[pkg-php-pear] Bug#1099043: php-crypt-gpg: Crypt_GPG test suite is wrong for Cleartext Signature Framework (CSF) messages
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Feb 27 15:42:02 GMT 2025
Package: php-crypt-gpg
Version: 1.6.9-3
Severity: normal
Tags: patch
Control: affects -1 + src:gnupg2

GnuPG has traditionally disregarded the OpenPGP standard about Cleartext
Signature Framework (CSF) messages.

Going back to RFC 2440 (in 1998!) the OpenPGP specification has always
said:

> The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
> SIGNATURE-----' line that terminates the signed text is not
> considered part of the signed text.

However, the Crypt_GPG test suite expects this CSF message:
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, Bob! Goodbye, Alice!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI0vkCwJfZ7JTAY2MRAgzTAKCRecYZsCS+PE46Fa2QLTEP8XGLwwCfQEAL
qO+KlKcldtYdMZH9AA+KOLQ=
=EO2G
-----END PGP SIGNATURE-----
```
to declare its content *with* the trailing newline:

"Hello, Bob! Goodbye, Alice!\n"

Upstream GnuPG has ignored this specification
(https://dev.gnupg.org/T7106), but GnuPG in Debian is now in alignment
with the specification.

The attached patch should let php-crypt-gpg complete its test suite
correctly.

I've also opened
https://salsa.debian.org/php-team/pear/php-crypt-gpg/-/merge_requests/1
with this same patch.

Regards,
--dkg

-- System Information:
Debian Release: trixie/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.12-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Avoid-breakage-with-Cleartext-Signature-Framework-co.patch
Type: text/x-diff
Size: 2479 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20250227/17e59bbb/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20250227/17e59bbb/attachment.sig>
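The rule quoted in the report, as an added example that is not part of the original message and is not Crypt_GPG or GnuPG code: a minimal extractor for the signed text of a CSF message. The function name `csf_signed_text` is hypothetical, the signature body is a placeholder that is never verified, and returning the text with "\n" line endings is an assumption of this sketch.

```python
import re

# Constructed sample: the message from the report with CRLF line endings and
# the blank separator lines a conforming CSF message carries. The signature
# body is a placeholder; this sketch does not verify signatures.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\r\n"
    "Hash: SHA1\r\n"
    "\r\n"
    "Hello, Bob! Goodbye, Alice!\r\n"
    "-----BEGIN PGP SIGNATURE-----\r\n"
    "\r\n"
    "PLACEHOLDER\r\n"
    "-----END PGP SIGNATURE-----\r\n"
)

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def csf_signed_text(message: str) -> str:
    """Return the cleartext a CSF signature covers (hypothetical helper)."""
    lines = re.split(r"\r\n|\n", message)
    if lines[0].rstrip() != BEGIN_MSG:
        raise ValueError("not a cleartext signed message")
    try:
        # Armor headers ("Hash: ...") end at the first empty line.
        body_start = lines.index("", 1) + 1
        body_end = lines.index(BEGIN_SIG, body_start)
    except ValueError:
        raise ValueError("missing header separator or signature block") from None
    text = []
    for line in lines[body_start:body_end]:
        # Undo dash-escaping: "- " is prefixed to lines that begin with "-".
        if line.startswith("- "):
            line = line[2:]
        text.append(line)
    # Separators go only BETWEEN lines, so the line ending just before the
    # signature armor is dropped; it is not part of the signed text. A blank
    # line the signer put at the end of the text still yields a final "\n".
    return "\n".join(text)
```

Only the single line ending before the signature armor is excluded; earlier trailing blank lines stay in the signed text.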