PGP::Sign

This above all: to thine own self be true,
And it must follow, as the night the day,
Thou canst not then be false to any man.

William Shakespeare, Hamlet

Blurb

PGP::Sign is a Perl module for generating and verifying detached OpenPGP signatures of textual data using GnuPG. It was written to support Netnews article signatures for signed control messages and PGPMoose.

Description

PGP::Sign is a Perl module that can generate and verify OpenPGP signatures on some data. Currently, only textual data (data that can be processed using GnuPG's --textmode option) is supported. It uses GnuPG under the hood to do the work.

The original purpose of this module was to factor out common code in a News::Article class written by Andrew Gierth that handled PGPMoose and control message signatures. It is used to verify control message signatures for the ftp.isc.org Netnews metadata archive, and to generate signed control messages for the Big Eight Usenet hierarchies.

Data to be signed or verified can be passed into PGP::Sign in a wide variety of formats: scalars, arrays, open files, even code references that act as generators. Keys with passphrases are supported and the passphrase is passed to GnuPG securely (although getting the passphrase to the PGP::Sign module is a problem for the calling application).

This module supports both GnuPG v2 and GnuPG v1 and, when used with GnuPG v1, supports using OpenPGP keys and generating and verifying signatures that are backward-compatible with PGP 2.6.2.

PGP::Sign provides both a (recommended) object-oriented API and a (legacy) function-based API that uses global variables for configuration and is backward-compatible with earlier versions of PGP::Sign.
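The following sketch is an added example, not code from the PGP::Sign distribution. It signs and verifies mixed data sources through the object-oriented `new`, `sign` and `verify` methods. The key ID, expected user ID, GnuPG home directory, passphrase file and sample text are placeholders constructed for illustration; check option names against `perldoc PGP::Sign` for the installed version.

```perl
#!/usr/bin/perl
# Added example, not part of the PGP::Sign distribution.
use 5.020;
use warnings;

use PGP::Sign;

# Placeholders (assumptions): substitute a real key, keyring and file.
my $keyid    = 'signer@example.org';
my $expected = 'Example Signer <signer@example.org>';
my $home     = '/path/to/gnupg-home';
my $passfile = '/path/to/passphrase';    # readable only by this user

# Getting the passphrase to the module is the caller's problem. Read it
# from a private file instead of argv, which other local users can see.
open(my $fh, '<', $passfile) or die "cannot open $passfile: $!\n";
my $passphrase = <$fh> // die "empty passphrase file\n";
close($fh);
chomp($passphrase);

# style selects the GnuPG implementation at runtime: GPG (v2) or GPG1 (v1).
my $pgp = PGP::Sign->new({ home => $home, style => 'GPG' });

# Constructed sample data, mixing three of the supported source types:
# a scalar, an array reference and a code reference used as a generator.
my $header = "Control: newgroup example.test\n";
my @body   = ("example.test is an unmoderated newsgroup.\n");
my @tail   = ("For your newsgroups file:\n", "example.test\tTesting.\n");

# Build a fresh generator each time; it returns undef when exhausted.
sub generator { my @queue = @_; return sub { return shift(@queue) } }

my $signature
  = $pgp->sign($keyid, $passphrase, $header, \@body, generator(@tail));

# verify returns the signer's user ID, or an empty string if the signature
# does not match. A valid signature from an unexpected key in the keyring
# is still a failure, so compare the result against the signer you expect.
my $signer = $pgp->verify($signature, $header, \@body, generator(@tail));
say $signer eq $expected ? "good signature from $signer" : 'REJECTED';

# The same signature over altered data must not verify.
my @forged = ("example.test is a moderated newsgroup.\n");
my $result = $pgp->verify($signature, $header, \@forged, generator(@tail));
say $result eq q{} ? 'tampering detected' : 'UNEXPECTED: forgery accepted';
```

Verification only succeeds when the sources supply the same data in the same order as at signing time, which is why the generator is rebuilt for each call.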

Requirements

Perl 5.20 or later and Module::Build are required to build this module, and IPC::Run is required to use it. Either GnuPG v2 (version 2.1.23 or later) or GnuPG v1 (version 1.4.20 or later) is also required. The implementation of GnuPG can be selected at runtime.

PGP::Sign requires the ability to redirect higher-numbered file descriptors via IPC::Run, and thus will not work on Windows unless Perl is built with some UNIX emulation layer that supports this. It has also never been tested with Gpg4win.

Download

The distribution:

PGP::Sign 1.04 2020-11-14 tar.gz (PGP signature) tar.xz (PGP signature)

An archive of older releases is also available.

PGP::Sign is packaged for Debian as libpgp-sign-perl. See the Debian package tracker for more information.

PGP::Sign is available from CPAN as the PGP-Sign distribution.

PGP::Sign is maintained using the Git version control system. To check out the current development tree, see GitHub or clone:

    https://git.eyrie.org/git/perl/pgp-sign.git

Pull requests on GitHub are welcome. You can also browse the current development source.

Documentation

User documentation:

Developer documentation:

License

The PGP::Sign package as a whole is covered by the following copyright and license:

Copyright 1997-2000, 2002, 2004, 2018, 2020 Russ Allbery <rra@cpan.org>

This program is free software; you may redistribute it and/or modify it under the same terms as Perl itself. This means that you may choose between the two licenses that Perl is released under: the GNU GPL and the Artistic License. Please see your Perl distribution for the details and copies of the licenses.

Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the PGP::Sign source distribution.

Last spun 2022-02-06 from thread modified 2020-09-13