@protontech/openpgp 6.0.0-alpha.1.patch.1 → 6.0.0-beta.0.patch.0

package/dist/openpgp.js

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.0.0-alpha.1.patch.1 - 2024-03-11 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.0-beta.0.patch.0 - 2024-04-19 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 var openpgp = (function (exports) {
   'use strict';
 
@@ -1468,6 +1468,14 @@ var openpgp = (function (exports) {
      * @property {Boolean} aeadProtect
      */
     aeadProtect: false,
+    /**
+     * Whether to disable encrypton using SEIPDv2 even if the encryption keys include the SEIPDv2 feature flag.
+     * If true, SEIPDv1 (i.e. no AEAD) packets are always used instead.
+     * SEIPDv2 is a more secure and faster choice, but it is not necessarily compatible with other libs and our mobile apps.
+     * @memberof module:config
+     * @property {Boolean} ignoreSEIPDv2FeatureFlag
+     */
+    ignoreSEIPDv2FeatureFlag: false,
     /**
      * When reading OpenPGP v4 private keys (e.g. those generated in OpenPGP.js when not setting `config.v5Keys = true`)
      * which were encrypted by OpenPGP.js v5 (or older) using `config.aeadProtect = true`,
@@ -1580,11 +1588,6 @@ var openpgp = (function (exports) {
      * @property {Boolean} passwordCollisionCheck
      */
     passwordCollisionCheck: false,
-    /**
-     * @memberof module:config
-     * @property {Boolean} revocationsExpire If true, expired revocation signatures are ignored
-     */
-    revocationsExpire: false,
     /**
      * Allow decryption using RSA keys without `encrypt` flag.
      * This setting is potentially insecure, but it is needed to get around an old openpgpjs bug
@@ -1660,7 +1663,7 @@ var openpgp = (function (exports) {
      * @memberof module:config
      * @property {String} versionString A version string to be included in armored messages
      */
-    versionString: 'OpenPGP.js 6.0.0-alpha.1.patch.1',
+    versionString: 'OpenPGP.js 6.0.0-beta.0.patch.0',
     /**
      * @memberof module:config
      * @property {String} commentString A comment string to be included in armored messages
@@ -1680,6 +1683,14 @@ var openpgp = (function (exports) {
      * @property {Array} knownNotations
      */
     knownNotations: [],
+    /**
+     * If true, a salt notation is used to randomize signatures generated by v4 and v5 keys (v6 signatures are always non-deterministic, by design).
+     * This protects EdDSA signatures from potentially leaking the secret key in case of faults (i.e. bitflips) which, in principle, could occur
+     * during the signing computation. It is added to signatures of any algo for simplicity, and as it may also serve as protection in case of
+     * weaknesses in the hash algo, potentially hindering e.g. some chosen-prefix attacks.
+     * NOTE: the notation is interoperable, but will reveal that the signature has been generated using OpenPGP.js, which may not be desirable in some cases.
+     */
+    nonDeterministicSignaturesViaNotation: true,
     /**
      * Whether to use the the noble-curves library for curves (other than Curve25519) that are not supported by the available native crypto API.
      * When false, certain standard curves will not be supported (depending on the platform).
@@ -1710,14 +1721,7 @@ var openpgp = (function (exports) {
      * @memberof module:config
      * @property {Set<String>} rejectCurves {@link module:enums.curve}
      */
-    rejectCurves: new Set([enums.curve.secp256k1]),
-    /**
-     * Whether to validate generated EdDSA signatures before returning them, to ensure they are not faulty signatures.
-     * This check will make signing 2-3 times slower.
-     * Faulty signatures may be generated (in principle) if random bitflips occur at specific points in the signature
-     * computation, and could be used to recover the signer's secret key given a second signature over the same data.
-     */
-    checkEdDSAFaultySignatures: true
+    rejectCurves: new Set([enums.curve.secp256k1])
   };
 
   /**
@@ -2203,16 +2207,19 @@ var openpgp = (function (exports) {
     },
 
     /**
-     * Test email format based on W3C HTML5 specification.
-     * This check is not exaustive, and does not match RFC 5322 exactly
-     * (see https://html.spec.whatwg.org/multipage/input.html#email-state-(type=email)),
-     * but is commonly used for email address validation.
+     * Test email format to ensure basic compliance:
+     * - must include a single @
+     * - no control or space unicode chars allowed
+     * - no backslash and square brackets (as the latter can mess with the userID parsing)
+     * - cannot end with a punctuation char
+     * These checks are not meant to be exhaustive; applications are strongly encouraged to implement stricter validation,
+     * e.g. based on the W3C HTML spec (https://html.spec.whatwg.org/multipage/input.html#email-state-(type=email)).
      */
     isEmailAddress: function(data) {
       if (!util.isString(data)) {
         return false;
       }
-      const re = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+      const re = /^[^\p{C}\p{Z}@<>\\]+@[^\p{C}\p{Z}@<>\\]+[^\p{C}\p{Z}\p{P}]$/u;
       return re.test(data);
     },
 
@@ -2618,6 +2625,78 @@ var openpgp = (function (exports) {
     return result;
   }
 
+  /**
+   * Calculates a checksum over the given data and returns it base64 encoded
+   * @param {String | ReadableStream<String>} data - Data to create a CRC-24 checksum for
+   * @returns {String | ReadableStream<String>} Base64 encoded checksum.
+   * @private
+   */
+  function getCheckSum(data) {
+    const crc = createcrc24(data);
+    return encode$1(crc);
+  }
+
+  // https://create.stephan-brumme.com/crc32/#slicing-by-8-overview
+
+  const crc_table = [
+    new Array(0xFF),
+    new Array(0xFF),
+    new Array(0xFF),
+    new Array(0xFF)
+  ];
+
+  for (let i = 0; i <= 0xFF; i++) {
+    let crc = i << 16;
+    for (let j = 0; j < 8; j++) {
+      crc = (crc << 1) ^ ((crc & 0x800000) !== 0 ? 0x864CFB : 0);
+    }
+    crc_table[0][i] =
+      ((crc & 0xFF0000) >> 16) |
+      (crc & 0x00FF00) |
+      ((crc & 0x0000FF) << 16);
+  }
+  for (let i = 0; i <= 0xFF; i++) {
+    crc_table[1][i] = (crc_table[0][i] >> 8) ^ crc_table[0][crc_table[0][i] & 0xFF];
+  }
+  for (let i = 0; i <= 0xFF; i++) {
+    crc_table[2][i] = (crc_table[1][i] >> 8) ^ crc_table[0][crc_table[1][i] & 0xFF];
+  }
+  for (let i = 0; i <= 0xFF; i++) {
+    crc_table[3][i] = (crc_table[2][i] >> 8) ^ crc_table[0][crc_table[2][i] & 0xFF];
+  }
+
+  // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DataView#Endianness
+  const isLittleEndian$1 = (function() {
+    const buffer = new ArrayBuffer(2);
+    new DataView(buffer).setInt16(0, 0xFF, true /* littleEndian */);
+    // Int16Array uses the platform's endianness.
+    return new Int16Array(buffer)[0] === 0xFF;
+  }());
+
+  /**
+   * Internal function to calculate a CRC-24 checksum over a given string (data)
+   * @param {String | ReadableStream<String>} input - Data to create a CRC-24 checksum for
+   * @returns {Uint8Array | ReadableStream<Uint8Array>} The CRC-24 checksum.
+   * @private
+   */
+  function createcrc24(input) {
+    let crc = 0xCE04B7;
+    return transform(input, value => {
+      const len32 = isLittleEndian$1 ? Math.floor(value.length / 4) : 0;
+      const arr32 = new Uint32Array(value.buffer, value.byteOffset, len32);
+      for (let i = 0; i < len32; i++) {
+        crc ^= arr32[i];
+        crc =
+          crc_table[0][(crc >> 24) & 0xFF] ^
+          crc_table[1][(crc >> 16) & 0xFF] ^
+          crc_table[2][(crc >> 8) & 0xFF] ^
+          crc_table[3][(crc >> 0) & 0xFF];
+      }
+      for (let i = len32 * 4; i < value.length; i++) {
+        crc = (crc >> 8) ^ crc_table[0][(crc & 0xFF) ^ value[i]];
+      }
+    }, () => new Uint8Array([crc, crc >> 8, crc >> 16]));
+  }
 
   /**
    * Verify armored headers. crypto-refresh-06, section 6.2:
@@ -2773,10 +2852,13 @@ var openpgp = (function (exports) {
    * @param {Integer} [partIndex]
    * @param {Integer} [partTotal]
    * @param {String} [customComment] - Additional comment to add to the armored string
+   * @param {Boolean} [emitChecksum] - Whether to compute and include the CRC checksum
+   *  (NB: some types of data must not include it, but compliance is left as responsibility of the caller: this function does not carry out any checks)
+   * @param {Object} [config] - Full configuration, defaults to openpgp.config
    * @returns {String | ReadableStream<String>} Armored text.
    * @static
    */
-  function armor(messageType, body, partIndex, partTotal, customComment, config$1 = config) {
+  function armor(messageType, body, partIndex, partTotal, customComment, emitChecksum = false, config$1 = config) {
     let text;
     let hash;
     if (messageType === enums.armor.signed) {
@@ -2784,18 +2866,24 @@ var openpgp = (function (exports) {
       hash = body.hash;
       body = body.data;
     }
+    // unless explicitly forbidden by the spec, we need to include the checksum to work around a GnuPG bug
+    // where data fails to be decoded if the base64 ends with no padding chars (=) (see https://dev.gnupg.org/T7071)
+    const maybeBodyClone = emitChecksum && passiveClone(body);
+
     const result = [];
     switch (messageType) {
       case enums.armor.multipartSection:
         result.push('-----BEGIN PGP MESSAGE, PART ' + partIndex + '/' + partTotal + '-----\n');
         result.push(addheader(customComment, config$1));
         result.push(encode$1(body));
+        maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
         result.push('-----END PGP MESSAGE, PART ' + partIndex + '/' + partTotal + '-----\n');
         break;
       case enums.armor.multipartLast:
         result.push('-----BEGIN PGP MESSAGE, PART ' + partIndex + '-----\n');
         result.push(addheader(customComment, config$1));
         result.push(encode$1(body));
+        maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
         result.push('-----END PGP MESSAGE, PART ' + partIndex + '-----\n');
         break;
       case enums.armor.signed:
@@ -2805,30 +2893,35 @@ var openpgp = (function (exports) {
         result.push('\n-----BEGIN PGP SIGNATURE-----\n');
         result.push(addheader(customComment, config$1));
         result.push(encode$1(body));
+        maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
         result.push('-----END PGP SIGNATURE-----\n');
         break;
       case enums.armor.message:
         result.push('-----BEGIN PGP MESSAGE-----\n');
         result.push(addheader(customComment, config$1));
         result.push(encode$1(body));
+        maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
         result.push('-----END PGP MESSAGE-----\n');
         break;
       case enums.armor.publicKey:
         result.push('-----BEGIN PGP PUBLIC KEY BLOCK-----\n');
         result.push(addheader(customComment, config$1));
         result.push(encode$1(body));
+        maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
         result.push('-----END PGP PUBLIC KEY BLOCK-----\n');
         break;
       case enums.armor.privateKey:
         result.push('-----BEGIN PGP PRIVATE KEY BLOCK-----\n');
         result.push(addheader(customComment, config$1));
         result.push(encode$1(body));
+        maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
         result.push('-----END PGP PRIVATE KEY BLOCK-----\n');
         break;
       case enums.armor.signature:
         result.push('-----BEGIN PGP SIGNATURE-----\n');
         result.push(addheader(customComment, config$1));
         result.push(encode$1(body));
+        maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
         result.push('-----END PGP SIGNATURE-----\n');
         break;
     }
@@ -9355,20 +9448,6 @@ var openpgp = (function (exports) {
     }
     const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
     const signature = nacl.sign.detached(hashed, secretKey);
-    if (config.checkEdDSAFaultySignatures && !nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1))) {
-      /**
-       * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
-       * if two signatures over the same message are obtained.
-       * See https://github.com/jedisct1/libsodium/issues/170.
-       * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
-       * then the generated signature is always safe, and the verification step is skipped.
-       * Otherwise, we need to verify the generated to ensure that no bitflip occured:
-       * - in M between the computation of `r` and `h`.
-       * - in the public key before computing `h`
-       * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
-       */
-      throw new Error('Transient signing failure');
-    }
     // EdDSA signature params are returned in little-endian format
     return {
       r: signature.subarray(0, 32),
@@ -9489,20 +9568,6 @@ var openpgp = (function (exports) {
       case enums.publicKey.ed25519: {
         const secretKey = util.concatUint8Array([privateKey, publicKey]);
         const signature = nacl.sign.detached(hashed, secretKey);
-        if (config.checkEdDSAFaultySignatures && !nacl.sign.detached.verify(hashed, signature, publicKey)) {
-          /**
-           * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
-           * if two signatures over the same message are obtained.
-           * See https://github.com/jedisct1/libsodium/issues/170.
-           * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
-           * then the generated signature is always safe, and the verification step is skipped.
-           * Otherwise, we need to verify the generated to ensure that no bitflip occured:
-           * - in M between the computation of `r` and `h`.
-           * - in the public key before computing `h`
-           * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
-           */
-          throw new Error('Transient signing failure');
-        }
         return { RS: signature };
       }
       case enums.publicKey.ed448: {
@@ -11235,7 +11300,7 @@ var openpgp = (function (exports) {
    * Encrypts data using specified algorithm and public key parameters.
    * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1} for public key algorithms.
    * @param {module:enums.publicKey} keyAlgo - Public key algorithm
-   * @param {module:enums.symmetric} symmetricAlgo - Cipher algorithm
+   * @param {module:enums.symmetric|null} symmetricAlgo - Cipher algorithm (v3 only)
    * @param {Object} publicParams - Algorithm-specific public key parameters
    * @param {Object} privateParams - Algorithm-specific private key parameters
    * @param {Uint8Array} data - Data to be encrypted
@@ -11263,7 +11328,7 @@ var openpgp = (function (exports) {
       }
       case enums.publicKey.x25519:
       case enums.publicKey.x448: {
-        if (!util.isAES(symmetricAlgo)) {
+        if (symmetricAlgo && !util.isAES(symmetricAlgo)) {
           // see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276
           throw new Error('X25519 and X448 keys can only encrypt AES session keys');
         }
@@ -11895,9 +11960,26 @@ var openpgp = (function (exports) {
   let loadArgonWasmModule;
   let argon2Promise;
   // reload wasm module above this treshold, to deallocated used memory
-  const ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = 2 << 19;
+  // (cannot be declared as a simple `static` field as its not supported by Safari 14)
+  let ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = 2 << 19;
 
   class Argon2S2K {
+    static get ARGON2_WASM_MEMORY_THRESHOLD_RELOAD() {
+      return ARGON2_WASM_MEMORY_THRESHOLD_RELOAD;
+    }
+
+    static set ARGON2_WASM_MEMORY_THRESHOLD_RELOAD(memoryThreshold) {
+      ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = memoryThreshold;
+    }
+
+    static reloadWasmModule() {
+      if (!loadArgonWasmModule) return;
+
+      // it will be awaited if needed at the next `produceKey` invocation
+      argon2Promise = loadArgonWasmModule();
+      argon2Promise.catch(() => {});
+    }
+
     /**
     * @param {Object} [config] - Full configuration, defaults to openpgp.config
     */
@@ -11985,10 +12067,8 @@ var openpgp = (function (exports) {
         });
 
         // a lot of memory was used, reload to deallocate
-        if (decodedM > ARGON2_WASM_MEMORY_THRESHOLD_RELOAD) {
-          // it will be awaited if needed at the next `produceKey` invocation
-          argon2Promise = loadArgonWasmModule();
-          argon2Promise.catch(() => {});
+        if (decodedM > Argon2S2K.ARGON2_WASM_MEMORY_THRESHOLD_RELOAD) {
+          Argon2S2K.reloadWasmModule();
         }
         return hash;
       } catch (e) {
@@ -14237,6 +14317,14 @@ var openpgp = (function (exports) {
   // Symbol to store cryptographic validity of the signature, to avoid recomputing multiple times on verification.
   const verified = Symbol('verified');
 
+  // A salt notation is used to randomize signatures.
+  // This is to protect EdDSA signatures in particular, which are known to be vulnerable to fault attacks
+  // leading to secret key extraction if two signatures over the same data can be collected (see https://github.com/jedisct1/libsodium/issues/170).
+  // For simplicity, we add the salt to all algos, as it may also serve as protection in case of weaknesses in the hash algo, potentially hindering e.g.
+  // some chosen-prefix attacks.
+  // v6 signatures do not need to rely on this notation, as they already include a separate, built-in salt.
+  const SALT_NOTATION_NAME = 'salt@notations.openpgpjs.org';
+
   // GPG puts the Issuer and Signature subpackets in the unhashed area.
   // Tampering with those invalidates the signature, so we still trust them and parse them.
   // All other unhashed subpackets are ignored.
@@ -14406,7 +14494,7 @@ var openpgp = (function (exports) {
      * @throws {Error} if signing failed
      * @async
      */
-    async sign(key, data, date = new Date(), detached = false) {
+    async sign(key, data, date = new Date(), detached = false, config) {
       this.version = key.version;
 
       this.created = util.normalizeDate(date);
@@ -14416,6 +14504,31 @@ var openpgp = (function (exports) {
 
       const arr = [new Uint8Array([this.version, this.signatureType, this.publicKeyAlgorithm, this.hashAlgorithm])];
 
+      // add randomness to the signature
+      if (this.version === 6) {
+        const saltLength = saltLengthForHash(this.hashAlgorithm);
+        if (this.salt === null) {
+          this.salt = mod$1.random.getRandomBytes(saltLength);
+        } else if (saltLength !== this.salt.length) {
+          throw new Error('Provided salt does not have the required length');
+        }
+      } else if (config.nonDeterministicSignaturesViaNotation) {
+        const saltNotations = this.rawNotations.filter(({ name }) => (name === SALT_NOTATION_NAME));
+        // since re-signing the same object is not supported, it's not expected to have multiple salt notations,
+        // but we guard against it as a sanity check
+        if (saltNotations.length === 0) {
+          const saltValue = mod$1.random.getRandomBytes(saltLengthForHash(this.hashAlgorithm));
+          this.rawNotations.push({
+            name: SALT_NOTATION_NAME,
+            value: saltValue,
+            humanReadable: false,
+            critical: false
+          });
+        } else {
+          throw new Error('Unexpected existing salt notation');
+        }
+      }
+
       // Add hashed subpackets
       arr.push(this.writeHashedSubPackets());
 
@@ -14426,14 +14539,6 @@ var openpgp = (function (exports) {
 
       this.signatureData = util.concat(arr);
 
-      if (this.version === 6) {
-        const saltLength = saltLengthForHash(this.hashAlgorithm);
-        if (this.salt === null) {
-          this.salt = mod$1.random.getRandomBytes(saltLength);
-        } else if (saltLength !== this.salt.length) {
-          throw new Error('Provided salt does not have the required length');
-        }
-      }
       const toHash = this.toHash(this.signatureType, data, detached);
       const hash = await this.hash(this.signatureType, data, toHash, detached);
 
@@ -16235,9 +16340,12 @@ var openpgp = (function (exports) {
       }
       this.publicKeyAlgorithm = bytes[offset++];
       this.encrypted = mod$1.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(offset));
-      if (this.version === 3 && (
-        this.publicKeyAlgorithm === enums.publicKey.x25519 || this.publicKeyAlgorithm === enums.publicKey.x448)) {
-        this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
+      if (this.publicKeyAlgorithm === enums.publicKey.x25519 || this.publicKeyAlgorithm === enums.publicKey.x448) {
+        if (this.version === 3) {
+          this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
+        } else if (this.encrypted.C.algorithm !== null) {
+          throw new Error('Unexpected cleartext symmetric algorithm');
+        }
       }
     }
 
@@ -16281,10 +16389,13 @@ var openpgp = (function (exports) {
      */
     async encrypt(key) {
       const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
-      const encoded = encodeSessionKey(this.version, algo, this.sessionKeyAlgorithm, this.sessionKey);
+      // No symmetric encryption algorithm identifier is passed to the public-key algorithm for a
+      // v6 PKESK packet, as it is included in the v2 SEIPD packet.
+      const sessionKeyAlgorithm = this.version === 3 ? this.sessionKeyAlgorithm : null;
+      const encoded = encodeSessionKey(this.version, algo, sessionKeyAlgorithm, this.sessionKey);
       const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
       this.encrypted = await mod$1.publicKeyEncrypt(
-        algo, this.sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
+        algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
     }
 
     /**
@@ -16383,6 +16494,7 @@ var openpgp = (function (exports) {
       case enums.publicKey.x25519:
       case enums.publicKey.x448:
         return {
+          sessionKeyAlgorithm: null,
           sessionKey: decryptedData
         };
       default:
@@ -18070,7 +18182,9 @@ var openpgp = (function (exports) {
      * @returns {ReadableStream<String>} ASCII armor.
      */
     armor(config$1 = config) {
-      return armor(enums.armor.signature, this.write(), undefined, undefined, undefined, config$1);
+      // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.
+      const emitChecksum = this.packets.some(packet => packet.constructor.tag === SignaturePacket.tag && packet.version !== 6);
+      return armor(enums.armor.signature, this.write(), undefined, undefined, undefined, emitChecksum, config$1);
     }
 
     /**
@@ -18283,7 +18397,7 @@ var openpgp = (function (exports) {
   async function getPreferredCipherSuite(keys = [], date = new Date(), userIDs = [], config$1 = config) {
     const selfSigs = await Promise.all(keys.map((key, i) => key.getPrimarySelfSignature(date, userIDs[i], config$1)));
     const withAEAD = keys.length ?
-      selfSigs.every(selfSig => selfSig.features[0] & enums.features.seipdv2) :
+      !config$1.ignoreSEIPDv2FeatureFlag && selfSigs.every(selfSig => selfSig.features && (selfSig.features[0] & enums.features.seipdv2)) :
       config$1.aeadProtect;
 
     if (withAEAD) {
@@ -18330,8 +18444,8 @@ var openpgp = (function (exports) {
     Object.assign(signaturePacket, signatureProperties);
     signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;
     signaturePacket.hashAlgorithm = await getPreferredHashAlgo(privateKey, signingKeyPacket, date, userID, config);
-    signaturePacket.rawNotations = notations;
-    await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached);
+    signaturePacket.rawNotations = [...notations];
+    await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached, config);
     return signaturePacket;
   }
 
@@ -18394,7 +18508,7 @@ var openpgp = (function (exports) {
           !signature || revocationSignature.issuerKeyID.equals(signature.issuerKeyID)
         ) {
           await revocationSignature.verify(
-            key, signatureType, dataToVerify, config.revocationsExpire ? date : null, false, config
+            key, signatureType, dataToVerify, date, false, config
           );
 
           // TODO get an identifier of the revoked object instead
@@ -19664,7 +19778,9 @@ var openpgp = (function (exports) {
       const revocationSignature = await getLatestValidSignature(this.revocationSignatures, this.keyPacket, enums.signature.keyRevocation, dataToVerify, date, config$1);
       const packetlist = new PacketList();
       packetlist.push(revocationSignature);
-      return armor(enums.armor.publicKey, packetlist.write(), null, null, 'This is a revocation certificate');
+      // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.
+      const emitChecksum = this.keyPacket.version !== 6;
+      return armor(enums.armor.publicKey, packetlist.write(), null, null, 'This is a revocation certificate', emitChecksum, config$1);
     }
 
     /**
@@ -19854,7 +19970,9 @@ var openpgp = (function (exports) {
      * @returns {ReadableStream<String>} ASCII armor.
      */
     armor(config$1 = config) {
-      return armor(enums.armor.publicKey, this.toPacketList().write(), undefined, undefined, undefined, config$1);
+      // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.
+      const emitChecksum = this.keyPacket.version !== 6;
+      return armor(enums.armor.publicKey, this.toPacketList().write(), undefined, undefined, undefined, emitChecksum, config$1);
     }
   }
 
@@ -19927,7 +20045,9 @@ var openpgp = (function (exports) {
      * @returns {ReadableStream<String>} ASCII armor.
      */
     armor(config$1 = config) {
-      return armor(enums.armor.privateKey, this.toPacketList().write(), undefined, undefined, undefined, config$1);
+      // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.
+      const emitChecksum = this.keyPacket.version !== 6;
+      return armor(enums.armor.privateKey, this.toPacketList().write(), undefined, undefined, undefined, emitChecksum, config$1);
     }
 
     /**
@@ -21246,7 +21366,13 @@ var openpgp = (function (exports) {
      * @returns {ReadableStream<String>} ASCII armor.
      */
     armor(config$1 = config) {
-      return armor(enums.armor.message, this.write(), null, null, null, config$1);
+      const trailingPacket = this.packets[this.packets.length - 1];
+      // An ASCII-armored Encrypted Message packet sequence that ends in an v2 SEIPD packet MUST NOT contain a CRC24 footer.
+      // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.
+      const emitChecksum = trailingPacket.constructor.tag === SymEncryptedIntegrityProtectedDataPacket.tag ?
+        trailingPacket.version !== 2 :
+        this.packets.some(packet => packet.constructor.tag === SignaturePacket.tag && packet.version !== 6);
+      return armor(enums.armor.message, this.write(), null, null, null, emitChecksum, config$1);
     }
   }
 
@@ -21581,9 +21707,9 @@ var openpgp = (function (exports) {
      * @returns {String | ReadableStream<String>} ASCII armor.
      */
     armor(config$1 = config) {
-      // emit header if one of the signatures has a version not 6
-      const emitHeader = this.signature.packets.some(packet => packet.version !== 6);
-      const hash = emitHeader ?
+      // emit header and checksum if one of the signatures has a version not 6
+      const emitHeaderAndChecksum = this.signature.packets.some(packet => packet.version !== 6);
+      const hash = emitHeaderAndChecksum ?
         Array.from(new Set(this.signature.packets.map(
           packet => enums.read(enums.hash, packet.hashAlgorithm).toUpperCase()
         ))).join() :
@@ -21594,7 +21720,9 @@ var openpgp = (function (exports) {
         text: this.text,
         data: this.signature.packets.write()
       };
-      return armor(enums.armor.signed, body, undefined, undefined, undefined, config$1);
+
+      // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.
+      return armor(enums.armor.signed, body, undefined, undefined, undefined, emitHeaderAndChecksum, config$1);
     }
   }