Skip to content

Update module to v2.7.5

renovate requested to merge renovate/ into master

This MR contains the following updates:

Package Type Update Change require minor v2.5.0 -> v2.7.5


Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

ProtonMail/gopenpgp (


Compare Source

  • API to get signature key IDs for mobile:
    func (msg *PGPMessage) GetHexSignatureKeyIDsJson() []byte
  • API to get encryption key IDs for mobile:
    func (msg *PGPMessage) GetHexEncryptionKeyIDsJson() []byte
  • API to get the number of key packets in a PGP message:
    func (msg *PGPSplitMessage) GetNumberOfKeyPackets() (int, error)
  • API in package helper to encrypt a PGP message to an additional key:
    func EncryptPGPMessageToAdditionalKey(messageToModify *crypto.PGPSplitMessage, keyRing *crypto.KeyRing, additionalKey *crypto.KeyRing) error


Compare Source

  • Ensure that (SessionKey).Decrypt functions return an error if no integrity protection is present in the encrypted input. To protect SEIPDv1 encrypted messages, SED packets must not be allowed in decryption.


Compare Source


  • Add helper.QuickCheckDecrypt function to the helper package. The function allows to check with high probability if a session key can decrypt a SEIPDv1 data packet given its 24-byte prefix.


Compare Source

Update the underlying crypto library


Compare Source


  • Add mobile helpers for signature verification with contexts.


Compare Source

  • The SignatureVerificationError struct now has a Cause error field, which is returned by the the Unwrap function. The cause is also included in the error message. NB: If the caller was relying on the exact message of the error, it might break the flow.
  • When a signature fails verification because of the signature context, it returns a SignatureVerificationError with status constants.SIGNATURE_BAD_CONTEXT instead of constants.SIGNATURE_FAILED.


  • Add api for signature context on streams SignDetachedStreamWithContext.
  • Add API for signature context on embedded signatures.


  • When verifying detached signatures, gopenpgp sometimes needs to reattempt verification a second time to check for edge cases of signature expiration. This logic was broken because it was not rewinding the data readers.


Compare Source

Security fix
  • Update and to fix panic on invalid inputs.

v2.6.0: Release version 2.6.0

Compare Source

  • API for adding context to detached signatures:
    sig, err := keyRing.SignDetachedWithContext(message, context)
  • API to verify the context of detached signatures:
    err := keyRing.VerifyDetachedWithContext(message, signature, verifyTime, verificationContext)
  • Update to the latest version
  • More strictly verify detached signatures: reject detached signatures from revoked and expired keys.
  • In GetVerifiedSignatureTimestamp, use the new VerifyDetachedSignatureAndHash function to get the verified signature, instead of parsing the signature packets manually to get the timestamp.
  • Upgraded dependency to v0.7.0

v2.5.2: Release version 2.5.2

Compare Source


  • Update to the latest version

v2.5.1: Release version 2.5.1

Compare Source

  • Streaming API to encrypt with compression:
    • func (keyRing *KeyRing) EncryptStreamWithCompression
    • func (keyRing *KeyRing) EncryptSplitStreamWithCompression
    • func (sk *SessionKey) EncryptStreamWithCompression


📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited by renovate

Merge request reports