Sec Bug #75906 php.net lists wrong GPG keys used to sign 7.1 releases
Submitted: 2018-02-01 17:45 UTC Modified: 2018-02-20 23:49 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: php dot net at thermoman dot de Assigned: stas (profile)
Status: Closed Package: Website problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2018-02-01 17:45 UTC] php dot net at thermoman dot de
Description:
------------
https://secure.php.net/downloads.php#gpg-7.1 lists

pub   4096R/7BD5DCD0 2016-05-07
      Key fingerprint = A917 B1EC DA84 AEC2 B568 FED6 F50A BC80 7BD5 DCD0
uid                  Davey Shafik <davey@php.net>

pub   2048R/31CBD89E 2016-12-08
      Key fingerprint = 5289 95BF EDFB A719 1D46  839E F9BA 0ADA 31CB D89E
uid                  Joe Watkins <krakjoe@php.net>

as signatories of the PHP 7.1 releases.

Trying to validate the latest 7.1.13 or 7.1.14 release fails with error:

gpg: Signature made Tue Jan 30 20:08:39 2018 CET using RSA key ID 70D12172
gpg: Can't check signature: public key not found

RSA key ID 70D12172 corresponds to Sara Golemon, who is listed as a signatory for the 7.2 releases.

Test script:
---------------
mkdir test
cd test

curl -fSL https://secure.php.net/get/php-7.1.13.tar.xz/from/this/mirror -o php.tar.xz
curl -fSL https://secure.php.net/get/php-7.1.13.tar.xz.asc/from/this/mirror -o php.tar.xz.asc

mkdir -m 700 gnupghome
export GNUPGHOME=$PWD/gnupghome

gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 528995BFEDFBA7191D46839EF9BA0ADA31CBD89E
gpg --keyserver ha.pool.sks-keyservers.net --recv-keys A917B1ECDA84AEC2B568FED6F50ABC807BD5DCD0

gpg --batch --verify php.tar.xz.asc php.tar.xz

Expected result:
----------------
gpg reporting that php-7.1.13.tar.xz was signed by either 31CBD89E or 7BD5DCD0

Actual result:
--------------
gpg: Signature made Wed Jan  3 03:34:35 2018 CET using RSA key ID 70D12172
gpg: Can't check signature: public key not found

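An added example, not part of the report or of php.net's tooling: the test script above stops at "public key not found", so this turns the same gpg run into a gate that parses `--status-fd` output and accepts a tarball only when the signing key's fingerprint is on an explicit allow-list for that release branch. The allow-list holds the two 7.1 fingerprints quoted in the report; the status lines are constructed, and the fingerprint for key ID 70D12172 is a zero-padded placeholder because the report gives only the short ID.

```shell
#!/bin/sh
# Release-signature gate: parse the machine-readable output of
# `gpg --status-fd 1 --verify` and accept the tarball only when a VALIDSIG
# line names a fingerprint on an explicit allow-list for that release branch.
# Exit codes: 0 valid and allowed, 1 bad or missing signature,
#             2 signing key not in keyring (NO_PUBKEY), 3 valid but key not on the list.

# The two 7.1 fingerprints quoted in the report (spaces removed).
ALLOWED_71="A917B1ECDA84AEC2B568FED6F50ABC807BD5DCD0 528995BFEDFBA7191D46839EF9BA0ADA31CBD89E"

# check_status STATUS_TEXT ALLOWLIST
check_status() {
    status="$1"; allowlist="$2"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY ' && return 2
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG ' && return 1
    # Third field of a VALIDSIG line is the full fingerprint of the signing key.
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ -n "$fpr" ] || return 1
    for allowed in $allowlist; do
        [ "$fpr" = "$allowed" ] && return 0
    done
    return 3
}

# verify_release TARBALL SIGFILE ALLOWLIST: the same check wired to a real gpg run.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    check_status "$status" "$3"
}

# Constructed status output reproducing the report's failure (key ID from the report).
STATUS_MISSING='[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 70D12172'
# Constructed: valid signature by a key that is not on the 7.1 list
# (placeholder fingerprint: zeros padded in front of the key ID from the report).
STATUS_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 70D12172 Placeholder Signer <placeholder@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000070D12172 2018-01-03 1515000000 0 4 0 1 8 00 0000000000000000000000000000000070D12172'
# Constructed: valid signature by one of the listed 7.1 keys.
STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F9BA0ADA31CBD89E Joe Watkins <krakjoe@php.net>
[GNUPG:] VALIDSIG 528995BFEDFBA7191D46839EF9BA0ADA31CBD89E 2018-01-03 1515000000 0 4 0 1 8 00 528995BFEDFBA7191D46839EF9BA0ADA31CBD89E'
```

Exit code 2 is exactly the situation in the report (fetch the key and re-run), while 3 means the key is in the keyring but the published list for that branch has not been updated, which is the real finding here and would otherwise be hidden by a plain "Good signature".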
 [2018-02-01 18:22 UTC] rasmus@php.net
-Status: Open +Status: Verified
 [2018-02-01 18:22 UTC] rasmus@php.net
Yeah, we should note that on the page. Sara has been filling in and doing the last couple of PHP 7.1.x releases, so they are signed with her key.
 [2018-02-01 18:51 UTC] pollita@php.net
Indeed.  One-off fill-ins due to exceptional circumstances.

Rasmus, I just replied to your email, but I'll repeat here for the record.  Shall I just add myself to the 7.1 list at this point?
 [2018-02-01 18:58 UTC] pollita@php.net
Added my key to the 7.1 list.  www should rebuild shortly.
 [2018-02-01 19:40 UTC] php dot net at thermoman dot de
Thanks. Synced already.
 [2018-02-20 23:49 UTC] stas@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: stas