From 3f873eaea2f85a8eb200095eccf05e00c9e2a9ee Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Thu, 13 Mar 2025 21:05:37 -0400
Subject: [PATCH] Handle OpenPGP-compliant CSF message verfication
GnuPG has traditionally emitted a spurious newline when outputting the text verified from a cleartext signing framework message, if the signed message doesn't contain a trailing newline. This is clearly wrong according to the OpenPGP specification, which says:
> The line ending (i.e., the ) before the '-----BEGIN PGP
> SIGNATURE-----' line that terminates the signed text is not
> considered part of the signed text.
The test in Crypt_GPG presumes that the trailing newline is returned, as that has been traditional GnuPG (mis)behavior. This change adjusts the test suite so that it passes regardless of whether GnuPG conforms to the specification or misbehaves in the traditional way. See https://dev.gnupg.org/T7106 for discussion with upstream. See also https://gitlab.com/freepg/gnupg/-/merge_requests/15, where the FreePG project is bringing a patched version of GnuPG into compliance with the specification. Finally, please also see the discussion over on https://bugs.debian.org/1099043 -- debian's GnuPG is being brought into compliance with the OpenPGP standard for CSF messages, so we need something like this to ensure that the Crypt_GPG test suite succeeds.
---
 tests/DecryptAndVerifyTest.php | 2 +-
 tests/TestCase.php | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/tests/DecryptAndVerifyTest.php b/tests/DecryptAndVerifyTest.php
index 39eff26..9866132 100644
--- a/tests/DecryptAndVerifyTest.php
+++ b/tests/DecryptAndVerifyTest.php
@@ -939,7 +939,7 @@ public function testDecryptVerifySignedOnlyBadSignature()
 // }}}
 $results = $this->gpg->decryptAndVerify($clearsignedData);
- $this->assertDecryptAndVerifyResultsEquals($expectedResults, $results);
+ $this->assertDecryptAndVerifyResultsEquals($expectedResults, $results, true);
 }
 /**
diff --git a/tests/TestCase.php b/tests/TestCase.php
index d5b7c8c..6626f89 100644
--- a/tests/TestCase.php
+++ b/tests/TestCase.php
@@ -634,7 +634,7 @@ protected function getTempFilename($filename)
 return __DIR__ . '/' . self::TEMPDIR . '/' . $filename;
 }
- protected function assertDecryptAndVerifyResultsEquals(array $expected, array $actual)
+ protected function assertDecryptAndVerifyResultsEquals(array $expected, array $actual, $csf = false)
 {
 $this->assertEquals(
 count($expected),
@@ -666,6 +666,11 @@ protected function assertDecryptAndVerifyResultsEquals(array $expected, array $a
 'Actual result does not include signatures.'
 );
+ if ($csf && (substr($actual['data'], -1) != "\n")) {
+ // see discussion around GnuPG's handling of trailing
+ // newlines in CSF messages at https://dev.gnupg.org/T7106
+ $actual['data'] = $actual['data']."\n";
+ }
 $this->assertEquals(
 $expected['data'],
 $actual['data'],
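Review bot: The new `$csf = false` parameter on `assertDecryptAndVerifyResultsEquals()` is untyped and undocumented, and the call site in tests/DecryptAndVerifyTest.php passes a bare `true` that says nothing about what is being relaxed. A docblock line such as `@param bool $csf tolerate a missing trailing newline in cleartext-signed (CSF) output` would make the contract readable, and `bool $csf = false` would enforce it if the project's minimum PHP version allows scalar type declarations (not visible from this hunk). The function body continues outside the hunk.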
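Review bot: The added newline check compares with loose `!=`; `if ($csf && substr($actual['data'], -1) !== "\n") {` states the intent exactly and still appends the newline for empty data, where older PHP versions return `false` from `substr()`. The block also overwrites `$actual['data']` before the assertion, so a failing run reports the padded text rather than what GnuPG actually returned; padding a local copy and asserting on that would keep the real output visible in the failure message. Since the verified text now differs by one byte between GnuPG builds, callers that hash or byte-compare the output of `decryptAndVerify()` will presumably see the same difference, which may deserve a note in the library documentation outside this patch. The enclosing function starts and ends outside the hunk.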