VerifyRevocationSignature is misnamed

ProtonMail / go-crypto

Fork of go/x/crypto, providing an up-to-date OpenPGP implementation

https://pkg.go.dev/github.com/ProtonMail/go-crypto

BSD 3-Clause "New" or "Revised" License

328 stars 99 forks source link

VerifyRevocationSignature is misnamed #189

Closed andrewgdotcom closed 9 months ago

andrewgdotcom commented 9 months ago

(PublicKey)VerifyRevocationSignature appears also to be able to verify any direct signature. Is this intentional? And can I rely on it always working for direct certifications? :-)

lubux commented 9 months ago

Hi, good question. Yes, it should work since direct-key signatures are computed on the same hash of the key to be signed, and the signature types are not checked. The next update of the go-crypto library includes a dedicated function to verify direct-key signatures although the logic is the same.

andrewgdotcom commented 9 months ago

Thanks, that's what it looked like from the code but I wanted to make sure it wouldn't unexpectedly break at some point in the future if I relied upon it. :-)