jasonhinkle / php-gpg
GPG / PGP port written in pure PHP with no binary dependencies
I run into folder tests:
sh runtests.sh
but I receive these errors (I work with Linux):
PHP Warning: require_once(PHPUnit/Framework/TestCase.php): failed to open stream: No such file or directory in /home/daniele/development/php/php-gpg/php-gpg/tests/gpg/EncryptTest.php on line 11
PHP Fatal error: require_once(): Failed opening required 'PHPUnit/Framework/TestCase.php' (include_path='/home/daniele/development/php/php-gpg/php-gpg/libs:.:/usr/share/php:/usr/share/pear') in /home/daniele/development/php/php-gpg/php-gpg/tests/gpg/EncryptTest.php on line 11
I encountered an E_NOTICE error I don't understand because it's only happening on one of my keys, and not on other keys. The specific error is:
Notice: Undefined offset: 5472 in …/GPG/Public_Key.php on line 91
Notice: Undefined offset: 5473 in …/GPG/Public_Key.php on line 91
Notice: Undefined offset: 5474 in …/GPG/Public_Key.php on line 91
The offending code in my project is simple:
$public_key_ascii = "OFFENDING_KEY_HERE_SNIPPED_FOR_LENGTH";
$pub_key = new GPG_Public_Key($public_key_ascii);
(The offending key happens to be my own key.)
I wrote a unit test case that triggers a failure.
convertNoticesToExceptions="true" in your phpunit.xml config.
tests/gpg/KeyTest.php:
function get_maymays_offending_key () {
return "[INSERT_THE_ASCII_KEY_LINKED_ABOVE_HERE]";
}
function test_maymays_offending_key () {
error_reporting(E_ALL);
$public_key_ascii = $this->get_maymays_offending_key();
$pub_key = new GPG_Public_Key($public_key_ascii);
}
When I run this, I get this output:
There was 1 error:
1) KeyTest::test_maymays_offending_key
Undefined offset: 5472
…/GPG/Public_Key.php:141
I can use the error-suppression operator (@new GPG_Public_Key($public_key_ascii)) to avoid this error, but it seems weird to need to do this and I'd rather not have to.
The perplexing part of this for me is that I can't figure out what's causing the E_NOTICE errors with only my key. I have tried several other keys without encountering this issue, including other keys of the same type (RSA) and length (2048 bits), as well as other keys that match this description with multiple subkeys and user IDs attached. The only key that produces this error is mine, and I can't figure out why. Halp?
People are likely to confuse this library with the GnuPG project, since it takes its name from there.
Some implementations of it are, but that does not affect alternate implementations of the same spec (unless you're basing your code on GPL'd implementation code).
We have two version numbers, 1.1 here https://github.com/jasonhinkle/php-gpg/blob/master/libs/GPG.php#L20 and 1.4.7 here https://github.com/jasonhinkle/php-gpg/blob/master/libs/GPG.php#L33
How do they relate?
I think we can make a release (1.5.0, SemVer style for Packagist) here on GitHub and update the version number.
My PGP public keys use 2 subkeys and when I plug this public key into php-gpg, I'm unable to decrypt it.
I get two errors;
gpg: public key decryption failed: wrong secret key used
gpg: decryption failed: secret key not available
But when I revoke one of my subkeys, and only use 1 then I'm able to decrypt the message. I'm guessing you don't have support for multiple subkeys?
Hi, I've been scratching my head trying to use this library with wp-pgp-email here:
https://gist.github.com/timnashcouk/dd1ff318489f6bfd8743
Turns out that my headaches were caused by a typo in the variable being passed to the GPG::encrypt meaning that it was passed an undefined variable which resulted in what looked like a valid encrypted message, but neither Enigmail in Thunderbird nor GNU Privacy Assistant would decrypt them. The same seems to happen if I pass in an empty string for encryption.
Is this the expected operation for a blank / undefined context, or does the fault lie with my decryption software? For reference, I've got gnupg 2.1.9 installed on a Windows 10 system.
Thanks in advance.
--Tobes
I think that $gpg->encrypt($pub_key,$plain_text_string); method should have a 3rd optional Boolean parameter $show_version.
Hiding the client and the version in the encrypted text could prevent some future attacks on encrypted messages that target a specific version (if that version has been proven insecure).
This was discussed at length in the openpgp.js project.
I know this isn't really an issue, but do you have any tips on storing public keys in a database? I'm trying to use this library and fetch keys from a MySQL db, but the public key constructor keeps failing. I know it must have something to do with the data as it enters/leaves the db. I'm open to using any database.
The (correct, I believe) tests for getting a key ID are failing.
% tests/runtests.sh
PHPUnit 5.1.3 by Sebastian Bergmann and contributors.
.F.FE 5 / 5 (100%)
Time: 521 ms, Memory: 14.00Mb
There was 1 error:
1) KeyTest::test_VerifyGnuPGDSAKey
Exception: Unable to parse Public Key
/Users/ian/gpg/libs/GPG/Public_Key.php:222
/Users/ian/gpg/tests/gpg/KeyTest.php:1458
--
There were 2 failures:
1) KeyTest::test_VerifyGnuPGKey
OpenPGP Incorrect Key ID
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'47009B66424E9476'
+'04343C988F215A2E'
/Users/ian/gpg/tests/gpg/KeyTest.php:1413
2) KeyTest::test_VerifyOpenPGPKey2
OpenPGP Incorrect Key ID
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'C87538697986219A'
+'38B09C3E598ED36F'
/Users/ian/gpg/tests/gpg/KeyTest.php:1447
FAILURES!
Tests: 5, Assertions: 9, Errors: 1, Failures: 2.
For what it's worth, I'm working on restructuring and cleaning up this code in certly/php-gpg. If I fix this, I'll submit a PR here.
Especially when you put new lines after
I tried to do a pr but the diff broke master...BitpopCoin:master
Hello,
When I use your library with an OpenPGP.js generated key, the key ID is not correct. It happens with 2048 bit and 4096 bit length keys, but everything is ok with 1024 bit length key.
Here are some test keys:
with a 1024 bit length key
Real Key ID: 8DCE498F6091DFD6
Key ID with php-gpg: 8DCE498F6091DFD6 (the same - no problem)
with a 2048 bit length key
Real Key ID: C87538697986219A
Key ID with php-gpg: 38B09C3E598ED36F (not the same!)
Could you try to find what is going wrong with the second key?
Thank you!
You are only bound to GPL if you used their code. The protocol is not copyrighted.
The Mailvelope plugin for Chrome and Firefox rejects messages without an MDC, which apparently is what 1.4.7 generates. I haven't tested with 1.5.0 yet. gpg just shows a warning when the MDC is missing. It's easy to test to see if the MDC is generated, just use "gpg --list-packets" on the encrypted message to see if it is generating an encrypted data packet with the mdc:
:encrypted data packet:
length: unknown
mdc_method: 2
The messages generated by php-gpg do not have the MDC method:
:encrypted data packet:
length: 546
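The MDC check described in the post above can also be done without gpg by reading the OpenPGP packet headers (RFC 4880, section 4.2): tag 18 is the integrity-protected data packet that carries the MDC, tag 9 is the older encrypted data packet without it. This is an added example, not code from the thread or from php-gpg; the function names and sample bytes are constructed, and the input is assumed to be a binary (de-armored) message.

```python
# Added example: walk top-level OpenPGP packet headers and report MDC use.
SED, SEIPD = 9, 18   # RFC 4880 tags: encrypted data / integrity-protected data

def _new_length(data, pos):
    """Decode a new-format length at pos -> (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:                                  # one-octet length
        return first, pos + 1, False
    if first < 224:                                  # two-octet length
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first < 255:                                  # partial body length
        return 1 << (first & 0x1F), pos + 1, True
    return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False

def packet_tags(data):
    """Return the top-level packet tags of a binary OpenPGP message."""
    tags, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:                           # bit 7 must always be set
            raise ValueError("invalid packet (ctb=%02x)" % ctb)
        pos += 1
        if ctb & 0x40:                               # new-format header
            tags.append(ctb & 0x3F)
            partial = True
            while partial:                           # follow partial chunks
                length, pos, partial = _new_length(data, pos)
                pos += length
        else:                                        # old-format header
            tags.append((ctb >> 2) & 0x0F)
            ltype = ctb & 0x03
            if ltype == 3:                           # indeterminate length
                break
            nbytes = 1 << ltype
            pos += nbytes + int.from_bytes(data[pos:pos + nbytes], "big")
    return tags

def integrity_status(data):
    """'mdc' for tag 18, 'no-mdc' for tag 9, 'not-encrypted' otherwise."""
    tags = packet_tags(data)
    if SEIPD in tags:
        return "mdc"
    return "no-mdc" if SED in tags else "not-encrypted"

# Constructed samples: a stand-in session-key packet (tag 1) followed by a
# stand-in encrypted data packet; the bodies are filler, not real ciphertext.
WITH_MDC = bytes([0x84, 3, 1, 2, 3, 0xD2, 4, 1, 0xAA, 0xBB, 0xCC])
WITHOUT_MDC = bytes([0x84, 3, 1, 2, 3, 0xC9, 3, 0xAA, 0xBB, 0xCC])
```

An armored message can be converted to binary first with `gpg --dearmor`.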
Created my key with Enigmail for Thunderbird. My key works correctly when using: https://www.igolder.com/pgp/encryption/
Here is my code:
<?php
$keyData = "My public key";
$gpg = new GPG();
$pub_key = new GPG_Public_Key($keyData);
$plain_text_string = "Encrypt me";
echo "<pre>";
var_dump($pub_key);
$encrypted = $gpg->encrypt($pub_key, $plain_text_string);
Here is my public key: https://www.juicereview.rocks/assets/public.key
It is showing the fingerprint as: 71bd74429bddc5712bc7d740bebe9417913acfa5
I am not sure if this is the right solution.
Advice is very welcome.
In file Public_Key.php I added
class GPG_Public_Key {
var $version;
var $fp;
var $key_id;
var $user;
var $public_key;
var $type;
var $size;
...
function GetKeySize()
{
return $this->size;
}
...
function GPG_Public_Key($asc) {
...
$len = 0;
$s = base64_decode($asc);
$sa = str_split($s);
$this->size=(ord($sa[1])<<8)*8;
Which gives me 2048, 4096 and so on (plus 13 extra bytes in $sa[2] which seem to be headers and so on?).
In the readme these features are mentioned, which are missing:
Are there more things, which we need?
I think getting some contributors from https://github.com/openpgpjs/openpgpjs would be very helpful, as they support signing, decryption and much more.
Porting some of their functions would be the way I would go.
For decryption these are some of the functions used by OpenPGP.js:
decrypt (RSA, Elgamal)
readArmored (signed cleartext, armored text keys, armored text message object)
and all the used functions by these
https://github.com/openpgpjs/openpgpjs/blob/0958a9ec02565faf18e85f99de29a091180c6e46/dist/openpgp.js
http://php.net/manual/de/function.random-int.php
This function is based on Andrew Moore's UUID generation function on the uniqid function; it has been updated to use random_int() on PHP 7.0 or later yet continue to function with earlier versions using mt_rand().
[Sun Jan 24 18:35:24 2016] [error] [client 192.168.3.5] PHP Fatal error: Call to undefined function random_int() in /dir/classes/php-gpg/libs/GPG/Utility.php on line 112
Hello,
After I use your library to encrypt, the encryption process is ok but after I tried to decrypt with GnuPG 1.4.10 I found this error:
gpg: WARNING: message was not integrity protected
gpg: [don't know]: invalid packet (ctb=74)
gpg: no valid OpenPGP data found.
and the file is partially decrypted
The key I use is 4096 bits and text file size is around 210 KB and text file contains UTF-8 (Thai) characters
I received a tweet saying that there are a lot of bugs in the library, see https://twitter.com/voodooKobra/status/676121698022899713?cn=cmVwbHk%3D
Obviously the tweet alone isn't really helpful for the project unless Scott is interested in perhaps giving us some details about the bugs. I'm putting this task here so that he can reply easily if he chooses to participate. Being a security specialist, of course that would be wonderful for a community project like this.
Hey! When I try to decrypt bigger files (all the ones I have problem with are > 250kb), I get this error:
gpg: [don't know]: invalid packet (ctb=47)
gpg: WARNING: message was not integrity protected
gpg: [don't know]: invalid packet (ctb=31)
gpg: no valid OpenPGP data found.
I have a lot of files I encrypted that way, I had tested at first but with smaller files (80kb) and it worked great, so I didn't bother checking with bigger files. Do you know what's going on?
Files are jpg/png files, base64ed first and then encrypted with your function.
I now run the test but I get these errors:
There were 2 failures:
/home/daniele/development/php/php-gpg/php-gpg/tests/gpg/KeyTest.php:1420
/home/daniele/development/php/php-gpg/php-gpg/tests/gpg/KeyTest.php:1454
FAILURES!
Tests: 5, Assertions: 9, Errors: 1, Failures: 2.
I'm playing around a little with the code at the moment on my local machine (haven't yet committed anything), and with that, thought I'd have a go at trying to do a bit of PSR and phpDoc work on it, if this is something you'd be okay with. :-)
(I've noticed, too, that certly was working on cleaning up some of the code; What was being done looked interesting, and a fair amount of work had already been done, but consequent commits have also since already been pushed to the parent, so, the fork doesn't seem to be automatically mergeable anymore).
I had a quick question, too, regarding one particular phpDoc comment in the code, currently located at GPG.php:L17.
* @copyright 1997-2012 VerySimple, Inc.
Should this be changed to:
* @copyright 1997-2016 VerySimple, Inc.
(To reflect that work is still currently being done on php-gpg), or left as is?