strange gpg / pgp compatibility bug

Felvegi Peter Andras petschy at lucifer.kgt.bme.hu
Fri Oct 15 13:44:19 CEST 2004


hello,

we've run across a strange bug while dealing with pgp/gpg signatures.
the scenario:

a php script (linux/apache) receives POST data through https, the data
is signed w/ pgp. it generates an answer, signs it w/ gpg 1.0.6 (with
system()) and sends back. the other party got 'bad signature' messages
all the time, using pgp. if we checked the signature w/ gpg, on another
linux box, it was okay. if we checked w/ pgp on win32 (pgp fw 6.5.8), it
gave 'bad signature'. did a few tests, the strangest thing was that the
messages signed on the other linux box w/ gpg were checked fine by pgp
on win32.

narrowing down the logical reasons led to deal with the unlogical: the
only difference between the two linux boxes were that the one with the
web server used --homedir for the keyring directory, while the other
used the default .gnupg in the user's home dir.

the php script ran as www-data, with HOME=/var/www, but /var/www is
owned by www-adm, so www-data can't write there. --homedir was
/opt/keyring. this directory was creted by me, since gpg don't seem to
init the directory passed with --homedir. i touched the keyring files
and set the same permissions like on the files in .gnupg, then generated
a key and imported public keys. i didn't make an options file.

all the signature checks failed when using pgp/win32 for signatures
generated with the keys in /opt/keyring, passed to gpg with --homedir.
gpg checked them fine on the same box and on another too. after making a
www-data dir in /home, and calling gpg as "HOME=/home/www-data gpg ..."
(and generating a new key, and importing the needed pub keys) instead of
using --homedir, everything was healed.

now i wonder if anybody has an idea what the cause for this behaviour
could be.

please CC me any answers, i'm not on the list.

cheers, peter







More information about the Gnupg-devel mailing list