Package: php-crypt-gpg
Version: 1.6.9-3
Severity: normal
Tags: patch
Control: affects -1 + src:gnupg2

GnuPG has traditionally disregarded the OpenPGP standard about Cleartext Signature Framework (CSF) messages.

Going back to RFC 2440 (in 1998!) the OpenPGP specification has always said:

> The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
> SIGNATURE-----' line that terminates the signed text is not
> considered part of the signed text.

However, the Crypt_GPG test suite expects this CSF message:

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, Bob! Goodbye, Alice!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI0vkCwJfZ7JTAY2MRAgzTAKCRecYZsCS+PE46Fa2QLTEP8XGLwwCfQEAL
qO+KlKcldtYdMZH9AA+KOLQ=
=EO2G
-----END PGP SIGNATURE-----
```

to declare its content *with* the trailing newline:

    "Hello, Bob! Goodbye, Alice!\n"

Upstream GnuPG has ignored this specification (https://dev.gnupg.org/T7106), but GnuPG in debian is now in alignment with the specification.

The attached patch should let php-crypt-gpg complete its test suite correctly.

I've also opened https://salsa.debian.org/php-team/pear/php-crypt-gpg/-/merge_requests/1 with this same patch.

Regards,

--dkg

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.12-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

From bc5e39b921e376e2f3963c7f25a7407fa9188b1a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <[email protected]> Date: Thu, 27 Feb 2025 10:32:44 -0500 Subject: [PATCH] Avoid breakage with Cleartext Signature Framework-compliant gpg --- ...ing-an-extra-newline-in-CSF-messages.patch | 33 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 34 insertions(+) create mode 100644 debian/patches/Avoid-assuming-an-extra-newline-in-CSF-messages.patch diff --git a/debian/patches/Avoid-assuming-an-extra-newline-in-CSF-messages.patch b/debian/patches/Avoid-assuming-an-extra-newline-in-CSF-messages.patch new file mode 100644 index 0000000..631b959 --- /dev/null +++ b/debian/patches/Avoid-assuming-an-extra-newline-in-CSF-messages.patch @@ -0,0 +1,33 @@ +From: Daniel Kahn Gillmor <[email protected]> +Date: Thu, 27 Feb 2025 10:26:35 -0500 +Subject: Avoid assuming an extra newline in CSF messages. + +The OpenPGP documentation (going back all the way to RFC 2440 in 1998) +makes it clear that there should be no trailing newline: + +> The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP +> SIGNATURE-----' line that terminates the signed text is not +> considered part of the signed text. + +GnuPG has traditionally ignored this specification (see +https://dev.gnupg.org/T7106), but the versions shipped in debian fix +this bug. + +Signed-off-by: Daniel Kahn Gillmor <[email protected]> +--- + Crypt_GPG-1.6.9/tests/DecryptAndVerifyTest.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Crypt_GPG-1.6.9/tests/DecryptAndVerifyTest.php b/Crypt_GPG-1.6.9/tests/DecryptAndVerifyTest.php +index 39eff26..a8e2a42 100644 +--- a/Crypt_GPG-1.6.9/tests/DecryptAndVerifyTest.php ++++ b/Crypt_GPG-1.6.9/tests/DecryptAndVerifyTest.php +@@ -917,7 +917,7 @@ TEXT; + // }}} + + $expectedResults = array( +- 'data' => "Hello, Bob! Goodbye, Alice!\n", ++ 'data' => "Hello, Bob! Goodbye, Alice!", + 'signatures' => array($signature) + ); + 
diff --git a/debian/patches/series b/debian/patches/series index eea6b20..ff26d5a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ Group-write-if-write-access-is-needed.patch testExportPrivateKey_with_bad_pass-Ignore-E_NOTICE-report.patch Tests-Fix-race-condition-during-GNUPGHOME-cleanup.patch +Avoid-assuming-an-extra-newline-in-CSF-messages.patch -- 2.47.2
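
Review bot: in the DecryptAndVerifyTest.php change carried by the new patch file, the expected 'data' value is switched unconditionally to the string without the trailing newline, so the test will now fail against any gpg that still returns the newline, which the patch description says is how GnuPG has traditionally behaved. If the package is meant to pass with both behaviours, compare after removing one trailing line ending or accept either value; if it is meant to track only the Debian gpg, a short comment above `$expectedResults` pointing at https://dev.gnupg.org/T7106 would tell the next reader why the fixture differs. The patch header also carries no `Forwarded:` field to record whether this expectation is intended to go upstream.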
signature.asc
Description: PGP signature
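
The rule quoted in the report, as an added example that is not code from Crypt_GPG, GnuPG or the reporter: a minimal Python extraction of the signed text from a CSF message, showing that the line ending before the signature block is excluded while a signed trailing newline appears as an extra empty line. The names `csf_signed_text` and `wrap` and the placeholder signature block are assumptions for illustration; no signature is verified and no hashing canonicalization is done.

```python
# Added example, not Crypt_GPG or GnuPG code.
CSF_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def csf_signed_text(message: str) -> str:
    """Return the signed text of a CSF message, per the rule quoted above."""
    lines = message.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index(CSF_BEGIN)
        # Armor headers ("Hash: SHA1") end at the first empty line, which is
        # a separator and not part of the signed text.
        blank = lines.index("", start + 1)
        end = lines.index(SIG_BEGIN, blank + 1)
    except ValueError:
        raise ValueError("not a well-formed cleartext signed message") from None
    # Undo dash-escaping: the signer prefixed "- " to lines starting with "-".
    body = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:end]]
    # Joining puts a line ending only between lines, so the one in front of
    # SIG_BEGIN is dropped while any signed blank lines are kept.
    return "\n".join(body)


def wrap(body_lines):
    """Build a constructed CSF message; the signature block is a placeholder."""
    return "\n".join(
        [CSF_BEGIN, "Hash: SHA1", ""]
        + body_lines
        + [SIG_BEGIN, "", "PLACEHOLDER-NOT-A-REAL-SIGNATURE",
           "-----END PGP SIGNATURE-----", ""]
    )


# Constructed inputs: the text from the test, a text that really ends in a
# newline (it shows up as an extra empty line), and dash-escaped lines.
PAGE_CASE = wrap(["Hello, Bob! Goodbye, Alice!"])
SIGNED_NEWLINE = wrap(["Hello, Bob! Goodbye, Alice!", ""])
DASH_ESCAPED = wrap(["- - item", "- " + SIG_BEGIN])

if __name__ == "__main__":
    for name in ("PAGE_CASE", "SIGNED_NEWLINE", "DASH_ESCAPED"):
        print(name, repr(csf_signed_text(globals()[name])))
```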

