Error while verifing gpg key using pecl gnupg #292
Comments
|
Wow. I'll add some more debug output (maybe I should actually make that a feature ;-) ) so we can see the raw output from the gnupg call. Would you mind running that again? I'll place it at the same place as the previous debug build. |
|
Debug Phar updated. |
|
Done, but I do not see any changes to the output: https://github.com/phpDocumentor/phpDocumentor/runs/1431924644?check_suite_focus=true |
|
Not sure what's happening there. When I wget the debug phar and run it locally, I do get debug output: theseer@nyda /tmp/x9 $ wget https://theseer.dev/phive-debug.phar
--2020-11-20 20:45:29-- https://theseer.dev/phive-debug.phar
Resolving theseer.dev (theseer.dev)... 188.94.27.6
Connecting to theseer.dev (theseer.dev)|188.94.27.6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 192762 (188K) [application/octet-stream]
Saving to: ‘phive-debug.phar’
phive-debug.phar 100%[=================================================>] 188,24K 544KB/s in 0,3s
2020-11-20 20:45:30 (544 KB/s) - ‘phive-debug.phar’ saved [192762/192762]
theseer@nyda /tmp/x9 $ ll
total 192
-rw-rw-r--. 1 theseer theseer 192762 20. Nov 13:32 phive-debug.phar
theseer@nyda /tmp/x9 $ php phive-debug.phar --home ./phive install --trust-gpg-keys D2CCAC42F6295E7D composer-require-checker
Phive 0.14.4-13-gf0bd1b4-dirty - Copyright (C) 2015-2020 by Arne Blankerts, Sebastian Heuer and Contributors
Fetching repository list
Downloading https://phar.io/data/repositories.xml
Downloading https://api.github.com/repos/maglnet/ComposerRequireChecker/releases
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar.asc
---[ GNUPG DEBUG START ]---
RC: 2
Array
(
[0] => [GNUPG:] NEWSIG magl@magl.net
[1] => [GNUPG:] ERRSIG D2CCAC42F6295E7D 1 10 00 1577541072 9 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
[2] => [GNUPG:] NO_PUBKEY D2CCAC42F6295E7D
)
---[ GNUPG DEBUG END ]---
Downloading key D2CCAC42F6295E7D
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xD2CCAC42F6295E7D
Successfully downloaded key.
[WARNING] Parsing key data failed with error code 0: No UIDs in key found
Trying to connect to keyserver.ubuntu.com (162.213.33.8)
Successfully downloaded key.
Fingerprint: B090 6BA7 7599 2B91 0F4E 83CB D2CC AC42 F629 5E7D
Matthias Glaub <matthias@glaub-online.de>
Matthias Glaub <info@8db8.de>
Matthias Glaub <magl@magl.net>
Matthias Glaub <maglnet@keybase.io>
Created: 2013-09-04
---[ GNUPG DEBUG START ]---
RC: 0
Array
(
[0] => [GNUPG:] NEWSIG magl@magl.net
[1] => [GNUPG:] KEYEXPIRED 1599040223
[2] => [GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[3] => [GNUPG:] KEYEXPIRED 1599040223
[4] => [GNUPG:] SIG_ID i6rvZb5Bq2lNoRKCxrd/8j/81Wc 2019-12-28 1577541072
[5] => [GNUPG:] KEYEXPIRED 1599040223
[6] => [GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[7] => [GNUPG:] EXPKEYSIG D2CCAC42F6295E7D Matthias Glaub <matthias@glaub-online.de>
[8] => [GNUPG:] VALIDSIG B0906BA775992B910F4E83CBD2CCAC42F6295E7D 2019-12-28 1577541072 0 4 0 1 10 00 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
[9] => [GNUPG:] KEYEXPIRED 1599040223
[10] => [GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[11] => [GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
)
---[ GNUPG DEBUG END ]---
Linking ./phive/phars/composer-require-checker-2.1.0.phar to /tmp/x9/tools/composer-require-checker
Can you double check you have the actual updated phar? |
|
I was able to reproduce the issue local... it looks like the pecl extensions is doing something wrong here. That also explains why I didn't get the debug output... I didn't have the pecl extension installed locally so that's why it worked, and also the reason why it would have worked for you. |
jaapio
changed the title
|
Confirmed. With |
|
While I can reproduce this, I currently see no way of getting any additional useful details. I enabled some debug output for the pecl verify call: theseer@nyda /tmp/x9 $ phive --home ./phive install --trust-gpg-keys D2CCAC42F6295E7D composer-require-checker
Phive 0.14.4-13-gf0bd1b4-dirty - Copyright (C) 2015-2020 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/repos/maglnet/ComposerRequireChecker/releases
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar.asc
array(1) {
[0]=>
array(5) {
["fingerprint"]=>
string(40) "B0906BA775992B910F4E83CBD2CCAC42F6295E7D"
["validity"]=>
int(0)
["timestamp"]=>
int(1577541072)
["status"]=>
int(117440665)
["summary"]=>
int(32)
}
}
bool(false)
[ERROR] Signature could not be verified
[ERROR] Unknown error code "117440665" Aparently, from the perspective of That is rather interesting, given that calling it via gpg1 or gpg2 via cli, it certainly isn't fully happy but considers the signature valid nevertheless, as the output contains "VALIDSIG": Not sure how to fix this. Is that an issue in |
|
I just revisited this issue and still can a) reproduce this with current PHP 8.2.4 + pecl/gnupg 1.5.1 Trying to involve the pecl/gnupg dev(s) here :) |
|
My guess is that it's because of the expired key but would need to investigate properly to confirm. Are you able to extract the gnupg ext calls and report it to https://github.com/php-gnupg/php-gnupg ? |
|
Can certainly do :) |
With help from @theseer, I got a modified version of phive which gives me some more output when key validation fails.
The error code itself cannot be found in: https://raw.githubusercontent.com/gpg/libgpg-error/master/src/err-codes.h.in
The text was updated successfully, but these errors were encountered: