Bug #65840 Gpg key 90D90EC1 that signed git tag php-5.5.4 not listed on your Web site.
Submitted: 2013-10-06 05:18 UTC Modified: 2013-10-14 20:22 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: deeelwy at gmail dot com Assigned: jpauli (profile)
Status: Closed Package: Website problem
PHP Version: 5.5.4 OS:
Private report: No CVE-ID: None
 [2013-10-06 05:18 UTC] deeelwy at gmail dot com
Description:
------------
On the page http://us1.php.net/downloads.php at the bottom gpg keys are listed for the developers who signed the git tags that correspond to each php release.
These tags can be verified with the verify-tag git command as shown below:

git verify-tag php-5.5.3
gpg: Signature made Tue 20 Aug 2013 12:50:57 AM EDT using DSA key ID 5DA04B5D
gpg: Good signature from "Stanislav Malyshev (PHP key) <smalyshev@gmail.com>"
gpg:                 aka "Stanislav Malyshev (PHP key) <stas@php.net>"
gpg:                 aka "Stanislav Malyshev (PHP key) <smalyshev@sugarcrm.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F382 5282 6ACD 957E F380  D39F 2F79 56BC 5DA0 4B5D

But the latest version of php, 5.5.4, is signed by someone mysterious whose gpg key is 90D90EC1. This person's gpg key is not available on any gpg keyserver, and since it's not listed on the Web site either, I cannot import this developer's key into my keyring to verify php-5.5.4.

I also find it troubling that the key is not listed on a public keyserver, which makes me want to mistrust it, and wonder who really signed that version of php.

Below is my attempt to verify the latest version of php:
 
git verify-tag php-5.5.4
gpg: Signature made Wed 18 Sep 2013 09:40:37 AM EDT using RSA key ID 90D90EC1
gpg: Can't check signature: public key not found

The key is not listed on any public key server such as MIT's: pgp.mit.edu

You get an error message: http://pgp.mit.edu:11371/pks/lookup?search=90D90EC1&op=index because the key is not listed.

Could you please figure out who released php 5.5.4, and ask them to add their public key to a public key server to make importing it possible? They can do it on a Web site: pgp.mit.edu, or use the gpg command 'gpg --keyserver pgp.mit.edu --send-key 90D90EC1' to have gpg upload it to a keyserver.

Perhaps also have whatever script you use to release php check for this during each release so others can verify the release, or even add it to the page if needed, or at least email a Webmaster to add it.

Also, could you please add this mysterious developer's key to the list of them on your Website on the page: http://us1.php.net/downloads.php

Thanks,
Dave.
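The check the report is asking for, written out as an added example (not code from the bug report or from php.net's release tooling): feed the status output of `git verify-tag --raw` into a function that only accepts a tag when the signature is valid and the signing key's full fingerprint is in a pinned list. The one pinned fingerprint is the php-5.5.3 value shown in the report; the sample status lines, the `0000000090D90EC1` long key ID and the `verify_php_tag` name are constructed for this example.

```shell
#!/bin/sh
# Added example: accept a git tag only if `git verify-tag --raw` reports a
# valid signature from a key whose full 40-hex fingerprint is pinned below.
# A short key ID such as 90D90EC1 is only 32 bits and is not a safe identity
# to pin; the full fingerprint is. The pinned value is the one the reporter's
# php-5.5.3 output shows; extend the list only from a source you have checked.
PINNED_FINGERPRINTS="F38252826ACD957EF380D39F2F7956BC5DA04B5D"

# Reads "[GNUPG:] ..." status lines on stdin.
# Exit codes: 0 valid signature from a pinned key
#             1 signing key is not in the local keyring (NO_PUBKEY)
#             2 no valid signature, or the signing key is not pinned
check_tag_status() {
    status=$(cat)
    keyid=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] NO_PUBKEY /{print $3; exit}')
    if [ -n "$keyid" ]; then
        echo "key $keyid not in keyring: import it, then check its fingerprint" >&2
        return 1
    fi
    # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last field is
    # the primary key fingerprint; either may be the one you pinned.
    fprs=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3, $NF; exit}')
    if [ -z "$fprs" ]; then
        echo "tag has no valid signature" >&2
        return 2
    fi
    for fpr in $fprs; do
        for pinned in $PINNED_FINGERPRINTS; do
            if [ "$fpr" = "$pinned" ]; then
                echo "valid signature from pinned key $fpr"
                return 0
            fi
        done
    done
    echo "valid signature, but key(s) $fprs not pinned: do not trust the tag yet" >&2
    return 2
}

# Real use (git writes the raw status lines to stderr):  verify_php_tag php-5.5.4
verify_php_tag() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_tag_status
}

# Constructed sample status lines for offline testing (not captured gpg output;
# the 16-hex long ID in SAMPLE_NOKEY is a placeholder, the page only has 90D90EC1).
SAMPLE_GOOD='[GNUPG:] GOODSIG 2F7956BC5DA04B5D Stanislav Malyshev (PHP key) <stas@php.net>
[GNUPG:] VALIDSIG F38252826ACD957EF380D39F2F7956BC5DA04B5D 2013-08-20 1376974257 0 4 0 17 2 00 F38252826ACD957EF380D39F2F7956BC5DA04B5D'
SAMPLE_NOKEY='[GNUPG:] ERRSIG 0000000090D90EC1 1 2 00 1379511637 9
[GNUPG:] NO_PUBKEY 0000000090D90EC1'
```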


 [2013-10-06 17:36 UTC] aharvey@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: jpauli
 [2013-10-06 17:36 UTC] aharvey@php.net
I presume this is your key, Julien.
 [2013-10-07 07:52 UTC] jpauli@php.net
Hi,

This is my key yes.
We're gonna add it to the server soon, thx for this report.
 [2013-10-07 23:59 UTC] deeelwy at gmail dot com
Please remember that just adding output similar to what you get from gpg --list-keys, which is what's listed on the php download page, is not enough, because that output does not actually contain the key.

You must also upload your key 90D90EC1 to a gpg keyserver, so I and others can actually download it.

This is easily done with just gpg: 

gpg --keyserver pgp.mit.edu --send-keys 90D90EC1

Thanks,
Dave.
 [2013-10-14 20:22 UTC] jpauli@php.net
-Status: Assigned +Status: Closed
 [2013-10-14 20:22 UTC] jpauli@php.net
The fix for this bug has been committed. Since the websites are not directly
updated from the repository, the fix might need some time to spread
across the globe to all mirror sites, including PHP.net itself.

Thank you for the report, and for helping us make PHP.net better.

The key info has been added to both the php.net download page and pgp.mit.edu.
 [2013-10-14 21:48 UTC] deeelwy at gmail dot com
Thanks for adding your key. Git verify-tag works great now.

Thanks,
Dave.
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Nov 20 07:00:01 2025 UTC