Your message dated Thu, 27 Feb 2025 17:41:55 +0000
with message-id <[email protected]>
and subject line Bug#1099043: fixed in php-crypt-gpg 1.6.9-4
has caused the Debian Bug report #1099043,
regarding php-crypt-gpg: Crypt_GPG test suite is wrong for Cleartext Signature
Framework (CSF) messages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1099043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099043
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: php-crypt-gpg
Version: 1.6.9-3
Severity: normal
Tags: patch
Control: affects -1 + src:gnupg2
GnuPG has traditionally disregarded the OpenPGP standard about Cleartext
Signature Framework (CSF) messages.
Going back to RFC 2440 (in 1998!) the OpenPGP specification has always
said:
> The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
> SIGNATURE-----' line that terminates the signed text is not
> considered part of the signed text.
However, the Crypt_GPG test suite expects this CSF message:
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, Bob! Goodbye, Alice!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI0vkCwJfZ7JTAY2MRAgzTAKCRecYZsCS+PE46Fa2QLTEP8XGLwwCfQEAL
qO+KlKcldtYdMZH9AA+KOLQ=
=EO2G
-----END PGP SIGNATURE-----
```
to declare its content *with* the trailing newline:
"Hello, Bob! Goodbye, Alice!\n"
Upstream GnuPG has ignored this specification
(https://dev.gnupg.org/T7106), but GnuPG in Debian is now in alignment
with the specification.
The attached patch should let php-crypt-gpg complete its test suite
correctly.
I've also opened
https://salsa.debian.org/php-team/pear/php-crypt-gpg/-/merge_requests/1
with this same patch.
Regards,
--dkg
-- System Information:
Debian Release: trixie/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (200,
'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.12-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From bc5e39b921e376e2f3963c7f25a7407fa9188b1a Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <[email protected]>
Date: Thu, 27 Feb 2025 10:32:44 -0500
Subject: [PATCH] Avoid breakage with Cleartext Signature Framework-compliant
gpg
---
...ing-an-extra-newline-in-CSF-messages.patch | 33 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 34 insertions(+)
create mode 100644 debian/patches/Avoid-assuming-an-extra-newline-in-CSF-messages.patch
diff --git a/debian/patches/Avoid-assuming-an-extra-newline-in-CSF-messages.patch b/debian/patches/Avoid-assuming-an-extra-newline-in-CSF-messages.patch
new file mode 100644
index 0000000..631b959
--- /dev/null
+++ b/debian/patches/Avoid-assuming-an-extra-newline-in-CSF-messages.patch
@@ -0,0 +1,33 @@
+From: Daniel Kahn Gillmor <[email protected]>
+Date: Thu, 27 Feb 2025 10:26:35 -0500
+Subject: Avoid assuming an extra newline in CSF messages.
+
+The OpenPGP documentation (going back all the way to RFC 2440 in 1998)
+makes it clear that there should be no trailing newline:
+
+> The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
+> SIGNATURE-----' line that terminates the signed text is not
+> considered part of the signed text.
+
+GnuPG has traditionally ignored this specification (see
+https://dev.gnupg.org/T7106), but the versions shipped in debian fix
+this bug.
+
+Signed-off-by: Daniel Kahn Gillmor <[email protected]>
+---
+ Crypt_GPG-1.6.9/tests/DecryptAndVerifyTest.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Crypt_GPG-1.6.9/tests/DecryptAndVerifyTest.php b/Crypt_GPG-1.6.9/tests/DecryptAndVerifyTest.php
+index 39eff26..a8e2a42 100644
+--- a/Crypt_GPG-1.6.9/tests/DecryptAndVerifyTest.php
++++ b/Crypt_GPG-1.6.9/tests/DecryptAndVerifyTest.php
+@@ -917,7 +917,7 @@ TEXT;
+ // }}}
+
+ $expectedResults = array(
+- 'data' => "Hello, Bob! Goodbye, Alice!\n",
++ 'data' => "Hello, Bob! Goodbye, Alice!",
+ 'signatures' => array($signature)
+ );
+
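Review bot: The new expectation `'data' => "Hello, Bob! Goodbye, Alice!"` in DecryptAndVerifyTest.php passes only against a gpg that drops the final line ending, so the same test will fail on a GnuPG that still emits it, which the patch description says is the traditional behaviour. If the change is meant to travel beyond Debian, consider stripping one trailing line ending from the actual result before comparing, so the assertion holds in both cases. The patch header also carries no Bug-Debian or Forwarded field; now that the report has a number, adding `Bug-Debian: https://bugs.debian.org/1099043` would tie the patch to it.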
diff --git a/debian/patches/series b/debian/patches/series
index eea6b20..ff26d5a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
Group-write-if-write-access-is-needed.patch
testExportPrivateKey_with_bad_pass-Ignore-E_NOTICE-report.patch
Tests-Fix-race-condition-during-GNUPGHOME-cleanup.patch
+Avoid-assuming-an-extra-newline-in-CSF-messages.patch
--
2.47.2
--- End Message ---
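The framing rule quoted in the report above, as an added example (not code from the original message, from Crypt_GPG or from GnuPG): it recovers the signed text of a cleartext-signed message with dash-escaping reversed and the line ending before the signature armor excluded, then builds the canonical form that is hashed. The function names and both sample messages are constructed, the signature bodies are omitted, UTF-8 is assumed, and no signature is verified.

```python
# Added example: framing rules for OpenPGP cleartext-signed (CSF) messages.
# Names and sample messages are constructed; no signature is verified here.
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def extract_signed_text(csf: str) -> str:
    """Return the cleartext covered by the signature."""
    lines = csf.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start + 1)
    except ValueError:
        raise ValueError("not a cleartext-signed message") from None
    body = start + 1
    # Only "Hash:" armor headers may appear before the blank separator line.
    while body < sig and lines[body] != "":
        if not lines[body].startswith("Hash:"):
            raise ValueError("unexpected header: " + lines[body])
        body += 1
    if body >= sig:
        raise ValueError("no blank line after the armor headers")
    # Reverse dash-escaping ("- " prefix) on each cleartext line.
    text = [l[2:] if l.startswith("- ") else l for l in lines[body + 1:sig]]
    # Joining puts line endings *between* lines only, so the ending before
    # the signature armor is left out of the signed text.
    return "\n".join(text)

def canonical_octets(text: str) -> bytes:
    """Canonical form that is hashed: trailing spaces/tabs dropped, CRLF endings."""
    return b"\r\n".join(l.rstrip(" \t").encode("utf-8") for l in text.split("\n"))

# Constructed sample mirroring the message in the report (signature omitted).
SAMPLE_PAGE = (
    BEGIN_MSG + "\nHash: SHA1\n\nHello, Bob! Goodbye, Alice!\n"
    + BEGIN_SIG + "\n\n(signature body omitted)\n-----END PGP SIGNATURE-----\n"
)
# Constructed edge case: CRLF input, a dash-escaped line that looks like the
# signature armor, and an empty last line (a trailing newline that IS signed).
SAMPLE_EDGE = (
    BEGIN_MSG + "\r\nHash: SHA256\r\n\r\nline one\r\n- " + BEGIN_SIG + "\r\n\r\n"
    + BEGIN_SIG + "\r\n\r\n(signature body omitted)\r\n-----END PGP SIGNATURE-----\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PAGE, SAMPLE_EDGE):
        text = extract_signed_text(sample)
        print(repr(text), repr(canonical_octets(text)))
```

A trailing newline belongs to the signed text only when an empty line precedes the signature armor, as in the second sample.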
--- Begin Message ---
Source: php-crypt-gpg
Source-Version: 1.6.9-4
Done: Daniel Kahn Gillmor <[email protected]>
We believe that the bug you reported is fixed in the latest version of
php-crypt-gpg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated php-crypt-gpg
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 27 Feb 2025 11:56:39 -0500
Source: php-crypt-gpg
Architecture: source
Version: 1.6.9-4
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Closes: 1099043
Changes:
php-crypt-gpg (1.6.9-4) unstable; urgency=medium
.
* Team upload
* Avoid breakage with Cleartext Signature Framework-compliant gpg
(Closes: #1099043)
* don't run tests under notest profile
* override lintian about package description and summary
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQRjrBGOWy5dZsiKhad4C4VO2cK0lgUCZ8CfVgAKCRB4C4VO2cK0
lvHkAQDNLpxBbVHhBnBIVyERxd8ZNpLRvTtk5UDLNiKdOG3l/wD/ZTEMNgf9RDaa
G/6ZCiRyrVioVidiCMwbQ5iJ7yWTCwM=
=Hcg/
-----END PGP SIGNATURE-----
--- End Message ---