Bug#706742: libgnupg-perl: $gnupg->verify() fails if signature has OpenPGP notation subpacket

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat May 4 07:25:58 UTC 2013


Package: libgnupg-perl
Version: 0.19-1
Severity: normal

Some signatures that I wish to verify have an OpenPGP Notation
subpacket in them.

You can create these signatures with:

 echo test > test.txt
 gpg --sig-notation test@example.net=abc123 --detach-sign --armor test.txt

and then you can verify them with:

 gpg --status-fd 1 --verify test.txt.asc test.txt

which produces status-fd output like the following:

[GNUPG:] SIG_ID ader2rZR418urkx2zsi3l7YwtvM 2013-05-04 1367652205
[GNUPG:] GOODSIG A52401B11BFDFA5C Daniel Kahn Gillmor <dkg at fifthhorseman.net>
[GNUPG:] NOTATION_NAME test@example.net
[GNUPG:] NOTATION_DATA abc123
[GNUPG:] VALIDSIG EB9691287A7ADDE3757D911EA52401B11BFDFA5C 2013-05-04 1367652205 0 4 0 1 10 00 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
[GNUPG:] TRUST_ULTIMATE

However, using verify() from Perl's GnuPG module causes a crash because it was not expecting NOTATION_NAME or NOTATION_DATA:

protocol error: expected VALIDSIG at /usr/share/perl5/GnuPG.pm line 159
	GnuPG::abort_gnupg('GnuPG=HASH(0x1285c00)', 'protocol error: expected VALIDSIG') called at /usr/share/perl5/GnuPG.pm line 669
	GnuPG::check_sig('GnuPG=HASH(0x1285c00)') called at /usr/share/perl5/GnuPG.pm line 707
	GnuPG::verify('GnuPG=HASH(0x1285c00)', 'signature', 'test.txt.asc', 'file', 'test.txt') called at ./vfy.pl line 15

        --dkg

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnupg-perl depends on:
ii  gnupg  1.4.12-7.1
ii  perl   5.14.2-21

libgnupg-perl recommends no packages.

libgnupg-perl suggests no packages.

-- debconf-show failed
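
Added example (not code from GnuPG.pm or from the original report): a status-fd reader in Perl that skips keywords it does not handle, such as NOTATION_NAME and NOTATION_DATA, instead of aborting, while still requiring both GOODSIG and VALIDSIG before reporting success. The function names parse_verify_status and unescape are hypothetical; the sample lines are the ones from the report above, with the notation name written as test@example.net.

```perl
use strict;
use warnings;

# Decode the %XX escapes gpg applies to notation names and data.
sub unescape {
    (my $s = shift) =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Read status lines for one signature. Success needs GOODSIG and VALIDSIG
# and no failure keyword; line order and unknown keywords do not matter.
sub parse_verify_status {
    my (%sig, $cur_name);
    for my $line (@_) {
        next unless $line =~ /^\[GNUPG:\] (\S+)(?: (.*))?$/;
        my ($kw, $args) = ($1, defined $2 ? $2 : '');
        if ($kw eq 'GOODSIG') {
            @sig{qw(keyid user)} = split / /, $args, 2;
        } elsif ($kw eq 'VALIDSIG') {
            ($sig{fingerprint}) = split / /, $args;
        } elsif ($kw =~ /^(?:BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/) {
            $sig{failed} = $kw;    # conservative: treat all of these as failure
        } elsif ($kw eq 'NOTATION_NAME') {
            $cur_name = unescape($args);
            $sig{notations}{$cur_name} = '';
        } elsif ($kw eq 'NOTATION_DATA' && defined $cur_name) {
            # Long values may arrive split over several NOTATION_DATA lines.
            $sig{notations}{$cur_name} .= unescape($args);
        }
        # SIG_ID, TRUST_* and any keyword added later fall through untouched.
    }
    $sig{ok} = (!$sig{failed} && defined $sig{keyid} && defined $sig{fingerprint}) ? 1 : 0;
    return \%sig;
}

# Sample input: the status lines quoted in the report.
my @status = map { "[GNUPG:] $_" } (
    'SIG_ID ader2rZR418urkx2zsi3l7YwtvM 2013-05-04 1367652205',
    'GOODSIG A52401B11BFDFA5C Daniel Kahn Gillmor <dkg at fifthhorseman.net>',
    'NOTATION_NAME test@example.net',
    'NOTATION_DATA abc123',
    'VALIDSIG EB9691287A7ADDE3757D911EA52401B11BFDFA5C 2013-05-04 1367652205 0 4 0 1 10 00 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9',
    'TRUST_ULTIMATE',
);
my $r = parse_verify_status(@status);
printf "ok=%d keyid=%s fpr=%s\n", @$r{qw(ok keyid fingerprint)};
printf "notation %s = %s\n", $_, $r->{notations}{$_} for sort keys %{ $r->{notations} || {} };
printf "without VALIDSIG: ok=%d\n", parse_verify_status(grep { !/VALIDSIG/ } @status)->{ok};
```

Collecting the notations rather than discarding them lets the caller decide whether a given notation is acceptable for its use of the signature.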


