v6.0.0-beta.0

What's Changed

The following only lists the changes from the previous v6 prerelease.
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.

Breaking changes:

• Fix wrong serialization of PKESK v6 for x25519/x448 (#1734): invalid encrypted messages are generated by the alpha releases of OpenPGP.js v6 when using encryption keys of algorithms enums.publicKey.x25519/x448 with SEIPDv2 feature flag.
  Such encryption keys could be generated by OpenPGP.js v6 (but not by older versions) via generateKey by:

  • enabling config.aeadProtect (off by default) and
  • requesting type: 'curve448'|'curve25519' (which is the default only if config.v6Keys: true).
    The affected messages will fail to parse and decrypt in OpenPGP.js v6.0.0-beta.0+ as well as in other OpenPGP libraries.

• Drop config.revocationsExpire, always honour revocation expiration (#1736): the option used to default to false, and ignore revocation expirations. We now honour those expirations, namely match the behaviour resulting from setting the option to true.

• Add back armor checksum for non-v6 artifacts (#1741): the change is needed to work around a GnuPG decoding bug affecting some messages without the checksum. It causes a breaking change, limited to openpgp.armor, which takes an additional emitChecksum argument (defaults to false).

Main non-breaking changes:

• Randomise v4 and v5 signatures via custom notation (#1737): while this notation solution is interoperable, it will reveal that the signature has been generated using OpenPGP.js, which may not be desirable in some cases. For this reason, the option config.nonDeterministicSignaturesViaNotation (defaulting to true) has been added to turn off the feature.

• Fix email address validity check to still allow unicode values, and further relax constraints (#1739): this follows up to a change made in v6.0.0-alpha.1; previous versions already accepted unicode values.

Full Changelog: v6.0.0-alpha.1...v6.0.0-beta.0

v6.0.0-alpha.1

What's Changed

The following only lists the changes from the previous v6 prerelease.
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.

Main non-breaking changes:

• Add config.parseAEADEncryptedV4KeysAsLegacy to support decrypting AEAD-encrypted v4 keys from OpenPGP.js v5 or older (#1672)
• Skip key validation for keys encrypted with non-legacy AEAD mechanism (#1713)
• Add sha3_256 and sha3_512 to preferred algorithms in newly generated keys (#1696)
• Relax constraints for UserID email address validity, to accept domains such as @localhost (#1641)
• Use WebCrypto for AES-KW, drop AES_ECB dependency (#1724)
• Use the Compression Stream API when available (#1717)
• Import legacy ciphers (CAST5, TwoFish, BlowFish, DES) only on demand, to optimise lightweight build (#1723)
• Node: drop asn1.js dependency (#1722)

Breaking changes:

• Throw if WebCrypto API is not available (before, it was already required, but it would not cause issues with operations that did not rely on it, such as RSA encryption)
• Drop support for native Node Readable stream: require passing Node Web Streams (#1716). Utils to convert from and to Web Streams in Node are available from v17.
• Ensure primary key meets strength and algo requirements when encrypting/verifying/signing using subkeys (#1719)
• Rename NIST curves to disambiguate the names with the Brainpool curves (#1721).:
  • the identifiers enums.curve.p256, .p384, .p521 are now marked as @deprecated (to be dropped in the main release)
  • the new identifiers are, respectively: enums.curve.nistP256, .nistP384, .nistP521.
  • the corresponding values have been changed from 'p256','p384','p521' to 'nistP256', 'nistP384', 'nistP521' (these new values are expected by generateKey, for the options.curve argument).
• Remove config.deflateLevel (#1717)

Full Changelog: v6.0.0-alpha.0...v6.0.0-alpha.1

v5.11.1

What's Changed

• Patch for Node v18.19.1+, 20.11.1+ and 21.6.2+: use JS fallback code for RSA decryption on Node when PKCS#1 is not supported (see #1728).

Full Changelog: v5.11.0...v5.11.1

v6.0.0-alpha.0

What's Changed

OpenPGP.js v6 includes only minor API changes while adding full support for the OpenPGP crypto refresh.

Main non-breaking changes:

• Implement crypto refresh features (some behind flags, given the limited ecosystem support):
  • Add support for v6 keys, signatures and encrypted-session keys & more (behind feature flag openpgp.config.v6Keys)
  • Add support for AEAD-protected encrypted messages (new format, behind feature flag openpgp.config.aeadProtect)
  • Add support for Argon2 (#1597) (since WASM is used, it might require specific configurations in web apps, see note under "Breaking changes" below)
  • Add support for Ed448 & X448 (#1676)
  • Add support for generating Ed25519 & X25519 keys in new format (#1676, following up to #1620)
• Drop elliptic.js in favor of noble-curves (#1694)
• Add support for SHA3 (#1680)

Breaking changes:

• Drop support for Node 14 (EOL end of April '23)
• The library is now declared as a module, and declares exports, alongside the legacy package.json entrypoints, which should ensure backwards compatibility. Still, bundlers might be affected by the package.json changes depending on how they load the library.
• Remove embedded Web Streams ponyfill, since it's now supported in all browsers (applications can load a polyfill themselves instead, if they need to support older browser versions: see README).
• The crypto refresh has updated parts of the draft RFC4880bis as implemented by OpenPGP.js v4 and v5. Related changes in v6 are:
  • Drop config.v5Keys flag and corresponding key generation. The flag is replaced by .v6Keys, and results in a different key format.
  • Keys generated without .v5Keys flag and encrypted with config.aeadProtect = true cannot be decrypted by OpenPGP.js v6 out-of-the-box. Support for decrypting these keys will be added in the next v6 prerelease (see #1672).
  • The config.aeadProtect flag has a different effect than in v5:
    • for private keys, a new encryption mechanism is used;
    • for password-encrypted messages, a new message format is used;
    • when encrypting messages to public keys, the flag is ignored (see #1678).
• Argon2 relies on a WASM module, thus web apps might need to make changes to their CSP policy in order to use the feature. Alternatively, since the Argon2 WASM module is only loaded if needed, apps can manually reject password-encrypted messages and private keys which use Argon2 by checking e.g. SymEncryptedSessionKeyPacket.s2k?.type === 'argon2' or SecretKeyPacket|SecretSubkeyPacket.keyPacket.s2k?.type === 'argon2'.
• Refuse to use keys without key flags, but add config.allowMissingKeyFlags to bypass the check if needed (see #1677)
• Drop config.minBytesForWebCrypto, and always use WebCrypto if available, since there is no longer a performance overhead for small messages.
• Rename EdDSA-related enums following the standardisation of new key formats:
  • Drop enums.publicKey.eddsa in favour of enums.publicKey.eddsaLegacy
  • Rename string value of enums.curve.ed25519Legacy to 'ed25519Legacy' (was: 'ed25519')
  • Rename string value of enums.curve.curve25519Legacy to 'curve25519Legacy' (was: 'curve25519')
• Rename config.useIndutnyElliptic to .useEllipticFallback, to reflect the change of underlying library.
• Remove enums.symmetric.plaintext (internally unused)

Full Changelog: v5.11.0...v6.0.0-alpha.0

v5.11.0

What's Changed

• crypto-refresh: minor fixes and updates for X25519/Ed25519 (new format) (#1687)
  • Introduce enums.publicKey.eddsaLegacy, set to replace enums.publicKey.eddsa in v6
  • Introduce enums.curve.ed25519Legacy and .curve25519Legacy, set to replace enums.curve.ed25519 and .curve25519 in v6
• Fix stream closure when using Node's stream.pipeline (#1691)
• Fix binding signature generation using shorter hash than expected for some ECDSA subkeys
• Always use NodeCrypto over WebCrypto in Node 20 (#1692)
• TS: Allow nullable date in VerifyOptions (#1644)

Full Changelog: v5.10.2...v5.11.0

v5.10.2

What's Changed

• Fix CFB decryption performance in JS fallback for ciphers other than AES (#1679)
• Minor: fix packet validity check for new curve25519 keys without key flags

Full Changelog: v5.10.1...v5.10.2

v5.10.1

Reject cleartext messages with extraneous data preceeding hash, addressing: GHSA-ch3c-v47x-4pgp.

v5.10.0

• crypto-refresh: add support for new Ed25519/X25519 keys, signatures and messages (#1620)
• Support parsing encrypted key with unknown s2k types or cipher algos (#1658)
• Fix forward compatibility of keys, SKESKs, and detached/cleartext signatures and ECDH (#1656)

This release does not include any breaking changes.

Full Changelog: v5.9.0...v5.10.0

v4.10.11 (legacy)

Reject cleartext messages with extraneous data preceeding hash, addressing: GHSA-ch3c-v47x-4pgp.

v5.9.0

• Add support for verifying User Attributes in verifyAllUsers (#1637)
• Allow email addresses with trailing numbers in domain (#1642)
  
  
• TS: add declaration for verify with CleartextMessage input (#1640)
• Add revoke to Subkey in type definition (#1639)