x/crypto/openpgp: implement certification revocation signature

[aviau]

It would be great if the openpgp package implemented Certification revocation signature as defined in RFC4880.

Currently, depending on the packet ordering, the openpgp package can add revoked identities to the entity's identities slice, this can be misleading because there is no possibility to see that it has been revoked.

[gopherbot]

Change https://golang.org/cl/118995 mentions this issue: openpgp: implement Cert Revocation Signature

[aviau]

@FiloSottile <3

[aviau]

ping @FiloSottile, you reviewed one of the dependencies but not the main changeset.

(also, I have added you as a reviewer to this smaller change: https://go-review.googlesource.com/c/crypto/+/138997)

Cheers,

[aviau]

Ping @FiloSottile. You mind me reminding you again?

The changeset is here: https://golang.org/cl/118995

[aviau]

I'll try again...

Ping @FiloSottile

[FiloSottile]

Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email security@golang.org and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.