chore(deps): update go dependencies to v1 (major) #397

Open: wants to merge 1 commit into base: main

@red-hat-konflux red-hat-konflux bot commented Jun 8, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/ProtonMail/go-crypto | indirect | major | v0.0.0-20230923063757-afb1ddc0824c -> v1.3.0 |
| github.com/golang/snappy | indirect | major | v0.0.4 -> v1.0.0 |
| github.com/imdario/mergo | indirect | major | v0.3.16 -> v1.0.2 |
| github.com/sigstore/sigstore-go | require | major | v0.7.2 -> v1.0.0 |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

ProtonMail/go-crypto (github.com/ProtonMail/go-crypto)

v1.3.0

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.2.0...v1.3.0

v1.3.0-proton

This release is v1.3.0 with support for the following non-standardized features:

v1.2.0

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.6...v1.2.0

v1.2.0-proton

What's Changed

This release is v1.2.0 with support for the following non-standardized features:

v1.1.6

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.5...v1.1.6

v1.1.6-proton

What's Changed

This release is v1.1.6 with support for the following non-standardized features:

v1.1.5

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.4...v1.1.5

v1.1.5-proton

What's Changed

This release is v1.1.5 with support for the following non-standardized features:

v1.1.4

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.3...v1.1.4

v1.1.4-proton

What's Changed

This release is v1.1.4 with support for the following non-standardized features:

v1.1.3

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.2...v1.1.3

v1.1.3-proton.2

What's Changed

This release is v1.1.3 with support for the following non-standardized features:

Patches v1.1.3-proton.1:

  • Update PQC ML-KEM key combiner to latest draft version.

v1.1.3-proton.1

What's Changed

This release is v1.1.3 with support for the following non-standardized features:

Patches v1.1.3-proton:

  • Marked forwarding key should not be usable in encryption.

v1.1.3-proton

What's Changed

This release is v1.1.3 with support for the following non-standardized features:

v1.1.2

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.1...v1.1.2

v1.1.2-proton

What's Changed

This release is v1.1.2 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

v1.1.1

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.0...v1.1.1

v1.1.1-proton

What's Changed

This release is v1.1.1 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

v1.1.0

What's Changed

This release adds full support for the new version of the OpenPGP standard, RFC 9580. In addition, the release introduces an improved non-backwards compatible v2 API. The API in the openpgp package remains fully backwards compatible while the new v2 API is located in a separate v2 package in openpgp.

For the full changes since v1.0.0, see the previous release notes. For the full changelog, see ProtonMail/go-crypto@v1.0.0...v1.1.0.

Changes since v1.1.0-beta.0:

  • Replace expiring curve448 integration test vector by @lubux
  • Validate input key size in SEIPDv2 decryption by @lubux

Changelog since v1.1.0-beta.0: ProtonMail/go-crypto@v1.1.0-beta.0...v1.1.0.

v1.1.0-proton

What's Changed

This release is v1.1.0 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

v1.1.0-beta.0-proton

This pre-release is v1.1.0-beta.0 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

v1.1.0-beta.0

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.0-alpha.5...v1.1.0-beta.0

v1.1.0-alpha.5-proton

This pre-release is v1.1.0-alpha.5 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

v1.1.0-alpha.5

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.0-alpha.4...v1.1.0-alpha.5

v1.1.0-alpha.4-proton

This pre-release is v1.1.0-alpha.4 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

v1.1.0-alpha.4

What's Changed

Full Changelog: ProtonMail/go-crypto@v1.1.0-alpha.3...v1.1.0-alpha.4

v1.1.0-alpha.3-proton

This pre-release is v1.1.0-alpha.3 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

v1.1.0-alpha.3

What's Changed

  • New functions to verify signature hash tags
  • Allow parsing certifications explicitly marked as exportable
  • Sorting signature sub-packets by their ID when serializing
  • Mark creation time, issuer key ID, and key flag signature sub-packets as critical
  • When AEAD is in use, the session key length is now determined by the cipher specified in the AEAD preference.

Full Changelog: v1.1.0-alpha.2...v1.1.0-alpha.3

v1.1.0-alpha.2-proton

v1.1.0-alpha.2

v1.1.0-alpha.1-proton

This pre-release is v1.1.0-alpha.1 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

v1.1.0-alpha.1

What's Changed

Removes the openpgp.VerifyDetachedSignatureAndSaltedHash function and the packet.SaltedHashSpecifier as they are no longer required. They were introduced for verifying the headers in cleartext messages. However, in the latest crypto-refresh specification, cleartext message headers were dropped.

Full Changelog: v1.1.0-alpha.0...v1.1.0-alpha.1

v1.1.0-alpha.0-proton

This pre-release is v1.1.0-alpha.0 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

v1.1.0-alpha.0

What's Changed

This major pre-release adds full support for the OpenPGP crypto refresh. In addition, the pre-release introduces an improved non-backwards compatible v2 API. The API in the openpgp package remains fully backwards compatible while the new v2 API is located in a separate v2 package in openpgp.

Full Changelog: v1.0.0...v1.1.0-alpha.0

V2 API

Import

The v2 API can be imported as:

    import openpgp "github.com/ProtonMail/go-crypto/openpgp/v2"

V2 API Breaking Changes

openpgp.v2.Entity struct fields have changed:

  • SelfSignature *packet.Signature removed
  • Signatures []*packet.Signature removed
  • DirectSignatures []*packet.VerifiableSignature added
  • Revocations []*packet.VerifiableSignature changed type

Methods of openpgp.v2.Entity that changed:

  • PrimaryIdentity(date time.Time) now requires a time argument.
  • EncryptionKey(date time.Time, config *packet.Config) now requires a new config argument.
  • CertificationKey(date time.Time, config *packet.Config) now requires a new config argument.
  • CertificationKeyById(date time.Time, id uint64, config *packet.Config) now requires a new config argument.
  • SigningKey(date time.Time, config *packet.Config) now requires a new config argument.
  • SigningKeyById(date time.Time, id uint64, config *packet.Config) now requires a new config argument.
  • Revoke(reason packet.ReasonForRevocation, reasonText string, config *packet.Config) is renamed to RevokeKey.

Removed methods of openpgp.v2.Entity:

  • RevokeSubkey(...) is replaced by (Subkey).Revoke(...)

openpgp.v2.Subkey struct fields have changed:

  • Sig *packet.Signature removed
  • Bindings []*packet.VerifiableSignature added
  • Primary *Entity added, pointing to the primary key.
  • Revocations []*packet.VerifiableSignature changed type

Methods of openpgp.v2.Subkey that changed:

  • Revoked(selfCertification *packet.Signature, date time.Time) now requires a selfCertification argument.

openpgp.v2.Identity struct fields have changed:

  • SelfSignature *packet.Signature removed
  • Signatures []*packet.Signature removed
  • SelfCertifications []*packet.VerifiableSignature added
  • OtherCertifications []*packet.VerifiableSignature added
  • Primary *Entity added, pointing to the primary key.
  • Revocations []*packet.VerifiableSignature changed type

Methods of openpgp.v2.Identity that changed:

  • Revoked(selfCertification *packet.Signature, date time.Time) now requires a selfCertification argument.

openpgp.v2.Key struct fields have changed:

  • PrimarySelfSignature *packet.Signature added, pointing to the selected self signature of the primary key.
  • Revocations []*packet.VerifiableSignature changed type

Interface openpgp.v2.KeyRing has changed:

  • KeysByIdUsage(...) removed
  • DecryptionKeys(...) removed
  • EntitiesById(id uint64) []*Entity added. This is the main internal method to access keys from the keyring now.

openpgp.v2.FileHints struct field has changed:

  • IsBinary removed and IsUTF8 added

API changes in openpgp.v2 for reading messages:

  • VerifyDetachedSignatureAndHash(...) removed; headers in clearsigned messages are no longer checked.
  • VerifyDetachedSignatureAndSaltedHash(...) removed
  • CheckDetachedSignature(...) removed; call VerifyDetachedSignature(...) instead
  • CheckDetachedSignatureAndSaltedHash(...) removed
  • CheckDetachedSignatureAndHash(...) removed
  • CheckArmoredDetachedSignature removed; call VerifyArmoredDetachedSignature instead

API changes in openpgp.v2 for writing messages:

  • DetachSign(..., signers []*Entity,...) now requires a slice of entities instead of a single entity as an argument.
  • ArmoredDetachSign(..., signers []*Entity, ..., params *SignParams) now requires a slice of entities instead of a single entity as an argument and replaces arguments with a SignParams object.
  • DetachSignText(..., signers []*Entity,...) now requires a slice of entities instead of a single entity as an argument.
  • ArmoredDetachSignText(..., signers []*Entity,...) now requires a slice of entities instead of a single entity as an argument.
  • EncryptText(...) removed; call EncryptWithParams(...) instead
  • EncryptSplit(...) removed; call EncryptWithParams(...) instead
  • EncryptTextSplit(...) removed; call EncryptWithParams(...) instead
  • Encrypt(..., toHidden []*Entity, signers []*Entity) now takes an additional toHidden recipients argument and requires a slice of signer entities instead of a single entity as an argument.
  • Sign(..., signers []*Entity,...) now requires a slice of entities instead of a single entity as an argument.

Features

Intended Recipients

Version 2 of the ProtonMail/go-crypto library introduces a feature for including the recipients' key fingerprints in signatures during message encryption. When encrypting and signing a message, the intended recipients are automatically included in the signature unless specifically hidden (i.e., hidden recipients). During the decryption process, if the signature contains intended recipients and the appropriate configuration flag is set, the library verifies whether the primary ID of the decryption key is present in the recipient list. This check can be disabled in the config when a hidden recipient decrypts the message.

Multi-signature Support

In previous iterations of ProtonMail/go-crypto, only a single signature creation and verification were supported in a PGP message. However, in Version 2, the library introduces the ability to sign messages with multiple signatures using different keys, such as a v4 and a v6 key. The encryption and signing methods now accept multiple signing keys as arguments, with each key designated for a specific signature. When reading PGP messages with Version 2, the library maintains an internal state for each known signature and verifies all of them within the message. To facilitate this functionality, the message details struct includes a new field that stores the verification state for each signature. A message is considered valid if at least one of the signatures successfully validates without any errors. For callers, the process of checking for signature errors remains similar to previous versions. However, if the caller requires the verification state of all signatures, they can utilize the new field in the message details struct.

Rework of How Signatures in Keys and Signatures are Verified

In previous iterations of ProtonMail/go-crypto, key verification occurred during import based on the current time, while signature verification did not involve further key checks. However, this approach had limitations, as invalid keys could have been valid at the time of signature creation and mistakenly considered invalid. Version 2 changes how and when signatures are verified in keys (i.e., direct-signatures, self-signatures of userids, binding signatures in subkeys, revocations, etc). Unlike before, key signature verification no longer takes place during parsing. Instead, keys are now validated when they are utilized, following a similar approach to key handling in OpenPGP.js. Additionally, all signatures and expirations are validated to adhere to the key lifecycle outlined in the RFC. The validity of keys can now be checked at different points in time, leading to the following specific modifications:

  • During entity parsing, key validity is not checked.
  • When used for encryption or signing, keys are verified using the current time during the writing process.
  • During reading, the library verifies that each verification key was valid at the time of signature creation.
  • A clear separation is maintained between Entity, Subkey, Identity, and their respective validation methods.
  • Signature verification results are cached and reused to optimize computation.

Further, version 2 includes various small improvements to increase the robustness of the key parsing functions.

Weak Algorithm Rejection

Version 2 introduces the option to specify weak algorithms for signatures in the config. Signatures that use weak algorithms are considered invalid.

Optional Packet Sequence Checker

Version 2 introduces a new feature that enables the validation of packet sequences in PGP messages. This functionality can be enabled in the config struct. In particular, it implements the pushdown automata (PDA) from PGPainless, developed by Paul Schaub. By leveraging this feature, users can ensure that the packet sequences in their PGP messages are valid and comply with the required structure. This addition further enhances the overall reliability and security of PGP message handling in Version 2.

Session Key Encryption and Decryption

Version 2 allows advanced users to retrieve the session key while encrypting a message by setting the respective flag in the config. In decryption, a caller can provide a session key that should be used for decryption.

Unify Write/Read API

Version 2 improves the compatibility between different APIs to allow combinations. The DetachSign function requires the caller to provide a Reader for the message, while encrypt returns a WriteCloser to which the message is written. The new version adds a function DetachSignWriter, which returns a WriteCloser similar to the encryption API. On the reading side, the verify detached signature API now relies on the same signature verification logic as the other read functions. Additionally, a new VerifyDetachedSignatureReader method similar to the ReadMessage API is introduced. It returns a message details struct that, once read, verifies the signature. This allows chaining different readers from the API, for example, to have a streaming API for encrypted detached signatures.

Params Struct as a Function Argument in the Write API

With the inclusion of new features, the write functions in go-crypto experienced significant growth in numbers. Each combination has its dedicated function. Version 2 introduces an EncryptWithParams/SignWithParams function that takes an EncryptParams/SignParams struct as an argument. The struct allows configuring the different features. This approach effectively reduces the number of API methods and simplifies the process of adding new features while maintaining compatibility with previous versions.

Others

  • Disable armor checksum on default armor.Encode method
  • Make unarmor more robust to empty header values
  • Allow key generation of v6 keys without an Identity
  • Allow compression in inline signed messages
  • Consider key preferences in detached signatures
  • Only compare time at a second granularity
  • Signal if the tag is not verified on close in AEAD decryption
  • Ensure that critical unknown packet tags result in message rejection
  • Ensure that decompression streams are closed and that the packet is completely read
  • Ensure that entity parsing does not reject keys with unknown subkeys
  • Check for known curves early when parsing ECDSA and ECDH keys
  • Skip signatures with the wrong type while parsing an entity
  • Support for signatures that appear in front of the data
  • Change file hints field IsBinary to IsUTF8

v1.0.0: Initial release

First tagged release.

golang/snappy (github.com/golang/snappy)

v1.0.0

Latest stable version, as of March 2025.

imdario/mergo (github.com/imdario/mergo)

v1.0.2

What's Changed

  • Drops gopkg.in/yaml.v3, only used for loading fixtures. Thanks @trim21 for bringing to my attention (#262) that this library is no longer maintained.

Full Changelog: darccio/mergo@v1.0.1...v1.0.2

v1.0.1

What's Changed

New Contributors

Full Changelog: darccio/mergo@v1.0.0...v1.0.1

v1.0.0: 1.0.0 released with new module URL: dario.cat/mergo

This PR is a release containing 0.3.15 features but changing the module URL to dario.cat/mergo.

What's Changed

Full Changelog: darccio/mergo@v0.3.16...v1.0.0

sigstore/sigstore-go (github.com/sigstore/sigstore-go)

v1.0.0

We're very excited to release sigstore-go 1.0! View the blog post announcing this release for more details.

This release should contain the last set of breaking changes until version 2.0, including a few renames (such as SignedEntityVerifier -> Verifier and VerifyTimestampAuthority -> VerifySignedTimestamp). We are excited to begin a new phase of simple, stable APIs!

What's Changed

Full Changelog: sigstore/sigstore-go@v0.7.3...v1.0.0

v0.7.3

Note: v0.7.3 will likely be the last release before v1.0.

What's Changed

Full Changelog: sigstore/sigstore-go@v0.7.2...v0.7.3


Configuration

📅 Schedule: Branch creation - "after 5am on sunday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.

This PR has been generated by MintMaker (powered by Renovate Bot).

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
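
The go-crypto notes quoted above ("Multi-signature Support" and "Rework of How Signatures in Keys and Signatures are Verified") describe two verification rules: a key is judged at the signature's creation time rather than at import time, and a message is accepted if at least one signature verifies, with a state kept per signature. The following is an added example, not code from this PR or from go-crypto; it models both rules with standard-library Ed25519 only, and the names Key, Sig, VerifyAll and Demo, the key lifetimes and the message are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"time"
)

// Key is a simplified stand-in for an OpenPGP key; only creation and expiry are modeled.
type Key struct {
	Pub              ed25519.PublicKey
	Created, Expires time.Time
}

// ValidAt reports whether t falls inside the key's lifetime.
func (k Key) ValidAt(t time.Time) bool {
	return !t.Before(k.Created) && t.Before(k.Expires)
}

// Sig carries its creation time, which is covered by the signature itself.
type Sig struct {
	KeyID   string
	Created time.Time
	Raw     []byte
}

// signedBytes prefixes the message with the signature creation time (assumed layout).
func signedBytes(msg []byte, created time.Time) []byte {
	buf := make([]byte, 8, 8+len(msg))
	binary.BigEndian.PutUint64(buf, uint64(created.Unix()))
	return append(buf, msg...)
}

func Sign(priv ed25519.PrivateKey, id string, msg []byte, at time.Time) Sig {
	return Sig{KeyID: id, Created: at, Raw: ed25519.Sign(priv, signedBytes(msg, at))}
}

// VerifyAll checks every signature, judging each key at that signature's creation time.
// It returns one state per signature (nil means verified) and accepts if any verified.
func VerifyAll(ring map[string]Key, msg []byte, sigs []Sig) (bool, []error) {
	states := make([]error, len(sigs))
	ok := false
	for i, s := range sigs {
		k, found := ring[s.KeyID]
		switch {
		case !found:
			states[i] = fmt.Errorf("unknown key %s", s.KeyID)
		case !k.ValidAt(s.Created):
			states[i] = fmt.Errorf("key %s not valid at signature time", s.KeyID)
		case !ed25519.Verify(k.Pub, signedBytes(msg, s.Created), s.Raw):
			states[i] = fmt.Errorf("bad signature from key %s", s.KeyID)
		default:
			ok = true
		}
	}
	return ok, states
}

func date(y int) time.Time { return time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC) }

// Demo runs a constructed scenario: both signatures are dated 2022, "now" is 2025.
func Demo() (validNow, msgOK bool, states []error, tamperedOK bool) {
	privA := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	privB := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	ring := map[string]Key{
		"A": {privA.Public().(ed25519.PublicKey), date(2020), date(2023)}, // expired by 2025
		"B": {privB.Public().(ed25519.PublicKey), date(2024), date(2030)}, // created after the signature
	}
	msg := []byte("release-manifest")
	sigs := []Sig{Sign(privA, "A", msg, date(2022)), Sign(privB, "B", msg, date(2022))}
	validNow = ring["A"].ValidAt(date(2025)) // what a check against the current time would see
	msgOK, states = VerifyAll(ring, msg, sigs)
	tamperedOK, _ = VerifyAll(ring, []byte("release-manifest!"), sigs)
	return
}

func main() { fmt.Println(Demo()) }
```

Key A fails a check against the current time yet its 2022 signature still verifies, while key B's signature is rejected because it predates the key's creation.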

sourcery-ai bot commented Jun 8, 2025

Reviewer's Guide

This PR majorly upgrades four indirect Go module dependencies to their v1 releases by updating version constraints in go.mod and regenerating go.sum.

Updated Class Diagram for openpgp.v2.Entity in ProtonMail/go-crypto

classDiagram
  class Entity {
    <<openpgp.v2.Entity>>
    +DirectSignatures []*packet.VerifiableSignature
    +Revocations []*packet.VerifiableSignature
    +PrimaryIdentity(date time.Time)
    +EncryptionKey(date time.Time, config *packet.Config)
    +CertificationKey(date time.Time, config *packet.Config)
    +CertificationKeyById(date time.Time, id uint64, config *packet.Config)
    +SigningKey(date time.Time, config *packet.Config)
    +SigningKeyById(date time.Time, id uint64, config *packet.Config)
    +RevokeKey(reason packet.ReasonForRevocation, reasonText string, config *packet.Config)
  }

Updated Class Diagram for openpgp.v2.Subkey in ProtonMail/go-crypto

classDiagram
  class Subkey {
    <<openpgp.v2.Subkey>>
    +Bindings []*packet.VerifiableSignature
    +Primary *Entity
    +Revocations []*packet.VerifiableSignature
    +Revoked(selfCertification *packet.Signature, date time.Time)
  }
  class Entity {
    <<openpgp.v2.Entity>>
    // Definition as in other diagram
  }
  Subkey --|> Entity : Primary

Updated Class Diagram for openpgp.v2.Identity in ProtonMail/go-crypto

classDiagram
  class Identity {
    <<openpgp.v2.Identity>>
    +SelfCertifications []*packet.VerifiableSignature
    +OtherCertifications []*packet.VerifiableSignature
    +Primary *Entity
    +Revocations []*packet.VerifiableSignature
    +Revoked(selfCertification *packet.Signature, date time.Time)
  }
  class Entity {
    <<openpgp.v2.Entity>>
    // Definition as in other diagram
  }
  Identity --|> Entity : Primary

Updated Class Diagram for openpgp.v2.Key in ProtonMail/go-crypto

classDiagram
  class Key {
    <<openpgp.v2.Key>>
    +PrimarySelfSignature *packet.Signature
    +Revocations []*packet.VerifiableSignature
  }

Updated Class Diagram for openpgp.v2.FileHints in ProtonMail/go-crypto

classDiagram
  class FileHints {
    <<openpgp.v2.FileHints>>
    +IsUTF8 bool
  }

Class Diagram for sigstore/sigstore-go: SignedEntityVerifier Renamed to Verifier

classDiagram
  class Verifier {
    <<sigstore.Verifier>>
    // New verifier interface/type
    // Specific methods not detailed in PR description
  }
  class SignedEntityVerifier {
    <<sigstore.SignedEntityVerifier (deprecated)>>
    // Old verifier interface/type, now deprecated
  }

File-Level Changes

Change: Update indirect Go module dependencies to their v1.x versions

Details:
  • Bump github.com/sigstore/sigstore-go from v0.7.2 to v1.0.0
  • Upgrade github.com/ProtonMail/go-crypto from v0.0.0-20230923063757-afb1ddc0824c to v1.3.0
  • Update github.com/golang/snappy from v0.0.4 to v1.0.0
  • Update github.com/imdario/mergo from v0.3.16 to v1.0.2

Files: go.mod, go.sum
