fix: use updated OpenPGP implementation

Fixes syncthing/syncthing#9835

go.mod

@@ -3,15 +3,18 @@ module kastelo.dev/ezapt
 go 1.23.3
 
 require (
+	github.com/ProtonMail/go-crypto v1.1.3
 	github.com/alecthomas/kong v1.4.0
-	golang.org/x/crypto v0.9.0
 	golang.org/x/mod v0.22.0
 	pault.ag/go/debian v0.17.0
 )
 
 require (
+	github.com/cloudflare/circl v1.5.0 // indirect
 	github.com/kjk/lzma v0.0.0-20161016003348-3fd93898850d // indirect
 	github.com/klauspost/compress v1.16.5 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
+	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/sys v0.27.0 // indirect
 	pault.ag/go/topsort v0.1.1 // indirect
 )

go.sum

@@ -1,9 +1,15 @@
+github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk=
+github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
 github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
 github.com/alecthomas/kong v1.4.0 h1:UL7tzGMnnY0YRMMvJyITIRX1EpO6RbBRZDNcCevy3HA=
 github.com/alecthomas/kong v1.4.0/go.mod h1:p2vqieVMeTAnaC83txKtXe8FLke2X07aruPWXyMPQrU=
 github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc=
 github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
+github.com/cloudflare/circl v1.5.0 h1:hxIWksrX6XN5a1L2TI/h53AGPhNHoUBo+TD1ms9+pys=
+github.com/cloudflare/circl v1.5.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
 github.com/kjk/lzma v0.0.0-20161016003348-3fd93898850d h1:RnWZeH8N8KXfbwMTex/KKMYMj0FJRCF6tQubUuQ02GM=
@@ -12,10 +18,16 @@ github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/d
 github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
-golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
-golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
 golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 pault.ag/go/debian v0.17.0 h1:H+frUQv9X5yoJpYE0MLdqoAdyoHQizFL6vq+4qMMKrc=
 pault.ag/go/debian v0.17.0/go.mod h1:JFl0XWRCv9hWBrB5MDDZjA5GSEs1X3zcFK/9kCNIUmE=
 pault.ag/go/topsort v0.1.1 h1:L0QnhUly6LmTv0e3DEzbN2q6/FGgAcQvaEw65S53Bg4=

internal/publish/pgp.go

@@ -2,38 +2,33 @@ package publish
 
 import (
 	"crypto"
+	"encoding/hex"
 	"fmt"
 	"io"
+	"log/slog"
 
-	_ "crypto/sha256"
-
-	_ "golang.org/x/crypto/ripemd160"
-
-	"golang.org/x/crypto/openpgp"
-	"golang.org/x/crypto/openpgp/clearsign"
-	"golang.org/x/crypto/openpgp/packet"
+	"github.com/ProtonMail/go-crypto/openpgp/clearsign"
+	"github.com/ProtonMail/go-crypto/openpgp/packet"
+	openpgp "github.com/ProtonMail/go-crypto/openpgp/v2"
 )
 
 type signer struct {
-	keys []*packet.PrivateKey
+	entities []*openpgp.Entity
 }
 
 func newSigner(keychain io.Reader) (*signer, error) {
 	pr := packet.NewReader(keychain)
 	s := &signer{}
 	for {
-		pkt, err := pr.Next()
+		ent, err := openpgp.ReadEntity(pr)
 		if err == io.EOF {
 			break
 		}
 		if err != nil {
 			return nil, err
 		}
-		if key, ok := pkt.(*packet.PrivateKey); ok {
-			if !key.IsSubkey && key.PublicKey.PublicKey != nil {
-				s.keys = append(s.keys, key)
-			}
-		}
+		slog.Info("Loaded key", "fingerprint", hex.EncodeToString(ent.PrimaryKey.Fingerprint))
+		s.entities = append(s.entities, ent)
 	}
 	return s, nil
 }
@@ -44,30 +39,28 @@ type seekable interface {
 }
 
 func (s *signer) DetachSign(in seekable, out io.Writer) error {
-	if len(s.keys) == 0 {
-		return fmt.Errorf("no private keys found")
+	if len(s.entities) == 0 {
+		return fmt.Errorf("no entities")
 	}
 	cfg := &packet.Config{
 		DefaultHash: crypto.SHA256,
 	}
-	for _, key := range s.keys {
-		if _, err := in.Seek(0, io.SeekStart); err != nil {
-			return err
-		}
-		signer := &openpgp.Entity{PrivateKey: key}
-		if err := openpgp.DetachSign(out, signer, in, cfg); err != nil {
-			return err
-		}
+	if err := openpgp.DetachSign(out, s.entities, in, cfg); err != nil {
+		return err
 	}
 	return nil
 }
 
 func (s *signer) ClearSign(in seekable, out io.Writer) error {
-	if len(s.keys) == 0 {
-		return fmt.Errorf("no private keys found")
+	if len(s.entities) == 0 {
+		return fmt.Errorf("no entities")
 	}
 
-	w, err := clearsign.EncodeMulti(out, s.keys, nil)
+	keys := make([]*packet.PrivateKey, len(s.entities))
+	for i, e := range s.entities {
+		keys[i] = e.PrivateKey
+	}
+	w, err := clearsign.EncodeMulti(out, keys, nil)
 	if err != nil {
 		return err
 	}