x/crypto/openpgp: fails to handle expired subkeys correctly #15353
Comments
abarisani
changed the title
bradfitz
changed the title
|
I also have this problem as my key contains multiple subkey binding signatures, but only the first (expired) one is processed. Later packets are ignored, so Thanks so much @abarisani for your workaround This very recent commit (which fixed #26449) nearly fixed this but not quite.
I've written and tested a patch on our fork which is working for us. Regarding GnuPG, yes |
|
Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed. If this is a security issue, please email security@golang.org and we will assess it and provide a fix. If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here. If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one. |
Hello,
importing OpenPGP keys with expired signature subkeys, but a valid non-expired signature subkey, is not being handled correctly by golang.org/x/crypto/openpgp functions such as ReadEntity.
What I am experiencing is that when the imported public key has a single non-expired signature subkey then there are no issues.
However if the imported key has one or more expired signature subkeys, and a valid one as the last packet, only the first expired subkey is considered when creating the PublicKey object, making it invalid for encryption.
I am attaching a public key that exhibits these properties, the key was parsed as follows:
keyBlock, _ := armor.Decode(keyFile)
reader := packet.NewReader(keyBlock.Body)
entity, _ := openpgp.ReadEntity(reader)
and later used with openpgp.Encrypt().
Currently gpg --export, even with --export-options export-minimal, always carry expired signature subkeys (despite gpg documentation suggesting the contrary). This means that I have no easy way of exporting the public key in a way which is friendly to golang.org/x/crypto/openpgp, unless I am missing something.
Let me know if you need further information to debug this.
Thanks!
test_key.txt
The text was updated successfully, but these errors were encountered: