x/crypto/openpgp: Support signing of pre-computed hashes #28022
Comments
ALTree
added
Proposal-Crypto
|
Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed. If this is a security issue, please email security@golang.org and we will assess it and provide a fix. If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here. If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one. |
This is a perhaps unusual feature request: the autograph service provides an API that clients can use to request signatures. Most of the time, clients call
/sign/datawith a raw message to sign, and that works fine with openpgp. But in some cases, we want to just accept a pre-computed hash to reduce the bandwidth usage between a client and the autograph service.Trying to implement this with the openpgp package seems rather challenging. From what I can tell, the packet#Signature.Sign() function takes an initialized hash, appends a suffix and finishes the computation of the digest, then signs. There's no obvious way to provide the function with a hash that's already computed. I'm also failing to think of a way to hack around this without touching the openpgp/packet package directly.
Would it be possible to implement a
SignHashfunction in thepacketpackage that takes a pre-computed hash? It might also be useful to exportbuildHashSuffixfor client to assemble the hash themselves.The text was updated successfully, but these errors were encountered: