Error while verifying gpg key using pecl gnupg
With help from @theseer, I got a modified version of phive which gives me some more output when key validation fails.
The error code itself cannot be found in: https://raw.githubusercontent.com/gpg/libgpg-error/master/src/err-codes.h.in
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xD2CCAC42F6295E7D
Successfully downloaded key.
Warning: Parsing key data failed with error code 8: Undefined offset: 0
Trying to connect to keyserver.ubuntu.com (162.213.33.8)
Successfully downloaded key.
Fingerprint: B090 6BA7 7599 2B91 0F4E 83CB D2CC AC42 F629 5E7D
Matthias Glaub <[email protected]>
Matthias Glaub <[email protected]>
Matthias Glaub <[email protected]>
Matthias Glaub <[email protected]>
Created: 2013-09-04
Error: Signature could not be verified
Error: Unknown error code "117440665"
Error: Process completed with exit code 4.
Wow. 117440665 is certainly far off from what is listed in the .h file.
That almost makes me wonder if there's a parsing bug in the output handler. At least the internet does not yield any result for this error code.
I'll add some more debug output (maybe I should actually make that a feature ;-) ) so we can see the raw output from the gnupg call.
Would you mind running that again? I'll place it at the same place as the previous debug build.
Debug Phar updated.
Done, but I do not see any changes to the output: https://github.com/phpDocumentor/phpDocumentor/runs/1431924644?check_suite_focus=true
Not sure what's happening there. When I wget the debug phar and run it locally, I do get debug output:
theseer@nyda /tmp/x9 $ wget https://theseer.dev/phive-debug.phar
--2020-11-20 20:45:29-- https://theseer.dev/phive-debug.phar
Resolving theseer.dev (theseer.dev)... 188.94.27.6
Connecting to theseer.dev (theseer.dev)|188.94.27.6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 192762 (188K) [application/octet-stream]
Saving to: ‘phive-debug.phar’
phive-debug.phar 100%[=================================================>] 188,24K 544KB/s in 0,3s
2020-11-20 20:45:30 (544 KB/s) - ‘phive-debug.phar’ saved [192762/192762]
theseer@nyda /tmp/x9 $ ll
total 192
-rw-rw-r--. 1 theseer theseer 192762 20. Nov 13:32 phive-debug.phar
theseer@nyda /tmp/x9 $ php phive-debug.phar --home ./phive install --trust-gpg-keys D2CCAC42F6295E7D composer-require-checker
Phive 0.14.4-13-gf0bd1b4-dirty - Copyright (C) 2015-2020 by Arne Blankerts, Sebastian Heuer and Contributors
Fetching repository list
Downloading https://phar.io/data/repositories.xml
Downloading https://api.github.com/repos/maglnet/ComposerRequireChecker/releases
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar.asc
---[ GNUPG DEBUG START ]---
RC: 2
Array
(
[0] => [GNUPG:] NEWSIG [email protected]
[1] => [GNUPG:] ERRSIG D2CCAC42F6295E7D 1 10 00 1577541072 9 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
[2] => [GNUPG:] NO_PUBKEY D2CCAC42F6295E7D
)
---[ GNUPG DEBUG END ]---
Downloading key D2CCAC42F6295E7D
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xD2CCAC42F6295E7D
Successfully downloaded key.
[WARNING] Parsing key data failed with error code 0: No UIDs in key found
Trying to connect to keyserver.ubuntu.com (162.213.33.8)
Successfully downloaded key.
Fingerprint: B090 6BA7 7599 2B91 0F4E 83CB D2CC AC42 F629 5E7D
Matthias Glaub <[email protected]>
Matthias Glaub <[email protected]>
Matthias Glaub <[email protected]>
Matthias Glaub <[email protected]>
Created: 2013-09-04
---[ GNUPG DEBUG START ]---
RC: 0
Array
(
[0] => [GNUPG:] NEWSIG [email protected]
[1] => [GNUPG:] KEYEXPIRED 1599040223
[2] => [GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[3] => [GNUPG:] KEYEXPIRED 1599040223
[4] => [GNUPG:] SIG_ID i6rvZb5Bq2lNoRKCxrd/8j/81Wc 2019-12-28 1577541072
[5] => [GNUPG:] KEYEXPIRED 1599040223
[6] => [GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[7] => [GNUPG:] EXPKEYSIG D2CCAC42F6295E7D Matthias Glaub <[email protected]>
[8] => [GNUPG:] VALIDSIG B0906BA775992B910F4E83CBD2CCAC42F6295E7D 2019-12-28 1577541072 0 4 0 1 10 00 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
[9] => [GNUPG:] KEYEXPIRED 1599040223
[10] => [GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[11] => [GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
)
---[ GNUPG DEBUG END ]---
Linking ./phive/phars/composer-require-checker-2.1.0.phar to /tmp/x9/tools/composer-require-checker
Can you double check you have the actual updated phar?
I was able to reproduce the issue locally... it looks like the pecl extension is doing something wrong here. That also explains why I didn't get the debug output...
I didn't have the pecl extension installed locally so that's why it worked, and also the reason why it would have worked for you.
root@7ce314c0a447:/opt/phpdoc# php -m | grep gnupg
gnupg
Confirmed.
With ext/gnupg I can reproduce this on my machine.
While I can reproduce this, I currently see no way of getting any additional useful details.
I enabled some debug output for the pecl verify call:
theseer@nyda /tmp/x9 $ phive --home ./phive install --trust-gpg-keys D2CCAC42F6295E7D composer-require-checker
Phive 0.14.4-13-gf0bd1b4-dirty - Copyright (C) 2015-2020 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/repos/maglnet/ComposerRequireChecker/releases
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar.asc
array(1) {
[0]=>
array(5) {
["fingerprint"]=>
string(40) "B0906BA775992B910F4E83CBD2CCAC42F6295E7D"
["validity"]=>
int(0)
["timestamp"]=>
int(1577541072)
["status"]=>
int(117440665)
["summary"]=>
int(32)
}
}
bool(false)
[ERROR] Signature could not be verified
[ERROR] Unknown error code "117440665"
Apparently, from the perspective of ext/gnupg, the signature is not valid (Summary code 32: Invalid signature class).
That is rather interesting, given that calling it via gpg1 or gpg2 via cli, it certainly isn't fully happy but considers the signature valid nevertheless, as the output contains "VALIDSIG":
theseer@nyda /tmp/x9 $ gpg1 --no-tty --status-fd 1 --homedir ./phive/gpg --with-colons --exit-on-status-write-error --verify ./signature ./message
gpg: Signature made Sa 28 Dez 2019 14:51:12 CET using RSA key ID F6295E7D
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID i6rvZb5Bq2lNoRKCxrd/8j/81Wc 2019-12-28 1577541072
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG D2CCAC42F6295E7D Matthias Glaub <[email protected]>
gpg: Good signature from "Matthias Glaub <[email protected]>"
gpg: aka "Matthias Glaub <[email protected]>"
gpg: aka "Matthias Glaub <[email protected]>"
gpg: aka "Matthias Glaub <[email protected]>"
[GNUPG:] VALIDSIG B0906BA775992B910F4E83CBD2CCAC42F6295E7D 2019-12-28 1577541072 0 4 0 1 10 00 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
gpg: Note: This key has expired!
Primary key fingerprint: B090 6BA7 7599 2B91 0F4E 83CB D2CC AC42 F629 5E7D
theseer@nyda /tmp/x9 $ gpg2 --no-tty --quiet --status-fd 1 --homedir ./phive/gpg --with-colons --exit-on-status-write-error --verify ./signature ./message
[GNUPG:] NEWSIG [email protected]
gpg: Signature made Sa 28 Dez 2019 14:51:12 CET
gpg: using RSA key B0906BA775992B910F4E83CBD2CCAC42F6295E7D
gpg: issuer "[email protected]"
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] SIG_ID i6rvZb5Bq2lNoRKCxrd/8j/81Wc 2019-12-28 1577541072
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[GNUPG:] EXPKEYSIG D2CCAC42F6295E7D Matthias Glaub <[email protected]>
gpg: Good signature from "Matthias Glaub <[email protected]>" [expired]
gpg: aka "Matthias Glaub <[email protected]>" [expired]
gpg: aka "Matthias Glaub <[email protected]>" [expired]
gpg: aka "Matthias Glaub <[email protected]>" [expired]
[GNUPG:] VALIDSIG B0906BA775992B910F4E83CBD2CCAC42F6295E7D 2019-12-28 1577541072 0 4 0 1 10 00 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
gpg: Note: This key has expired!
Primary key fingerprint: B090 6BA7 7599 2B91 0F4E 83CB D2CC AC42 F629 5E7D
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
Not sure how to fix this. Is that an issue in ext/gnupg? If so, based on the fact the key is expired? That shouldn't affect the validity of the signature...
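The gpg CLI runs above show what a status-line consumer sees: VALIDSIG alongside KEYEXPIRED/EXPKEYSIG for the expired key, and ERRSIG/NO_PUBKEY in the earlier run before the key was fetched. The following is an added example (not phive's or ext/gnupg's code) of reducing `--status-fd` output to a verdict that keeps "signature is cryptographically good" separate from "signing key has expired" and checks the signer against a pinned key list; the sample transcripts are copied from the runs quoted above.

```python
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "

@dataclass
class VerifyResult:
    valid: bool = False          # gpg emitted VALIDSIG: the signature checks out cryptographically
    fingerprint: str = ""        # fingerprint of the signing key, from VALIDSIG
    key_expired: bool = False    # KEYEXPIRED or EXPKEYSIG was emitted
    errors: list = field(default_factory=list)  # BADSIG / ERRSIG / NO_PUBKEY keywords seen

def parse_status(lines):
    """Reduce gpg --status-fd output to a VerifyResult."""
    result = VerifyResult()
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue  # "gpg: ..." lines are for humans and locale dependent; ignore them
        keyword, *args = line[len(STATUS_PREFIX):].split()
        if keyword == "VALIDSIG":
            result.valid = True
            result.fingerprint = args[0].upper()
        elif keyword in ("KEYEXPIRED", "EXPKEYSIG"):
            result.key_expired = True
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            result.errors.append(keyword)
    return result

def is_trusted(result, trusted_ids, allow_expired_key=False):
    """Policy: VALIDSIG seen, no error keywords, signer pinned, expired key only on opt-in."""
    if not result.valid or result.errors:
        return False
    wanted = [t.replace(" ", "").upper() for t in trusted_ids]
    # A v4 long key ID is the last 16 hex digits of the fingerprint, so a suffix match
    # accepts either a key ID (what --trust-gpg-keys takes) or a full fingerprint.
    if not any(result.fingerprint.endswith(t) for t in wanted):
        return False
    return allow_expired_key or not result.key_expired

# Status lines copied from the gpg2 run quoted above (other lines omitted).
EXPIRED_KEY_RUN = [
    "[GNUPG:] KEYEXPIRED 1599040223",
    "[GNUPG:] EXPKEYSIG D2CCAC42F6295E7D Matthias Glaub <[email protected]>",
    "[GNUPG:] VALIDSIG B0906BA775992B910F4E83CBD2CCAC42F6295E7D 2019-12-28 1577541072 0 4 0 1 10 00 B0906BA775992B910F4E83CBD2CCAC42F6295E7D",
    "gpg: Note: This key has expired!",
]
# Status lines from the first debug run above, before the public key had been fetched.
MISSING_KEY_RUN = [
    "[GNUPG:] ERRSIG D2CCAC42F6295E7D 1 10 00 1577541072 9 B0906BA775992B910F4E83CBD2CCAC42F6295E7D",
    "[GNUPG:] NO_PUBKEY D2CCAC42F6295E7D",
]
```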
I just revisited this issue and still can
a) reproduce this with current PHP 8.2.4 + pecl/gnupg 1.5.1
b) have no means of fixing this as it's failing in the pecl/gnupg code somewhere
Trying to involve the pecl/gnupg dev(s) here :)
My guess is that it's because of the expired key but would need to investigate properly to confirm. Are you able to extract the gnupg ext calls and report it to https://github.com/php-gnupg/php-gnupg ?
Can certainly do :)
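Decoding the two numbers ext/gnupg returned above (status 117440665 and summary 32) as an added example, not code from phive or ext/gnupg: a gpg_error_t packs the error source in bits 24..30 and the error code in bits 0..15, and the summary is a gpgme_sigsum_t bitmask rather than an error code, so neither value is meant to be looked up directly in err-codes.h.in. The name tables are partial transcriptions from libgpg-error and gpgme.h limited to verification-related entries; the strict accept/reject verdict in `explain` is this example's own policy.

```python
# gpg_error_t packs an error source in bits 24..30 and an error code in bits 0..15.
ERR_SOURCES = {0: "GPG_ERR_SOURCE_UNKNOWN", 2: "GPG_ERR_SOURCE_GPG", 7: "GPG_ERR_SOURCE_GPGME"}

# Partial gpg_err_code_t table (from libgpg-error), verification-related entries only.
ERR_CODES = {
    0: ("GPG_ERR_NO_ERROR", "Success"),
    8: ("GPG_ERR_BAD_SIGNATURE", "Bad signature"),
    9: ("GPG_ERR_NO_PUBKEY", "No public key"),
    32: ("GPG_ERR_SIG_CLASS", "Invalid signature class"),
    153: ("GPG_ERR_KEY_EXPIRED", "Key expired"),
    154: ("GPG_ERR_SIG_EXPIRED", "Signature expired"),
}

# gpgme_sigsum_t is a bitmask, not an error code; partial table from gpgme.h.
SIGSUM_FLAGS = {
    0x001: "GPGME_SIGSUM_VALID",
    0x002: "GPGME_SIGSUM_GREEN",
    0x004: "GPGME_SIGSUM_RED",
    0x010: "GPGME_SIGSUM_KEY_REVOKED",
    0x020: "GPGME_SIGSUM_KEY_EXPIRED",
    0x040: "GPGME_SIGSUM_SIG_EXPIRED",
    0x080: "GPGME_SIGSUM_KEY_MISSING",
}

def make_gpg_error(source, code):
    """Inverse of decode_gpg_error; confirms a decoding by round trip."""
    return ((source & 0x7F) << 24) | (code & 0xFFFF)

def decode_gpg_error(value):
    """Split a gpg_error_t into its source and code and name both where the tables allow."""
    source, code = (value >> 24) & 0x7F, value & 0xFFFF
    name, text = ERR_CODES.get(code, ("<not in table>", "unknown code %d" % code))
    return {"source": source, "source_name": ERR_SOURCES.get(source, "<not in table>"),
            "code": code, "code_name": name, "text": text}

def decode_sigsum(summary):
    """List the gpgme_sigsum_t flag names set in a summary value, lowest bit first."""
    return [name for bit, name in sorted(SIGSUM_FLAGS.items()) if summary & bit]

def explain(status, summary):
    """One-line reading of an ext/gnupg signature entry; strict policy: accept only with VALID set."""
    err = decode_gpg_error(status)
    flags = decode_sigsum(summary)
    verdict = "accepted" if "GPGME_SIGSUM_VALID" in flags else "rejected"
    return "%s: %s (%s), summary bits %s" % (verdict, err["text"], err["code_name"], ", ".join(flags) or "none")
```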