OpenPGPComment
Before I switched to WordPress on May 1st, I was using MovableType and Srijith’s MovableType plugin OpenPGPComment. When I found out there was no comparable plugin for WordPress I had to start doing one of my own.
The hardest part was finding out how to pass the signed comments to GPG. Then I found Atom Emet’s gpg_encrypt and was able to reuse a lot of his code.
The rest was a lot of fiddling with the WordPress API and trying to find out how to write plugins. Thanks to Mark Gosh, who gave me some insights on the IRC channel #wordpress.
The plugin works by stripping all of the GPG material from the comment so that it looks just like an ordinary comment. In place of the rather unreadable signature, a hint is added to show that this is a signed comment. The hint contains a link that opens a popup window. Only when this link is clicked is gpg called to verify the signed comment against the key it was signed with. The popup shows the result of the verification and a cleartext version of the comment. The comment is placed in a textarea so that it can be copied and pasted and any HTML it might contain is not parsed.
The popup window is very simple. It used to be the original wp-comments-popup.php, stripped of most of its code. This makes the window look pretty ugly, and a lot of beautification could be done here. But hey, it’s version 0.9!
If you want to give OpenPGPComment a try, you can find installation instructions following the given link and within the archive.
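
The display flow described above (strip the armor for the blog view, keep the raw signed comment for the popup, escape it into a textarea), sketched in Python as an added example; it is not the plugin's PHP code. The verify-popup.php URL and all function names are hypothetical, the sample comment is constructed, and signed_text_digest stands in for the gpg call to show that verification depends on the byte-exact raw comment.

```python
import hashlib
import html
import re

# Cleartext signature framework (RFC 4880, section 7): armor line, "Hash:"
# headers, one empty line, dash-escaped text, then the armored signature.
CLEARSIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:Hash:[^\n]*\n)*\r?\n"
    r"(?P<text>.*?)\r?\n"
    r"(?P<sig>-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----)",
    re.S,
)

# Constructed sample; the signature body is a placeholder, not a real signature.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
    "1 < 2 & <b>bold</b>  \n- -- \nlast line\n"
    "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
)

def split_clearsigned(raw):
    """Return (text, signature_block), or None for an unsigned comment."""
    m = CLEARSIGNED.search(raw)
    if m is None:
        return None
    # Undo dash-escaping: a line that began with "-" was sent as "- -...".
    lines = [ln[2:] if ln.startswith("- ") else ln
             for ln in m.group("text").split("\n")]
    return "\n".join(lines), m.group("sig")

def signed_text_digest(text):
    """Fingerprint of the canonical signed text (trailing blanks stripped, CRLF
    line ends). Any other change to the text, such as entity encoding, alters it."""
    canon = "\r\n".join(ln.rstrip(" \t\r") for ln in text.split("\n"))
    return hashlib.sha1(canon.encode("utf-8")).hexdigest()

def render_comment(raw, comment_id):
    """Blog view: escaped text only, plus a hint linking to the verify popup."""
    parts = split_clearsigned(raw)
    if parts is None:
        return html.escape(raw)
    # verify-popup.php is a hypothetical URL, not the plugin's own.
    hint = '<a href="verify-popup.php?c=%d">signed comment: verify</a>' % comment_id
    return html.escape(parts[0]) + "\n" + hint

def render_popup(raw):
    """Popup view: the untouched signed comment in a textarea. Escaping keeps
    embedded HTML inert; the browser still shows the original characters."""
    return "<textarea readonly>" + html.escape(raw) + "</textarea>"
```
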


—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
This is a comment as an example for a signed comment.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (SunOS)
iEYEARECAAYFAkCytEoACgkQ/ay4pK+rrYOvawCfW8tpkupGPviV+eDvCOpB5inj
ma8AnRSPTkZYWiRIEHB1GDUJzuHwClMm
=8321
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Thanks for this plugin. I was waiting for someone to make a
plugin like this :-)
But I’ve a couple of problems on my site. Take a look:
http://bytewarrior.madoka.be/b2/archives/2004/05/22/nog-altijd-g
een-succes#comments
The comment is signed, but when you click the link, a popup
opens with just the text “Close this window”. Not the way it is
supposed to work, I think ;-) Do you have an idea about what I
did wrong?
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (MingW32) – GPGshell v3.10
iD8DBQFAtHEBqLIDOkaTj9sRAtalAKDIEs5Eaf5XYQGoVtcoKaYj81B6QQCfYUn5
79c62K1zf6/e/dz+V0TmXFI=
=ICxm
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
It seems the function proc_open() which is used to pass the signed comment to GnuPG is only available in PHP 4.3.0 and above. Additionally there still is a problem with finding the comment’s unique comment_ID in the database – I will look into that.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
Comment: http://bronski.net/bronski.asc
iEYEARECAAYFAkC0jO0ACgkQ/ay4pK+rrYOtRgCgxSOdvDkibLuFh/uhrwfAFUma
OJYAoLhTRBRPNEWQUDsQ+gYjPjLWFDuc
=Akwl
—–END PGP SIGNATURE—–
Thanks for the information. I will ask the server admins if it’s possible to upgrade to 4.3… :-)
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
OK, fixed that – v0.9.2 doesn’t need to handle localized time and date formats any longer. Having set the time and date format to something different than ‘Y-m-d H:i:s’ resulted in failure. Now I get the comment_ID by the WP-way: $comment->comment_ID – oh so simple!
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
Comment: http://bronski.net/bronski.asc
iEYEARECAAYFAkC0zt8ACgkQ/ay4pK+rrYNcaACgu4ryxjwQREv66qwFxfczuqga
QqEAoPs5iykWlJKuEyPyuBHLOcE/W+j8
=6uQT
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Great job! I was hoping that someone could implement OpenPGPComment as a WP plugin ’cos I too am shifting to WP for some of my internal blogs, and I know PHP as much as I know Greek.
Thanks a lot!
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFAtOysF4k5uXLdWDgRAp8xAJ925wYWQQjTZiEuTna+xSWBI4IqHACfZK/M
HOL3xJjNXuZkTNxQwqstldQ=
=j8oo
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
OK, let’s see. First, some markup. GPG had better handle the _raw_ comment — otherwise, this will fail miserably.
Did that work?
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFAv6kbnyqPIXpYcjcRAp8hAKD1hREhOLqLI4ERrEwmcP4R1e28KQCgm00j
R2iD29lPDCiDgN65C0rasUI=
=lAF4
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Well, there is still a problem with HTML-entities, e.g. when I write a “greater than”-bracket as is, it still will get converted to “ampersand gt semicolon”.
But when I write it as “ampersand gt semicolon”, verification works, but it does get displayed as “>” so verification will fail when somebody copy’n’pastes the sig out of the textarea and does a remote verification – this will fail as the “greater than”-bracket is not HTML any longer. Don’t know what to do about that yet…
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
Comment: http://bronski.net/bronski.asc
iEYEARECAAYFAkDABqcACgkQ/ay4pK+rrYMb9ACfYZG6aVNMlcllODexc5Tyvsdl
nLEAoMR21n//kPlqJfZtKFFC4JtoxfrC
=Ar45
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Ah. So let’s do some more experiments.
An & (&), a raw & (&) and a & (&)
An < (<) and a raw < (<).
And now to exercise the famous backslash bug: \ (\) \ (\\) and \ (\).
And let’s try a little Iñtërnâtiônàlizætiøn.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFAwIeCnyqPIXpYcjcRAsiKAJ9GKraT8lPNeVpNm3EuQ87RfervvACdEhch
wrtvDz2CpjC+PECepcmxKB8=
=cc7f
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Hmm. That didn’t work so well. Let’s try again.
An & (&), a raw & (&) and a & (&)
An < (<).
And now to exercise the famous backslash bug: \ (\) \ (\\) and \ (\).
And let’s try a little Iñtërnâtiônàlizætiøn.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFAwIjinyqPIXpYcjcRAhStAJ0Yc04FOzt3Sr9gWijVkL9FiXIlnwCgt3hK
erieakF2vYA8+wZ6pfJG/6o=
=+3zN
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
OK, the opening < breaks it… but that is a problem of the underlying WordPress-parser, I think. Everything after that gets swallowed…
I can try to do some replacements around that. Hey, it’s weekend, loads of time to spend with that! ;-)
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (SunOS)
iEYEARECAAYFAkDAiV4ACgkQ/ay4pK+rrYP/BQCeM2ybDYYOQ9cue9ccL6NHGsEs
hIwAoOPdPwHpYSeDFG/RfstAWQ2j8W8A
=Ucb/
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Well, your second test successfully breaks the sig.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (SunOS)
iEYEARECAAYFAkDAicAACgkQ/ay4pK+rrYPbxACfc/UyvjYP0bnvDKVpsmMwgt2s
wbAAoN3H7S5cXEC8RW2MJHIgkYst2NGa
=3Agi
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
OK That failed miserably. Let’s try the tests again individually.
First the ampersands: an & (&), a raw & (&) and a & (&).
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFAwIrpnyqPIXpYcjcRAkKEAJ0XDNlG2p0IfJsI8CQYeE5Oco+c/ACfVmwP
GDSTsO3sopBwLtgWptP35EA=
=wDlU
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Next the < (<) test.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFAwItrnyqPIXpYcjcRAgF/AJ0cQMHa0Oh/KPNsY7vlZu5MZ5qIMgCeLXlG
MxA0/Nd3H3AEDyaU13rZZP4=
=ADpZ
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
The evil backslash bug: \ \ and \ .
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFAwIvqnyqPIXpYcjcRAno7AKCvOxV+kWLvdnnxc+D9pVgb6bEfuQCcCS9k
iOaAYSl6gqmJcQwjF+V6IQ8=
=3ctZ
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
And, finally, let’s try a little Iñtërnâtiônàlizætiøn.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFAwIw4nyqPIXpYcjcRAjLlAJ0bRSSpOR3T+TvtY3g8abIIxFNxQwCfZFeG
ugLTzmmSqSdNRgxG66P7IhQ=
=PFHp
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Two out of four tests passed.
To be fair, the last test failed on my blog, too. However, copying and pasting the “raw” comment from the textarea, it did verify correctly, at least for me.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFAwJBqnyqPIXpYcjcRAt/rAJ4ycZEHfB3frv1SOt5MMq42NOpSOwCfd/Ws
QAnj5cb5p+iYMeaUMBueZAE=
=Ddze
—–END PGP SIGNATURE—–
Hi again.
The server software has been upgraded, so I tested OpenPGP Comment again. Still, no luck. If I click to show the popup window, I get a MySQL error. Maybe you can tell me what I’m doing wrong…
This is the link to the post on my weblog: http://bytewarrior.madoka.be/b2/archives/2004/11/30/openpgpcomment
And this is the link to the comment itself:
http://bytewarrior.madoka.be/b2/wp-signature-popup.php?c=312&p=203
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
It looks quite good, but I get an error:
when trying to install it. Furthermore I can’t do step five, since I
don’t have command line access to my host. Any ideas on how I can fix
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.1 (MingW32) – WinPT 0.7.96rc1
iD8DBQFBuD9HCFFxLzl8aXcRAnCoAJ9tfHqZEx/eCBspsHHA04DhcWV5dQCggm/l
1yZKjZhOXit2h9wzoIPuDb4=
=Kfpf
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Delete lines 13 – 28 in openpgpcommentadmin.php
I’ll delete that in a new version.
Step 5 – can you create a keyring on your home machine? You can upload those dirs and the keyring via FTP.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.6 (SunOS)
iEYEARECAAYFAkG4REsACgkQ/ay4pK+rrYPlrQCfYoGU9H5F4TLZpFcap51DQKC0
7qcAoJXmyFxT2R4SqiKJEB1n3efgHzf6
=yKgU
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Works like a breeze now. :) Thanks a lot.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.2.1 (MingW32) – WinPT 0.7.96rc1
iD8DBQFBuFLOCFFxLzl8aXcRAgZ2AJ46Den4ivAjbPmS44K4nqv3JJ4NlgCeP/hy
LS7TONoFuXftbl5y2xn37kE=
=OTSM
—–END PGP SIGNATURE—–
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Thanks very much for the excellent plugin!
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.1 (MingW32) – WinPT 0.9.90
iD8DBQFCSI/H3KUrxmmXe+ARAvXYAKDf3ldf0cv0Z7IAzexbq+aogaRKkgCfUIMf
06SFEaYbcgqJsZChjuWFfQk=
=7w6l
—–END PGP SIGNATURE—–
Great, thanks! Let’s see whether I can get this running in the chroot!