PHP :: Sec Bug #75906 :: php.net lists wrong GPG keys used to sign 7.1 releases

php.net lists wrong GPG keys used to sign 7.1 releases

Submitted:

2018-02-01 17:45 UTC

Modified:

2018-02-20 23:49 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

php dot net at thermoman dot de

Assigned:

stas (profile)

Status:

Closed

Package:

Website problem

PHP Version:

Irrelevant

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	php dot net at thermoman dot de
New email:
PHP Version:		OS:

New/Additional Comment:

[2018-02-01 17:45 UTC] php dot net at thermoman dot de

Description:
------------
https://secure.php.net/downloads.php#gpg-7.1 lists

pub   4096R/7BD5DCD0 2016-05-07
      Key fingerprint = A917 B1EC DA84 AEC2 B568 FED6 F50A BC80 7BD5 DCD0
uid                  Davey Shafik <davey@php.net>

pub   2048R/31CBD89E 2016-12-08
      Key fingerprint = 5289 95BF EDFB A719 1D46  839E F9BA 0ADA 31CB D89E
uid                  Joe Watkins <krakjoe@php.net>

as signatories of the PHP 7.1 releases.

Trying to validate the latest 7.1.13 or 7.1.14 relase fails with error:

gpg: Signature made Tue Jan 30 20:08:39 2018 CET using RSA key ID 70D12172
gpg: Can't check signature: public key not found

RSA key ID 70D12172 corresponds to Sara Golemon, who is listed as a signatory for the 7.2 releases.

Test script:
---------------
mkdir test
cd test

curl -fSL https://secure.php.net/get/php-7.1.13.tar.xz/from/this/mirror -o php.tar.xz
curl -fSL https://secure.php.net/get/php-7.1.13.tar.xz.asc/from/this/mirror -o php.tar.xz.asc

mkdir -m 700 gnupghome
export GNUPGHOME=$PWD/gnupghome

gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 528995BFEDFBA7191D46839EF9BA0ADA31CBD89E
gpg --keyserver ha.pool.sks-keyservers.net --recv-keys A917B1ECDA84AEC2B568FED6F50ABC807BD5DCD0

gpg --batch --verify php.tar.xz.asc php.tar.xz

Expected result:
----------------
gpg reporting that php-7.1.13.tar.xz was signed by eighter 31CBD89E or 7BD5DCD0

Actual result:
--------------
gpg: Signature made Wed Jan  3 03:34:35 2018 CET using RSA key ID 70D12172
gpg: Can't check signature: public key not found

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-02-01 18:22 UTC] rasmus@php.net

-Status: Open +Status: Verified

[2018-02-01 18:22 UTC] rasmus@php.net

Yeah, we should note that on the page. Sara has been filling in and doing the last couple of PHP 7.1.x releases, so they are signed with her key.

[2018-02-01 18:51 UTC] pollita@php.net

Indeed.  One-off fill-ins due to exceptional circumstances.

Rasmus, I just replied to your email, but I'll repeat here for the record.  Shall I just add myself to the 7.1 list at this point?

[2018-02-01 18:58 UTC] pollita@php.net

Added my key to the 7.1 list.  www should rebuild shortly.

[2018-02-01 19:40 UTC] php dot net at thermoman dot de

Thanks. Synced already.

[2018-02-20 23:49 UTC] stas@php.net

-Status: Verified +Status: Closed -Assigned To: +Assigned To: stas

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Mar 19 17:01:32 2025 UTC