                            PGP::Sign 1.03
              (create and verify detached PGP signatures)
               Maintained by Russ Allbery <rra@cpan.org>

  Copyright 1997-2000, 2002, 2004, 2018, 2020 Russ Allbery <rra@cpan.org>.
  This software is distributed under the same terms as Perl itself.
  Please see the section LICENSE below for more information.

BLURB

  PGP::Sign is a Perl module for generating and verifying detached OpenPGP
  signatures of textual data using GnuPG.  It was written to support
  Netnews article signatures for signed control messages and PGPMoose.

DESCRIPTION

  PGP::Sign is a Perl module that can generate and verify OpenPGP
  signatures on some data.  Currently, only textual data (data that can be
  processed using GnuPG's --textmode option) is supported.  It uses GnuPG
  under the hood to do the work.

  The original purpose of this module was to factor out common code in a
  News::Article class written by Andrew Gierth that handled PGPMoose and
  control message signatures.  It is used to verify control message
  signatures for the ftp.isc.org Netnews metadata archive, and to generate
  signed control messages for the Big Eight Usenet hierarchies.

  Data to be signed or verified can be passed into PGP::Sign in a wide
  variety of formats: scalars, arrays, open files, even code references
  that act as generators.  Keys with passphrases are supported and the
  passphrase is passed to GnuPG securely (although getting the passphrase
  to the PGP::Sign module is a problem for the calling application).

  This module supports both GnuPG v2 and GnuPG v1 and, when used with
  GnuPG v1, supports using OpenPGP keys and generating and verifying
  signatures that are backward-compatible with PGP 2.6.2.

  PGP::Sign provides both a (recommended) object-oriented API and a
  (legacy) function-based API that uses global variables for configuration
  and is backward-compatible with earlier versions of PGP::Sign.
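
  The object-oriented API described above, shown in an added example that
  is not part of the PGP::Sign distribution.  It signs from an array
  reference, verifies from a code-reference generator, and checks that an
  altered copy is rejected.  The keyring directory and key ID are
  placeholders, and PGP_SIGN_PASSPHRASE is a hypothetical environment
  variable chosen for this example.

```perl
#!/usr/bin/perl
# Added example: sign with one data-source form, verify with another.
use 5.020;
use warnings;

use PGP::Sign;

# Assumptions: placeholder keyring directory and key ID; substitute your own.
# PGP_SIGN_PASSPHRASE is a hypothetical variable name chosen for this example.
my $home       = '/path/to/gnupg-home';
my $keyid      = '<some-key-id>';
my $passphrase = $ENV{PGP_SIGN_PASSPHRASE}
  // die "PGP_SIGN_PASSPHRASE is not set\n";

# Constructed sample data in the shape of a control message.
my @message = (
    "Control: newgroup example.test\n",
    "\n",
    "example.test\tConstructed sample group.\n",
);

# style defaults to GnuPG v2; pass style => 'GPG1' to drive GnuPG v1 instead.
my $pgp = PGP::Sign->new({ home => $home });

# Sign from an array reference.  sign() croaks if GnuPG fails, so trap it.
my $signature = eval { $pgp->sign($keyid, $passphrase, \@message) };
die "signing failed: $@" if !defined $signature;

# Verify the same data delivered by a generator: the code reference is
# called until it returns undef.
my @queue  = @message;
my $signer = $pgp->verify($signature, sub { shift @queue });
die "signature did not verify\n" if $signer eq q{};
say "good signature from: $signer";

# A changed message must fail.  verify() returns the empty string for a bad
# signature and croaks on other errors; treat both as rejection.
my @tampered = @message;
$tampered[0] =~ s/newgroup/rmgroup/;
my $result = eval { $pgp->verify($signature, \@tampered) } // q{};
say $result eq q{}
  ? 'tampered copy rejected'
  : 'UNEXPECTED: tampered copy accepted';
```

  Treat the empty string from verify() as the only "bad signature" result
  and compare the returned user ID against the signer you expect, since a
  valid signature from any key in the keyring also returns a user ID.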

REQUIREMENTS

  Perl 5.20 or later and Module::Build are required to build this module,
  and IPC::Run is required to use it.  Either GnuPG v2 (version 2.1.23 or
  later) or GnuPG v1 (version 1.4.20 or later) is also required.  The
  implementation of GnuPG can be selected at runtime.

  PGP::Sign requires the ability to redirect higher-numbered file
  descriptors via IPC::Run, and thus will not work on Windows unless Perl
  is built with some UNIX emulation layer that supports this.  It has also
  never been tested with Gpg4win.

BUILDING AND INSTALLATION

  PGP::Sign uses Module::Build and can be installed using the same process
  as any other Module::Build module:

      perl Build.PL
      ./Build
      ./Build install

  You will have to run the last command as root unless you're installing
  into a local Perl module tree in your home directory.

TESTING

  PGP::Sign comes with a test suite, which you can run after building
  with:

      ./Build test

  If a test fails, you can run a single test with verbose output via:

      ./Build test --test_files <path-to-test>

  If the gpg binary found first on the PATH is too old, the tests will be
  skipped rather than fail.  This may not always be desirable, since the
  module is not usable on such a system without configuration, but the
  module can still be configured to use a GnuPG binary found elsewhere and
  therefore this doesn't represent an error in the module itself.

  The following additional Perl modules will be used by the test suite if
  present:

  * Devel::Cover
  * Perl::Critic::Freenode
  * Test::MinimumVersion
  * Test::Perl::Critic
  * Test::Pod
  * Test::Pod::Coverage
  * Test::Spelling
  * Test::Strict
  * Test::Synopsis

  All are available on CPAN.  Those tests will be skipped if the modules
  are not available.

  To enable tests that don't detect functionality problems but are used to
  sanity-check the release, set the environment variable RELEASE_TESTING
  to a true value.  To enable tests that may be sensitive to the local
  environment or that produce a lot of false positives without uncovering
  many problems, set the environment variable AUTHOR_TESTING to a true
  value.

SUPPORT

  The PGP::Sign web page at:

      https://www.eyrie.org/~eagle/software/pgp-sign/

  will always have the current version of this package, the current
  documentation, and pointers to any additional resources.

  For bug tracking, use the CPAN bug tracker at:

      https://rt.cpan.org/Dist/Display.html?Name=PGP-Sign

  However, please be aware that I tend to be extremely busy and work
  projects often take priority.  I'll save your report and get to it as
  soon as I can, but it may take me a couple of months.

SOURCE REPOSITORY

  PGP::Sign is maintained using Git.  You can access the current source on
  GitHub at:

      https://github.com/rra/pgp-sign

  or by cloning the repository at:

      https://git.eyrie.org/git/perl/pgp-sign.git

  or view the repository via the web at:

      https://git.eyrie.org/?p=perl/pgp-sign.git

  The eyrie.org repository is the canonical one, maintained by the author,
  but using GitHub is probably more convenient for most purposes.  Pull
  requests are gratefully reviewed and normally accepted.  It's probably
  better to use the CPAN bug tracker than GitHub issues, though, to keep
  all Perl module issues in the same place.

LICENSE

  The PGP::Sign package as a whole is covered by the following copyright
  statement and license:

    Copyright 1997-2000, 2002, 2004, 2018, 2020
        Russ Allbery <rra@cpan.org>

    This program is free software; you may redistribute it and/or modify
    it under the same terms as Perl itself.  This means that you may
    choose between the two licenses that Perl is released under: the GNU
    GPL and the Artistic License.  Please see your Perl distribution for
    the details and copies of the licenses.

  Some files in this distribution are individually released under
  different licenses, all of which are compatible with the above general
  package license but which may require preservation of additional
  notices.  All required notices, and detailed information about the
  licensing of each file, are recorded in the LICENSE file.

  Files covered by a license with an assigned SPDX License Identifier
  include SPDX-License-Identifier tags to enable automated processing of
  license information.  See https://spdx.org/licenses/ for more
  information.

  For any copyright range specified by files in this package as YYYY-ZZZZ,
  the range specifies every single year in that closed interval.