x/crypto/openpgp: Creating a signing subkey with an EmbeddedSignature doesn't seem possible #23231

paultag opened this issue Dec 23, 2017 · 4 comments



@paultag paultag commented Dec 23, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.9.2 linux/amd64

Does this issue reproduce with the latest release?


What operating system and processor architecture are you using (go env)?

GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build824936553=/tmp/go-build -gno-record-gcc-switches"

What did you do?

When creating a signing subkey in Go, I created an EmbeddedSignature, but when I Serialize, it goes missing.

This strikes me as weird, since Serialize will output the Signature when it parses one coming in. This makes me think that it's dumping some sort of raw internal slice containing the packets it saw coming in.

Is it possible to create a signing subkey in go? I don't see anyone using this field outside of validation.

What did you expect to see?

A Signature subpacket in my signature

What did you see instead?

No cross signature.

@gopherbot gopherbot added this to the Unreleased milestone Dec 23, 2017
@paultag paultag changed the title x/crypto/openpgp x/crypto/openpgp: Creating a signing subkey with an EmbeddedSignature doesn't seem possible Dec 23, 2017

@paultag paultag commented Dec 23, 2017

(Sorry for not finishing the title; updated)


@paultag paultag commented Dec 28, 2017

cc @kbsriram @agl - if either of you can do a quick triage on if it's user error (in which case, I'll open a PR with docs) or if this is a legit issue.

I tried taking a whack at fixing it, but the signature serialization is a bit .... tightly coupled with writing out a signature packet. It didn't seem clear on the right way to refactor it, so I'm going to have to give up on fixing it.


@syadav2015 syadav2015 commented Dec 10, 2018

@paultag @agl Seems like EmbeddedSignatures (0x19: Primary Key Binding Signature from RFC4880 Section 5.2.1) are not currently supported. Taking a look at the code in addSubKey() in openpgp/keys.go:

if sig.SigType != packet.SigTypeSubkeyBinding && sig.SigType != packet.SigTypeSubkeyRevocation {
	return errors.StructuralError("subkey signature with wrong type")
}

Seems like only SigTypeSubkeyBinding (0x18) is supported. I am planning to take a shot at implementing this. Any poc code or notes/docs you could share regarding this would help me get a jumpstart on this issue.


@FiloSottile FiloSottile commented Mar 29, 2021

Per the accepted #44226 proposal and due to lack of maintenance, the package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, for inline signatures, or for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of We don't endorse any specific one.
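
An added example, not code from this thread or from x/crypto/openpgp: a standard-library-only Go check that a serialized v4 subkey binding signature body carries the cross signature the issue expects, that is, an Embedded Signature subpacket (type 32, RFC 4880 Section 5.2.3.26) holding a 0x19 signature. The function names and the sample bytes are constructed for this example, and the check is structural only (the embedded signature is not verified).

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// findSubpacket returns the first subpacket body of type want in one area (RFC 4880 5.2.3.1).
func findSubpacket(area []byte, want byte) []byte {
	for len(area) > 0 {
		n, hdr := int(area[0]), 1 // one-octet length
		if area[0] == 255 && len(area) >= 5 { // five-octet length
			n, hdr = int(binary.BigEndian.Uint32(area[1:5])), 5
		} else if area[0] >= 192 && area[0] < 255 && len(area) >= 2 { // two-octet length
			n, hdr = (int(area[0])-192)<<8+int(area[1])+192, 2
		}
		if n < 1 || n > len(area)-hdr {
			return nil // malformed or truncated area
		}
		if area[hdr]&0x7f == want { // high bit is the critical flag
			return area[hdr+1 : hdr+n]
		}
		area = area[hdr+n:]
	}
	return nil
}

// HasCrossSignature reports whether a v4 0x18 signature body embeds a v4 0x19 body (structure only).
func HasCrossSignature(sig []byte) (bool, error) {
	if len(sig) < 8 || sig[0] != 4 || sig[1] != 0x18 {
		return false, fmt.Errorf("not a v4 subkey binding signature")
	}
	hl := int(binary.BigEndian.Uint16(sig[4:6]))
	if len(sig) < 8+hl || len(sig) < 8+hl+int(binary.BigEndian.Uint16(sig[6+hl:])) {
		return false, fmt.Errorf("truncated subpacket area")
	}
	ul := int(binary.BigEndian.Uint16(sig[6+hl:]))
	for _, area := range [][]byte{sig[6 : 6+hl], sig[8+hl : 8+hl+ul]} {
		if e := findSubpacket(area, 32); len(e) > 1 && e[0] == 4 && e[1] == 0x19 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample: 0x18 body whose unhashed area embeds a stub 0x19 body.
	sig := []byte{4, 0x18, 1, 8, 0, 0, 0, 4, 3, 32, 4, 0x19}
	fmt.Println(HasCrossSignature(sig))
}
```

Run against the signature packet body of a subkey binding taken from serialized key material, a `false` result with no error corresponds to the "No cross signature" outcome reported above.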
