revert from github.com/ProtonMail/go-crypto to golang.org/x/crypto/openpgp

The ProtonMail fork has removed support for v3 signatures, which is a
reasonable choice for modern libraries since v4 and v5 signatures are
much more secure, but lots of SLES 12 repos have old v3 signatures, so
we need to continue supporting those for the rest of SLES 12's lifecycle.

In a related change, we now also cache expired keys. The signatures on
mny of these SLES 12 repos were made with expired keys, but since the
signature was made before the key expired, the signature is still fine.

/cc @talal

Author: majewsky

go.mod

@@ -3,13 +3,13 @@ module github.com/sapcc/swift-http-import
 go 1.16
 
 require (
-	github.com/ProtonMail/go-crypto v0.0.0-20210707164159-52430bf6b52c
 	github.com/cactus/go-statsd-client/v4 v4.0.0
 	github.com/gophercloud/gophercloud v0.17.0
 	github.com/gophercloud/utils v0.0.0-20210323225332-7b186010c04f
 	github.com/majewsky/schwift v1.0.0
 	github.com/sapcc/go-bits v0.0.0-20210518135053-8a9465bb1339
 	github.com/ulikunitz/xz v0.5.10
+	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
 	golang.org/x/net v0.0.0-20210525063256-abc453219eb5
 	gopkg.in/yaml.v2 v2.4.0
 	pault.ag/go/debian v0.11.0

go.sum

@@ -1,5 +1,3 @@
-github.com/ProtonMail/go-crypto v0.0.0-20210707164159-52430bf6b52c h1:FP7mMdsXy0ybzar1sJeIcZtaJka0U/ZmLTW4wRpolYk=
-github.com/ProtonMail/go-crypto v0.0.0-20210707164159-52430bf6b52c/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -108,8 +106,8 @@ golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
-golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 h1:/UOmuWzQfxxo9UtlXMwuQU8CMgg1eZXqTRwkSQJWKOI=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -129,6 +127,7 @@ golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

pkg/util/gpg.go

@@ -30,14 +30,13 @@ import (
 	"regexp"
 	"strings"
 	"sync"
-	"time"
 
-	"github.com/ProtonMail/go-crypto/openpgp"
-	"github.com/ProtonMail/go-crypto/openpgp/armor"
-	"github.com/ProtonMail/go-crypto/openpgp/clearsign"
-	"github.com/ProtonMail/go-crypto/openpgp/packet"
 	"github.com/majewsky/schwift"
 	"github.com/sapcc/go-bits/logg"
+	"golang.org/x/crypto/openpgp"
+	"golang.org/x/crypto/openpgp/armor"
+	"golang.org/x/crypto/openpgp/clearsign"
+	"golang.org/x/crypto/openpgp/packet"
 )
 
 //GPGKeyRing contains a list of openpgp Entities. It is used to verify different
@@ -74,12 +73,9 @@ func NewGPGKeyRing(cntr *schwift.Container, keyserverURLPatterns []string) *GPGK
 				return err
 			}
 			for _, e := range el {
-				//Don't import expired keys.
-				if !e.PrimaryKey.KeyExpired(e.PrimaryIdentity().SelfSignature, time.Now().UTC()) {
-					entityList = append(entityList, e)
-					if LogIndividualTransfers {
-						logg.Info("reusing cached GPG key: %s", obj.FullName())
-					}
+				entityList = append(entityList, e)
+				if LogIndividualTransfers {
+					logg.Info("reusing cached GPG key: %s", obj.FullName())
 				}
 			}
 			return nil
@@ -140,11 +136,16 @@ func (k *GPGKeyRing) verifyGPGSignature(message []byte, signature *armor.Block)
 			return err
 		}
 
-		sig, ok := p.(*packet.Signature)
-		if !ok {
+		var issuerKeyID uint64
+		switch sig := p.(type) {
+		case *packet.Signature:
+			issuerKeyID = *sig.IssuerKeyId
+		case *packet.SignatureV3:
+			issuerKeyID = sig.IssuerKeyId
+		default:
 			return fmt.Errorf("invalid OpenPGP packet type: expected %q, got %T", "*packet.Signature", p)
 		}
-		issuerKeyID := *sig.IssuerKeyId
+
 		//only download the public key if not found in the existing key ring
 		k.Mux.RLock()
 		foundKeys := k.EntityList.KeysById(issuerKeyID)
@@ -170,7 +171,7 @@ func (k *GPGKeyRing) verifyGPGSignature(message []byte, signature *armor.Block)
 	}
 
 	k.Mux.RLock()
-	_, err = openpgp.CheckDetachedSignature(k.EntityList, bytes.NewReader(message), bytes.NewReader(signatureBytes), nil)
+	_, err = openpgp.CheckDetachedSignature(k.EntityList, bytes.NewReader(message), bytes.NewReader(signatureBytes))
 	k.Mux.RUnlock()
 
 	return err