x/crypto/openpgp: Better support for signing subkeys

[taralx]

Support already exists for reading and verifying signing subkeys, but not creating or writing them. Proposed changes:

• https://go-review.googlesource.com/c/crypto/+/256279 openpgp/packet: serialize embedded signatures
  Currently embedded signatures will not serialize if the signature is generated/re-generated. This adds that functionality and introduces a Signature.SerializeRaw method that writes the signature without the packet wrapper.
• https://go-review.googlesource.com/c/crypto/+/256280 openpgp: add cross-signature support
  Signing subkeys require a cross-signature, which is computed on the same hash as the subkey binding signature. This introduces a Signature.CrossSignKey method that can be used to generate these cross-signatures.

[katiehockman]

/cc @FiloSottile

[syadav2015]

@taralx I had added support for subkey signatures along with revocation support for keys and subkeys in https://go-review.googlesource.com/c/crypto/+/161817, however lack of any reviews or response from upstream devs for ctypto/openpgp package ( see this discussion for reference ) led me to submit my changes to protonmail's crypto package fork and update my project to use their fork.

[FiloSottile]

Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email security@golang.org and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.

Thank you!