Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/openpgp: ReadEntity(): returning error on first invalid self-signature #11809

Closed
proglottis opened this issue Jul 21, 2015 · 4 comments
Closed

x/crypto/openpgp: ReadEntity(): returning error on first invalid self-signature #11809

proglottis opened this issue Jul 21, 2015 · 4 comments
Labels
FrozenDueToAge
Milestone
Unreleased

Comments

@proglottis
Copy link

After having a key expire and then resetting the expiry using GPG commandline. The openpgp package can no longer read secring.gpg.

http://play.golang.org/p/StEcvGUCvF

Which errors with:

$ go run secring.go
panic: openpgp: invalid data: user ID self-signature invalid: openpgp: invalid signature: hash tag doesn't match

goroutine 1 [running]:
main.main()
/Users/james/Development/Projects/goplay/secring.go:25 +0x237

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/usr/local/Cellar/go/1.4.2/libexec/src/runtime/asm_amd64.s:2232 +0x1
exit status 2

I've created a new private key with a 1 day expiry. I should hopefully be able to upload a failing secring.gpg tomorrow.

As discussed https://groups.google.com/d/msg/golang-nuts/ZG1WgG7NwRg/ZvrOH2OZWu8J
@ianlancetaylor ianlancetaylor added this to the Unreleased milestone Jul 21, 2015
@ianlancetaylor
Copy link
Contributor

CC @agl

@agl agl self-assigned this Jul 22, 2015
@proglottis
Copy link
Author

This isn't as simple as letting a key expire and resetting it. It doesn't seem cause additional self-signatures.

@exarkun
Copy link

exarkun commented Jun 9, 2017

It appears this is still a problem. When I try to use sops:

Could not load secring: openpgp: invalid data: user ID self-signature invalid: openpgp: invalid signature: hash tag doesn't match

@exarkun exarkun mentioned this issue Jun 9, 2017
Closed
@FiloSottile
Copy link
Contributor

Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email security@golang.org and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.

@golang golang locked and limited conversation to collaborators Mar 29, 2022
@rsc rsc unassigned agl Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
6 participants
@agl @proglottis @exarkun @FiloSottile @ianlancetaylor @gopherbot