PGP::Sign To-Do List Here's a list of things that have occurred to me that I'd like to see added to PGP::Sign at some point, in no particular order. As this is a module I can only work on in my free time, I won't get to implementing any of these things as quickly as I'd like. If you're interested in doing any of these, send me mail at rra@stanford.edu to let me know and then have at it! Patches gratefully accepted and will be noted in the README. Additions to this file are also welcome. * PGP::Sign currently hard-codes a bunch of flags to PGP to tell it to assume data is text. There should instead be a PGP::Sign::config() sub along the lines of Getopt::Long::config() where one can indicate what PGP options one wants to use. This would have the side effect of allowing PGP::Sign to work correctly with binary data. * The global variable interface to setting PGPSTYLE, PGPS, and PGPV should be replaced by that config mechanism as well. This means that configuration variables would have to take arguments, as in: PGP::Sign::config (style => 'PGP2'); so the interface to config should probably be hash-style. MUNGE should also be handled this way, and probably the other global variables as well while we're at it. * All of the information about a signature should be available, not just the key ID and whether or not it verified. It's a little tempting to make PGP::Sign return a queriable object here, but I'd rather stay away from the morass of turning this into OO.... * The second argument to pgp_verify() is utterly pointless, since no PGP implementation I'm aware of gives two hoots about the version header (nor should it). There *is*, however, need to supply PGP with user armor headers for the signature block, since I believe both Hash and Charset could change the operation of PGP. So pgp_verify() needs to be fixed so that you can pass it a hash of headers to add to the signature armor. * PGP::Sign should be extended to handle attached signatures as well, and to be able to hand back a signed document with an attached signature. This isn't even all that hard. * PGP::Sign currently does not deal correctly with tied arrays when processing input sources, due to using ref rather than UNIVERSAL::isa() to check the type of a source. This is tricky to fix without breaking Perl 5.003 compatibility, since 5.003 didn't have UNIVERSAL::isa(). I suppose one could check in the 5.004 branch where we look for IO::* stuff and have it be broken only for 5.003, or do a similar switch in several other places.... I don't think it works right with tied file handles right now either. * Information about why a signature verification failed isn't provided to the caller, and the additional parsable error tokens returned by GnuPG aren't taken advantage of. The caller should be able to get information about exactly why a signature verification failed (no public key found, bad signature, malformed data, etc.). And here's the really big one: * Despite all the disclaimers, there's really no reason why this couldn't be turned into a more general PGP module, at least to the extent of including support for encryption and decryption. Of course, the problem for me is that this then potentially puts it into export- controlled territories; the current implementation *only* does signing and verification and contains no hooks for encryption. I would be happy to work with someone else to tie this module into a larger framework, though, if someone wants to tackle the task of building a general Perl PGP module.