[pkg-gnupg-maint] Bug#1099043: php-crypt-gpg: Crypt_GPG test suite is wrong for Cleartext Signature Framework (CSF) messages

Andreas Metzler ametzler at bebt.de
Wed Mar 12 17:13:49 GMT 2025 

On 2025-02-27 Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> Package: php-crypt-gpg
> Version: 1.6.9-3
> Severity: normal
> Tags: patch
> Control: affects -1 + src:gnupg2

> GnuPG has traditionally disregarded the OpenPGP standard about Cleartext
> Signature Framework (CSF) messages.

> Going back to RFC 2440 (in 1998!) the OpenPGP specification has always
> said:

> > The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
> > SIGNATURE-----' line that terminates the signed text is not
> > considered part of the signed text.

> However, the Crypt_GPG test suite expects this CSF message:

> ```
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

> Hello, Bob! Goodbye, Alice!
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)

> iD8DBQFI0vkCwJfZ7JTAY2MRAgzTAKCRecYZsCS+PE46Fa2QLTEP8XGLwwCfQEAL
> qO+KlKcldtYdMZH9AA+KOLQ=
> =EO2G
> -----END PGP SIGNATURE-----
> ```

> to declare its content *with* the trailing newline:

>    "Hello, Bob! Goodbye, Alice!\n"

> Upstream GnuPG has ignored this specfication
> (https://dev.gnupg.org/T7106), but GnuPG in debian is now in alignment
> with the specification.

> The attached patch should let php-crypt-gpg complete its test suite
> correctly.

> I've also opened
> https://salsa.debian.org/php-team/pear/php-crypt-gpg/-/merge_requests/1
> with this same patch.
[...]

Hello Daniel,

I think this is a bit worrying.

php-crypt-gpg 1.6.9-3 can be built against gnupg 2.2.46-1 but fails
against gnupg 2.2.46-3 and later. And vice versa the patched testsuite
of php-crypt-gpg 1.6.9-4 only works with gnupg 2.2.46-3 (or similarily
patched versions of 2.4).

So this cannot be applied upstream. Afaiui this is nowadays niche,
non-recommended usage of gnupg so I wonder whether the cost/benefit
ratio for applying this patch to our gnupg packages (or including it in
FreePG) is good enough.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the pkg-gnupg-maint mailing list