x/crypto/openpgp: Support signing of pre-computed hashes #28022

Closed
jvehent opened this issue Oct 4, 2018 · 1 comment

@jvehent jvehent commented Oct 4, 2018

This is a perhaps unusual feature request: the autograph service provides an API that clients can use to request signatures. Most of the time, clients call /sign/data with a raw message to sign, and that works fine with openpgp. But in some cases, we want to just accept a pre-computed hash to reduce the bandwidth usage between a client and the autograph service.

Trying to implement this with the openpgp package seems rather challenging. From what I can tell, the packet#Signature.Sign() function takes an initialized hash, appends a suffix and finishes the computation of the digest, then signs. There's no obvious way to provide the function with a hash that's already computed. I'm also failing to think of a way to hack around this without touching the openpgp/packet package directly.

Would it be possible to implement a SignHash function in the packet package that takes a pre-computed hash? It might also be useful to export buildHashSuffix for clients to assemble the hash themselves.
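
The constraint described in this request, as an added example that is not part of the issue or of x/crypto/openpgp: because the signer appends a suffix before finalising the digest, a finished hash of the message cannot be turned into the digest that gets signed, while an unfinalised hash state can. The `suffix` value is a constructed placeholder, not a real OpenPGP hash suffix, and the state hand-off relies on the standard library's SHA-256 implementing `encoding.BinaryMarshaler`.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding"
	"fmt"
)

// Constructed placeholder for the bytes the signer appends before finalising.
var suffix = []byte("constructed-signature-suffix")

// fullDigest is what a signer computes when it has the whole message: H(msg || suffix).
func fullDigest(msg []byte) []byte {
	h := sha256.New()
	h.Write(msg)
	h.Write(suffix)
	return h.Sum(nil)
}

// naiveDigest starts from a finished H(msg); the suffix can no longer be mixed in correctly.
func naiveDigest(msg []byte) []byte {
	d := sha256.Sum256(msg)
	h := sha256.New()
	h.Write(d[:])
	h.Write(suffix)
	return h.Sum(nil)
}

// clientState hashes the message locally and exports the unfinalised SHA-256 state.
func clientState(msg []byte) ([]byte, error) {
	h := sha256.New()
	h.Write(msg)
	return h.(encoding.BinaryMarshaler).MarshalBinary()
}

// signerDigest restores the client's state, appends the suffix and finalises.
func signerDigest(state []byte) ([]byte, error) {
	h := sha256.New()
	if err := h.(encoding.BinaryUnmarshaler).UnmarshalBinary(state); err != nil {
		return nil, err // malformed or truncated state is rejected
	}
	h.Write(suffix)
	return h.Sum(nil), nil
}

func main() {
	msg := bytes.Repeat([]byte("A"), 1<<20) // constructed 1 MiB message
	state, _ := clientState(msg)
	d, _ := signerDigest(state)
	fmt.Println(len(state), bytes.Equal(d, fullDigest(msg)), bytes.Equal(naiveDigest(msg), fullDigest(msg)))
}
```

A signer that accepts client-supplied hash state or digests cannot inspect the message it is signing, so the signing decision rests entirely on client authentication and authorization.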

Contributor

@FiloSottile FiloSottile commented Mar 29, 2021

Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email security@golang.org and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.
