Workaround for RT#126994 #25
base: master
Conversation
#23 should be fixed with this as long as the package SIGNATURE is signed using SHA1 and gpg1.
Thanks for the quick patch! I'm inclined to hold off this for a few days until we can hear back from
This part of the patch is not directly related to the workaround and should not be reverted in the future.
- Resign test signatures
- Fallback to string comparison if version module unavailable
I wouldn't hold my breath; the latest commit was 3 years ago, and simple bugs reported last year haven't been fixed. IMO, since the current release fails self-tests it should either be pulled from CPAN or updated ASAP. I've force-pushed the patch into two commits, the latter of which should be reverted when no longer needed.
I'll get around to it this weekend, but as we cannot (and indeed should not) prevent module authors from signing with GPG2 and stronger algorithms, I'm inclining toward dropping support for Crypt::OpenPGP altogether.
That is also a perfectly valid option but might break some setups on platforms that usually don't have GnuPG installed, like Windows.
GnuPG used to be quite cumbersome to install on Windows, but now with efforts like gpg4win https://gpg4win.org/ that may be surmountable... |
43f5971 to 5edee3a
This commit should be reverted when no longer needed. Also change RIPEMD-160 to (at least) SHA-256 when that happens.
- Set gpg digest preference to SHA1
- Only sign with gpg <= v2.1.15
Until RT#126994 is fixed we are limited to GnuPG v1.4 and SHA-1 as the signature digest.
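As an added illustration of the gate described in this PR (not code from Module::Signature or from the PR itself), the Perl script below parses the GnuPG version, refuses to sign with anything newer than 2.1.15, and forces SHA1 as the digest for the workaround period. It assumes gpg prints "gpg (GnuPG) X.Y.Z" on the first line of `gpg --version`; the sample outputs are constructed. Its fallback comparison, used when version.pm is unavailable, still splits on dots, because a plain string comparison would rank "2.1.9" above "2.1.15".

```perl
#!/usr/bin/env perl
# Added example, not part of the Module::Signature PR. Gates signing on the
# gpg version limit the PR describes and forces SHA1 while RT#126994 stands.
use strict;
use warnings;

my $MAX_GPG_VERSION = '2.1.15';   # limit stated in the PR commit message

# Extract "X.Y.Z" from `gpg --version` output; undef if it is not found.
sub gpg_version_from_output {
    my ($text) = @_;
    return $text =~ /^gpg \(GnuPG\) (\d+(?:\.\d+)*)/m ? $1 : undef;
}

# Compare dotted versions; returns -1, 0 or 1 like <=>. Uses version.pm when
# present, otherwise a component-wise numeric fallback (missing parts are 0).
sub compare_versions {
    my ($x, $y) = @_;
    if (eval { require version; 1 }) {
        return version->parse("v$x") <=> version->parse("v$y");
    }
    my @xs = split /\./, $x;
    my @ys = split /\./, $y;
    while (@xs || @ys) {
        my $cx = shift(@xs) // 0;
        my $cy = shift(@ys) // 0;
        return $cx <=> $cy if $cx != $cy;
    }
    return 0;
}

# Decide whether signing is allowed and which extra gpg flags to pass.
sub signing_plan {
    my ($gpg_version_text) = @_;
    my $ver = gpg_version_from_output($gpg_version_text)
        or return { ok => 0, reason => 'could not determine gpg version' };
    if (compare_versions($ver, $MAX_GPG_VERSION) > 0) {
        return { ok => 0, reason => "gpg $ver is newer than $MAX_GPG_VERSION" };
    }
    # --digest-algo SHA1 is the workaround only; revert it and move to
    # SHA-256 or better once RT#126994 is fixed, as the PR notes.
    return { ok => 1, version => $ver, args => ['--digest-algo', 'SHA1'] };
}

# Constructed sample outputs standing in for `gpg --version`.
for my $out ("gpg (GnuPG) 1.4.23\n", "gpg (GnuPG) 2.1.9\n", "gpg (GnuPG) 2.2.19\n") {
    my $plan = signing_plan($out);
    print $plan->{ok} ? "gpg $plan->{version}: sign with @{$plan->{args}}\n"
                      : "refuse: $plan->{reason}\n";
}
# Live use: my $plan = signing_plan(scalar `gpg --version`);
```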