Closed
Description
with Module::Signature installed & in use, cpan{,m,p} ignores 'keyserver' settings from ~/.gnupg/gpg.conf, where explicit keyserver URI schemes can be set/defined.
Module::Signature keyserver host & port can be overridden by exporting env vars,
MODULE_SIGNATURE_KEYSERVER
MODULE_SIGNATURE_KEYSERVERPORT
in src,
./lib/Module/Signature.pm
```perl
sub _keyserver {
    my $version = shift;
    my $scheme = 'x-hkp';
    $scheme = 'hkp' if $version ge '1.2.0';
    return "$scheme://$KeyServer:$KeyServerPort";
}
```
, regardless of keyserver, scheme is set to "hkp://"
so on exec, "--keyserver=hkp://" is generated/sent,
```
cpansign -v
Executing gpg --verify --batch --no-tty --keyserver=hkp://keyserver.ubuntu.com:443 --keyserver-options=auto-key-retrieve /tmp/IOcdbIdJMt
```
also, NOTE that the default in src,
```perl
$KeyServer = $ENV{MODULE_SIGNATURE_KEYSERVER} || 'pool.sks-keyservers.net';
```
points to 'pool.sks-keyservers.net', which has been DISCONTINUED,
sks-keyservers.net pool DNS records disabled effective immediately
https://sks-keyservers.net/ announced
This service is deprecated. This means it is no longer maintained, and new HKPS certificates will not be issued. Service reliability should not be expected.
Update 2021-06-21: Due to even more GDPR takedown requests, the DNS records for the pool will no longer be provided at all.
To support newer servers and differing schemes, can "$KeyServerScheme" be added as an ENV VAR; perhaps,
```perl
$KeyServerScheme = $ENV{MODULE_SIGNATURE_KEYSERVER_SCHEME} || 'hkps';
```
, and used in the 'sub _keyserver {' ?
and,
some other, supported server def'd as default,
- $KeyServer = $ENV{MODULE_SIGNATURE_KEYSERVER} || 'pool.sks-keyservers.net';
+ $KeyServer = $ENV{MODULE_SIGNATURE_KEYSERVER} || 'keyserver.ubuntu.com';
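Review bot: the `+` line changes only the default host, so with `_keyserver` as quoted above the new default would still be reached as `hkp://keyserver.ubuntu.com:$KeyServerPort`. Land the scheme variable proposed above in the same change, and check that the default port matches the default scheme, since the `cpansign -v` output on this page pairs `hkp://` with port 443.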
, or similar?
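One way the scheme override proposed in this issue could look, as an added example (not Module::Signature's code and not part of the original post). `keyserver_uri`, the scheme allow-list and the per-scheme port defaults are assumptions; `MODULE_SIGNATURE_KEYSERVER_SCHEME` is the name proposed above, not an existing variable, and the sample environments are constructed.

```perl
#!/usr/bin/perl
# Added example: a scheme-aware replacement for the URI building shown above.
use strict;
use warnings;

# Allowed schemes with their conventional default ports (assumption).
my %DEFAULT_PORT = (hkp => 11371, hkps => 443);

sub keyserver_uri {
    my ($env) = @_;    # hash ref standing in for %ENV
    my $host   = $env->{MODULE_SIGNATURE_KEYSERVER} || 'keyserver.ubuntu.com';
    my $scheme = lc($env->{MODULE_SIGNATURE_KEYSERVER_SCHEME} || 'hkps');
    my $port;

    # A full URI in the host variable carries its own scheme (and maybe port),
    # so never prepend a second scheme to it.
    if ($host =~ m{\A([a-z][a-z0-9+.-]*)://([^/:]+)(?::(\d+))?/?\z}i) {
        ($scheme, $host, $port) = (lc($1), $2, $3);
    }

    # The result ends up on a gpg command line: reject anything unexpected.
    die "unsupported keyserver scheme '$scheme'\n"
        unless exists $DEFAULT_PORT{$scheme};
    die "invalid keyserver host '$host'\n"
        unless $host =~ /\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/;

    $port //= $env->{MODULE_SIGNATURE_KEYSERVERPORT} || $DEFAULT_PORT{$scheme};
    die "invalid keyserver port '$port'\n"
        unless $port =~ /\A\d{1,5}\z/ && $port >= 1 && $port <= 65535;

    return "$scheme://$host:$port";
}

# Constructed sample environments.
for my $env (
    {},                                                    # defaults
    { MODULE_SIGNATURE_KEYSERVER        => 'keys.example.org',
      MODULE_SIGNATURE_KEYSERVER_SCHEME => 'hkp' },        # explicit plain hkp
    { MODULE_SIGNATURE_KEYSERVER => 'hkps://keys.example.org' },  # full URI
    { MODULE_SIGNATURE_KEYSERVER_SCHEME => 'ldap' },       # not on the allow-list
) {
    my $uri = eval { keyserver_uri($env) };
    print defined($uri) ? "--keyserver=$uri\n" : "rejected: $@";
}
```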