PHP :: Sec Bug #80711 :: Archives doesn't matches sha256sum nor GPG Signatures

Archives doesn't matches sha256sum nor GPG Signatures

Submitted:

2021-02-04 15:31 UTC

Modified:

2021-02-05 15:39 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	0 (0.0%)

From:

franck dot lizaga at hardis-group dot com

Assigned:

pollita (profile)

Status:

Closed

Package:

Systems problem

PHP Version:

8.0.2

OS:

N/A

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2021-02-04 15:31 UTC] franck dot lizaga at hardis-group dot com

Description:
------------
On https://www.php.net/downloads , the archives of 8.0.2 (i've tested on .tar.xz and .tar.gz doesn't not match the sha256sum and also doesn't verify the GPG signature.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-02-04 15:49 UTC] cmb@php.net

-Package: Website problem +Package: Systems problem

[2021-02-04 15:49 UTC] cmb@php.net

For .gz and .xz the signature verification works for me, and the
SHA256 hash of .xz matches that on the Website.  However, the .gz
hash does not match; I get

    6A5C0FCCEE4D50712733BC3BE5097886B70DC229F6B933C5E2DDD35A1B66EAF3

When downloading the .gz from the distributions repo I get the
proper SHA256 hash; this might be a systems problem.

Thanks for reporting!  This ticket shouldn't be private, though.

[2021-02-04 16:17 UTC] franck dot lizaga at hardis-group dot com

Here is what I get when I check archive of php-8.0.1.tar.gz : 

[franck@pi php8franck]$ gpg --verify php-8.0.1.tar.gz.asc
gpg: assuming signed data in 'php-8.0.1.tar.gz'
gpg: Signature made Tue Jan  5 14:01:37 2021 UTC
gpg:                using RSA key BFDDD28642824F8118EF77909B67A5C12229118F
gpg:                issuer "carusogabriel@php.net"
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2024-05-08
gpg: Good signature from "Gabriel Caruso (Release Manager) <carusogabriel@php.net>" [ultimate]

But on 8.0.2 : 
[franck@pi php8franck]$ gpg --verify php-8.0.2.tar.gz.asc
gpg: assuming signed data in 'php-8.0.2.tar.gz'
gpg: Signature made Tue Feb  2 22:06:00 2021 UTC
gpg:                using RSA key BFDDD28642824F8118EF77909B67A5C12229118F
gpg:                issuer "carusogabriel@php.net"
gpg: BAD signature from "Gabriel Caruso (Release Manager) <carusogabriel@php.net>" [ultimate]

[franck@pi php8franck]$ gpg --verify php-8.0.2.tar.xz.asc
gpg: assuming signed data in 'php-8.0.2.tar.xz'
gpg: Signature made Tue Feb  2 11:21:53 2021 UTC
gpg:                using RSA key BFDDD28642824F8118EF77909B67A5C12229118F
gpg:                issuer "carusogabriel@php.net"
gpg: BAD signature from "Gabriel Caruso (Release Manager) <carusogabriel@php.net>" [ultimate]

sha256sum of downloaded files : 
6a5c0fccee4d50712733bc3be5097886b70dc229f6b933c5e2ddd35a1b66eaf3  php-8.0.2.tar.gz
eb9422998fb876853698f41b33a7c0518b36fa5a62cb8ae70a250a60d09fd675  php-8.0.2.tar.gz.asc
84dd6e36f48c3a71ff5dceba375c1f6b34b71d4fa9e06b720780127176468ccc  php-8.0.2.tar.xz
b9f456030a9ad1a5bc64fdb3b79dcd41d28b2208bc24338af8795781fe3d5d31  php-8.0.2.tar.xz.asc

[2021-02-04 16:38 UTC] pollita@php.net

It looks like Gabriel uploaded two sets of binaries. The second set addressing a last-minute bug fix.

Right now www appears to be delivering the first set and it's not clear why that would be the case since the web repo has been pointing at the later set for about four hours.

The good news is that these are not compromised libs from a third party.  The bad news is that they don't have that last-minute fix.

For reassurance, here's the GPG signature for the old .tar.gz bundle:

-----BEGIN PGP SIGNATURE-----

iQJKBAABCAA0FiEEv93ShkKCT4EY73eQm2elwSIpEY8FAmAZNc8WHGNhcnVzb2dh
YnJpZWxAcGhwLm5ldAAKCRCbZ6XBIikRj6vdEACA/Muc84eMMYLt+TjPd6Xg/fC0
eChqermnt+4OEUggidYgguQM3ZIpK5mkCD/gQUUaKjXrqXJpRdJlFmqUMxG/wXEt
Ft80KNUZIvItosPlZjkqlw3viodnQ8k43V+bU98jPCTx1CHRitcnjiiNXrS/Xh2Q
iaXVqUjO0ZT5FyVo3iC2w3xVWP1DaTEle3hhQBU83ZReKS/SF2yuebi5ig2Q2FLb
t9ZuqKxKVbdqwpkBDTSxrGqI23STfvZ4skSDOGF0AlA3oTKgZORTpQfizrqC7yVb
Xnmyjbls5F88TsAJfhc60Ch+1v+q3jM/e7YNU8sFzJ9cZLCPGpWzV+yusbCw2Hai
QxYu46Fy2p/lIkgVGyzzE5ZQcE3grqQl4BhwxIZpStMQEI3Rnn2vBI9jAJDDFcyc
VH9I3RQf93vmW+IVbvAZAswU9yzFuvhtILHNhE9UFC1B5514VSz8Ysm8yOvMOoNH
h9eJXjH8yWVlrzYnNNnBQx/+U5R9NfUo/7nVPxDyaImPAEyOG+kCXyLJsJ0eTt3b
b5CQFg5LVbc8lZFKwB+gHK5i4cRyE0ClA9Q2yogQNAG1DC74MYW6DsLVqf0S1pHZ
M2yZKB6bIVPrpvXeShZTlh7B+PHYFVkzLV8GAnDreS+Ii759BFJnRDLEP7qEip/C
QbfGcV2nh/dH4AoW3w==
=u3dZ
-----END PGP SIGNATURE-----

[2021-02-04 16:42 UTC] pollita@php.net

Looks like a caching issue. If I add a query param to the download link, it busts the cache and gives me the right version: https://www.php.net/distributions/php-8.0.2.tar.gz?a=1

[2021-02-04 16:51 UTC] pollita@php.net

Super-gross hack, but this should mask the issue while we figure out the underlyign cause (site rebuild may take up to half an hour): https://github.com/php/web-php/commit/2e0a93ef3f8cc0806553bd5ec1dcab467cf46ad9

[2021-02-05 15:39 UTC] pollita@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: pollita

[2021-02-05 15:39 UTC] pollita@php.net

The caching issue has expired and I've removed the temporary hack.
All should be well now.
Thank you for the report!

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 25 08:01:28 2024 UTC