ProtonMail · lubux · Aug 14, 2024 · Apr 6, 2023 · Apr 11, 2023 · Apr 17, 2023
diff --git a/.github/actions/build-gosop/action.yml b/.github/actions/build-gosop/action.yml
@@ -2,7 +2,6 @@ name: 'build-gosop'
 description: 'Build gosop from the current branch'
 
 inputs:
-
   gopenpgp-ref: 
     description: 'gopenpgp branch tag or commit to build from'
     required: true
@@ -21,6 +20,12 @@ runs:
       with:
         ref: ${{ inputs.gopenpgp-ref }}
         path: gopenpgp
+    - name: Set env
+      run: echo "GOSOP_BRANCH_REF=$(./.github/test-suite/determine_gosop_branch.sh)" >> $GITHUB_ENV
+      shell: bash
+    - name: Print gosop branch
+      run: echo ${{ env.GOSOP_BRANCH_REF}}
+      shell: bash
     # Build gosop
     - name: Set up latest golang
       uses: actions/setup-go@v3
@@ -30,6 +35,7 @@ runs:
       uses: actions/checkout@v3
       with:
         repository: ProtonMail/gosop
+        ref: ${{ env.GOSOP_BRANCH_REF}}
         path: gosop
     - name: Cache go modules
       uses: actions/cache@v3

diff --git a/.github/test-suite/build_gosop.sh b/.github/test-suite/build_gosop.sh
@@ -1,4 +1,6 @@
+VERSION=$(awk '/^module github.com\/ProtonMail\/gopenpgp\/v[0-9]+/ {print $NF}' gopenpgp/go.mod | awk -F'v' '{print $2}')
+
 cd gosop
-echo "replace github.com/ProtonMail/gopenpgp/v2 => ../gopenpgp" >> go.mod
-go get github.com/ProtonMail/gopenpgp/v2/crypto
+echo "replace github.com/ProtonMail/gopenpgp/v${VERSION} => ../gopenpgp" >> go.mod
+go get github.com/ProtonMail/gopenpgp/v${VERSION}/crypto
 go build .
diff --git a/.github/test-suite/config.json.template b/.github/test-suite/config.json.template
@@ -5,8 +5,8 @@
         "path": "__GOSOP_BRANCH__"
       },
       {
-        "id": "gosop-main",
-        "path": "__GOSOP_MAIN__"
+        "id": "gosop-target",
+        "path": "__GOSOP_TARGET__"
       },
       {
         "path": "__SQOP__"
@@ -17,10 +17,6 @@
       {
         "path": "__SOP_OPENPGPJS__"
       },
-      {
-        "id": "gosop-v2",
-        "path": "__GOSOP_V2__"
-      },
       {
         "path": "__RNP_SOP__"
       }

diff --git a/.github/test-suite/determine_gosop_branch.sh b/.github/test-suite/determine_gosop_branch.sh
@@ -0,0 +1,7 @@
+VERSION=$(awk '/^module github.com\/ProtonMail\/gopenpgp\/v[0-9]+/ {print $NF}' gopenpgp/go.mod | awk -F'v' '{print $2}')
+
+if [ "$VERSION" -eq 3 ]; then
+  echo "gosop-gopenpgp-v3"
+else
+  echo "main"
+fi
diff --git a/.github/test-suite/prepare_config.sh b/.github/test-suite/prepare_config.sh
@@ -1,13 +1,12 @@
 CONFIG_TEMPLATE=$1
 CONFIG_OUTPUT=$2
 GOSOP_BRANCH=$3
-GOSOP_MAIN=$4
+GOSOP_TARGET=$4
 cat $CONFIG_TEMPLATE \
     | sed "s@__GOSOP_BRANCH__@${GOSOP_BRANCH}@g" \
-    | sed "s@__GOSOP_MAIN__@${GOSOP_MAIN}@g" \
+    | sed "s@__GOSOP_TARGET__@${GOSOP_TARGET}@g" \
     | sed "s@__SQOP__@${SQOP}@g" \
     | sed "s@__GPGME_SOP__@${GPGME_SOP}@g" \
-    | sed "s@__SOP_OPENPGPJS__@${SOP_OPENPGPJS}@g" \
-    | sed "s@__GOSOP_V2__@${GOSOP_DIR_V2}/gosop@g" \
+    | sed "s@__SOP_OPENPGPJS__@${SOP_OPENPGPJS_V2}@g" \
     | sed "s@__RNP_SOP__@${RNP_SOP}@g" \
     > $CONFIG_OUTPUT
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
@@ -4,12 +4,12 @@ on:
   push:
     branches: [ main ]
   pull_request:
-    branches: [ main ]
+    branches: [ main, v3 ]
 
 jobs:
   build:
     name: Build library for Android with gomobile
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
 
     steps:
     - name: Set up JDK 1.8

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -4,7 +4,7 @@ on:
   push:
     branches: [ main ]
   pull_request:
-    branches: [ main ]
+    branches: [ main, v3 ]
 
 jobs:
   test:
@@ -36,7 +36,7 @@ jobs:
 
     - name: Test
       run: go test -v -race ./...
-
+      
   lint:
     name: Lint
     runs-on: ubuntu-latest
@@ -48,4 +48,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.50.1
+          version: v1.54.2
diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml
@@ -4,18 +4,18 @@ on:
   push:
     branches: [ main ]
   pull_request:
-    branches: [ main ]
+    branches: [ main, v3 ]
 
 jobs:
   build:
     name: Build library for iOS with gomobile
     runs-on: macos-latest
 
     steps:
-      - name: Set up xcode 14.2
+      - name: Set up xcode 14.3
         uses: maxim-lobanov/setup-xcode@v1
         with:
-          xcode-version: 14.2
+          xcode-version: 14.3
         id: xcode
 
       - name: Set up Go 1.x
@@ -31,9 +31,6 @@ jobs:
         env:
           platform: ${{ 'iOS Simulator' }}
         run: |
-          for d in $ANDROID_NDK_HOME/../23*; do
-            ANDROID_NDK_HOME=$d
-          done
           ./build.sh apple
           find dist
 

diff --git a/.github/workflows/sop-test-suite.yml b/.github/workflows/sop-test-suite.yml
@@ -2,7 +2,7 @@ name: SOP interoperability test suite
 
 on:
   pull_request:
-    branches: [ main ]
+    branches: [ main, v3 ]
 
 jobs:
 
@@ -23,49 +23,49 @@ jobs:
           name: gosop-${{ github.sha }}
           path: ./gosop-${{ github.sha }}
 
-  build-gosop-main:
-    name: Build gosop from main
+  build-gosop-target:
+    name: Build gosop from target
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
       - name: Build gosop from branch
         uses: ./.github/actions/build-gosop
         with: 
-          gopenpgp-ref: main
-          binary-location: ./gosop-main
+          gopenpgp-ref: ${{ github.base_ref }}
+          binary-location: ./gosop-target
       # Upload as artifact
-      - name: Upload gosop-main artifact
+      - name: Upload gosop-target artifact
         uses: actions/upload-artifact@v3
         with:
-          name: gosop-main
-          path: ./gosop-main
+          name: gosop-target
+          path: ./gosop-target
 
 
   test-suite:
     name: Run interoperability test suite
     runs-on: ubuntu-latest
     container: 
-      image: ghcr.io/protonmail/openpgp-interop-test-docker:v1.1.4
+      image: ghcr.io/protonmail/openpgp-interop-test-docker:v1.1.7
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.github_token }}
     needs: 
       - build-gosop
-      - build-gosop-main
+      - build-gosop-target
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-      # Fetch gosop from main
-      - name: Download gosop-main
+      # Fetch gosop from target
+      - name: Download gosop-target
         uses: actions/download-artifact@v3
         with:
-          name: gosop-main
-      # Test gosop-main
-      - name: Make gosop-main executable
-        run: chmod +x gosop-main
-      - name: Print gosop-main version
-        run: ./gosop-main version --extended
+          name: gosop-target
+      # Test gosop-target
+      - name: Make gosop-target executable
+        run: chmod +x gosop-target
+      - name: Print gosop-target version
+        run: ./gosop-target version --extended
       # Fetch gosop from branch
       - name: Download gosop-branch
         uses: actions/download-artifact@v3
@@ -80,7 +80,7 @@ jobs:
         run: ./gosop-branch version --extended
       # Run test suite
       - name: Prepare test configuration
-        run: ./.github/test-suite/prepare_config.sh $CONFIG_TEMPLATE $CONFIG_OUTPUT $GITHUB_WORKSPACE/gosop-branch $GITHUB_WORKSPACE/gosop-main
+        run: ./.github/test-suite/prepare_config.sh $CONFIG_TEMPLATE $CONFIG_OUTPUT $GITHUB_WORKSPACE/gosop-branch $GITHUB_WORKSPACE/gosop-target
         env:
          CONFIG_TEMPLATE: .github/test-suite/config.json.template
          CONFIG_OUTPUT: .github/test-suite/config.json
@@ -104,8 +104,8 @@ jobs:
           name: test-suite-results.html
           path: .github/test-suite/test-suite-results.html
 
-  compare-with-main:
-    name: Compare with main
+  compare-with-target:
+    name: Compare with target
     runs-on: ubuntu-latest
     needs: test-suite
     steps:
@@ -117,9 +117,9 @@ jobs:
         with:
           name: test-suite-results.json
       - name: Compare with baseline
-        uses: ProtonMail/openpgp-interop-test-analyzer@5d7f4b6868ebe3bfc909302828342c461f5f4940
+        uses: ProtonMail/openpgp-interop-test-analyzer@v2.0.0
         with: 
           results: ${{ steps.download-test-results.outputs.download-path }}/test-suite-results.json
           output: baseline-comparison.json
-          baseline: gosop-main
+          baseline: gosop-target
           target: gosop-branch
diff --git a/.gitignore b/.gitignore
@@ -7,4 +7,4 @@ vendor
 *.html
 reports
 .idea
-v2
+v3
diff --git a/.golangci.yml b/.golangci.yml
@@ -4,11 +4,11 @@ linters-settings:
       - BUG
       - FIXME
   funlen:
-    lines: 100
+    lines: 150
     statements: 80
   cyclop:
     # the minimal code complexity to report
-    max-complexity: 20
+    max-complexity: 26
   gocognit:
     min-complexity: 45
 
@@ -18,6 +18,19 @@ issues:
     - Using the variable on range scope `tt` in function literal
     - GetJsonSHA256Fingerprints should be GetJSONSHA256Fingerprints
     - ST1003  # CamelCase variables; see constants/cipher.go
+    - missing output for example, go test can't validate it
+    - variable 'hasExpiredEntity' is only used in the if-statement
+  exclude-rules:
+    - path: crypto/key_clear.go
+      text: "SA1019"
+    - path: crypto/crypto_example_test.go
+      text: "G101: Potential hardcoded credentials"
+    - path: crypto/encrypt_decrypt_test.go
+      text: "Using the variable on range scope"
+    - path: crypto/encrypt_decrypt_err_test.go
+      text: "Using the variable on range scope"
+    - path: crypto/sign_verify_test.go
+      text: "Using the variable on range scope"
 
 linters:
   enable-all: true
@@ -47,4 +60,6 @@ linters:
     - forcetypeassert   # Forces to assert types in tests
     - nonamedreturns    # Disallows named returns
     - exhaustruct       # Forces all structs to be named
-    - nosnakecase       # Disallows snake case 
+    - nosnakecase       # Disallows snake case 
+    - depguard
+    - nestif
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,8 +4,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [2.8.0-alpha.1] 2024-04-09
+## [3.0.0-alpha.4] 2024-07-18
+### Changed
+- Update go-crypto to `1.1.0-alpha.4`.
+- Remove logic to get a profile by name. 
+- Reduce preset profiles to `Default`, `RFC4880`, and `RFC9580`.
+- Update go-crypto to check signature details of binding signatures.
+
+## [3.0.0-alpha.3] 2024-06-25
+### Added
+- API to armor data with the option to remove the checksum 
+
+### Changed
+- All armor functions append a checksum per default for compatibility with certain libraries although the crypto-refresh advises not to. 
+- `Encryption` and `Sign` handle now append a checksum when armoring. If the produced OpenPGP packets are crypto-refresh packets, the checksum is not appended as mandated by the crypto-refresh.
 
+## [3.0.0-alpha.2] 2024-04-12
 ### Added
 - API to serialize KeyRings to binary data:
 	```go
@@ -15,15 +29,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 	```go
 	func NewKeyRingFromBinary(binKeys []byte) (*KeyRing, error)
 	```
+- API to a create/verify plaintext detached signatures on the encryption/decryption handle instead of just encrypted detached signatures.
 
-## [2.8.0-alpha.0] 2024-02-28
+## [3.0.0-alpha.1] 2024-03-20
+### Added
+- Allow to override algorithm in key generation
+- Always create a verification result on signature verification
 
-### Added 
-- Adds support for the OpenPGP crypto-refresh by updating the go-crypto dependency to `v1.1.0-alpha.1`.
-- Adapts the session key logic to handle PKESK/SKESK v6 packets without an algorithm attached
-- Updates the min go version to `1.17` as required by  go-crypto `v1.1.0-alpha.1`.
-- Update the cricl dependency to `1.3.7` matching go-crypto.
+### Changed
+- Update ProtonMail/go-crypto to 1.1.0-alpha.2
 
+## [3.0.0-alpha.0] 2024-01-18
+### Added
+- New simplified API that is not backward compatible.
+- Full support for the crypto refresh.
+- Improved interoperability with other OpenPGP libraries.
+- Streaming support for all operations.
+- Introduces profiles for OpenPGP customization.
+- More documentation and examples.
+
+### Changed
+- Mobile specific code is moved to the `mobile` package.
+- Mime specific code is moved to the `mime` package.
+- Replaces the go-crypto v1 API with the v2 API.
+
+### Removed
+- The `helper` package, use the crypto package with the new API instead.
+- `subtle` and `models` package.
+- Time management code for retrieving and setting timestamps.
 
 ## [2.7.5] 2023-31-01
 
@@ -50,7 +83,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Ensure that `(SessionKey).Decrypt` functions return an error if no integrity protection is present in the encrypted input. To protect SEIPDv1 encrypted messages, SED packets must not be allowed in decryption.
 
 ## [2.7.3] 2023-08-28
-## Added
+### Added
 - Add `helper.QuickCheckDecrypt` function to the helper package. The function allows to check with high probability if a session key can decrypt a SEIPDv1 data packet given its 24-byte prefix.
 
 ## [2.7.2] 2023-07-17