                       User-Visible PGP::Sign Changes

PGP::Sign 1.04 (2020-11-14)

    PGP::Sign 1.00 and later failed to sign input that's larger than can
    be held by the operating system pipe buffer because IPC::Run set the
    input pipe to non-blocking. Fix this by using a non-blocking write in
    a select loop, and avoid a deadlock by using a pipe for the passphrase
    as well instead of a scalar.

PGP::Sign 1.03 (2020-09-12)

    Document that GnuPG 2.1.23 or GnuPG 1.4.20 or later is required and
    skip tests on platforms that do not meet those version requirements.
    The alternative would be auto-discovery of which command-line flags to
    use and these version requirements are met by Debian stable (and
    Debian oldstable with backports), so hopefully this restriction will
    not cause too much hardship.

PGP::Sign 1.02 (2020-08-29)

    On systems where gpg is GnuPG v1, override the path to the gpg binary
    in the test suite. Some tests were still incorrectly looking for a
    gpg1 binary.

    On systems where gpg as found on the PATH is GnuPG v2 but is older
    than 2.1.12 and therefore doesn't support the command-line arguments
    PGP::Sign uses, skip the relevant tests. Tests are skipped rather
    than failed because this doesn't represent a problem with the module
    and the module can still be used with explicit configuration pointing
    to a different version of GnuPG.

PGP::Sign 1.01 (2020-07-18)

    Fix test suite to pass on systems where gpg is GnuPG v1. This is
    apparently still common among many CPAN tester machines, and thus
    probably other systems in the wild. This does not change the module's
    default behavior; systems using GnuPG v1 still need to pass an
    explicit style => 'GPG1' argument to the PGP::Sign constructor.

    Update to rra-c-util 8.3:

    * Fix style issues caught by Perl::Critic::Freenode.
    * Ignore debian/changelog when checking for obsolete strings.
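
    The 1.04 entry above describes its fix as a non-blocking write in a
    select loop. The following is an added illustration of that pattern,
    not PGP::Sign's own code: it assumes IPC::Open2 instead of IPC::Run, a
    cat child as a stand-in for gpg, and constructed input, and it covers
    only the data pipe, not the passphrase pipe.

```perl
#!/usr/bin/perl
# Added example: push more data through a child than a pipe buffer holds,
# using non-blocking writes in a select loop while draining the output.
use 5.020;
use warnings;
use IO::Handle;
use IO::Select;
use IPC::Open2 qw(open2);

# Constructed input: 1 MiB, far more than a typical 64 KiB pipe buffer.
my $line  = ('x' x 1023) . "\n";
my $input = $line x 1024;

# Assumption: cat stands in for gpg (reads stdin, writes stdout).
my $pid = open2(my $from_child, my $to_child, 'cat');
$to_child->blocking(0);
local $SIG{PIPE} = 'IGNORE';    # report EPIPE from syswrite instead of dying

my ($offset, $output) = (0, q{});
my $readers = IO::Select->new($from_child);
my $writers = IO::Select->new($to_child);

while ($readers->count) {
    my ($can_read, $can_write)
      = IO::Select->select($readers, $writers->count ? $writers : undef);
    for my $fh (@{ $can_write // [] }) {
        my $n = syswrite($fh, $input, 65536, $offset);
        if (!defined $n) {
            next if $!{EAGAIN} || $!{EWOULDBLOCK} || $!{EINTR};
            die "write to child failed: $!\n";
        }
        $offset += $n;    # partial writes are normal; resume from here
        if ($offset >= length $input) {
            $writers->remove($fh);
            close $fh;    # EOF tells the child the input is complete
        }
    }
    for my $fh (@{ $can_read // [] }) {
        my $n = sysread($fh, $output, 65536, length $output);
        die "read from child failed: $!\n" if !defined $n;
        if ($n == 0) { $readers->remove($fh); close $fh }
    }
}
waitpid($pid, 0);
die "child exited with status $?\n" if $? != 0;
say 'round trip ', ($output eq $input ? 'ok' : 'MISMATCH'), ': ',
  length($output), ' bytes';
```

    A single write to the non-blocking handle would stop at the pipe buffer
    size; tracking the offset and waiting for writability is what lets the
    whole input through.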

PGP::Sign 1.00 (2020-06-27)

    Drop support for all PGP implementations other than GnuPG. I haven't
    seen a working copy of the old commercial PGP implementations in years
    and no longer have any way to test PGP::Sign with them.

    Require a minimum Perl version of 5.20 and stop attempting to support
    versions of Perl back to 5.003, which are now impossible to test with
    and are missing many modern Perl features.

    Add a new object-oriented API. This avoids global variables and
    global state, provides a simpler API that doesn't require or support
    the now-obsolete version string, and calls croak on errors. The
    legacy API of pgp_sign, pgp_verify, and pgp_error is still supported
    but is now implemented in terms of the object-oriented API. The new
    API should be used for all new code.

    Add support for GnuPG v2. GnuPG v2 is chosen by setting the style
    constructor parameter or $PGP::Sign::PGPSTYLE to "GPG", which is now
    the default. Be aware that GnuPG v2 does not support creating
    signatures that can be verified with PGP 2.6.2. To support older keys
    and signatures, set the style constructor parameter or
    $PGP::Sign::PGPSTYLE to "GPG1", which uses GnuPG v1 configured to be
    backward-compatible with PGP 2.6.2.

    Status output from GnuPG is now kept separate from human-readable log
    and error output for more reliable parsing. This will change the
    order of GnuPG output in reported error messages. The human-readable
    output will always be first, followed by the status messages.

    Pass --allow-weak-digest-algos to GnuPG so it can use old keys and
    verify signatures from old keys, such as those created with PGP 2.6.2.

    pgp_sign, when called in array context, now always returns "GnuPG" as
    the version string, and the version passed into pgp_verify is always
    ignored. Including the OpenPGP implementation version information in
    signatures is obsolete; GnuPG no longer does it by default and it
    serves no useful purpose.

    When calling pgp_sign multiple times in the same process with
    whitespace munging enabled, trailing whitespace without a newline
    could have leaked into the next invocation of pgp_sign, resulting in
    an invalid signature. Clear any remembered whitespace between
    pgp_sign invocations.

    PGP::Sign now depends on IPC::Run and uses it to talk to GnuPG instead
    of hand-rolling equivalent functionality with IPC::Open3.

    Use File::Temp to create temporary files. This should significantly
    improve the safety of temporary file creation. The default directory
    for temporary file creation is now whatever directory File::Temp
    chooses by default. It can still be overridden by setting the tmpdir
    constructor parameter or $PGP::Sign::TMPDIR.

    Rewrite the build system to use Module::Build. This eliminates the
    spurious VERSION.pm "module" at the top level, which was a hack for
    setting the distribution version in old versions of
    ExtUtils::MakeMaker and should improve the indexing of the module.
    Move the module into a lib structure and the test suite data into
    t/data. Eliminate all of the prompting and command-line parameters to
    set the PGP style and path to programs; instead, PGP::Sign will
    default to using gpg1 from the user's PATH.

    Rewrite ChangeLog into a more conventional Changes file.

PGP::Sign 0.20 (2007-04-27)

    Unbuffer output when building the module since there is an interactive
    prompt.

PGP::Sign 0.19 (2004-08-08)

    Replace verification code for GnuPG with code that uses --status-fd,
    so that it will work independent of locale.

    Document limitations in the error reporting and recommended setting
    TMPDIR.
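
    The 0.19 and 1.00 entries above move verification onto GnuPG's
    --status-fd output, kept apart from human-readable text. The following
    is an added illustration of deciding a verification result from status
    lines only, not PGP::Sign's own code: signer_from_status is a
    hypothetical helper, and the sample output, key ID, and user ID are
    constructed.

```perl
#!/usr/bin/perl
# Added example: decide a verification result from "[GNUPG:] " status
# lines alone, so localized human-readable text cannot affect the outcome.
use 5.020;
use warnings;

# Hypothetical helper.  Return the signing key ID when the status stream
# reports a good signature and no failure, or undef otherwise.
sub signer_from_status {
    my ($status) = @_;
    my ($signer, $failed);
    for my $line (split m{\r?\n}, $status) {
        my ($keyword, $rest)
          = $line =~ m{ \A \[GNUPG:\] [ ] (\S+) (?: [ ] (.*) )? \z }xms
          or next;    # not a status line: ignore it entirely
        if ($keyword eq 'GOODSIG') {
            ($signer) = split q{ }, $rest // q{};
        } elsif ($keyword
            =~ m{ \A (?: BADSIG | ERRSIG | EXPSIG | EXPKEYSIG | REVKEYSIG ) \z }xms)
        {
            $failed = 1;    # any failure keyword overrides a GOODSIG
        }
    }
    return $failed ? undef : $signer;
}

# Constructed samples.  The key ID and user ID are placeholders, and the
# German text imitates localized log output mixed into the same stream.
my $good = <<'EOS';
gpg: Korrekte Signatur von "Example Signer <signer@example.org>"
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
EOS
my $bad = <<'EOS';
gpg: FALSCHE Signatur von "Example Signer <signer@example.org>"
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
EOS

say 'good: ', signer_from_status($good) // 'rejected';
say 'bad:  ', signer_from_status($bad)  // 'rejected';
```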

PGP::Sign 0.18 (2004-08-04)

    Remove trustdb.gpg from the distribution and add it to the files
    cleaned by make clean.

PGP::Sign 0.17 (2002-06-28)

    Skip the test for verification of data with trailing whitespace when
    run under GnuPG, since the whitespace behavior changes from release to
    release. GnuPG 1.0.2 is back to the previous behavior of releases
    before GnuPG 1.0.1.

    Update CAVEATS to be slightly less optimistic about the chances of a
    major overhaul. Add a URL for RFC 2440 and this module's web site.
    Add a COPYRIGHT AND LICENSE section. Update the markup in the
    documentation.

PGP::Sign 0.16 (2000-02-12)

    Add support for PGP 6.5, including a new PGPSTYLE setting.

    Add a waitpid call to pgp_verify() to avoid leaving zombies behind.

    Document the change in trailing whitespace handling in GnuPG 1.0.1.

PGP::Sign 0.15 (1999-06-13)

    Clear the close-on-exec flag on the passphrase pipe in pgp_sign(),
    required for Perl 5.005_03.

    Document that PGP may want to write randseed.bin to its keyring
    directory when run.

PGP::Sign 0.14 (1999-02-10)

    Add support for GnuPG and PGP 5.0. This includes a new PGPSTYLE
    global variable, support for separate programs for signing and
    verification and lots of choosing between styles all over the code.
    Document the incompatibilities between different versions with respect
    to whitespace munging.

    Add support for passing overrides for PGP paths and PGPSTYLE
    configuration settings via a paths file in the top-level directory
    instead of on the command line of makepm.PL.

PGP::Sign 0.13 (1998-12-04)

    Allow setting the path to PGP on the command line when running perl
    Makefile.PL.

PGP::Sign 0.12 (1998-12-02)

    Ensure the path to PGP input by the user during the build process
    overrides any other path to PGP found by the build system.

PGP::Sign 0.11 (1998-11-27)

    Prevent ExtUtils::MakeMaker from spuriously generating a
    PGP::PGP::Sign man page.

    Add ABSTRACT and AUTHOR to Makefile.PL for Perl versions 5.005 and
    higher.

PGP::Sign 0.10 (1998-11-26)

    Fix a bug in finding the PGP version number of a signature.

    Add support for the $PGP::Sign::PGPPATH configuration variable.

    Clean up and reformat the documentation, add information about PGP
    environment variables, and document the lack of support for PGP v5 and
    GnuPG.

    Add a test suite.

PGP::Sign 0.9 (1998-07-05)

    Fix the code for getting the exit status of PGP to call waitpid on a
    specific PID, avoiding getting the status of some other child
    process.

    Explicitly set $/ in case the calling program had it set to something
    odd.

PGP::Sign 0.8 (1997-08-18)

    Explicitly set a umask of 077 in pgp_verify() (and restore it on
    completion) since we're creating temporary files.

    Add a check to pgp_sign() to make sure we got a signature.

PGP::Sign 0.7 (1997-08-15)

    Use O_EXCL when opening files in /tmp to avoid symlink attacks.

PGP::Sign 0.6 (1997-08-15)

    Add support for $PGP::Sign::MUNGE, which says to remove trailing
    whitespace from each line before passing it to PGP.

PGP::Sign 0.5 (1997-07-28)

    Fix some minor documentation nits.

PGP::Sign 0.4 (1997-07-28)

    Change signature verification code to verify detached signatures
    instead of attached ones, and add a $PGP::Sign::TMPDIR variable to
    specify where the temporary files should be created.

    Remove support for $PGP::Sign::ORS, which was a hack that's no longer
    necessary. Adding newlines before the signature can be done by the
    caller of the module.

    Add a pgp_error() function to retrieve the error message from the last
    command.

PGP::Sign 0.3 (1997-07-27)

    Add pgp_verify().

PGP::Sign 0.2 (1997-07-27)

    Use @PGP::Sign::ERROR correctly to store errors from pgp_sign().

    Add documentation.

    Fix some minor bugs.

PGP::Sign 0.1 (1997-07-27)

    Initial version, only supporting signature creation.