
This queue is for tickets about the Module-Signature CPAN distribution.

Report information
The Basics
Id: 100016
Status: new
Priority: 0/
Queue: Module-Signature

Owner: Nobody in particular
Requestors: CLOOS [...]

Bug Information
Severity: Wishlist
Broken in: 0.73
Fixed in: (no value)

Subject: better (more secure) gpg module signing
Hi,

regarding "OpenPGP Best Practices" [1], the hkps protocol should be used to retrieve keys. As the protocol (scheme) is hard-coded in Module::Signature [2], you can't use a secured connection to retrieve keys. Is there any reason why Module::Signature passes a --keyserver option to gpg at all instead of using the keyserver from the gpg.conf?

Also, Module::Signature uses SHA1 as the default cipher [3], which has been considered insecure for years. You should really switch to a more secure default cipher.

Chris

[1] [2] [3]
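
An added example, not part of the ticket or of Module::Signature: a small Python audit that reads the text of a SIGNATURE file and reports which digest algorithm the clearsign header and each file entry use, flagging SHA1. The file layout (a clearsigned block of `ALGO hexdigest path` lines), the `WEAK` set, the function name and the sample text are assumptions of this example.

```python
import re

# Digest algorithms this audit treats as weak (an assumption of the example).
WEAK = {"MD5", "SHA1"}

# Constructed sample in the assumed SIGNATURE layout. The digests are those of
# empty input and the signature body is a placeholder, not real data.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Changes
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 lib/Foo.pm
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

ENTRY = re.compile(r"^([A-Za-z0-9-]+) ([0-9a-fA-F]+) (.+)$")

def audit_signature(text):
    """Return (armor_hashes, entries, findings) for a SIGNATURE file's text."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    except ValueError:
        raise ValueError("no clearsigned block found") from None
    armor_hashes, entries, findings = [], [], []
    in_body = False
    for line in lines[start + 1:end]:
        if not in_body:
            # Armor headers come first; an empty line starts the signed body.
            if line.startswith("Hash:"):
                armor_hashes += [h.strip().upper() for h in line[5:].split(",")]
            elif line == "":
                in_body = True
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1).upper(), m.group(3)))
    # Report the OpenPGP signature hash and the per-file digests separately.
    findings += [f"OpenPGP signature hash is {h}" for h in armor_hashes if h in WEAK]
    findings += [f"{p}: file digest is {a}" for a, p in entries if a in WEAK]
    return armor_hashes, entries, findings
```

The two kinds of finding are independent: the `Hash:` header reflects gpg's own digest preference, while the per-file algorithm is the one Module::Signature was told to use.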
