Does 00-signature.t have ANY valid use?

Alias on 2007-12-12T00:17:14

Some time after Audrey got Module::Signature usable, mysterious 00-signature.t test scripts started appearing in distributions.

I noticed mostly because they were a major source of testing failures on Win32, because Win32 generally doesn't have gpg support, and the test then goes on to install a hideous dependency chain from the disgusting swamp of Perl's crypto modules, which almost inevitably fails to install.

It didn't occur to me until later that 00-signature.t isn't actually useful.

While CPAN's normal checksum mechanism protects against accidental file corruption, the purpose of Module::Signature is to cryptographically verify that a module was released by a specific author.

There are clearly some major problems with this approach.

1) Trivially exploitable

Most glaringly, if a hostile entity does attempt to modify a distribution, the very first thing they will do is to delete the 00-signature.t file, or modify it to make it return success.

The very concept of using potentially exploited code to test whether that code has been exploited is utterly irrational.
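An added example, not from the post or from Module::Signature, that models the point in Python (the mechanism is language-independent, so Python is used here rather than Perl so the model runs offline). It builds a toy distribution with a SIGNATURE file, then compares two checks: the in-band one, where the installer runs the 00-signature.t that ships inside the tarball and trusts its verdict, and the out-of-band one, where the client itself verifies the tarball with the author's key before running anything from it. The HMAC stands in for the PGP signature that cpansign produces (a real verifier uses the author's public key); the file names and contents are constructed for the demo.

```python
"""Toy model of in-band (00-signature.t) versus out-of-band (client-side)
verification of a signed distribution. Added example, not Module::Signature code."""
import hashlib
import hmac
import json

# Stand-in for the author's signing key (assumption). A real SIGNATURE file is a
# PGP signature checked with the author's public key; HMAC is used only so that
# this example runs offline. The attacker below never needs the key anyway.
AUTHOR_KEY = b"author-signing-key (assumed)"

SIGNATURE_FILE = "SIGNATURE"
TEST_FILE = "t/00-signature.t"


def digest_manifest(files):
    """SHA-256 of every shipped file except SIGNATURE itself, i.e. a hash manifest."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(files.items()) if name != SIGNATURE_FILE}


def sign_distribution(files, key=AUTHOR_KEY):
    """Author side: SIGNATURE = manifest + MAC over it (the role of 'cpansign -s')."""
    body = json.dumps(digest_manifest(files), sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest().encode()
    files[SIGNATURE_FILE] = body + b"\n" + tag
    return files


def verify_out_of_band(files, key=AUTHOR_KEY):
    """Client side: the installer checks the tarball with a key it already holds,
    before executing anything from the tarball (the role of 'cpansign -v')."""
    sig = files.get(SIGNATURE_FILE)
    if sig is None:
        return False
    body, _, tag = sig.rpartition(b"\n")
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False
    return json.loads(body) == digest_manifest(files)


def run_in_band_test(files):
    """The 00-signature.t way: execute the test script that ships INSIDE the
    distribution and believe whatever it reports. Returns None when the file is
    missing, because then the test suite simply has one test fewer."""
    script = files.get(TEST_FILE)
    if script is None:
        return None
    namespace = {"files": files, "verify": verify_out_of_band, "result": None}
    exec(script.decode(), namespace)  # demo only: code from the artifact under test
    return namespace["result"]


def build_release():
    """Constructed sample distribution, as the author uploads it."""
    files = {
        "lib/Foo.pm": b"package Foo; sub hello { 'hi' } 1;\n",
        # The shipped test just calls the verifier on its own package.
        TEST_FILE: b"result = verify(files)\n",
    }
    return sign_distribution(files)


def tamper(files, neuter_test):
    """Attacker in the distribution path: modify Foo.pm, then deal with the test."""
    evil = dict(files)
    evil["lib/Foo.pm"] = b"package Foo; sub hello { do 'evil.pl'; 'hi' } 1;\n"
    if neuter_test == "delete":
        del evil[TEST_FILE]
    elif neuter_test == "always-pass":
        evil[TEST_FILE] = b"result = True\n"
    return evil


def outcomes():
    """(in-band verdict, out-of-band verdict) for the clean and tampered releases."""
    clean = build_release()
    results = {"clean": (run_in_band_test(clean), verify_out_of_band(clean))}
    for mode in ("none", "delete", "always-pass"):
        evil = tamper(clean, mode)
        results[mode] = (run_in_band_test(evil), verify_out_of_band(evil))
    return results


if __name__ == "__main__":
    for name, (in_band, out_of_band) in outcomes().items():
        print(f"{name:12} 00-signature.t says: {in_band!s:5} client verify says: {out_of_band}")
```

Only a lazy attacker ("none": the file is changed but the test is left alone) is caught by the shipped test; deleting it makes the suite pass vacuously, and replacing its body makes it report success over a modified tree. The client-side check fails in all three tampered cases because it does not depend on anything inside the artifact.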

2) Duplicated Functionality

The CORRECT place for verification testing is in the CPAN client, and indeed CPAN.pm (and I assume CPANPLUS as well) has Module::Signature support (although it doesn't install it by default any more due to the aforementioned bugginess).

So even if signature testing IS possible on that host, the use of 00-signature.t becomes superfluous.

3) Source of Waste

If 00-signature.t was only duplicating, but had perfect installability and was entirely bug free, it would merely be a design flaw with no major impact.

Unfortunately, signature testing is also a source of bugs and test failures in various places, generates spurious FAIL reports for modules, and is basically just a source of make-work.

4) False Sense of Security

Worse still, the existence of 00-signature.t files may lead users to believe they are being protected, when this is not the case.

It also lets authors tick off a box and move on incorrectly, when the REAL focus for improving security should be in the hideous dependency chain for Module::Signature.

To summarize, I think this practice is one we need to stamp out.

I'd like to see a kwalitee point docked if a signature test exists in a distribution, and some education work done to help authors understand this misfeature.


makes sense to me.

markjugg on 2007-12-12T03:04:52

Adam,

I think you make a good case for getting rid of these files.

      Makr

Re:makes sense to me.

markjugg on 2007-12-12T03:05:57

Oops. It's just too bad I didn't notice I spelled my own name wrong before I hit Submit...

You miss the point

LaPerla on 2007-12-12T05:06:49

Of course the real mechanism to verify signatures is out of band. The command that does it is cpansign -v. The 00-signature.t file simply does the equivalent of cpansign -v to verify that it actually works.

Just like tests generally just verify that something does what it intends to do.

Imagine that an author signs his work wrongly. During make disttest he will notice the bug and has a chance to fix the thing before releasing. Just like with any other test.

Re:You miss the point

Alias on 2007-12-12T05:40:31

In which case never, under any circumstances, should this test EVER run during installation.

It should be a compulsory skip, unless something like AUTOMATED_TESTING or AUTHOR_TESTING is enabled.

Re:You miss the point

audreyt on 2007-12-12T07:28:14

Correct. It was intended as a convenience measure for "make disttest", that's all.

The standard boilerplate 0-signature.t (as documented in Module::Signature's POD) has this opening:

print "1..1\n";   # TAP plan: the file contains exactly one test

if (!$ENV{TEST_SIGNATURE}) {
    print "ok 1 # skip set the environment variable TEST_SIGNATURE to enable this test\n";
    exit;   # reported as a skip, nothing further runs when the variable is unset
}
Which satisfies the compulsory skip requirement via the environment variable TEST_SIGNATURE.

Re:You miss the point

Alias on 2007-12-12T23:41:07

Do you think it's necessary to have its own TEST_SIGNATURE flag?

If the contexts in which it should be used are clear, perhaps it would be better to flag it on AUTOMATED_TESTING or a context-appropriate flag.

Hallo Adam

sir_lichtkind on 2007-12-13T02:28:11

I write you this way because mail seems to fail and your post on my blog is too old for a reply to be noticed by you.

First, thanks for the attention. I'm really pushing it now for a CPAN release, but please notice that I have a little different viewpoint on some things.

I really admire your skills in carrying out loads of modules in high quality, but please trust me, GUI user apps are different territory. I impelled myself the last 2 months and did nearly every day a nightly release. I cleaned up shitloads of nasty details and bugs, updated docs, rounded up features, because I believe that without a really good 0.4 release we don't get very far.

It's also because I use it daily, and only if I'm satisfied with its progress do I have the motivation to work on. I have many, many things to synchronize in my head. Even with the name found (with help of a gifted girlfriend of mine) and the new web site online, there is still much pressure left: the final switch to your install system, the CPAN upload, the config dialog (the last big important feature toward 0.4), keeping my users happy, and so on, all very important to me.

But I try to synch that with my other stuff, and if you forgive me, I first want to test how it is to release something on CPAN with a minor update of Perl6::Bible, which I took over from Audrey a long time ago. I just managed today to come around some troubles and install Module::Signature from an older ppm (sorry, couldn't use Vanilla) to start this effort.

best
herbert

Re:Hallo Adam

Alias on 2007-12-13T23:12:27

Module::Signature is not necessary to release to CPAN.

Re:Hallo Adam

sir_lichtkind on 2007-12-14T13:39:48

I'm not that experienced, but P6bible has a signature file. To generate the new sigs I thought I need Module::Sig.

Re:Hallo Adam

Alias on 2007-12-15T02:56:46

It's not strictly needed for you to release with a signature file, even if Audrey does.

This is especially so if you are in Windows, as the support for Module::Signature on Win32 is weak.