Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/openpgp: Creating a signing subkey with an EmbeddedSignature doesn't seem possible #23231

Closed
paultag opened this issue Dec 23, 2017 · 4 comments
Milestone

Comments

@paultag
Copy link

@paultag paultag commented Dec 23, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.9.2 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/paultag/go"
GORACE=""
GOROOT="/usr/lib/go-1.9"
GOTOOLDIR="/usr/lib/go-1.9/pkg/tool/linux_amd64"
GCCGO="/usr/bin/gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build824936553=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you do?

When creating a signing subkey in Go, I created an EmbeddedSignature, but when I Serialize, it goes missing.

This strikes me as weird, since Serialize will output the Signature when it parses one coming in. This makes me think that it's dumping some sort of raw internal slice containing the packets it saw coming in.

Is it possible to create a signing subkey in go? I don't see anyone using this field outside of validation.

What did you expect to see?

A Signature subpacket in my signature

What did you see instead?

No cross signature.

@gopherbot gopherbot added this to the Unreleased milestone Dec 23, 2017
@paultag paultag changed the title x/crypto/openpgp x/crypto/openpgp: Creating a signing subkey with an EmbeddedSignature doesn't seem possible Dec 23, 2017
@paultag
Copy link
Author

@paultag paultag commented Dec 23, 2017

(Sorry for not finishing the title; updated)

@paultag
Copy link
Author

@paultag paultag commented Dec 28, 2017

cc @kbsriram @agl - if either of you can do a quick triage on if it's user error (in which case, I'll open a PR with docs) or if this is a legit issue.

I tried taking a whack at fixing it, but the signature serialization is a bit .... tightly coupled with writing out a signature packet. It didn't seem clear on the right way to refactor it, so I'm going to have to give up on fixing it.

@syadav2015
Copy link

@syadav2015 syadav2015 commented Dec 10, 2018

@paultag @agl Seems like EmbeddedSignatures (0x19: Primary Key Binding Signature from RFC4880 Section 5.2.1) are not currently supported. Taking a look at the code in addSubKey() in openpgp/keys.go:

if sig.SigType != packet.SigTypeSubkeyBinding && sig.SigType != packet.SigTypeSubkeyRevocation {
	return errors.StructuralError("subkey signature with wrong type")
}

Seems like only SigTypeSubkeyBinding (0x18) is supported. I am planning to take a shot at implementing this. Any poc code or notes/docs you could share regarding this would help me get a jumpstart on this issue.

@FiloSottile
Copy link
Contributor

@FiloSottile FiloSottile commented Mar 29, 2021

Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email security@golang.org and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants