captainhookphp / captainhook

CaptainHook is a very flexible git hook manager for software developers that makes sharing git hooks with your team a breeze.
http://captainhook.info
MIT License

GpgError during composer install of phar version #257

Open flexponsive opened 3 weeks ago

flexponsive commented 3 weeks ago

When running `composer require --dev captainhook/captainhook-phar:5.23.5`, I get a `GpgError` and the installation aborts without a `vendor/bin/captainhook` file being created.

Installing the full source version with `composer require --dev captainhook/captainhook` works as expected.

Below is some diagnostic info, referring to the installation of the phar version only:

```
$ composer require --dev captainhook/captainhook-phar:5.23.5
./composer.json has been updated
Running composer update captainhook/captainhook-phar
Loading composer repositories with package information
Updating dependencies
Lock file operations: 5 installs, 0 updates, 0 removals
  - Locking captainhook/captainhook-phar (5.23.5)
  - Locking phar-io/composer-distributor (1.0.2)
  - Locking phar-io/executor (1.0.1)
  - Locking phar-io/filesystem (2.0.1)
  - Locking phar-io/gnupg (1.0.3)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 5 installs, 0 updates, 0 removals
  - Installing phar-io/filesystem (2.0.1): Extracting archive
  - Installing phar-io/executor (1.0.1): Extracting archive
  - Installing phar-io/gnupg (1.0.3): Extracting archive
  - Installing phar-io/composer-distributor (1.0.2): Extracting archive
captainhook/captainhook-phar contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "captainhook/captainhook-phar" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y
  - Installing captainhook/captainhook-phar (5.23.5): Extracting archive
  - Downloading artifact from https://github.com/captainhookphp/captainhook/releases/download/5.23.5/captainhook.phar

In GpgError.php line 13:

  Unable to verify "captainhook" with "captainhook.asc"!

require [--dev] [--dry-run] [--prefer-source] [--prefer-dist] [--prefer-install PREFER-INSTALL] [--fixed] [--no-suggest] [--no-progress] [--no-update] [--no-install] [--no-audit] [--audit-format AUDIT-FORMAT] [--update-no-dev] [-w|--update-with-dependencies] [-W|--update-with-all-dependencies] [--with-dependencies] [--with-all-dependencies] [--ignore-platform-req IGNORE-PLATFORM-REQ] [--ignore-platform-reqs] [--prefer-stable] [--prefer-lowest] [-m|--minimal-changes] [--sort-packages] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--apcu-autoloader-prefix APCU-AUTOLOADER-PREFIX] [--] [<packages>...]
```

After this error, the installation aborts. If I try to re-run the same install command, the error is not printed again, but I also don't get a `vendor/bin/captainhook` file. If I remove and re-install the package, the same GnuPG error appears again.

Composer is at the latest version:

```
$ composer diagnose
Checking composer.json: OK
Checking composer.lock: OK
Checking platform settings: OK
Checking git settings: OK git version 2.43.2
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK does not expire
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking Composer version: OK
Checking Composer and its dependencies for vulnerabilities: OK
Composer version: 2.8.1
PHP version: 8.3.11
PHP binary path: /usr/bin/php8.3
OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
curl version: 7.81.0 libz 1.2.11 ssl OpenSSL/3.0.2
zip: extension present, unzip present, 7-Zip not available
```

Manually verifying the signature in the terminal:

```
$ gpg --verify captainhook.asc captainhook
gpg: Signature made Thu 05 Sep 2024 03:45:48 PM UTC
gpg:                using RSA key E99C4926B6D749C64897D591661E97400F658E25
gpg:                issuer "captainhook@sebastian-feldmann.info"
gpg: Can't check signature: No public key

$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys E99C4926B6D749C64897D591661E97400F658E25
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 661E97400F658E25: public key "Captain Hook (Captain Hook Signing Key) <captainhook@sebastian-feldmann.info>" imported

$ gpg --verify captainhook.asc captainhook
gpg: Signature made Thu 05 Sep 2024 03:45:48 PM UTC
gpg:                using RSA key E99C4926B6D749C64897D591661E97400F658E25
gpg:                issuer "captainhook@sebastian-feldmann.info"
gpg: Good signature from "Captain Hook (Captain Hook Signing Key) <captainhook@sebastian-feldmann.info>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E99C 4926 B6D7 49C6 4897  D591 661E 9740 0F65 8E25
```

sebastianfeldmann commented 2 weeks ago

I have a guess why it breaks. Could you try to add some debug output to

`vendor/phar-io/gnupg/src/GnuPG.php`

and add `print_r($status);` at line 106 to check what gpg actually does?

I think the output parsing is somewhat broken.
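
The reporter's manual `gpg --verify` run shows the two outcomes a verifier has to tell apart ("Can't check signature: No public key" versus "Good signature ... [unknown]" plus the not-certified WARNING), and the comment above suspects the status parsing in phar-io/gnupg. The following is an added example, not code from the issue or from phar-io/gnupg: it keys on gpg's machine-readable `--status-fd` records instead of the human-readable text, and pins the expected signing-key fingerprint so that an "unknown" trust level or a good signature from some other key is never mistaken for acceptance. The function names `check_gpg_status` and `verify_detached`, the variable `EXPECTED_FPR`, and the embedded status records (modelled on the two runs in the issue) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the issue or of phar-io/gnupg): verify a detached
# signature by parsing gpg's machine-readable status records rather than its
# human-readable text, and pin the expected signing-key fingerprint so that an
# "unknown" trust level (the WARNING seen in the issue) cannot be mistaken for
# acceptance. Assumed names: check_gpg_status, verify_detached, EXPECTED_FPR.

# Fingerprint of the key that made the signature, as printed by gpg in the issue.
EXPECTED_FPR="E99C4926B6D749C64897D591661E97400F658E25"

# check_gpg_status <status-records> <expected-fingerprint>
# Returns 0 only when a VALIDSIG record carries the expected fingerprint
# (the signing key in field 3 or the primary key in the last field) and no
# failure record is present. Keyword matching avoids the locale-dependent
# "Good signature from ..." text.
check_gpg_status() {
    status="$1"
    want="$2"

    # Any of these records means the signature must be rejected outright.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)( |$)'; then
        return 1
    fi

    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# verify_detached <signature.asc> <file> <expected-fingerprint>
# Runs gpg with status records on stdout (--status-fd 1) and hands them to
# check_gpg_status. Needs a gpg binary; the offline demo below does not call it.
verify_detached() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    check_gpg_status "$status" "$3"
}

# Constructed status records modelled on the two gpg runs in the issue:
# first a successful verification, then "Can't check signature: No public key".
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 661E97400F658E25 Captain Hook (Captain Hook Signing Key) <captainhook@sebastian-feldmann.info>
[GNUPG:] VALIDSIG E99C4926B6D749C64897D591661E97400F658E25 2024-09-05 1725551148 0 4 0 1 8 00 E99C4926B6D749C64897D591661E97400F658E25
[GNUPG:] TRUST_UNDEFINED 0 pgp'

STATUS_NO_PUBKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG E99C4926B6D749C64897D591661E97400F658E25 1 8 00 1725551148 9 E99C4926B6D749C64897D591661E97400F658E25
[GNUPG:] NO_PUBKEY 661E97400F658E25'

if check_gpg_status "$STATUS_GOOD" "$EXPECTED_FPR"; then
    echo "constructed good status: accepted"
fi
if ! check_gpg_status "$STATUS_NO_PUBKEY" "$EXPECTED_FPR"; then
    echo "constructed NO_PUBKEY status: rejected"
fi
if ! check_gpg_status "$STATUS_GOOD" "0000000000000000000000000000000000000000"; then
    echo "good signature from an unexpected key: rejected"
fi
```

The check deliberately ignores the trust records (`TRUST_UNDEFINED` and friends): with a key fetched from a keyserver the web-of-trust level is always "unknown", so the meaningful decision is whether the signature validates under the one fingerprint the installer expects. `verify_detached` shows how the same function would sit behind a real `gpg` call with `--status-fd 1`.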

sebastianfeldmann commented 2 weeks ago

And of course it works on my machine :(

```
composer install
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 1 update, 0 removals
  - Upgrading captainhook/captainhook-phar (5.22.2 => 5.23.5)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 1 update, 0 removals
  - Upgrading captainhook/captainhook-phar (5.22.2 => 5.23.5): Extracting archive
  - Downloading artifact from https://github.com/captainhookphp/captainhook/releases/download/5.23.5/captainhook.phar
  - PHAR signature successfully verified
Generating autoload files
2 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
No security vulnerability advisories found.
```

I also created an integration build that checks the installation. You can check it out here:

https://github.com/captainhookphp/captainhook-phar/actions/runs/11406757859/job/31741218378