This queue is for tickets about the Perl-Dist-Strawberry CPAN distribution.

Report information

The Basics
Id: 99703
Status: resolved
Priority: Low/Low

People
Owner: Nobody in particular
Requestors: spioch7 [...] gmail.com
Cc:
AdminCc:

BugTracker
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 19:29:02 +0200
To: bug-Perl-Dist-Strawberry@rt.cpan.org
From: Michał Goleń <spioch7@gmail.com>
Hello,

I tried to update my Perl installation, but it looks like the certificate used to sign the installation file was revoked.

File: strawberry-perl-5.20.1.1-64bit.msi from strawberryperl.com

I still use Perl in my build scripts under Unix and Windows, but I cannot install an untrusted package due to the company's security policies.

Is this issue known to you?
Will there be a fixed, new package any time soon?

Yours sincerely,
Michael Golen
Subject: Re: [rt.cpan.org #99703] Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 20:00:35 +0200
To: bug-Perl-Dist-Strawberry@rt.cpan.org
From: kmx <kmx@volny.cz>
> Hello,
>
> I tried to update my Perl installation, but it looks like certificate used
> to sign installation file was revoked.
>
> File: strawberry-perl-5.20.1.1-64bit.msi from strawberryperl.com
>
> I still use Perl in my build scripts under Unix and Windows, but I cannot
> install untrusted package due to company's security policies.
>
> Is this issue known to You ?
> Will there be fixed, new package any time soon ?

Hi,

I know about this issue (both 32/64bit MSI for 5.20.1.1 are invalid).

The trouble is that somebody at Certum CA lost scanned copy of my passport
which I have sent them approx. a year ago. Unfortunately the reminder they
sent me was "swallowed" by cpan.org's spam filter and they simply revoked
my certificate.

I am trying to get a new certificate but I am seriously considering to
start distributing unsigned MSI files as I am really fed up with dealing
with Certum CA.

--
kmx
Subject: Re: [rt.cpan.org #99703] Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 21:14:21 +0200
To: bug-Perl-Dist-Strawberry@rt.cpan.org
From: Michał Goleń <spioch7@gmail.com>
I think that distributing unsigned MSI is a better solution, so the system wouldn't complain about an invalid signature.
Provided SHA-1 is good enough IMHO.
A GnuPG asc file would be nice (some Linux distros do that), but I don't think that it's necessary.

For the time being I have manually extracted the files and updated the links. It works fine :-)

Thanks for your time (and quick answer).

--
Michael


2014-10-21 20:00 GMT+02:00 kmx via RT <bug-Perl-Dist-Strawberry@rt.cpan.org>:
<URL: https://rt.cpan.org/Ticket/Display.html?id=99703 >


> Hello,
>
> I tried to update my Perl installation, but it looks like certificate used
> to sign installation file was revoked.
>
> File: strawberry-perl-5.20.1.1-64bit.msi from strawberryperl.com
>
> I still use Perl in my build scripts under Unix and Windows, but I cannot
> install untrusted package due to company's security policies.
>
> Is this issue known to You ?
> Will there be fixed, new package any time soon ?

Hi,

I know about this issue (both 32/64bit MSI for 5.20.1.1 are invalid).

The trouble is that somebody at Certum CA lost scanned copy of my passport
which I have sent them approx. a year ago. Unfortunately the reminder they
sent me was "swallowed" by cpan.org's spam filter and they simply revoked
my certificate.

I am trying to get a new certificate but I am seriously considering to
start distributing unsigned MSI files as I am really fed up with dealing
with Certum CA.

--
kmx


Subject: Re: [rt.cpan.org #99703] Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 21:21:09 +0200
To: bug-Perl-Dist-Strawberry@rt.cpan.org
From: kmx <kmx@volny.cz>
> I think that distributing unsigned MSI is better solution, so system
> wouldn't complain about invalid signature.

In fact I can/should replace those MSIs with revoked signature with unsigned MSIs (+update SHA1 checksums).

--
kmx

The obstacles are too high. I am giving up, all the future MSI packages will be released unsigned.

--
kmx

