BAD/TAMPERED signature detected! #190

Open
briandfoy opened this issue Jan 10, 2025 · 1 comment
@briandfoy
Contributor

While diagnosing #189, I ran into this test issue:

t/00signature.t ............... gpg: Signature made Sun Nov 17 14:46:46 2024 EST
gpg:                using RSA key C40BA553F730173DA63AA20F7EFCE8AC421EE20A
gpg: requesting key 7EFCE8AC421EE20A from hkp://keyserver.ubuntu.com:11371
gpg: Can't check signature: No public key
==> BAD/TAMPERED signature detected! <==

@stigtsp
Contributor

stigtsp commented Jan 10, 2025

I'm guessing this happens because C40BA553F730173DA63AA20F7EFCE8AC421EE20A was unavailable on keyserver.ubuntu.com at that time.

$ gpg --batch -i --keyserver hkp://keyserver.ubuntu.com --recv 7EFCE8AC421EE20A

pub  dsa1024/EC8039F0A317C15D  created: 2002-02-28  expires: 2025-07-12
      Key fingerprint = 50A0 ED26 8AA2 95BD 2CA0  411E EC80 39F0 A317 C15D
[..]

Some thoughts:

  • The error message "BAD/TAMPERED" is likely incorrect, as it is the missing key retrieval that is failing.
  • Module::Signature likely uses gpg with auto-key-retrieve during the test phase to get the missing key that signed SIGNATURE.
  • The key can instead be bundled with the distribution and imported via gpg --import, but that will modify the user's keyring and could be considered unexpected.
  • Signature checks should be performed before the distribution tarball has been extracted. Doing verification with untrusted code as a part of the check phase would have no security benefits.

Generally, Module::Signature is considered to have a set of design issues that make it unsuitable for package signature verification.

I'd recommend removing the test, M::S dependency and SIGNATURE file.

Cc: @timlegge
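
The distinction drawn in the comment above, between a key lookup that failed and a signature that is actually bad, can be made from gpg's machine-readable status lines. This is an added example, not code from the issue thread or from Module::Signature. The function names are hypothetical, the sample status lines are constructed (only the key ID and fingerprint come from the log above), and `verify_tarball` assumes a detached signature published beside the tarball and a dedicated keyring file, which is not how the bundled SIGNATURE file works.

```shell
#!/bin/sh
# Added example. Reads gpg --status-fd lines on stdin and prints one verdict:
#   GOOD       GOODSIG seen and nothing contradicts it
#   BAD        BADSIG: the signed data does not match the signature
#   NO_PUBKEY  the signer's public key was not available, nothing was checked
#   UNTRUSTED  expired signature, or signing key expired/revoked
#   ERROR      no usable status line at all
classify_gpg_status() {
    good=0; bad=0; nokey=0; weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] NO_PUBKEY "*) nokey=1 ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                                    weak=1 ;;
            "[GNUPG:] GOODSIG "*)   good=1 ;;
        esac
    done
    # Fail closed: any negative status outranks a GOODSIG from another signature.
    if   [ "$bad" -eq 1 ];   then echo BAD
    elif [ "$nokey" -eq 1 ]; then echo NO_PUBKEY
    elif [ "$weak" -eq 1 ];  then echo UNTRUSTED
    elif [ "$good" -eq 1 ];  then echo GOOD
    else                          echo ERROR
    fi
}

# Hypothetical wrapper (assumption: detached signature SIG over TARBALL, and a
# dedicated KEYRING file given as a path). It runs on the unextracted tarball,
# so no code from the distribution executes before the check, and it never
# touches the user's default keyring.
verify_tarball() {  # usage: verify_tarball KEYRING SIG TARBALL
    gpg --batch --no-default-keyring --keyring "$1" \
        --status-fd 1 --verify "$2" "$3" 2>/dev/null | classify_gpg_status
}

# Constructed status lines for the missing-key case; the timestamp and
# algorithm fields are made up, the key ID and fingerprint are from the log.
sample_missing_key() {
    printf '%s\n' \
        '[GNUPG:] ERRSIG 7EFCE8AC421EE20A 1 10 00 1731872806 9 C40BA553F730173DA63AA20F7EFCE8AC421EE20A' \
        '[GNUPG:] NO_PUBKEY 7EFCE8AC421EE20A'
}

sample_missing_key | classify_gpg_status   # prints NO_PUBKEY
```

A caller should treat every verdict other than GOOD as a failed verification, while reporting NO_PUBKEY as "could not check" rather than as tampering.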
