x/crypto/openpgp: fails to handle expired subkeys correctly #15353
Importing OpenPGP keys with expired signature subkeys, but a valid non-expired signature subkey, is not being handled correctly by golang.org/x/crypto/openpgp functions such as ReadEntity.
What I am experiencing is that when the imported public key has a single non-expired signature subkey then there are no issues.
However if the imported key has one or more expired signature subkeys, and a valid one as the last packet, only the first expired subkey is considered when creating the PublicKey object, making it invalid for encryption.
I am attaching a public key that exhibits these properties; the key was parsed as follows:

```go
keyBlock, _ := armor.Decode(keyFile)
```

and later used with openpgp.Encrypt().
Currently gpg --export, even with --export-options export-minimal, always carries expired signature subkeys (despite the gpg documentation suggesting the contrary). This means that I have no easy way of exporting the public key in a way which is friendly to golang.org/x/crypto/openpgp, unless I am missing something.
Let me know if you need further information to debug this.
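To make the reported behaviour concrete, here is an added example, not code from the issue or from golang.org/x/crypto/openpgp, that models a subkey carrying several binding signatures and compares two selection rules: consulting only the first binding signature (the behaviour described above) and consulting the most recent one, which is what RFC 4880 section 5.2.3.3 recommends for multiple self-signatures. The types and functions (bindingSig, subkey, expiredAt, firstBindingUsable, newestBindingUsable, sampleSubkey) and the key dates are invented for the example; the expiry rule is the real one from RFC 4880 section 5.2.3.6, where Key Expiration Time counts seconds from the subkey's creation.

```go
package main

import (
	"fmt"
	"time"
)

// bindingSig models the parts of an OpenPGP subkey binding signature
// (signature type 0x18) that decide expiry. The names are invented for this
// example; they are not the golang.org/x/crypto/openpgp/packet types.
type bindingSig struct {
	created         time.Time
	keyLifetimeSecs *uint32 // Key Expiration Time subpacket; nil means never expires
}

// subkey holds a subkey's creation time and every binding signature that
// followed it in the key, in packet order.
type subkey struct {
	created  time.Time
	bindings []bindingSig
}

// expiredAt applies RFC 4880 section 5.2.3.6: Key Expiration Time is counted
// in seconds from the key's creation time, not from the signature's.
func expiredAt(sk subkey, sig bindingSig, now time.Time) bool {
	if sig.keyLifetimeSecs == nil {
		return false
	}
	expiry := sk.created.Add(time.Duration(*sig.keyLifetimeSecs) * time.Second)
	return !now.Before(expiry)
}

// firstBindingUsable reproduces the behaviour the issue describes: only the
// first binding signature is looked at and any later ones are ignored.
func firstBindingUsable(sk subkey, now time.Time) bool {
	if len(sk.bindings) == 0 {
		return false
	}
	return !expiredAt(sk, sk.bindings[0], now)
}

// newestBindingUsable follows RFC 4880 section 5.2.3.3, which recommends
// giving priority to the most recent self-signature. A later binding that
// extends or drops the expiry therefore supersedes an earlier, expired one.
func newestBindingUsable(sk subkey, now time.Time) bool {
	var newest *bindingSig
	for i := range sk.bindings {
		b := &sk.bindings[i]
		if newest == nil || b.created.After(newest.created) {
			newest = b
		}
	}
	if newest == nil {
		return false
	}
	return !expiredAt(sk, *newest, now)
}

// secs returns a pointer to a lifetime value, as the subpacket is optional.
func secs(n uint32) *uint32 { return &n }

// sampleSubkey is a constructed key, not the one attached to the issue:
// created 2014-01-01 with a one-year lifetime, then re-bound on 2015-12-01
// with a three-year lifetime (the usual "extend the expiry" edit in gpg).
func sampleSubkey() subkey {
	created := time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC)
	return subkey{
		created: created,
		bindings: []bindingSig{
			{created: created, keyLifetimeSecs: secs(365 * 24 * 3600)},
			{created: time.Date(2015, 12, 1, 0, 0, 0, 0, time.UTC), keyLifetimeSecs: secs(3 * 365 * 24 * 3600)},
		},
	}
}

func main() {
	sk := sampleSubkey()
	now := time.Date(2016, 4, 18, 0, 0, 0, 0, time.UTC)
	fmt.Println("first binding only:", firstBindingUsable(sk, now)) // false
	fmt.Println("newest binding:    ", newestBindingUsable(sk, now)) // true
}
```

The first rule reports the sample subkey as expired in April 2016 because its original one-year binding ran out at the start of 2015, even though the December 2015 re-binding keeps it valid until the end of 2016; the second rule picks the re-binding by creation time rather than packet order, so the result does not depend on how gpg happened to order the signatures on export.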
Title changed to "golang.org/x/crypto/openpgp fails to handle expired subkeys correctly" on Apr 18, 2016.
I also have this problem as my key contains multiple subkey binding signatures, but only the first (expired) one is processed. Later packets are ignored, so
I've written and tested a patch on our fork which is working for us.
Regarding GnuPG, yes