phar-io / phive

The Phar Installation and Verification Environment (PHIVE)
https://phar.io
BSD 3-Clause "New" or "Revised" License

Error while verifying gpg key using pecl gnupg #292

Open jaapio opened 3 years ago

jaapio commented 3 years ago

With help from @theseer, I got a modified version of phive which gives me some more output when key validation fails.

The error code itself cannot be found in: https://raw.githubusercontent.com/gpg/libgpg-error/master/src/err-codes.h.in

 Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xD2CCAC42F6295E7D
Successfully downloaded key.
Warning:  Parsing key data failed with error code 8: Undefined offset: 0
Trying to connect to keyserver.ubuntu.com (162.213.33.8)
Successfully downloaded key.

    Fingerprint: B090 6BA7 7599 2B91 0F4E 83CB D2CC AC42 F629 5E7D

    Matthias Glaub <matthias@glaub-online.de>
    Matthias Glaub <info@8db8.de>
    Matthias Glaub <magl@magl.net>
    Matthias Glaub <maglnet@keybase.io>

    Created: 2013-09-04

Error:    Signature could not be verified

Error:    Unknown error code "117440665"
Error: Process completed with exit code 4.
theseer commented 3 years ago

Wow. 117440665 is certainly far off from what is listed in the .h file. That almost makes me wonder if there's a parsing bug in the output handler. At least the internet does not yield any result for this error code.

I'll add some more debug output (maybe I should actually make that a feature ;-) ) so we can see the raw output from the gnupg call.

Would you mind running that again? I'll place it at the same place as the previous debug build.

theseer commented 3 years ago

Debug Phar updated.

jaapio commented 3 years ago

Done, but I do not see any changes to the output: https://github.com/phpDocumentor/phpDocumentor/runs/1431924644?check_suite_focus=true

theseer commented 3 years ago

Not sure what's happening there. When I wget the debug phar and run it locally, I do get debug output:

theseer@nyda /tmp/x9 $ wget https://theseer.dev/phive-debug.phar
--2020-11-20 20:45:29--  https://theseer.dev/phive-debug.phar
Resolving theseer.dev (theseer.dev)... 188.94.27.6
Connecting to theseer.dev (theseer.dev)|188.94.27.6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 192762 (188K) [application/octet-stream]
Saving to: ‘phive-debug.phar’

phive-debug.phar              100%[=================================================>] 188,24K   544KB/s    in 0,3s    

2020-11-20 20:45:30 (544 KB/s) - ‘phive-debug.phar’ saved [192762/192762]

theseer@nyda /tmp/x9 $ ll
total 192
-rw-rw-r--. 1 theseer theseer 192762 20. Nov 13:32 phive-debug.phar

theseer@nyda /tmp/x9 $ php phive-debug.phar --home ./phive install --trust-gpg-keys D2CCAC42F6295E7D composer-require-checker

Phive 0.14.4-13-gf0bd1b4-dirty - Copyright (C) 2015-2020 by Arne Blankerts, Sebastian Heuer and Contributors
Fetching repository list
Downloading https://phar.io/data/repositories.xml
Downloading https://api.github.com/repos/maglnet/ComposerRequireChecker/releases
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar.asc
---[ GNUPG DEBUG START ]---
RC: 2
Array
(
    [0] => [GNUPG:] NEWSIG magl@magl.net
    [1] => [GNUPG:] ERRSIG D2CCAC42F6295E7D 1 10 00 1577541072 9 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
    [2] => [GNUPG:] NO_PUBKEY D2CCAC42F6295E7D
)
---[ GNUPG DEBUG END ]---
Downloading key D2CCAC42F6295E7D
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xD2CCAC42F6295E7D
Successfully downloaded key.
[WARNING]  Parsing key data failed with error code 0: No UIDs in key found 
Trying to connect to keyserver.ubuntu.com (162.213.33.8)
Successfully downloaded key.

    Fingerprint: B090 6BA7 7599 2B91 0F4E 83CB D2CC AC42 F629 5E7D

    Matthias Glaub <matthias@glaub-online.de>
    Matthias Glaub <info@8db8.de>
    Matthias Glaub <magl@magl.net>
    Matthias Glaub <maglnet@keybase.io>

    Created: 2013-09-04

---[ GNUPG DEBUG START ]---
RC: 0
Array
(
    [0] => [GNUPG:] NEWSIG magl@magl.net
    [1] => [GNUPG:] KEYEXPIRED 1599040223
    [2] => [GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
    [3] => [GNUPG:] KEYEXPIRED 1599040223
    [4] => [GNUPG:] SIG_ID i6rvZb5Bq2lNoRKCxrd/8j/81Wc 2019-12-28 1577541072
    [5] => [GNUPG:] KEYEXPIRED 1599040223
    [6] => [GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
    [7] => [GNUPG:] EXPKEYSIG D2CCAC42F6295E7D Matthias Glaub <matthias@glaub-online.de>
    [8] => [GNUPG:] VALIDSIG B0906BA775992B910F4E83CBD2CCAC42F6295E7D 2019-12-28 1577541072 0 4 0 1 10 00 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
    [9] => [GNUPG:] KEYEXPIRED 1599040223
    [10] => [GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
    [11] => [GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
)
---[ GNUPG DEBUG END ]---
Linking ./phive/phars/composer-require-checker-2.1.0.phar to /tmp/x9/tools/composer-require-checker

Can you double check you have the actual updated phar?

jaapio commented 3 years ago

I was able to reproduce the issue locally... it looks like the pecl extension is doing something wrong here. That also explains why I didn't get the debug output...

I didn't have the pecl extension installed locally so that's why it worked, and also the reason why it would have worked for you.

root@7ce314c0a447:/opt/phpdoc# php -m | grep gnupg
gnupg
theseer commented 3 years ago

Confirmed.

With ext/gnupg I can reproduce this on my machine.

theseer commented 3 years ago

While I can reproduce this, I currently see no way of getting any additional useful details.

I enabled some debug output for the pecl verify call:

theseer@nyda /tmp/x9 $ phive --home ./phive install --trust-gpg-keys D2CCAC42F6295E7D composer-require-checker
Phive 0.14.4-13-gf0bd1b4-dirty - Copyright (C) 2015-2020 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/repos/maglnet/ComposerRequireChecker/releases
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar
Downloading https://github.com/maglnet/ComposerRequireChecker/releases/download/2.1.0/composer-require-checker.phar.asc
array(1) {
  [0]=>
  array(5) {
    ["fingerprint"]=>
    string(40) "B0906BA775992B910F4E83CBD2CCAC42F6295E7D"
    ["validity"]=>
    int(0)
    ["timestamp"]=>
    int(1577541072)
    ["status"]=>
    int(117440665)
    ["summary"]=>
    int(32)
  }
}
bool(false)
[ERROR]    Signature could not be verified 
[ERROR]    Unknown error code "117440665" 

Apparently, from the perspective of ext/gnupg, the signature is not valid (Summary code 32: Invalid signature class).

That is rather interesting, given that, when calling it via gpg1 or gpg2 on the CLI, it certainly isn't fully happy but considers the signature valid nevertheless, as the output contains "VALIDSIG":

theseer@nyda /tmp/x9 $ gpg1 --no-tty --status-fd 1 --homedir ./phive/gpg --with-colons --exit-on-status-write-error --verify ./signature ./message 

gpg: Signature made Sa 28 Dez 2019 14:51:12 CET using RSA key ID F6295E7D
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID i6rvZb5Bq2lNoRKCxrd/8j/81Wc 2019-12-28 1577541072
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG D2CCAC42F6295E7D Matthias Glaub <matthias@glaub-online.de>
gpg: Good signature from "Matthias Glaub <matthias@glaub-online.de>"
gpg:                 aka "Matthias Glaub <info@8db8.de>"
gpg:                 aka "Matthias Glaub <magl@magl.net>"
gpg:                 aka "Matthias Glaub <maglnet@keybase.io>"
[GNUPG:] VALIDSIG B0906BA775992B910F4E83CBD2CCAC42F6295E7D 2019-12-28 1577541072 0 4 0 1 10 00 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
gpg: Note: This key has expired!
Primary key fingerprint: B090 6BA7 7599 2B91 0F4E  83CB D2CC AC42 F629 5E7D
theseer@nyda /tmp/x9 $ gpg2 --no-tty --quiet --status-fd 1 --homedir ./phive/gpg --with-colons --exit-on-status-write-error --verify ./signature ./message
[GNUPG:] NEWSIG magl@magl.net
gpg: Signature made Sa 28 Dez 2019 14:51:12 CET
gpg:                using RSA key B0906BA775992B910F4E83CBD2CCAC42F6295E7D
gpg:                issuer "magl@magl.net"
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] SIG_ID i6rvZb5Bq2lNoRKCxrd/8j/81Wc 2019-12-28 1577541072
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
[GNUPG:] EXPKEYSIG D2CCAC42F6295E7D Matthias Glaub <matthias@glaub-online.de>
gpg: Good signature from "Matthias Glaub <matthias@glaub-online.de>" [expired]
gpg:                 aka "Matthias Glaub <info@8db8.de>" [expired]
gpg:                 aka "Matthias Glaub <magl@magl.net>" [expired]
gpg:                 aka "Matthias Glaub <maglnet@keybase.io>" [expired]
[GNUPG:] VALIDSIG B0906BA775992B910F4E83CBD2CCAC42F6295E7D 2019-12-28 1577541072 0 4 0 1 10 00 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] KEY_CONSIDERED B0906BA775992B910F4E83CBD2CCAC42F6295E7D 0
gpg: Note: This key has expired!
Primary key fingerprint: B090 6BA7 7599 2B91 0F4E  83CB D2CC AC42 F629 5E7D
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23

Not sure how to fix this. Is that an issue in ext/gnupg? If so, based on the fact the key is expired? That shouldn't affect the validity of the signature...
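The three outputs in this comment (the ext/gnupg array with status 117440665 and summary 32, the gpg1/gpg2 status-fd lines, and the earlier ERRSIG/NO_PUBKEY run) can all be decoded mechanically. This is an added example, not phive's or ext/gnupg's own code; the integer layouts are libgpg-error's public gpg_error_t packing (source in bits 24..30, code in bits 0..15) and GPGME's gpgme_sigsum_t flags, and the sample inputs are copied from the debug output above. Masking 117440665 this way gives source 7 (GPG_ERR_SOURCE_GPGME) and code 153 (GPG_ERR_KEY_EXPIRED), which is why the raw value cannot be found in err-codes.h.in, and summary bit 32 is GPGME_SIGSUM_KEY_EXPIRED. The status-fd parser reaches the same state from the KEYEXPIRED/EXPKEYSIG/VALIDSIG lines.

```python
"""Decode GnuPG / GPGME verification results (added example, not project code).

Constants are libgpg-error's gpg_error_t layout and GPGME's gpgme_sigsum_t flags;
status keywords follow GnuPG's --status-fd protocol. Samples come from this thread.
"""
import re

# gpg_error_t packs the error source in bits 24..30 and the error code in bits 0..15.
GPG_ERR_SOURCE_SHIFT = 24
GPG_ERR_SOURCE_MASK = (1 << 7) - 1
GPG_ERR_CODE_MASK = (1 << 16) - 1

GPG_ERR_SOURCES = {0: "GPG_ERR_SOURCE_UNKNOWN", 1: "GPG_ERR_SOURCE_GCRYPT",
                   2: "GPG_ERR_SOURCE_GPG", 7: "GPG_ERR_SOURCE_GPGME"}

# Subset of libgpg-error codes that appear during signature verification.
GPG_ERR_CODES = {0: "GPG_ERR_NO_ERROR", 1: "GPG_ERR_GENERAL", 8: "GPG_ERR_BAD_SIGNATURE",
                 9: "GPG_ERR_NO_PUBKEY", 32: "GPG_ERR_SIG_CLASS", 58: "GPG_ERR_NO_DATA",
                 153: "GPG_ERR_KEY_EXPIRED", 154: "GPG_ERR_SIG_EXPIRED"}

# gpgme_sigsum_t bit flags; ext/gnupg exposes this mask as the "summary" field.
GPGME_SIGSUM = {0x0001: "VALID", 0x0002: "GREEN", 0x0004: "RED", 0x0010: "KEY_REVOKED",
                0x0020: "KEY_EXPIRED", 0x0040: "SIG_EXPIRED", 0x0080: "KEY_MISSING",
                0x0100: "CRL_MISSING", 0x0200: "CRL_TOO_OLD", 0x0400: "BAD_POLICY",
                0x0800: "SYS_ERROR"}

# Sample inputs copied from the thread: the ext/gnupg var_dump and two status-fd runs.
EXT_GNUPG_RESULT = [{"fingerprint": "B0906BA775992B910F4E83CBD2CCAC42F6295E7D", "validity": 0,
                     "timestamp": 1577541072, "status": 117440665, "summary": 32}]
SAMPLE_NO_PUBKEY = """[GNUPG:] NEWSIG magl@magl.net
[GNUPG:] ERRSIG D2CCAC42F6295E7D 1 10 00 1577541072 9 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
[GNUPG:] NO_PUBKEY D2CCAC42F6295E7D"""
SAMPLE_EXPIRED_KEY = """[GNUPG:] NEWSIG magl@magl.net
gpg: Signature made Sa 28 Dez 2019 14:51:12 CET
[GNUPG:] KEYEXPIRED 1599040223
[GNUPG:] SIG_ID i6rvZb5Bq2lNoRKCxrd/8j/81Wc 2019-12-28 1577541072
[GNUPG:] EXPKEYSIG D2CCAC42F6295E7D Matthias Glaub <matthias@glaub-online.de>
gpg: Good signature from "Matthias Glaub <matthias@glaub-online.de>" [expired]
[GNUPG:] VALIDSIG B0906BA775992B910F4E83CBD2CCAC42F6295E7D 2019-12-28 1577541072 0 4 0 1 10 00 B0906BA775992B910F4E83CBD2CCAC42F6295E7D
gpg: Note: This key has expired!"""


def decode_gpg_error(err: int) -> dict:
    """Split a packed gpg_error_t into its source and code parts."""
    source = (err >> GPG_ERR_SOURCE_SHIFT) & GPG_ERR_SOURCE_MASK
    code = err & GPG_ERR_CODE_MASK
    return {"source": source, "source_name": GPG_ERR_SOURCES.get(source, f"source {source}"),
            "code": code, "code_name": GPG_ERR_CODES.get(code, f"code {code}")}


def decode_sigsum(summary: int) -> list:
    """Expand a gpgme_sigsum_t mask into the names of the set flags."""
    return [name for bit, name in sorted(GPGME_SIGSUM.items()) if summary & bit]


STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status_lines(output: str) -> dict:
    """Reduce a --status-fd transcript to one verdict; human 'gpg:' lines are ignored."""
    seen, info = set(), {"fingerprint": None, "key_expired_at": None, "errsig_rc": None}
    for line in output.splitlines():
        m = STATUS_LINE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        seen.add(keyword)
        if keyword == "KEYEXPIRED" and args:
            info["key_expired_at"] = int(args[0])
        elif keyword == "VALIDSIG" and args:
            info["fingerprint"] = args[-1]  # primary key fingerprint is the last field
        elif keyword == "ERRSIG" and len(args) >= 6:
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc> [<fpr>]
            info["errsig_rc"] = int(args[5])
    if "BADSIG" in seen:
        info["verdict"] = "bad"
    elif "ERRSIG" in seen:
        info["verdict"] = "no-pubkey" if info["errsig_rc"] == 9 else "error"
    elif "VALIDSIG" in seen:
        info["verdict"] = "valid-key-expired" if "EXPKEYSIG" in seen else "valid"
    else:
        info["verdict"] = "unknown"
    return info


def classify_ext_gnupg(sig: dict) -> str:
    """Map one ext/gnupg-style result entry (status + summary) to the same verdict scale."""
    flags = decode_sigsum(sig["summary"])
    code = decode_gpg_error(sig["status"])["code"]
    if "RED" in flags or code == 8:
        return "bad"
    if "KEY_MISSING" in flags or code == 9:
        return "no-pubkey"
    if code == 153 or "KEY_EXPIRED" in flags:
        return "valid-key-expired"  # GPGME: signature verified, but the signing key has expired
    if "VALID" in flags or "GREEN" in flags or code == 0:
        return "valid"
    return "error"


if __name__ == "__main__":
    entry = EXT_GNUPG_RESULT[0]
    print(decode_gpg_error(entry["status"]), decode_sigsum(entry["summary"]))
    print(classify_ext_gnupg(entry), parse_status_lines(SAMPLE_EXPIRED_KEY))
```

Both paths land on the same "valid-key-expired" state, so a tool that consumes either ext/gnupg or the gpg CLI can apply one explicit policy to it (for example, accept a signature made before the key's expiry timestamp, or reject it) instead of surfacing an unknown error code.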

theseer commented 1 year ago

I just revisited this issue and still can

a) reproduce this with current PHP 8.2.4 + pecl/gnupg 1.5.1
b) have no means of fixing this as it's failing in the pecl/gnupg code somewhere

Trying to involve the pecl/gnupg dev(s) here :)

bukka commented 1 year ago

My guess is that it's because of the expired key but would need to investigate properly to confirm. Are you able to extract the gnupg ext calls and report it to https://github.com/php-gnupg/php-gnupg ?

theseer commented 1 year ago

Can certainly do :)