On 2025-02-27 Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> Package: php-crypt-gpg
> Version: 1.6.9-3
> Severity: normal
> Tags: patch
> Control: affects -1 + src:gnupg2
>
> GnuPG has traditionally disregarded the OpenPGP standard about Cleartext
> Signature Framework (CSF) messages.
>
> Going back to RFC 2440 (in 1998!) the OpenPGP specification has always
> said:
>
> > The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
> > SIGNATURE-----' line that terminates the signed text is not
> > considered part of the signed text.
>
> However, the Crypt_GPG test suite expects this CSF message:
>
> ```
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello, Bob! Goodbye, Alice!
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFI0vkCwJfZ7JTAY2MRAgzTAKCRecYZsCS+PE46Fa2QLTEP8XGLwwCfQEAL
> qO+KlKcldtYdMZH9AA+KOLQ=
> =EO2G
> -----END PGP SIGNATURE-----
> ```
>
> to declare its content *with* the trailing newline:
>
> "Hello, Bob! Goodbye, Alice!\n"
>
> Upstream GnuPG has ignored this specification
> (https://dev.gnupg.org/T7106), but GnuPG in debian is now in alignment
> with the specification.
>
> The attached patch should let php-crypt-gpg complete its test suite
> correctly.
>
> I've also opened
> https://salsa.debian.org/php-team/pear/php-crypt-gpg/-/merge_requests/1
> with this same patch.

[...]

Hello Daniel,

I think this is a bit worrying. php-crypt-gpg 1.6.9-3 can be built against
gnupg 2.2.46-1 but fails against gnupg 2.2.46-3 and later. And vice versa
the patched testsuite of php-crypt-gpg 1.6.9-4 only works with gnupg
2.2.46-3 (or similarly patched versions of 2.4). So this cannot be applied
upstream.

Afaiui this is nowadays niche, non-recommended usage of gnupg so I wonder
whether the cost/benefit ratio for applying this patch to our gnupg
packages (or including it in FreePG) is good enough.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
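The disagreement in the thread is about one byte: whether the line ending before the `-----BEGIN PGP SIGNATURE-----` line belongs to the signed text. The following Python parser is an added example, not code from the bug report, from Crypt_GPG or from GnuPG. It extracts the signed text from a cleartext-signed message following the RFC rule quoted above, undoes the dash-escaping the format uses for lines that start with `-`, and builds the canonical CRLF-joined, trailing-whitespace-stripped bytes that a verifier hashes for a cleartext signature. The `legacy_trailing_newline` flag is this example's own name for the alternative reading (content kept *with* the trailing newline) that the Crypt_GPG test expects, so both results can be compared on the sample message from the report. The sample message is the one quoted in the report; no signature verification is attempted because no key is available.

```python
"""Cleartext Signature Framework (CSF) parsing per RFC 4880 section 7.

Added example; not code from the bug report, Crypt_GPG or GnuPG.
Function names and the `legacy_trailing_newline` flag are this example's own.
"""

SIGNED_HDR = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed sample: the message quoted in the bug report.
SAMPLE_CSF = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    "Hello, Bob! Goodbye, Alice!\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v1.4.6 (GNU/Linux)\n"
    "\n"
    "iD8DBQFI0vkCwJfZ7JTAY2MRAgzTAKCRecYZsCS+PE46Fa2QLTEP8XGLwwCfQEAL\n"
    "qO+KlKcldtYdMZH9AA+KOLQ=\n"
    "=EO2G\n"
    "-----END PGP SIGNATURE-----\n"
)


def split_cleartext(message: str, legacy_trailing_newline: bool = False):
    """Return (signed_text, armored_signature) for a CSF message.

    Per RFC 4880 7.1 the line ending before the BEGIN PGP SIGNATURE line is
    not part of the signed text, so the default result has no trailing
    newline.  With legacy_trailing_newline=True that newline is kept, which
    is the content the Crypt_GPG test in the report expects.
    """
    lines = message.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index(SIGNED_HDR)
    except ValueError:
        raise ValueError("not a cleartext-signed message") from None

    # Skip the armor headers (e.g. "Hash: SHA1") up to the first blank line.
    i = start + 1
    while i < len(lines) and lines[i] != "":
        if ":" not in lines[i]:
            raise ValueError(f"malformed armor header: {lines[i]!r}")
        i += 1
    i += 1  # step over the blank line that ends the headers

    body = []
    while i < len(lines) and lines[i] != SIG_BEGIN:
        line = lines[i]
        # Undo dash-escaping: a signed line beginning with '-' is emitted as
        # "- " + line so it cannot be mistaken for an armor boundary.
        if line.startswith("- "):
            line = line[2:]
        body.append(line)
        i += 1
    if i >= len(lines):
        raise ValueError("missing PGP SIGNATURE block")

    try:
        end = lines.index(SIG_END, i)
    except ValueError:
        raise ValueError("unterminated PGP SIGNATURE block") from None
    armored_sig = "\n".join(lines[i:end + 1])

    signed_text = "\n".join(body)
    if legacy_trailing_newline:
        signed_text += "\n"
    return signed_text, armored_sig


def canonical_hash_input(signed_text: str) -> bytes:
    """Bytes a verifier hashes for a cleartext signature: trailing spaces and
    tabs removed from every line, lines joined with CRLF, no final CRLF."""
    lines = signed_text.replace("\r\n", "\n").split("\n")
    return "\r\n".join(ln.rstrip(" \t") for ln in lines).encode("utf-8")


if __name__ == "__main__":
    spec_text, sig = split_cleartext(SAMPLE_CSF)
    legacy_text, _ = split_cleartext(SAMPLE_CSF, legacy_trailing_newline=True)
    print("per RFC:  ", repr(spec_text))
    print("legacy:   ", repr(legacy_text))
    print("hashed:   ", canonical_hash_input(spec_text))
    print("signature:", sig.splitlines()[-2])
```

Running it shows `'Hello, Bob! Goodbye, Alice!'` for the RFC reading and `'Hello, Bob! Goodbye, Alice!\n'` for the legacy reading; since the trailing newline changes the bytes that are hashed, an implementation that includes it will not verify against one that excludes it, which is why the thread treats the test expectation as a cross-version compatibility problem rather than a cosmetic one.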