CPANSA-DB


GPG_README.md

## Import the keys

I have two keys, a personal one and a project one, on *keys.openpgp.org*.
At the end of this doc is a pic of me holding up these keys handwritten
on a notepad. If you need more trust than that, get in touch.

     % gpg --keyserver keys.openpgp.org --recv-keys 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041 867D53B08E433DF401A06EF49A9C0FE7F64876BF

If you trust these keys, sign them with your own key. This way you
avoid a local warning about verifying files with untrusted keys. Likewise,
if you do not trust these keys and are willing to tolerate the warning, don't
sign them:

     % gpg --sign-key 867D53B08E433DF401A06EF49A9C0FE7F64876BF
     % gpg --sign-key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041

## Verify the database

I've started to sign lib/CPAN/Audit/DB.pm with [a GPG key I made for
this module](https://keys.openpgp.org/vks/v1/by-fingerprint/75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041).
The file *lib/CPAN/Audit/DB.pm.gpg* is the detached signature for *lib/CPAN/Audit/DB.pm*.

     % gpg --verify lib/CPAN/Audit/DB.pm.gpg lib/CPAN/Audit/DB.pm

You may get a warning like:

> gpg: WARNING: This key is not certified with a trusted signature!

That means you didn't sign the keys, so your local GPG is reminding
you that you don't trust them, even though it can still verify the signatures.

## Help others trust CPAN::Audit

We can strengthen this trust in *lib/CPAN/Audit/DB.pm* by building more
trust in the key that signs that data. You can do this by signing the
key to say that you trust it.

You can sign my personal and my CPAN::Audit key with your key:

     % gpg --keyserver keys.openpgp.org --recv-keys 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041 867D53B08E433DF401A06EF49A9C0FE7F64876BF
     % gpg --sign-key 867D53B08E433DF401A06EF49A9C0FE7F64876BF
     % gpg --sign-key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
     % gpg --output ~/pobox.signed.gpg --export --armor 867D53B08E433DF401A06EF49A9C0FE7F64876BF
     % gpg --output ~/bdfoy.signed.gpg --export --armor 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041

Then send those output files back to me at *briandfoy@pobox.com*, or
some other channel that you'd like to use. I will import them into my
keyring and re-export my key to the keyserver so other people will see
that you signed the key.

## GitHub Actions

When I push to GitHub, the "gpg" workflow checks that the signed files
in the repo have the right signatures.

## The selfie

Here's a selfie with me holding up the two key fingerprints (google
images of me to see if you think this is the same person). For the
more cautious (not a bad thing here), we can arrange a way to verify
that these keys belong to me and you are sending them to the right
place.

![](images/briandfoy-gpg-key-selfie.jpeg)

MANIFEST

Changes
cpan-security-advisory.json
cpan-security-advisory.json.gpg
GPG_README.md
images/bdfoycpanorg-gpg-key-selfie.jpeg.gpg
images/briandfoy-gpg-key-selfie.jpeg
images/briandfoypoboxcom-gpg-key-selfie.jpeg.gpg
INSTALL.SKIP
lib/CPAN/Audit/DB.pm
lib/CPAN/Audit/DB.pm.gpg
lib/CPAN/Audit/DB.pod
lib/CPANSA/DB.pm
lib/CPANSA/DB.pm.gpg
lib/CPANSA/DB.pod
LICENSE
Makefile.PL
MANIFEST			This list of files
MANIFEST.SKIP
README.pod
SECURITY.md
t/load.t
t/pod.t
t/pod_coverage.t

README.pod


	# download the distro file from GitHub, MetaCPAN, or a CPAN mirror
	$ gh auth login
	...follow instructions...
	$ gh attestation verify CPANSA-DB-20241111.tar.gz --owner briandfoy

Additionally, each release comes with a GPG signature that allows you to
verify it. The key is the same one used when the database was
distributed with L<CPAN::Audit>:

	$ gpg --verify lib/CPANSA/DB.pm.gpg lib/CPANSA/DB.pm
	gpg: Signature made Mon Nov 18 11:00:10 2024 EST
	gpg:                using RSA key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
	gpg: Good signature from "CPAN::Audit (brian d foy) (https://github.com/briandfoy/cpan-audit) <bdfoy@cpan.org>" [ultimate]

=head2 Getting help

Although I'm happy to hear from module users in private email,
that's the best way for me to forget to do something.

Besides the issue trackers, you can find help at
L<Perlmonks|http://www.perlmonks.org> or
L<Stackoverflow|http://www.stackoverflow.com>, both of which have many
competent Perlers who can answer your question, almost in real time.

lib/CPAN/Audit/DB.pm


	use CPAN::Audit::DB;

	my $db = CPAN::Audit::DB->db;

=head1 DESCRIPTION

The C<db> subroutine returns the CPAN Security Advisory (CPANSA) reports
as a Perl data structure. Any program can use this data, not only CPAN::Audit.

Each release also comes with a F<.gpg> file that has the signature
for the file. If you cannot confirm that the module file has the
right signature, it might have been corrupted or modified.

This module is available outside of CPAN as a release on GitHub:
L<https://github.com/briandfoy/cpan-security-advisory/releases>.
Each release on GitHub includes an attestation.

There is also a JSON file that provides the same data structure.

=head2 Subroutines

lib/CPANSA/DB.pm


	use CPANSA::DB;

	my $db = CPANSA::DB->db;

=head1 DESCRIPTION

The C<db> subroutine returns the CPAN Security Advisory (CPANSA) reports
as a Perl data structure. Any program can use this data, not only CPAN::Audit.

Each release also comes with a F<.gpg> file that has the signature
for the file. If you cannot confirm that the module file has the
right signature, it might have been corrupted or modified.

This module is available outside of CPAN as a release on GitHub:
L<https://github.com/briandfoy/cpan-security-advisory/releases>.
Each release on GitHub includes an attestation.

There is also a JSON file that provides the same data structure.

=head2 Subroutines
