
Verification of Valid Signature fails - potentially because key is expired #45

Open
theseer opened this issue Mar 15, 2023 · 1 comment

Comments

@theseer

theseer commented Mar 15, 2023

As requested in phar-io/phive#292 (comment):

Download

wget https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar
wget https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar.asc
wget https://keys.openpgp.org/vks/v1/by-fingerprint/B0906BA775992B910F4E83CBD2CCAC42F6295E7D

Import

mkdir gpg
gpg2 --no-tty --homedir ./gpg --import B0906BA775992B910F4E83CBD2CCAC42F6295E7D

CLI Test

$ gpg2 --no-tty --homedir ./gpg --status-fd 1 --verify composer-require-checker.phar.asc composer-require-checker.phar

Output

gpg: WARNING: unsafe permissions on homedir '/tmp/x3/./gpg'
[GNUPG:] NEWSIG magl@magl.net
gpg: Signature made Sa 28 Dez 2019 14:51:12 CET
gpg:                using RSA key B0906BA775992B910F4E83CBD2CCAC42F6295E7D
gpg:                issuer "magl@magl.net"
[GNUPG:] KEYEXPIRED 1674071325
[GNUPG:] KEYEXPIRED 1674072043
[GNUPG:] KEYEXPIRED 1674071325
[GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[GNUPG:] KEYEXPIRED 1674071325
[GNUPG:] SIG_ID i6rvZb5Bq2lNoRKCxrd/8j/81Wc 2019-12-28 1577541072
[GNUPG:] KEYEXPIRED 1674071325
[GNUPG:] KEYEXPIRED 1674072043
[GNUPG:] KEYEXPIRED 1674071325
[GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[GNUPG:] EXPKEYSIG D2CCAC42F6295E7D Matthias Glaub <matthias@glaub-online.de>
gpg: Good signature from "Matthias Glaub <matthias@glaub-online.de>" [expired]
gpg:                 aka "Matthias Glaub <magl@magl.net>" [expired]
[GNUPG:] VALIDSIG B0906BA775992B910F4E83CBD2CCAC42F6295E7D 2019-12-28 1577541072 0 4 0 1 10 00 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
gpg: Note: This key has expired!
Primary key fingerprint: B090 6BA7 7599 2B91 0F4E  83CB D2CC AC42 F629 5E7D

PHP Test

<?php
// Confirm the gnupg extension is loaded before using \Gnupg.
var_dump(extension_loaded('gnupg'));

// Point GPGME at the same keyring directory the CLI test imported into.
putenv('GNUPGHOME=./gpg');

$gpg = new \Gnupg();
// Make verify() throw instead of returning false on failure.
$gpg->seterrormode(\Gnupg::ERROR_EXCEPTION);

// Detached signature: signed data first, then the .asc signature.
var_dump(
    $gpg->verify(
        file_get_contents('composer-require-checker.phar'),
        file_get_contents('composer-require-checker.phar.asc')
    )
);

Output

bool(true)
array(1) {
  [0]=>
  array(5) {
    ["fingerprint"]=>
    string(40) "B0906BA775992B910F4E83CBD2CCAC42F6295E7D"
    ["validity"]=>
    int(0)
    ["timestamp"]=>
    int(1577541072)
    ["status"]=>
    int(117440665)
    ["summary"]=>
    int(32)
  }
}

I have no idea where the status of 117440665 comes from; the summary of 32 seems to suggest the signature is considered invalid somehow, which technically seems wrong.

@bukka
Member

bukka commented May 5, 2023

@theseer Apologies for taking a bit longer to look into this. I finally took a look, and this doesn't actually mean that the signature is invalid. If it were invalid, you would get an uncaught exception in your script like the one below:

[05-May-2023 10:38:53 UTC] PHP Fatal error:  Uncaught Exception: verify failed in ...

I know this is not great result reporting, but it basically displays fields from gpgme_signature_t as documented in https://www.gnupg.org/documentation/manuals/gpgme/Verify.html.

Specifically, for the version that I'm just checking, the value meanings are the following:

  • validity 0 is for GPGME_VALIDITY_UNKNOWN
  • summary 32 (0x20) is for GPGME_SIGSUM_KEY_EXPIRED
  • status is an error value that is composed of two components, code and source. I haven't checked, but I would guess that the code component will be GPG_ERR_KEY_EXPIRED. This is very poor reporting, though, as we don't expose the error code function, so it is hard for the user to interpret this...

I also tested the script, but it looks like the signature is no longer invalid, so I'm not getting any error in either CLI gpg or gnupg.
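To make the integers in that array interpretable in application code, here is an added example (not part of the issue and not php-gnupg's own code) that decodes the `summary` bit flags, the `validity` enum and the `status` gpg_error_t (low 16 bits are the error code, bits 24..30 the error source), and applies a pinned-fingerprint acceptance policy to the entry from this issue. The constant values are taken from gpgme.h and libgpg-error; the function names and the policy are my own assumptions.

```php
<?php
// Added example: decode what \Gnupg::verify() returns per signature.
declare(strict_types=1);

// GPGME_SIGSUM_* bit flags from gpgme.h.
const SIGSUM_FLAGS = [
    0x0001 => 'VALID', 0x0002 => 'GREEN', 0x0004 => 'RED',
    0x0010 => 'KEY_REVOKED', 0x0020 => 'KEY_EXPIRED', 0x0040 => 'SIG_EXPIRED',
    0x0080 => 'KEY_MISSING', 0x0100 => 'CRL_MISSING', 0x0200 => 'CRL_TOO_OLD',
    0x0400 => 'BAD_POLICY', 0x0800 => 'SYS_ERROR', 0x1000 => 'TOFU_CONFLICT',
];
// GPGME_VALIDITY_* enum, indexed by value.
const VALIDITY = ['UNKNOWN', 'UNDEFINED', 'NEVER', 'MARGINAL', 'FULL', 'ULTIMATE'];
// A few gpg_err_code_t values relevant to verify(); 153 is GPG_ERR_KEY_EXPIRED.
const ERR_CODES = [0 => 'NO_ERROR', 8 => 'BAD_SIGNATURE', 9 => 'NO_PUBKEY',
                   153 => 'KEY_EXPIRED', 154 => 'SIG_EXPIRED'];

/** Split a gpg_error_t into its code (low 16 bits) and source (bits 24..30). */
function decodeStatus(int $status): array
{
    return ['code' => $status & 0xFFFF, 'source' => ($status >> 24) & 0x7F];
}

/** Human-readable view of one signature entry (the hypothetical helper). */
function describeSignature(array $sig): array
{
    $flags = [];
    foreach (SIGSUM_FLAGS as $bit => $name) {
        if (($sig['summary'] & $bit) !== 0) {
            $flags[] = $name;
        }
    }
    $st = decodeStatus($sig['status']);
    return [
        'fingerprint'  => $sig['fingerprint'],
        'validity'     => VALIDITY[$sig['validity']] ?? 'UNKNOWN',
        'summary'      => $flags ?: ['(none)'],
        'error_code'   => ERR_CODES[$st['code']] ?? (string) $st['code'],
        'error_source' => $st['source'], // 7 is GPG_ERR_SOURCE_GPGME
    ];
}

/** Assumed policy: pinned fingerprint, no error, and no flag beyond VALID/GREEN. */
function isAcceptable(array $sig, string $pinnedFingerprint): bool
{
    return hash_equals($pinnedFingerprint, $sig['fingerprint'])
        && decodeStatus($sig['status'])['code'] === 0
        && ($sig['summary'] & ~0x0003) === 0;
}

// Constructed sample: the signature entry from this issue's PHP output.
$sig = ['fingerprint' => 'B0906BA775992B910F4E83CBD2CCAC42F6295E7D', 'validity' => 0,
        'timestamp' => 1577541072, 'status' => 117440665, 'summary' => 32];
print_r(describeSignature($sig));
var_dump(isAcceptable($sig, 'B0906BA775992B910F4E83CBD2CCAC42F6295E7D'));
```

For the issue's values, 117440665 is 0x07000099, so the source is 7 (GPGME) and the code is 153, which is GPG_ERR_KEY_EXPIRED, matching the summary flag; the policy function rejects the entry because the key had expired by verification time, even though gpg reports the signature itself as good.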
