x/crypto/openpgp: fails to handle expired subkeys correctly #15353
Importing OpenPGP keys with expired signature subkeys, but a valid non-expired signature subkey, is not being handled correctly by golang.org/x/crypto/openpgp functions such as ReadEntity.
What I am experiencing is that when the imported public key has a single non-expired signature subkey then there are no issues.
However, if the imported key has one or more expired signature subkeys, and a valid one as the last packet, only the first expired subkey is considered when creating the PublicKey object, making it invalid for encryption.
I am attaching a public key that exhibits these properties; the key was parsed as follows:
keyBlock, _ := armor.Decode(keyFile)
and later used with openpgp.Encrypt().
Currently gpg --export, even with --export-options export-minimal, always carries expired signature subkeys (despite gpg documentation suggesting the contrary). This means that I have no easy way of exporting the public key in a way which is friendly to golang.org/x/crypto/openpgp, unless I am missing something.
Let me know if you need further information to debug this.
I also have this problem as my key contains multiple subkey binding signatures, but only the first (expired) one is processed. Later packets are ignored, so
I've written and tested a patch on our fork which is working for us.
Regarding GnuPG, yes
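The subkey selection the two reports above expect, as an added example that is not code from this thread or from golang.org/x/crypto/openpgp: scanning every subkey and skipping expired ones finds the valid key, while looking only at the first subkey reproduces the reported failure. The Subkey type, the function names and the key data are constructed for illustration; expiry is taken as creation time plus the key lifetime carried in the binding signature.

```go
package main

import (
	"fmt"
	"time"
)

// Subkey models a subkey and its binding signature (hypothetical type, not the x/crypto/openpgp one).
type Subkey struct {
	ID         string
	Created    time.Time
	Lifetime   time.Duration // Key Expiration Time, counted from Created; 0 = never expires
	CanEncrypt bool
}

// Expired reports whether now is past Created + Lifetime.
func (s Subkey) Expired(now time.Time) bool {
	return s.Lifetime != 0 && now.After(s.Created.Add(s.Lifetime))
}

// NewestUsable scans every subkey, skips expired ones, and returns the newest usable one.
func NewestUsable(keys []Subkey, now time.Time) (best Subkey, found bool) {
	for _, k := range keys {
		if k.CanEncrypt && !k.Expired(now) && (!found || k.Created.After(best.Created)) {
			best, found = k, true
		}
	}
	return best, found
}

// SampleKeys returns constructed data: two expired subkeys followed by a valid one.
func SampleKeys() ([]Subkey, time.Time) {
	now := time.Date(2016, 4, 19, 0, 0, 0, 0, time.UTC) // fixed, constructed reference time
	year := 365 * 24 * time.Hour
	return []Subkey{
		{"EXPIRED-1", now.AddDate(-3, 0, 0), year, true},
		{"EXPIRED-2", now.AddDate(-2, 0, 0), year, true},
		{"VALID-3", now.AddDate(0, -1, 0), year, true},
	}, now
}

func main() {
	keys, now := SampleKeys()
	_, firstOK := NewestUsable(keys[:1], now) // first subkey only, as in the report
	k, ok := NewestUsable(keys, now)
	fmt.Println("first only:", firstOK, "| full scan:", k.ID, ok)
}
```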
Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.
If this is a security issue, please email firstname.lastname@example.org and we will assess it and provide a fix.
If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.
If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.