Edit report at https://bugs.php.net/bug.php?id=65840&edit=1

 ID:                 65840
 User updated by:    deeelwy at gmail dot com
 Reported by:        deeelwy at gmail dot com
 Summary:            Gpg key 90D90EC1 that signed git tag php-5.5.4 not
                     listed on your Web site.
 Status:             Assigned
 Type:               Bug
 Package:            Website problem
 PHP Version:        5.5.4
 Assigned To:        jpauli
 Block user comment: N
 Private report:     N

 New Comment:

Please remember that just adding output similar to what you get from gpg 
--list-keys, which is what's listed on the php download page, is not enough, 
because that output does not actually contain the key.

You must also upload your key 90D90EC1 to a gpg keyserver, so I and others can 
actually download it.

This is easily done with just gpg: 

gpg --keyserver pgp.mit.edu --send-keys 90D90EC1

Thanks,
Dave.


Previous Comments:
------------------------------------------------------------------------
[2013-10-07 07:52:19] [email protected]

Hi,

This is my key yes.
We're gonna add it to the server soon, thx for this report.

------------------------------------------------------------------------
[2013-10-06 17:36:56] [email protected]

I presume this is your key, Julien.

------------------------------------------------------------------------
[2013-10-06 05:18:54] deeelwy at gmail dot com

Description:
------------
On the page http://us1.php.net/downloads.php at the bottom gpg keys are listed 
for the developers who signed the git tags that correspond to each php release.
These tags can be verified with the verify-tag git command as shown below:

git verify-tag php-5.5.3
                                    
gpg: Signature made Tue 20 Aug 2013 12:50:57 AM EDT using DSA key ID 5DA04B5D
gpg: Good signature from "Stanislav Malyshev (PHP key) <[email protected]>"
gpg:                 aka "Stanislav Malyshev (PHP key) <[email protected]>"
gpg:                 aka "Stanislav Malyshev (PHP key) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F382 5282 6ACD 957E F380  D39F 2F79 56BC 5DA0 4B5D

But the latest version of php, 5.5.4, is signed by someone mysterious whose gpg 
key is, 90D90EC1. This person's gpg key is not available on any gpg keyserver, 
and since it's not listed on the Web site either, I cannot import this 
developer's key into my keyring to verify php-5.5.4.

I also find it troubling that the key is not listed on a public keyserver, 
which makes me want to mistrust it, and wonder who really signed that version 
of php.

Below is my attempt to verify the latest version of php:
 
git verify-tag php-5.5.4
                                             
gpg: Signature made Wed 18 Sep 2013 09:40:37 AM EDT using RSA key ID 90D90EC1
gpg: Can't check signature: public key not found

The key is not listed on any public key server such as MIT's: pgp.mit.edu

You get an error message at 
http://pgp.mit.edu:11371/pks/lookup?search=90D90EC1&op=index because the key is 
not listed.

Could you please figure out who released php 5.5.4, and ask them to add their 
public key to a public key server to make importing it possible? They can do it 
on a Web site: pgp.mit.edu, or use the gpg command 'gpg --keyserver pgp.mit.edu 
--send-key 90D90EC1' to have gpg upload it to a keyserver.

Perhaps also have whatever script you use to release php check for this during 
each release so others can verify the release, or even add it to the page if 
needed, or at least email a Webmaster to add it.

Also, could you please add this mysterious developer's key to the list of them 
on your Website on the page: http://us1.php.net/downloads.php

Thanks,
Dave.



------------------------------------------------------------------------
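The verification workflow described in the report (run git verify-tag, fetch a missing signing key from a keyserver, and then trust the key only if its fingerprint matches the list published on the download page) can be scripted so a release check fails loudly on "public key not found" instead of being skipped. The script below is an added example, not code from the bug report or from the PHP project. The keyserver name, the `TRUSTED_FINGERPRINTS` list and the sample gpg output are assumptions constructed for the example (the sample fingerprint is the one for key 5DA04B5D quoted in the report; the other values are placeholders to replace with the real list from php.net).

```shell
#!/bin/sh
# Added example (not part of the bug report): classify `git verify-tag`
# output, fetch a missing key from a keyserver, and accept the tag only
# when the signing key's fingerprint is on a locally kept trusted list.

# Hypothetical defaults; override with environment variables.
KEYSERVER="${KEYSERVER:-pgp.mit.edu}"
# Fingerprints published on the project's download page (constructed list:
# the first entry is the 5DA04B5D fingerprint quoted in the report).
TRUSTED_FINGERPRINTS="${TRUSTED_FINGERPRINTS:-F38252826ACD957EF380D39F2F7956BC5DA04B5D}"

# classify_verify_output: reads gpg/git output on stdin and prints one of
#   GOOD <keyid>     signature verified against a key in the local keyring
#   MISSING <keyid>  signature made by a key the keyring does not have
#   BAD              anything else (bad signature, no signature, unknown text)
# Handles both the old "key ID 90D90EC1" and the newer "key <fingerprint>" form.
classify_verify_output() {
    out=$(cat)
    keyid=$(printf '%s\n' "$out" \
        | sed -En 's/.*using [A-Z0-9]+ key( ID)? ([0-9A-Fa-f]+).*/\2/p' | head -n 1)
    if printf '%s\n' "$out" | grep -q 'public key not found'; then
        echo "MISSING ${keyid:-unknown}"
    elif printf '%s\n' "$out" | grep -q '^gpg: Good signature'; then
        echo "GOOD ${keyid:-unknown}"
    else
        echo "BAD"
    fi
}

# fingerprint_from_output: extract the primary key fingerprint, spaces removed.
fingerprint_from_output() {
    sed -En 's/^Primary key fingerprint: *//p' | tr -d ' ' | head -n 1
}

# fingerprint_trusted: succeed only if the fingerprint is on the trusted list.
fingerprint_trusted() {
    for t in $TRUSTED_FINGERPRINTS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# verify_release_tag: verify a tag; if the key is missing, fetch it once and
# retry; a "Good signature" alone is not enough, the fingerprint must be listed.
verify_release_tag() {
    tag=$1
    out=$(git verify-tag "$tag" 2>&1)
    result=$(printf '%s\n' "$out" | classify_verify_output)
    case $result in
        MISSING\ *)
            keyid=${result#MISSING }
            echo "key $keyid not in keyring; fetching from $KEYSERVER" >&2
            gpg --keyserver "$KEYSERVER" --recv-keys "$keyid" || return 1
            out=$(git verify-tag "$tag" 2>&1)
            result=$(printf '%s\n' "$out" | classify_verify_output)
            ;;
    esac
    case $result in
        GOOD\ *) ;;
        *) echo "$tag: $result" >&2; return 1 ;;
    esac
    fp=$(printf '%s\n' "$out" | fingerprint_from_output)
    if fingerprint_trusted "$fp"; then
        echo "$tag: good signature from trusted key $fp"
    else
        echo "$tag: good signature, but fingerprint $fp is not on the trusted list" >&2
        return 1
    fi
}

# Constructed sample outputs in the shape shown in the report (used for the
# offline self-check below; the name and address are placeholders).
SAMPLE_GOOD='gpg: Signature made Tue 20 Aug 2013 12:50:57 AM EDT using DSA key ID 5DA04B5D
gpg: Good signature from "Example Developer <dev@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: F382 5282 6ACD 957E F380  D39F 2F79 56BC 5DA0 4B5D'
SAMPLE_MISSING="gpg: Signature made Wed 18 Sep 2013 09:40:37 AM EDT using RSA key ID 90D90EC1
gpg: Can't check signature: public key not found"

# Usage: ./verify-release-tag.sh php-5.5.4
if [ "$#" -gt 0 ]; then
    verify_release_tag "$1"
fi
```

Note that gpg's "WARNING: This key is not certified with a trusted signature!" still counts as a good signature here, which is exactly why the script does not stop at `GOOD`: a key fetched from a keyserver proves nothing by itself, and the fingerprint list copied from the download page is the actual trust anchor. The same point is what the report asks the project for: the page must list the key and the key must be fetchable, and both are needed.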
-- 
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php