[imp] PATCH - PGP question

Chris Hastie lists at oak-wood.co.uk
Fri Jan 17 09:02:00 PST 2003


On Thu, 16 Jan 2003, Chris Hastie <lists at oak-wood.co.uk> wrote
>On Wed, 15 Jan 2003, Rick Emery <rick at emery.homelinux.net> wrote
>>When I receive a PGP signed email from someone not in my addressbook (from a
>>mailing list, for example), the signature is not verified. I have tried
>>pgp.mit.edu and search.keyserver.net for the public keyserver. Before tonight's
>>cvs update, I was getting
>>
>>"Invalid email"
>>
>>Now, I'm getting
>>
>>"No pgpPublickey entry found for" followed by the person's email address
>>
>I did some work on a patch to get Key IDs of signing keys yesterday. It 
>needs a bit more work yet but should solve the problem

OK, here it is, usual I'm-not-a-programmer-I'm-a-jumped-up-tree-surgeon 
caveats apply.

Basically a new function in imp/lib/PGP.php, clumsily called 
getSignersFingerprint(), takes as input a PGP signed text block (not 
a detached signature) and returns the short fingerprint.

This is called from verifySignature() if the value of $signature is 
empty. At the same time a pointless call to pgpPacketInformation() with 
an empty string as argument is avoided.

The process means that getPublicKey() is given a fingerprint as 
argument and is thus able to retrieve the key from the key server.
-- 
Chris Hastie
-------------- next part --------------
--- imp/lib/PGP.php, v1.53
+++ imp/lib/PGP.php	Fri Jan 17 08:46:30 2003
@@ -479,6 +479,38 @@
     }
 
     /**
+     * Gets the short fingerprint (Key ID) of the key used to sign
+     * a block of PGP data
+     *
+     * @access public
+     *
+     * @param string $text  The PGP signed text block.
+     *
+     * @return string   The short fingerprint of the key used to sign $text
+     */
+    function getSignersFingerprint($text) 
+    {
+        $fingerprint = null;
+        
+        $input = $this->_createTempFile('horde-pgp');
+
+        $fp = fopen($input, 'w+');
+        fputs($fp, $text);
+        fclose($fp);
+
+        $fp = popen($this->_gnupg . '--verify ' . $input . ' 2>&1', 'r');
+        while (!feof($fp)) {
+            $gpg_op = fgets($fp, 1024);
+            if (preg_match("/gpg:\sSignature\smade.*ID\s+([A-F0-9]{8})$/", $gpg_op, $matches)) { 
+                $fingerprint = $matches[1];
+                break;
+            }            
+        }
+        pclose($fp); 
+        return $fingerprint;       
+    }
+
+    /**
      * Verifies a signed message with a given public key.
      *
      * @access public
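Review bot: on the popen() line, $this->_gnupg . '--verify ' . $input builds the shell command with no separator before --verify and without escapeshellarg() on $input, and the handle popen() returns is not checked before the while (!feof($fp)) loop. Unless _gnupg is guaranteed to end with a space, the command will not run as intended, and if popen() fails the loop runs on an invalid handle. Suggest ' --verify ' . escapeshellarg($input) and a check that $fp is not false before looping. The preg_match() depends on gpg's human-readable "Signature made" line, which varies with locale and gpg version; reading gpg's --status-fd output would be more stable. The docblock calls the 8-hex-digit value a "short fingerprint", but it is a key ID, and the function name and @return should say so. Nothing in the hunk removes the temp file holding $text; if _createTempFile() does not arrange cleanup, unlink it after pclose().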
@@ -496,9 +528,13 @@
         $fingerprint = null;
 
         /* Get fingerprint of key. */
-        $packet_info = $this->pgpPacketInformation($signature);
-        if (array_key_exists('fingerprint', $packet_info)) {
-            $fingerprint = $packet_info['fingerprint'];
+        if (!empty($signature)){
+            $packet_info = $this->pgpPacketInformation($signature);
+            if (array_key_exists('fingerprint', $packet_info)) {
+                $fingerprint = $packet_info['fingerprint'];
+            }
+        } else {        
+            $fingerprint = $this->getSignersFingerprint($text);
         }
 
         $public_key = $this->getPublicKey($address, $fingerprint);
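Review bot: in the else branch, the key ID handed to getPublicKey($address, $fingerprint) is read out of $text, the message being verified, so the key that gets looked up is whichever one the message itself names. An 8-hex-digit ID is too short to identify a key uniquely, and nothing in the hunk ties the retrieved key to $address. Suggest checking that the returned key carries a user ID matching $address before the result is reported as a good signature from that sender, and showing the key ID alongside the result. getSignersFingerprint() returns null when no line matches, so a comment should state that getPublicKey() is then called with a null fingerprint as before. Style: add a space in "if (!empty($signature)){" and drop the trailing whitespace after "} else {".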

