Some time after Audrey got Module::Signature usable, mysterious 00-signature.t test scripts started appearing in distributions.
I noticed mostly because they were a major source of testing failures on Win32, which generally doesn't have gpg support, so Module::Signature goes on to install a hideous dependency chain from the disgusting swamp of Perl's crypto modules, which almost inevitably fails to install.
It didn't occur to me until later that 00-signature.t isn't actually useful.
While CPAN's normal checksum mechanism protects against accidental file corruption, the purpose of Module::Signature is to cryptographically verify that a module was released by a specific author.
There are clearly some major problems with this approach.
1) Trivially exploitable
Most glaringly, if a hostile entity does modify a distribution, the very first thing they will do is delete the 00-signature.t file, or change it so that it reports success.
Using potentially compromised code to test whether that code has been compromised is utterly irrational: the check lives inside the very artifact it is supposed to check, so whoever controls the artifact controls the check.
2) Duplicated Functionality
The CORRECT place for verification is in the CPAN client, and indeed CPAN.pm (and I assume CPANPLUS as well) has Module::Signature support (although CPAN.pm no longer installs Module::Signature by default, due to the aforementioned bugginess).
So even where signature checking IS possible on a host, 00-signature.t is superfluous: the client has already verified the distribution, from outside it, before any of its tests run.
3) Source of Waste
If 00-signature.t only duplicated functionality but installed perfectly and was entirely bug free, it would be a design flaw with no major impact.
Unfortunately, signature testing is also a source of bugs and test failures in various places, generates spurious FAIL reports for modules, and is basically just make-work.
4) False Sense of Security
Worse still, the existence of 00-signature.t files may lead users to believe they are being protected, when this is not the case.
It also lets authors tick a box and move on, when the REAL focus for improving security should be the hideous dependency chain behind Module::Signature.
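To make points 1 and 2 concrete, here is a small model of the trust boundary involved. This is an added example, not code from this post, from Module::Signature or from CPAN.pm: the distribution is a constructed dict of file contents, the "signature" is an HMAC over a SHA-256 manifest standing in for the author's GPG signature, the shipped 00-signature.t is written as Python source rather than Perl, and the function names (make_dist, tamper, install_trusting_shipped_tests, install_with_client_verification) are hypothetical. The one thing it does demonstrate faithfully is that a check shipped inside the artifact is rewritten along with the artifact, while the same check performed by the installer against a key it already trusts is not.

```python
import hashlib
import hmac

# Constructed stand-in for the author's GPG key. HMAC is symmetric, so the
# same bytes sign and verify; read VERIFY_KEY as the published public key
# that the client already trusts independently of the tarball.
AUTHOR_KEY = b"constructed-author-signing-key"
VERIFY_KEY = AUTHOR_KEY

# Shape of the shipped 00-signature.t: pass only if SIGNATURE verifies
# against the tree it is sitting in. (Python source here, Perl in reality.)
SIGNATURE_TEST = b'result = verify(files, VERIFY_KEY) == "SIGNATURE_OK"\n'


def manifest(files):
    """Digest list of every file except SIGNATURE itself; this is what gets signed."""
    lines = [
        f"SHA256 {hashlib.sha256(files[name]).hexdigest()} {name}"
        for name in sorted(files)
        if name != "SIGNATURE"
    ]
    return "\n".join(lines).encode()


def sign(files, key):
    return hmac.new(key, manifest(files), hashlib.sha256).hexdigest().encode()


def verify(files, key):
    """Status strings modelled on Module::Signature's result constants."""
    sig = files.get("SIGNATURE")
    if sig is None:
        return "SIGNATURE_MISSING"
    if hmac.compare_digest(sig, sign(files, key)):
        return "SIGNATURE_OK"
    return "SIGNATURE_BAD"


def make_dist():
    """Constructed distribution, name -> bytes, as an unpacked tarball."""
    files = {
        "lib/Foo.pm": b"package Foo;\nsub hello { 'hello' }\n1;\n",
        "Makefile.PL": b"use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Foo');\n",
        "t/00-signature.t": SIGNATURE_TEST,
    }
    files["SIGNATURE"] = sign(files, AUTHOR_KEY)
    return files


def run_tests(files):
    """Run every t/*.t shipped inside the distribution, as `make test` would."""
    for name, source in files.items():
        if not name.startswith("t/"):
            continue
        ns = {"verify": verify, "files": files, "VERIFY_KEY": VERIFY_KEY, "result": False}
        exec(source, ns)  # the test script is itself part of the untrusted artifact
        if not ns["result"]:
            return False
    return True


def install_trusting_shipped_tests(files):
    """Point 1: the only check is the one the tarball brought with it."""
    return run_tests(files)


def install_with_client_verification(files, key):
    """Point 2: the client verifies against its own trusted key before running anything."""
    return verify(files, key) == "SIGNATURE_OK" and run_tests(files)


def tamper(files):
    """Attacker edits the module and neutralises the shipped test in the same change."""
    evil = dict(files)
    evil["lib/Foo.pm"] = b"package Foo;\n# backdoor goes here\nsub hello { 'hello' }\n1;\n"
    evil["t/00-signature.t"] = b"result = True\n"  # or simply delete the file
    return evil


if __name__ == "__main__":
    good, bad = make_dist(), tamper(make_dist())
    print("genuine, shipped test only:", install_trusting_shipped_tests(good))            # True
    print("tampered, shipped test only:", install_trusting_shipped_tests(bad))            # True
    print("tampered, client verifies:", install_with_client_verification(bad, VERIFY_KEY))  # False
```

The tampered tree still passes its own 00-signature.t because the attacker rewrote that test along with lib/Foo.pm; the same tree fails the moment the verification runs in the installer with a key the tarball could not touch. Treating anything other than SIGNATURE_OK as a refusal is a policy choice made for this model; it is not a description of how CPAN.pm handles a missing SIGNATURE file.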
To summarize, I think this practice is one we need to stamp out.
I'd like to see a kwalitee point docked if a signature test exists in a distribution, and some education work done to help educate authors about this misfeature.