Sec Bug #80711 Archives doesn't matches sha256sum nor GPG Signatures
Submitted: 2021-02-04 15:31 UTC Modified: 2021-02-05 15:39 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: franck dot lizaga at hardis-group dot com Assigned: pollita (profile)
Status: Closed Package: Systems problem
PHP Version: 8.0.2 OS: N/A
Private report: No CVE-ID: None
 [2021-02-04 15:31 UTC] franck dot lizaga at hardis-group dot com
Description:
------------
On https://www.php.net/downloads, the archives of 8.0.2 (I've tested .tar.xz and .tar.gz) do not match the sha256sum and also don't verify the GPG signature.


 [2021-02-04 15:49 UTC] cmb@php.net
-Package: Website problem +Package: Systems problem
 [2021-02-04 15:49 UTC] cmb@php.net
For .gz and .xz the signature verification works for me, and the
SHA256 hash of .xz matches that on the Website.  However, the .gz
hash does not match; I get

    6A5C0FCCEE4D50712733BC3BE5097886B70DC229F6B933C5E2DDD35A1B66EAF3

When downloading the .gz from the distributions repo I get the
proper SHA256 hash; this might be a systems problem.

Thanks for reporting!  This ticket shouldn't be private, though.
 [2021-02-04 16:17 UTC] franck dot lizaga at hardis-group dot com
Here is what I get when I check the archive of php-8.0.1.tar.gz:

[franck@pi php8franck]$ gpg --verify php-8.0.1.tar.gz.asc
gpg: assuming signed data in 'php-8.0.1.tar.gz'
gpg: Signature made Tue Jan  5 14:01:37 2021 UTC
gpg:                using RSA key BFDDD28642824F8118EF77909B67A5C12229118F
gpg:                issuer "carusogabriel@php.net"
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2024-05-08
gpg: Good signature from "Gabriel Caruso (Release Manager) <carusogabriel@php.net>" [ultimate]

But on 8.0.2:
[franck@pi php8franck]$ gpg --verify php-8.0.2.tar.gz.asc
gpg: assuming signed data in 'php-8.0.2.tar.gz'
gpg: Signature made Tue Feb  2 22:06:00 2021 UTC
gpg:                using RSA key BFDDD28642824F8118EF77909B67A5C12229118F
gpg:                issuer "carusogabriel@php.net"
gpg: BAD signature from "Gabriel Caruso (Release Manager) <carusogabriel@php.net>" [ultimate]

[franck@pi php8franck]$ gpg --verify php-8.0.2.tar.xz.asc
gpg: assuming signed data in 'php-8.0.2.tar.xz'
gpg: Signature made Tue Feb  2 11:21:53 2021 UTC
gpg:                using RSA key BFDDD28642824F8118EF77909B67A5C12229118F
gpg:                issuer "carusogabriel@php.net"
gpg: BAD signature from "Gabriel Caruso (Release Manager) <carusogabriel@php.net>" [ultimate]

sha256sum of downloaded files:
6a5c0fccee4d50712733bc3be5097886b70dc229f6b933c5e2ddd35a1b66eaf3  php-8.0.2.tar.gz
eb9422998fb876853698f41b33a7c0518b36fa5a62cb8ae70a250a60d09fd675  php-8.0.2.tar.gz.asc
84dd6e36f48c3a71ff5dceba375c1f6b34b71d4fa9e06b720780127176468ccc  php-8.0.2.tar.xz
b9f456030a9ad1a5bc64fdb3b79dcd41d28b2208bc24338af8795781fe3d5d31  php-8.0.2.tar.xz.asc
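The two checks run above (sha256sum against the published hash, and gpg --verify against the release-manager key) combined into one fail-closed verifier, as an added example that is not part of the bug thread. It pins the fingerprint shown in the gpg output above, parses gpg's machine-readable --status-fd lines instead of the human-readable "Good/BAD signature" text, and the status samples at the bottom are constructed, not captured from the real archives.

```python
import hashlib
import subprocess

# Release-manager key fingerprint shown in the gpg output of this bug report.
PHP_80_RM_FPR = "BFDDD28642824F8118EF77909B67A5C12229118F"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_gpg_status(archive_path: str, sig_path: str) -> str:
    """Run gpg and return its machine-readable status lines (requires gpg)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, archive_path]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def signature_ok(status_text: str, expected_fpr: str) -> bool:
    """True only for a VALIDSIG from the pinned fingerprint and no failure token.
    A GOODSIG from some other key in the keyring is deliberately not enough."""
    good = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False  # any failure token wins, even if a VALIDSIG appeared
        if tag == "VALIDSIG" and len(fields) > 2 and fields[2].upper() == expected_fpr.upper():
            good = True
    return good


def check_release(data: bytes, expected_sha256: str, status_text: str,
                  expected_fpr: str = PHP_80_RM_FPR) -> list:
    """Return a list of failures; an empty list means hash and signature both passed."""
    problems = []
    actual = sha256_hex(data)
    if actual != expected_sha256.lower():
        problems.append(f"sha256 mismatch: got {actual}, expected {expected_sha256.lower()}")
    if not signature_ok(status_text, expected_fpr):
        problems.append("gpg: no valid signature from the pinned release-manager key")
    return problems


# Constructed --status-fd samples (not captured from the real 8.0.2 archives).
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 9B67A5C12229118F Gabriel Caruso (Release Manager) <carusogabriel@php.net>\n"
    f"[GNUPG:] VALIDSIG {PHP_80_RM_FPR} 2021-02-02 1612303560 0 4 0 1 8 00 {PHP_80_RM_FPR}\n")
BAD_STATUS = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 9B67A5C12229118F Gabriel Caruso (Release Manager) <carusogabriel@php.net>\n")
```

In practice pass `run_gpg_status(archive, archive + ".asc")` as `status_text`; a stale or swapped download then fails on the hash, the signature, or both, and the install step should stop on any non-empty result.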
 [2021-02-04 16:38 UTC] pollita@php.net
It looks like Gabriel uploaded two sets of binaries, the second set addressing a last-minute bug fix.

Right now www appears to be delivering the first set and it's not clear why that would be the case since the web repo has been pointing at the later set for about four hours.

The good news is that these are not compromised libs from a third party.  The bad news is that they don't have that last-minute fix.

For reassurance, here's the GPG signature for the old .tar.gz bundle:

 [2021-02-04 16:42 UTC] pollita@php.net
Looks like a caching issue. If I add a query param to the download link, it busts the cache and gives me the right version: https://www.php.net/distributions/php-8.0.2.tar.gz?a=1
 [2021-02-04 16:51 UTC] pollita@php.net
Super-gross hack, but this should mask the issue while we figure out the underlying cause (site rebuild may take up to half an hour): https://github.com/php/web-php/commit/2e0a93ef3f8cc0806553bd5ec1dcab467cf46ad9
 [2021-02-05 15:39 UTC] pollita@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: pollita
 [2021-02-05 15:39 UTC] pollita@php.net
The caching issue has expired and I've removed the temporary hack.
All should be well now.
Thank you for the report!
Last updated: Tue Nov 26 22:01:33 2024 UTC