App-MechaCPAN
view release on metacpan or search on metacpan
lib/App/MechaCPAN.pm view on Meta::CPAN
{
my ( $file, $keyring ) = @_;
run_qvf( "sq", "verify", "--signer-file", "$keyring", "$file" );
};
},
sub
{
return
if !eval { run(qw/rnp --version/); 1 };
return sub
{
my ( $file, $keyring ) = @_;
run_qvf( "rnp", "--keyfile", "$keyring", "--verify", "$file" );
};
},
);
sub _resolve_verifier
{
state $verify_fn;
if ( !defined $verify_fn )
{
foreach my $verify (@verifier)
{
my $fn = $verify->();
if ( defined $fn )
{
$verify_fn = $fn;
last;
}
}
}
return $verify_fn;
}
sub get_cpan_checksums
{
my $url = shift;
my $key = shift;
# If verify is off, don't check any part of the CHECKSUMS
return
if defined $CHKSIGS && !$CHKSIGS;
die "CHECKSUMS URL must be HTTPS, not '$url'"
unless $url =~ m{\Ahttps://}xmsi;
die "CHECKSUMS URL must end with CHECKSUMS, not '$url'"
unless $url =~ m{CHECKSUMS\z}xmsi;
# Even if verification is optional, not downloading the CHECKSUMS is fatal
my $checksums = '';
fetch_file( $url, \$checksums );
$checksums = App::MechaCPAN::_verify_checksums_body($checksums);
# If $CHKSIGS is true, we must verify that CHECKSUMS has a valid signature
# If $CHKSIGS is undef, we will verify that CHECKSUMS has a valid signature
# if possible, but won't throw errors if can't.
# In both cases, the CHECKSUMS is used to validate the checksums of the
# downloaded file
# If $CHKSIGS is otherwise false, we already did an early return above
my $verify_fn = _resolve_verifier();
if ( !defined $verify_fn )
{
die "Could not find verification program and verification was required"
if $CHKSIGS;
logmsg "CHECKSUMS signature not checked: PGP verifier not found";
}
else
{
my $keyring = cpan_keyring();
my $chk_file = humane_tmpfile('CHECKSUMS');
$chk_file->print($checksums);
$chk_file->flush;
$verify_fn->( "$chk_file", $keyring );
logmsg "VALID: $url";
}
my $result = do
{
require Safe;
my $safe = Safe->new("App::MechaCPAN::reval");
local $@;
my $chksum = $safe->reval($checksums);
die "Failed to parse CHECKSUMS: $@"
if $@;
die "Failed to get HASH from CHECKSUMS"
if ref $chksum ne 'HASH';
$chksum;
};
# If a module name is passed ($key), then we check if it is listed in the
# CHECKSUMS file. If it is missing, it depends on $CHKSIGS. If it is true
# (strict verify), an error will be produced. If it is undef (best-effort)
# then a log entry will be added, and nothing will be returned, whcih will
# match the no-verify path above.
if ( defined $key && !exists $result->{$key} )
{
die "Could not find module '$key' in CHECKSUMS"
if $CHKSIGS;
logmsg "Could not find '$key' in CHECKSUMS, not attempting to verify";
return;
}
return $result;
}
my @inflate = (
# System tar
sub
{
( run in 2.735 seconds using v1.01-cache-2.11-cpan-6aa56a78535 )