php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #57006 gnupg_verify fails with detached signature
Submitted: 2006-05-09 02:02 UTC Modified: 2006-05-18 15:33 UTC
From: andrew at staff dot inspire dot net dot nz Assigned: traufeisen (profile)
Status: Closed Package: gnupg (PECL)
PHP Version: 5.1.4 OS: Linux (Debian Sarge 3.1)
Private report: No CVE-ID: None
 [2006-05-09 02:02 UTC] andrew at staff dot inspire dot net dot nz
Description:
------------
When trying to verify a detached signature generated by GnuPG 1.4.1, I was continually getting a status of 117440520 returned.
According to gpg-error this is a "Bad Signature"
The same plain text and signature verified fine using GnuPG directly.

Generated a clear signed version of the plain text verified fine in both GnuPG and PHP.

Checking the extension source, the parameters to the gpgme_op_verify call are incorrect in the case of a detached signature and will only work in the case of clear signed messages.
Also the gpgme_data_new calls for gpgme_text seem to be in the wrong order, with the detached signature case not getting the actual text assigned, while the clearsigned case does.

After fixing these problems both detached sigs and clearsigned messages seemed to be able to be verified correctly.

Another thing I noticed but didn't fix is that there seems to be some inconsistancies with how gpgme_data_t variables get freed, some are using gpgme_data_release while others are using free.


Reproduce code:
---------------
http://callisto.mill.net.nz/~andrew/gnupg.patch
above is a link to a patch I made that seems to correct the problem.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-05-15 07:54 UTC] traufeisen@php.net
Thank you for your report.
I?ve tried to reproduce this problem with the most recent version of gnupg (1.4.3).
However, everything worked fine.
Can you please send me the signed text, signature and the pub-key where the verification fails?
Or even better: The same with some kind of a "dummy-key" + private-key, so that I can play around with it.
 [2006-05-15 19:46 UTC] andrew at staff dot inspire dot net dot nz
Changing php version as have upgraded it, but made no difference to this issue it seems.
I'm using debian sarge for testing, and tried with libgpgme-1.0.2 from debian and a self compiled libgpgme-1.0.3, also tried GnuPG 1.4.1, and 1.4.3 with no change.

http://callisto.mill.net.nz/~andrew/test-gpg.phps
is the test code i'm using.

http://callisto.mill.net.nz/~andrew/test.key
is the public/private key used in the test code.

http://callisto.mill.net.nz/~andrew/orig.html
is the output using the original gnupg extension, with SIG_MODE_DETACH coming up as invalid, while SIG_MODE_CLEAR works.

http://callisto.mill.net.nz/~andrew/patched.html
is the output using a patched version of the extension, with SIG_MODE_DETACH giving the same validity as SIG_MODE_CLEAR.
 [2006-05-18 15:33 UTC] traufeisen@php.net
Thanks for the detailled description.
This bug is now fixed in CVS
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu May 23 15:01:32 2019 UTC