PHP :: Bug #57006 :: gnupg_verify fails with detached signature

Bug #57006	gnupg_verify fails with detached signature
Submitted:	2006-05-09 02:02 UTC	Modified:	2006-05-18 15:33 UTC
From:	andrew at staff dot inspire dot net dot nz	Assigned:	traufeisen (profile)
Status:	Closed	Package:	gnupg (PECL)
PHP Version:	5.1.4	OS:	Linux (Debian Sarge 3.1)
Private report:	No	CVE-ID:	None

View Developer Edit

[2006-05-09 02:02 UTC] andrew at staff dot inspire dot net dot nz

Description:
------------
When trying to verify a detached signature generated by GnuPG 1.4.1, I was continually getting a status of 117440520 returned.
According to gpg-error this is a "Bad Signature"
The same plain text and signature verified fine using GnuPG directly.

Generated a clear signed version of the plain text verified fine in both GnuPG and PHP.

Checking the extension source, the parameters to the gpgme_op_verify call are incorrect in the case of a detached signature and will only work in the case of clear signed messages.
Also the gpgme_data_new calls for gpgme_text seem to be in the wrong order, with the detached signature case not getting the actual text assigned, while the clearsigned case does.

After fixing these problems both detached sigs and clearsigned messages seemed to be able to be verified correctly.

Another thing I noticed but didn't fix is that there seems to be some inconsistancies with how gpgme_data_t variables get freed, some are using gpgme_data_release while others are using free.


Reproduce code:
---------------
http://callisto.mill.net.nz/~andrew/gnupg.patch
above is a link to a patch I made that seems to correct the problem.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-05-15 07:54 UTC] traufeisen@php.net

Thank you for your report.
I?ve tried to reproduce this problem with the most recent version of gnupg (1.4.3).
However, everything worked fine.
Can you please send me the signed text, signature and the pub-key where the verification fails?
Or even better: The same with some kind of a "dummy-key" + private-key, so that I can play around with it.

[2006-05-15 19:46 UTC] andrew at staff dot inspire dot net dot nz

Changing php version as have upgraded it, but made no difference to this issue it seems.
I'm using debian sarge for testing, and tried with libgpgme-1.0.2 from debian and a self compiled libgpgme-1.0.3, also tried GnuPG 1.4.1, and 1.4.3 with no change.

http://callisto.mill.net.nz/~andrew/test-gpg.phps
is the test code i'm using.

http://callisto.mill.net.nz/~andrew/test.key
is the public/private key used in the test code.

http://callisto.mill.net.nz/~andrew/orig.html
is the output using the original gnupg extension, with SIG_MODE_DETACH coming up as invalid, while SIG_MODE_CLEAR works.

http://callisto.mill.net.nz/~andrew/patched.html
is the output using a patched version of the extension, with SIG_MODE_DETACH giving the same validity as SIG_MODE_CLEAR.

[2006-05-18 15:33 UTC] traufeisen@php.net

Thanks for the detailled description.
This bug is now fixed in CVS

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 12:01:31 2024 UTC