
http://ali.as/

Journal of Alias (5735)

Tuesday December 11, 2007
07:17 PM

Does 00-signature.t have ANY valid use?

[ #35088 ]

Some time after Audrey got Module::Signature usable, mysterious 00-signature.t test scripts started appearing in distributions.

I noticed mostly because they were a major source of test failures on Win32: it generally has no gpg, so Module::Signature falls back on a hideous dependency chain from the disgusting swamp of Perl's crypto modules, which almost inevitably fails to install.

It didn't occur to me until later that 00-signature.t isn't actually useful.

CPAN's normal CHECKSUMS mechanism protects against accidental file corruption, which is an integrity check. The purpose of Module::Signature is different: to cryptographically verify that a distribution was released by a specific author, which is a claim about origin, not just integrity.

There are clearly some major problems with this approach.

1) Trivially exploitable

Most glaringly, if a hostile entity does modify a distribution, the very first thing they will do is delete the 00-signature.t file, or edit it so that it always reports success.

The very concept of using potentially compromised code to test whether that code has been compromised is utterly irrational. It also runs too late: by the time make test reaches 00-signature.t, the installer has already run perl Makefile.PL (or Build.PL) from the same untrusted tarball.

2) Duplicated Functionality

The CORRECT place for verification is in the CPAN client, and indeed CPAN.pm (and I assume CPANPLUS as well) has Module::Signature support, although it no longer installs Module::Signature by default because of the aforementioned bugginess.

So even on a host where signature checking IS possible, 00-signature.t is superfluous: the client has either already verified the signature before running any of the distribution's code, or has been configured not to.
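Points 1 and 2 above, the in-band test that an attacker simply removes and the client-side check that actually protects the user, in one constructed model. This is an added example, not code from this post, from CPAN.pm or from Module::Signature. Its assumptions: the distribution is an in-memory map of files; the SIGNATURE layout of one "SHA256 <hex> <path>" digest line per MANIFEST entry is modelled on Module::Signature's digest lines; an Ed25519 signature in a "SIG <hex>" trailer stands in for the PGP clearsign Module::Signature really uses (so it runs without gpg); the in-band test is reduced to a marker that a toy "make test" interprets; and Tamper is a hypothetical attacker edit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

type Dist map[string][]byte // an unpacked distribution tarball: relative path -> contents

// NewDist is a constructed sample distribution (assumed layout, not a real upload); its in-band test
// is reduced to a marker that the toy "make test" in InBandTest interprets.
func NewDist() Dist {
	return Dist{
		"lib/Foo.pm":       []byte("package Foo;\nsub hello { 'hi' }\n1;\n"),
		"Makefile.PL":      []byte("use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Foo');\n"),
		"t/00-signature.t": []byte("verify\n"),
		"MANIFEST":         []byte("lib/Foo.pm\nMakefile.PL\nMANIFEST\nSIGNATURE\nt/00-signature.t\n"),
	}
}

// digestLines builds the signed body of SIGNATURE: one "SHA256 <hex> <path>" line per MANIFEST
// entry, in MANIFEST order, skipping SIGNATURE itself (Module::Signature's digest lines look alike).
func digestLines(d Dist) (string, error) {
	if _, ok := d["MANIFEST"]; !ok {
		return "", fmt.Errorf("MANIFEST missing")
	}
	var b strings.Builder
	for _, path := range strings.Split(strings.TrimSpace(string(d["MANIFEST"])), "\n") {
		if path = strings.TrimSpace(path); path == "" || path == "SIGNATURE" {
			continue
		}
		content, ok := d[path]
		if !ok {
			return "", fmt.Errorf("%s is listed in MANIFEST but missing", path)
		}
		fmt.Fprintf(&b, "SHA256 %x %s\n", sha256.Sum256(content), path)
	}
	return b.String(), nil
}

// Sign is the author's release-time step (the role of `cpansign -s`): digest lines, then a "SIG <hex>"
// trailer. Ed25519 stands in for the PGP clearsign Module::Signature really uses, so no gpg is needed.
func Sign(d Dist, priv ed25519.PrivateKey) error {
	body, err := digestLines(d)
	if err == nil {
		d["SIGNATURE"] = []byte(body + "SIG " + hex.EncodeToString(ed25519.Sign(priv, []byte(body))) + "\n")
	}
	return err
}

// VerifyOutOfBand is what the CPAN client must do on the unpacked tree before `perl Makefile.PL`
// runs: the trusted public key comes from the client, never from anything inside the tarball.
func VerifyOutOfBand(d Dist, pub ed25519.PublicKey) error {
	body, sigHex, found := strings.Cut(string(d["SIGNATURE"]), "SIG ")
	sig, err := hex.DecodeString(strings.TrimSpace(sigHex))
	if !found || err != nil || !ed25519.Verify(pub, []byte(body), sig) { // authenticity
		return fmt.Errorf("SIGNATURE missing, or its digest list is not signed by the expected key")
	}
	if got, err := digestLines(d); err != nil || got != body { // integrity; MANIFEST is itself in the list
		return fmt.Errorf("digest mismatch: files changed, added or removed after signing")
	}
	return nil
}

// InBandTest models `make test`: a t/00-signature.t that asks for verification runs the same check
// (the real test fetches the key from a keyserver); any other content, or no file at all, passes.
func InBandTest(d Dist, pub ed25519.PublicKey) bool {
	if s, ok := d["t/00-signature.t"]; ok && strings.TrimSpace(string(s)) == "verify" {
		return VerifyOutOfBand(d, pub) == nil
	}
	return true
}

// Tamper is a hypothetical attacker edit, in place: backdoor lib/Foo.pm, then either stub the
// in-band test to an unconditional "ok 1" or delete it. SIGNATURE is left exactly as signed.
func Tamper(d Dist, stubTest bool) Dist {
	d["lib/Foo.pm"] = []byte("package Foo;\nsub hello { 'backdoored' }\n1;\n")
	d["t/00-signature.t"] = []byte("print \"1..1\\nok 1\\n\";\n")
	if !stubTest {
		delete(d, "t/00-signature.t")
	}
	return d
}

type Outcome struct{ ClientRejects, TestPasses bool } // what the two checks say about one tree

// Scenario signs fresh sample distributions and reports the genuine, test-deleted and test-stubbed outcomes.
func Scenario() (genuine, deleted, stubbed Outcome, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	signed := func() Dist { d := NewDist(); err = Sign(d, priv); return d }
	check := func(d Dist) Outcome { return Outcome{VerifyOutOfBand(d, pub) != nil, InBandTest(d, pub)} }
	genuine, deleted, stubbed = check(signed()), check(Tamper(signed(), false)), check(Tamper(signed(), true))
	return
}

func main() {
	fmt.Println(Scenario()) // {false true} {true true} {true true} <nil>
}
```

Run it with `go run` and the three outcomes read: the genuine release passes both checks; with the test deleted, and again with it stubbed, the tarball's own `make test` still says ok while the client's out-of-band check rejects the tree. Only the second check can be trusted, and only if the client runs it before touching Makefile.PL.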

3) Source of Waste

If 00-signature.t merely duplicated the client's check, but installed perfectly and were entirely bug free, it would be a design flaw with no major impact.

Unfortunately, signature testing is also a source of bugs and test failures in various places, generates spurious FAIL reports for modules, and is basically just make-work.

4) False Sense of Security

Worse still, the existence of 00-signature.t files may lead users to believe they are being protected when they are not.

It also lets authors tick a box and move on, believing the job done, when the REAL focus for improving security should be the hideous dependency chain behind Module::Signature.

To summarize, I think this practice is one we need to stamp out.

I'd like to see a kwalitee point docked if a signature test exists in a distribution, and some education work done to help authors understand this misfeature.

  • Adam,

    I think you make a good case for getting rid of these files.

          Makr
    • Oops. It's just too bad I didn't notice I'd spelled my own name wrong before I hit Submit...
  • Of course the real mechanism to verify signatures is out of band. The command that does it is cpansign -v. The 00-signature.t file simply does the equivalent of cpansign -v to verify that it actually works.

    Just like tests generally just verify that something does what it intends to do.

    Imagine that an author signs his work wrongly. During make disttest he will notice the bug and have a chance to fix the thing before releasing. Just like with any other test.

    • In which case never, under any circumstances, should this test EVER run during installation.

      It should be a compulsory skip, unless something like AUTOMATED_TESTING or AUTHOR_TESTING is enabled.
      • Correct. It was intended as a convenience measure for "make disttest", that's all.

        The standard boilerplate 0-signature.t (as documented in Module::Signature's POD) has this opening:

        if (!$ENV{TEST_SIGNATURE}) {
            print "ok 1 # skip set the environment variable TEST_SIGNATURE to enable this test\n";
        }
        Which satisfies the compulsory skip requirement via the environment variable TEST_SIGNATURE.
        • Do you think it's necessary to have its own TEST_SIGNATURE flag?

          If the contexts in which it should be used are clear, perhaps it would be better to flag it on AUTOMATED_TESTING or a context-appropriate flag.
  • I write you this way because mail seems to fail and your post on my blog is too old for a reply to be noticed by you.

    First, thanks for the attention. I'm really pushing it now for a CPAN release, but please notice that I have a slightly different viewpoint on some things.

    I really admire your skill at carrying out loads of modules in high quality, but please trust me, GUI user apps are different territory. I impelled myself for the last 2 months and did nearly every day a nightly release. I cleaned up shitloads of nasty details an
    • Module::Signature is not necessary to release to CPAN.
      • I'm not that experienced, but P6bible has a signature file. To generate the new sigs I thought I needed Module::Sig.
        • It's not strictly needed for you to release with a signature file, even if Audrey does.

          This is especially so if you are in Windows, as the support for Module::Signature on Win32 is weak.