replace golang.org/x/crypto/openpgp with github.com/ProtonMail/go-crypto/openpgp

[paulcacheux]

Fixes some TODOs in the code

Requirements

All new code should be covered with tests, documentation should be updated. CI should pass.

Description of the Change

This PR replaces golang.org/x/crypto/openpgp which is unsupported (issue) with github.com/ProtonMail/go-crypto/openpgp.

This has the added bonus of adding support for new pgp key types

Checklist

• unit-test added (if change is algorithm)
• functional test added/updated (if change is functional)
• man page updated (if applicable)
• bash completion updated (if applicable)
• documentation updated
• author name in AUTHORS

[codecov]

Codecov Report

Merging #1228 (6773724) into master (f1649a6) will increase coverage by 0.03%.
The diff coverage is n/a.

❗ Current head 6773724 differs from pull request most recent head f1c1891. Consider uploading reports for the commit f1c1891 to get more accurate results

@@            Coverage Diff             @@
##           master    #1228      +/-   ##
==========================================
+ Coverage   74.85%   74.89%   +0.03%     
==========================================
  Files         143      143              
  Lines       16187    16179       -8     
==========================================
  Hits        12117    12117              
+ Misses       3134     3126       -8     
  Partials      936      936              

Files	Coverage Δ
pgp/internal.go	56.97% <ø> (ø)
pgp/openpgp.go	61.48% <ø> (+3.15%)	⬆️

📣 Codecov offers a browser extension for seamless coverage viewing on GitHub. Try it in Chrome or Firefox today!

[paulcacheux]

@randombenj sorry for the direct ping. Is this something you would be interested in ?

[randombenj]

Thanks for the change, I think this makes sense. Why was the V3 switch removed?

[randombenj]

Will this have any impact?

[paulcacheux]

Yes something I should have made clearer in the PR description. Basically this means we would lose support for SignatureV3. They are old and nearly unsupported so I think it's your decision.

On the other hand, the current openpgp does not support ed25519 keys (example issue), and is not supported. So migrating has both upsides and downsides.

I searched for another maintained /x/crypto/openpgp alternatives that is still maintained without success sadly

[paulcacheux]

After double checking https://github.com/ProtonMail/go-crypto/blob/afb1ddc0824ce0052d72ac0d6917f144a1207424/openpgp/packet/packet.go#L339, I think there was already no way to read a SignatureV3 from a packet, so I think we don't lose anything.

Here is a public issue showing a similar intel golang/go#27679

[randombenj]

@neolynx any input on this, otherwise I think we can merge

[neolynx]

I would go with that. We can test with old mirrors and repos, and readd it in case this brings any troubles...

[paulcacheux]

Regarding the failing tests it seems the upstream repos were updated. Happy to rebase once main is green regarding those

[paulcacheux]

@randombenj maybe we can fix the CI first before merging. How can I help in that direction ?

[neolynx]

lgtm :)

[randombenj]

@paulcacheux as the tests don't fail because of your changes, I will merge this and then later on fix the tests on the main branch. Thanks for the contribution 🎉