strange gpg / pgp compatibility bug
Felvegi Peter Andras
petschy at lucifer.kgt.bme.hu
Fri Oct 15 13:44:19 CEST 2004
we've run across a strange bug while dealing with pgp/gpg signatures.
a php script (linux/apache) receives POST data through https, the data
is signed w/ pgp. it generates an answer, signs it w/ gpg 1.0.6 (with
system()) and sends back. the other party got 'bad signature' messages
all the time, using pgp. if we checked the signature w/ gpg, on another
linux box, it was okay. if we checked w/ pgp on win32 (pgp fw 6.5.8), it
gave 'bad signature'. did a few tests, the strangest thing was that the
messages signed on the other linux box w/ gpg were checked fine by pgp
narrowing down the logical reasons led to deal with the unlogical: the
only difference between the two linux boxes were that the one with the
web server used --homedir for the keyring directory, while the other
used the default .gnupg in the user's home dir.
the php script ran as www-data, with HOME=/var/www, but /var/www is
owned by www-adm, so www-data can't write there. --homedir was
/opt/keyring. this directory was creted by me, since gpg don't seem to
init the directory passed with --homedir. i touched the keyring files
and set the same permissions like on the files in .gnupg, then generated
a key and imported public keys. i didn't make an options file.
all the signature checks failed when using pgp/win32 for signatures
generated with the keys in /opt/keyring, passed to gpg with --homedir.
gpg checked them fine on the same box and on another too. after making a
www-data dir in /home, and calling gpg as "HOME=/home/www-data gpg ..."
(and generating a new key, and importing the needed pub keys) instead of
using --homedir, everything was healed.
now i wonder if anybody has an idea what the cause for this behaviour
please CC me any answers, i'm not on the list.
More information about the Gnupg-devel