Skip Menu |
 

This queue is for tickets about the Perl-Dist-Strawberry CPAN distribution.

Report information
The Basics
Id: 99703
Status: resolved
Priority: 0/
Queue: Perl-Dist-Strawberry

People
Owner: Nobody in particular
Requestors: spioch7 [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 19:29:02 +0200
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: Michał Goleń <spioch7 [...] gmail.com>
Download (untitled) / with headers
text/plain 435b
Hello, I tried to update my Perl installation, but it looks like certificate used to sign installation file was revoked. File: strawberry-perl-5.20.1.1-64bit.msi from strawberryperl.com I still use Perl in my build scripts under Unix and Windows, but I cannot install untrusted package due to company's security policies. Is this issue known to You ? Will there be fixed, new package any time soon ? Your sincerely, Michael Golen
Subject: Re: [rt.cpan.org #99703] Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 20:00:35 +0200
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: kmx <kmx [...] volny.cz>
Download (untitled) / with headers
text/plain 916b
Show quoted text
> Hello, > > I tried to update my Perl installation, but it looks like certificate used > to sign installation file was revoked. > > File: strawberry-perl-5.20.1.1-64bit.msi from strawberryperl.com > > I still use Perl in my build scripts under Unix and Windows, but I cannot > install untrusted package due to company's security policies. > > Is this issue known to You ? > Will there be fixed, new package any time soon ?
Hi, I know about this issue (both 32/64bit MSI for 5.20.1.1 are invalid). The trouble is that somebody at Certum CA lost scanned copy of my passport which I have sent them approx. a year ago. Unfortunately the reminder they sent me was "swallowed" by cpan.org's spam filter and they simply revoked my certificate. I am trying to get a new certificate but I am seriously considering to start distributing unsigned MSI files as I am really fed up with dealing with Certum CA. -- kmx
Subject: Re: [rt.cpan.org #99703] Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 21:14:21 +0200
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: Michał Goleń <spioch7 [...] gmail.com>
Download (untitled) / with headers
text/plain 1.4k
I think that distributing unsigned MSI is better solution, so system would't complain about invalid signature. Provided SHA-1 is good enough IMHO. GnuPG asc file would be nice(some Linux distros do that), but I don't think that It's necessary. For time being i have manually extracted files, and updated links. It works fine :-) Thanks for your time (and quick answer). -- Michael 2014-10-21 20:00 GMT+02:00 kmx via RT <bug-Perl-Dist-Strawberry@rt.cpan.org> : Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=99703 > > >
> > Hello, > > > > I tried to update my Perl installation, but it looks like certificate
> used
> > to sign installation file was revoked. > > > > File: strawberry-perl-5.20.1.1-64bit.msi from strawberryperl.com > > > > I still use Perl in my build scripts under Unix and Windows, but I cannot > > install untrusted package due to company's security policies. > > > > Is this issue known to You ? > > Will there be fixed, new package any time soon ?
> > Hi, > > I know about this issue (both 32/64bit MSI for 5.20.1.1 are invalid). > > The trouble is that somebody at Certum CA lost scanned copy of my passport > which I have sent them approx. a year ago. Unfortunately the reminder they > sent me was "swallowed" by cpan.org's spam filter and they simply revoked > my certificate. > > I am trying to get a new certificate but I am seriously considering to > start distributing unsigned MSI files as I am really fed up with dealing > with Certum CA. > > -- > kmx > >
Subject: Re: [rt.cpan.org #99703] Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 21:21:09 +0200
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: kmx <kmx [...] volny.cz>
Download (untitled) / with headers
text/plain 234b
Show quoted text
> I think that distributing unsigned MSI is better solution, so system > would't complain about invalid signature.
In fact I can/should replace those MSIs with revoked signature with unsigned MSIs (+update SHA1 checksums). -- kmx
The obstacles are too high. I am giving up, all the future MSi packages will be released unsigned.

--
kmx


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.