Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

golang: bump github.com/ProtonMail/gopenpgp/v2 from 2.5.2 to 2.7.4 #685

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 30, 2023

Bumps github.com/ProtonMail/gopenpgp/v2 from 2.5.2 to 2.7.4.

Release notes

Sourced from github.com/ProtonMail/gopenpgp/v2's releases.

Release v2.7.4

Fixed

  • Ensure that (SessionKey).Decrypt functions return an error if no integrity protection is present in the encrypted input. To protect SEIPDv1 encrypted messages, SED packets must not be allowed in decryption.

Release 2.7.4-proton

This release is 2.7.4 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

Release v2.7.3

Added

  • Add helper.QuickCheckDecrypt function to the helper package. The function allows to check with high probability if a session key can decrypt a SEIPDv1 data packet given its 24-byte prefix.

Release 2.7.3-proton

This release is 2.7.3 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

Release v2.7.2

Update the underlying crypto library

Release 2.7.2-proton

This release is 2.7.2 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

Release v2.7.1

Added

  • Add mobile helpers for signature verification with contexts.

Release v2.7.1-proton

This release is 2.7.1 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

Release v2.7.0

Changed

  • The SignatureVerificationError struct now has a Cause error field, which is returned by the the Unwrap function. The cause is also included in the error message. NB: If the caller was relying on the exact message of the error, it might break the flow.
  • When a signature fails verification because of the signature context, it returns a SignatureVerificationError with status constants.SIGNATURE_BAD_CONTEXT instead of constants.SIGNATURE_FAILED.

Added

  • Add api for signature context on streams SignDetachedStreamWithContext.
  • Add API for signature context on embedded signatures.

Fixed

  • When verifying detached signatures, gopenpgp sometimes needs to reattempt verification a second time to check for edge cases of signature expiration. This logic was broken because it was not rewinding the data readers.

Release v2.7.0-proton

This release is 2.7.0 with support for symmetric keys and automatic forwarding, both of which are not standardized yet.

Release v2.6.1

Security fix

  • Update github.com/ProtonMail/go-crypto and github.com/ProtonMail/go-mime to fix

... (truncated)

Changelog

Sourced from github.com/ProtonMail/gopenpgp/v2's changelog.

[2.7.4] 2023-10-27

Fixed

  • Ensure that (SessionKey).Decrypt functions return an error if no integrity protection is present in the encrypted input. To protect SEIPDv1 encrypted messages, SED packets must not be allowed in decryption.

[2.7.3] 2023-08-28

Added

  • Add helper.QuickCheckDecrypt function to the helper package. The function allows to check with high probability if a session key can decrypt a SEIPDv1 data packet given its 24-byte prefix.

[2.7.2] 2023-07-17

Changed

  • Updated underlying crypto library

Fixed

  • Ensure DecryptSessionKey returns an error for a missing key packet

[2.7.1] 2023-04-21

Added

  • Add mobile helpers for signature verification with contexts.

[2.7.0] 2023-04-14

Changed

  • The SignatureVerificationError struct now has a Cause error field, which is returned by the the Unwrap function. The cause is also included in the error message. NB: If the caller was relying on the exact message of the error, it might break the flow.
  • When a signature fails verification because of the signature context, it returns a SignatureVerificationError with status constants.SIGNATURE_BAD_CONTEXT instead of constants.SIGNATURE_FAILED.

Added

  • Add api for signature context on streams SignDetachedStreamWithContext.
  • Add API for signature context on embedded signatures.

Fixed

  • When verifying detached signatures, gopenpgp sometimes needs to reattempt verification a second time to check for edge cases of signature expiration. This logic was broken because it was not rewinding the data readers.

[2.6.1] 2023-03-22

Security fix

  • Update github.com/ProtonMail/go-crypto and github.com/ProtonMail/go-mime to fix panic on invalid inputs.

[2.6.0] 2023-03-15

Added

  • API for adding context to detached signatures:
    sig, err := keyRing.SignDetachedWithContext(message, context)
  • API to verify the context of detached signatures:
    err := keyRing.VerifyDetachedWithContext(message, signature, verifyTime, verificationContext)

... (truncated)

Commits
  • 02a4599 Prepare release 2.7.4 (#256)
  • da4cecf Update session key decryption to not allow SED packets (#255)
  • 0eace54 Release version 2.7.3 (#252)
  • 987923f Add quick check for session key decryption (#249)
  • b97d994 Release version 2.7.2 (#247)
  • ca02a21 Ensure DecryptSessionKey returns an error for a missing key packet (#245)
  • cf8b8d4 Update go-crypto
  • d37f4eb Merge pull request #237 from ProtonMail/feat/signature-context-mobile-helpers
  • 2cf7a8c Add mobile helpers to verify signature contexts.
  • 753a3fe Merge pull request #234 from ProtonMail/release-2.7.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Oct 30, 2023
@kr8n3r
Copy link

kr8n3r commented Jan 31, 2024

@dependabot recreate

Bumps [github.com/ProtonMail/gopenpgp/v2](https://github.com/ProtonMail/gopenpgp) from 2.5.2 to 2.7.4.
- [Release notes](https://github.com/ProtonMail/gopenpgp/releases)
- [Changelog](https://github.com/ProtonMail/gopenpgp/blob/main/CHANGELOG.md)
- [Commits](ProtonMail/gopenpgp@v2.5.2...v2.7.4)

---
updated-dependencies:
- dependency-name: github.com/ProtonMail/gopenpgp/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/ProtonMail/gopenpgp/v2-2.7.4 branch from fb06421 to 2ac65e5 Compare January 31, 2024 14:44
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 12, 2024

Superseded by #726.

@dependabot dependabot bot closed this Feb 12, 2024
@dependabot dependabot bot deleted the dependabot/go_modules/github.com/ProtonMail/gopenpgp/v2-2.7.4 branch February 12, 2024 13:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant