x/crypto/openpgp: ReadEntity(): returning error on first invalid self-signature

[proglottis]

After having a key expire and then resetting the expiry using GPG commandline. The openpgp package can no longer read secring.gpg.

http://play.golang.org/p/StEcvGUCvF

Which errors with:

$ go run secring.go
panic: openpgp: invalid data: user ID self-signature invalid: openpgp: invalid signature: hash tag doesn't match

goroutine 1 [running]:
main.main()
/Users/james/Development/Projects/goplay/secring.go:25 +0x237

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/usr/local/Cellar/go/1.4.2/libexec/src/runtime/asm_amd64.s:2232 +0x1
exit status 2

I've created a new private key with a 1 day expiry. I should hopefully be able to upload a failing secring.gpg tomorrow.

As discussed https://groups.google.com/d/msg/golang-nuts/ZG1WgG7NwRg/ZvrOH2OZWu8J

[ianlancetaylor]

CC @agl

[proglottis]

This isn't as simple as letting a key expire and resetting it. It doesn't seem cause additional self-signatures.

[exarkun]

It appears this is still a problem. When I try to use sops:

Could not load secring: openpgp: invalid data: user ID self-signature invalid: openpgp: invalid signature: hash tag doesn't match

[FiloSottile]

Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email security@golang.org and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.