Invalid signature errors, CPAN, gpg

When I try to install some packages (most notably Bundle::CPAN) using CPAN, I
get the following errors:

gpg: Signature made Mon Feb 27 01:57:02 2006 EST using DSA key ID A317C15D
gpg: requesting key A317C15D from x-hkp://pgp.mit.edu:11371 ...
gpg: no valid OpenPGP data found.
gpg: Can't check signature: public key not found
==> BAD/TAMPERED signature detected! <==

What's wrong, how can I fix it, and can I run the install without checking
signatures? Thanks.
Ian

Re: Invalid signature errors, CPAN, gpg

"Ian" wrote in message
news:PqSdnZHSvJW5tHbZnZ2dnUVZ_qKdnZ2d@giganews.com...
> When I try to install some packages (most notably Bundle::CPAN) using
CPAN, I
> get the following errors:
>
> gpg: Signature made Mon Feb 27 01:57:02 2006 EST using DSA key ID A317C15D
> gpg: requesting key A317C15D from x-hkp://pgp.mit.edu:11371 ...
> gpg: no valid OpenPGP data found.
> gpg: Can't check signature: public key not found
> ==> BAD/TAMPERED signature detected! <==
>

Does that terminate the process ?

> What's wrong, how can I fix it, and can I run the install without checking
> signatures? Thanks.

I don't know the answer as I never use CPAN.pm to install modules. I just
manually download the source, extract to some location, 'cd' to that
location and run (in succession) 'perl Makefile.PL', 'make test', and 'make
install'. That way, the problem of verifying gpg signatures is avoided.

Cheers,
Rob

Re: Invalid signature errors, CPAN, gpg

Thanks Rob,

Yes it does terminate the process, otherwise I wouldn't care. The error seems to
occur in two places: before it compiles, I think, which is fatal, and later when
it runs the tests, which I can turn off.

I used CPAN because it did all the interdependencies for me so I wouldn't have
to manually install every module. It was good while it still worked. Oh well.

Ian

Sisyphus wrote:
> "Ian" wrote in message
> news:PqSdnZHSvJW5tHbZnZ2dnUVZ_qKdnZ2d@giganews.com...
>> When I try to install some packages (most notably Bundle::CPAN) using
> CPAN, I
>> get the following errors:
>>
>> gpg: Signature made Mon Feb 27 01:57:02 2006 EST using DSA key ID A317C15D
>> gpg: requesting key A317C15D from x-hkp://pgp.mit.edu:11371 ...
>> gpg: no valid OpenPGP data found.
>> gpg: Can't check signature: public key not found
>> ==> BAD/TAMPERED signature detected! <==
>>
>
> Does that terminate the process ?
>
>> What's wrong, how can I fix it, and can I run the install without checking
>> signatures? Thanks.
>
> I don't know the answer as I never use CPAN.pm to install modules. I just
> manually download the source, extract to some location, 'cd' to that
> location and run (in succession) 'perl Makefile.PL', 'make test', and 'make
> install'. That way, the problem of verifying gpg signatures is avoided.
>
> Cheers,
> Rob
>
>

Re: Invalid signature errors, CPAN, gpg

"Ian" wrote in message
news:r5mdnWoaWPbCVXHZnZ2dnUVZ_oednZ2d@giganews.com...
> Thanks Rob,
>
> Yes it does terminate the process, otherwise I wouldn't care.

I expect that there's a way of avoiding that termination - but, like I said,
I can't really help.

>
> I used CPAN because it did all the interdependencies for me so I wouldn't
have
> to manually install every module.

Yes - that's the temptation it offers. The drawback is that you might have
to spend the time and energy you saved (and more) working out how to get
CPAN.pm to behave as you wish.

Mostly the depenedencies aren't too extensive - but there are exceptions,
and those exceptions will probably increase over time as authors assume that
CPAN.pm is being used, and it therefore doesn't matter if their module needs
20 other obscure modules, because the whole process is automated.

For some reason CPAN.pm really irritates me - to the extent that I just
cannot bring myself to use it. (That's mainly just me, however :-)

Cheers,
Rob