Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/openpgp: ReadEntity doesn't support V3 signatures #27679

Closed
emersion opened this issue Sep 14, 2018 · 1 comment
Closed

x/crypto/openpgp: ReadEntity doesn't support V3 signatures #27679

emersion opened this issue Sep 14, 2018 · 1 comment
Milestone

Comments

@emersion
Copy link

@emersion emersion commented Sep 14, 2018

What version of Go are you using (go version)?

1.11

Does this issue reproduce with the latest release?

Aye.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/home/simon/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/simon/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/lib/go"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build609952039=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Try to use openpgp.ReadEntity on a keyring containing V3 signatures (for instance http://keyserver.mattrude.com/dump/current/sks-dump-0000.pgp).

package main

import (
	"io"
	"log"
	"os"

	"golang.org/x/crypto/openpgp"
	"golang.org/x/crypto/openpgp/packet"
)

func main() {
	pr := packet.NewReader(os.Stdin)
	for {
		_, err := openpgp.ReadEntity(pr)
		if err == io.EOF {
			break
		} else if err != nil {
			log.Fatal(err)
		}
	}
}

What did you expect to see?

No error.

What did you see instead?

openpgp: invalid data: subkey packet not followed by signature

This happens because of this line: https://github.com/golang/crypto/blob/master/openpgp/keys.go#L442

  • We should at least provide a sensible error message if it's a *packet.SignatureV3 ("V3 signatures not supported by Entity").
  • We could add a SignatureV3 field alongside Signature fields (just like MessageDetails)

What do you think?

@gopherbot gopherbot added this to the Unreleased milestone Sep 14, 2018
@FiloSottile
Copy link
Contributor

@FiloSottile FiloSottile commented Mar 29, 2021

Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email security@golang.org and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants