Use by-name params for functions. sign(override => $bool).
Changes for 0.05 - 2002-08-14
- Typo correction and safety checking.
Changes for 0.04 - 2002-08-14
- Added boilerplate text before SIGNATURE to explain what it's about.
- Crypt::OpenPGP signature didn't work.
- Add keyword expansion tags.