From: deeelwy at gmail dot com
Operating system:
PHP version: 5.5.4
Package: Website problem
Bug Type: Bug
Bug description: Gpg key 90D90EC1 that signed git tag php-5.5.4 not listed on your Web site.

Description:
------------
On the page http://us1.php.net/downloads.php at the bottom gpg keys are listed for the developers who signed the git tags that correspond to each php release. These tags can be verified with the verify-tag git command as shown below:

    git verify-tag php-5.5.3
    gpg: Signature made Tue 20 Aug 2013 12:50:57 AM EDT using DSA key ID 5DA04B5D
    gpg: Good signature from "Stanislav Malyshev (PHP key) <[email protected]>"
    gpg:                 aka "Stanislav Malyshev (PHP key) <[email protected]>"
    gpg:                 aka "Stanislav Malyshev (PHP key) <[email protected]>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: F382 5282 6ACD 957E F380  D39F 2F79 56BC 5DA0 4B5D

But the latest version of php, 5.5.4, is signed by someone mysterious whose gpg key is 90D90EC1. This person's gpg key is not available on any gpg keyserver, and since it's not listed on the Web site either, I cannot import this developer's key into my keyring to verify php-5.5.4. I also find it troubling that the key is not listed on a public keyserver, which makes me want to mistrust it, and wonder who really signed that version of php.

Below is my attempt to verify the latest version of php:

    git verify-tag php-5.5.4
    gpg: Signature made Wed 18 Sep 2013 09:40:37 AM EDT using RSA key ID 90D90EC1
    gpg: Can't check signature: public key not found

The key is not listed on any public key server such as MIT's: pgp.mit.edu

You get an error message:
http://pgp.mit.edu:11371/pks/lookup?search=90D90EC1&op=index
because the key is not listed.

Could you please figure out who released php 5.5.4, and ask them to add their public key to a public key server to make importing it possible? They can do it on a Web site: pgp.mit.edu, or use the gpg command 'gpg --keyserver pgp.mit.edu --send-key 90D90EC1' to have gpg upload it to a keyserver.
Perhaps also have whatever script you use to release php check for this during each release so others can verify the release, or even add it to the page if needed, or at least email a Webmaster to add it.

Also, could you please add this mysterious developer's key to the list of them on your Website on the page: http://us1.php.net/downloads.php

Thanks,
Dave.

--
Edit bug report at https://bugs.php.net/bug.php?id=65840&edit=1

--
PHP Webmaster List Mailing List (http://www.php.net/)
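The release-time check the report asks for, as an added example that is not part of the original message or of PHP's release tooling: it reads GnuPG's machine-readable status lines (as printed by `git verify-tag --raw`) and reports whether the tag's signing key is missing from the keyring, valid but absent from the published list, or valid and listed. The function names, the one-entry allowlist and the sample status lines are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example: decide whether a tag signature is verifiable against the
# list of published release keys, from GnuPG machine-readable status lines.

# Fingerprint quoted in the report (spaces removed). A real list would hold
# every fingerprint published on the downloads page, space-separated.
PUBLISHED_FPRS="F38252826ACD957EF380D39F2F7956BC5DA04B5D"

# classify_status ALLOWED_FPRS  (status lines on stdin, one verdict on stdout)
classify_status() {
    awk -v allowed="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { rejected = $2 }
        $2 == "NO_PUBKEY" { missing = $3 }
        # VALIDSIG: field 3 is the signing (sub)key, last field the primary key
        $2 == "VALIDSIG"  { fpr = (NF >= 12) ? $12 : $3 }
        END {
            if (rejected != "")      print "rejected " rejected
            else if (missing != "")  print "missing-key " missing
            else if (fpr == "")      print "no-valid-signature"
            else if (index(" " allowed " ", " " fpr " ")) print "ok " fpr
            else                     print "unlisted-key " fpr
        }'
}

# Run against a real tag: --raw makes git print the gpg status lines on stderr.
verify_release_tag() {
    git verify-tag --raw "$1" 2>&1 | classify_status "$PUBLISHED_FPRS"
}

# Constructed status output for the three cases (timestamps, the zero padding
# of the 64-bit key ID and the all-A fingerprint are made up for the example).
SAMPLE_MISSING='[GNUPG:] ERRSIG 0000000090D90EC1 1 2 00 1379511637 9
[GNUPG:] NO_PUBKEY 0000000090D90EC1'
SAMPLE_LISTED='[GNUPG:] GOODSIG 2F7956BC5DA04B5D Stanislav Malyshev (PHP key)
[GNUPG:] VALIDSIG F38252826ACD957EF380D39F2F7956BC5DA04B5D 2013-08-20 1376974257 0 4 0 17 2 00 F38252826ACD957EF380D39F2F7956BC5DA04B5D'
SAMPLE_UNLISTED='[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2013-09-18 1379511637 0 4 0 1 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
```

Inside a checkout, `verify_release_tag php-5.5.4` gives the verdict for a real tag; a release script would refuse to publish on anything other than `ok`. The comparison uses the full fingerprint, since an 8-character key ID like the ones gpg prints above is too short to identify a key uniquely.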
