Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/openpgp: Better support for signing subkeys #41618

Closed
taralx opened this issue Sep 24, 2020 · 3 comments
Closed

x/crypto/openpgp: Better support for signing subkeys #41618

taralx opened this issue Sep 24, 2020 · 3 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@taralx
Copy link

taralx commented Sep 24, 2020

Support already exists for reading and verifying signing subkeys, but not creating or writing them. Proposed changes:

  • https://go-review.googlesource.com/c/crypto/+/256279 openpgp/packet: serialize embedded signatures
    Currently embedded signatures will not serialize if the signature is generated/re-generated. This adds that functionality and introduces a Signature.SerializeRaw method that writes the signature without the packet wrapper.
  • https://go-review.googlesource.com/c/crypto/+/256280 openpgp: add cross-signature support
    Signing subkeys require a cross-signature, which is computed on the same hash as the subkey binding signature. This introduces a Signature.CrossSignKey method that can be used to generate these cross-signatures.
@gopherbot gopherbot added this to the Unreleased milestone Sep 24, 2020
@katiehockman
Copy link
Contributor

/cc @FiloSottile

@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 28, 2020
@syadav2015
Copy link

@taralx I had added support for subkey signatures along with revocation support for keys and subkeys in https://go-review.googlesource.com/c/crypto/+/161817, however lack of any reviews or response from upstream devs for ctypto/openpgp package ( see this discussion for reference ) led me to submit my changes to protonmail's crypto package fork and update my project to use their fork.

@FiloSottile
Copy link
Contributor

Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email security@golang.org and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.

Thank you!

@golang golang locked and limited conversation to collaborators Mar 29, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Development

No branches or pull requests

6 participants