@protontech/openpgp 6.0.0-alpha.1.patch.1 → 6.0.0-beta.0.patch.0

package/dist/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.0.0-alpha.1.patch.1 - 2024-03-11 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.0-beta.0.patch.0 - 2024-04-19 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -1465,6 +1465,14 @@ var config = {
    * @property {Boolean} aeadProtect
    */
   aeadProtect: false,
+  /**
+   * Whether to disable encrypton using SEIPDv2 even if the encryption keys include the SEIPDv2 feature flag.
+   * If true, SEIPDv1 (i.e. no AEAD) packets are always used instead.
+   * SEIPDv2 is a more secure and faster choice, but it is not necessarily compatible with other libs and our mobile apps.
+   * @memberof module:config
+   * @property {Boolean} ignoreSEIPDv2FeatureFlag
+   */
+  ignoreSEIPDv2FeatureFlag: false,
   /**
    * When reading OpenPGP v4 private keys (e.g. those generated in OpenPGP.js when not setting `config.v5Keys = true`)
    * which were encrypted by OpenPGP.js v5 (or older) using `config.aeadProtect = true`,
@@ -1577,11 +1585,6 @@ var config = {
    * @property {Boolean} passwordCollisionCheck
    */
   passwordCollisionCheck: false,
-  /**
-   * @memberof module:config
-   * @property {Boolean} revocationsExpire If true, expired revocation signatures are ignored
-   */
-  revocationsExpire: false,
   /**
    * Allow decryption using RSA keys without `encrypt` flag.
    * This setting is potentially insecure, but it is needed to get around an old openpgpjs bug
@@ -1657,7 +1660,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.0.0-alpha.1.patch.1',
+  versionString: 'OpenPGP.js 6.0.0-beta.0.patch.0',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -1677,6 +1680,14 @@ var config = {
    * @property {Array} knownNotations
    */
   knownNotations: [],
+  /**
+   * If true, a salt notation is used to randomize signatures generated by v4 and v5 keys (v6 signatures are always non-deterministic, by design).
+   * This protects EdDSA signatures from potentially leaking the secret key in case of faults (i.e. bitflips) which, in principle, could occur
+   * during the signing computation. It is added to signatures of any algo for simplicity, and as it may also serve as protection in case of
+   * weaknesses in the hash algo, potentially hindering e.g. some chosen-prefix attacks.
+   * NOTE: the notation is interoperable, but will reveal that the signature has been generated using OpenPGP.js, which may not be desirable in some cases.
+   */
+  nonDeterministicSignaturesViaNotation: true,
   /**
    * Whether to use the the noble-curves library for curves (other than Curve25519) that are not supported by the available native crypto API.
    * When false, certain standard curves will not be supported (depending on the platform).
@@ -1707,14 +1718,7 @@ var config = {
    * @memberof module:config
    * @property {Set<String>} rejectCurves {@link module:enums.curve}
    */
-  rejectCurves: new Set([enums.curve.secp256k1]),
-  /**
-   * Whether to validate generated EdDSA signatures before returning them, to ensure they are not faulty signatures.
-   * This check will make signing 2-3 times slower.
-   * Faulty signatures may be generated (in principle) if random bitflips occur at specific points in the signature
-   * computation, and could be used to recover the signer's secret key given a second signature over the same data.
-   */
-  checkEdDSAFaultySignatures: true
+  rejectCurves: new Set([enums.curve.secp256k1])
 };
 
 /**
@@ -2200,16 +2204,19 @@ const util = {
   },
 
   /**
-   * Test email format based on W3C HTML5 specification.
-   * This check is not exaustive, and does not match RFC 5322 exactly
-   * (see https://html.spec.whatwg.org/multipage/input.html#email-state-(type=email)),
-   * but is commonly used for email address validation.
+   * Test email format to ensure basic compliance:
+   * - must include a single @
+   * - no control or space unicode chars allowed
+   * - no backslash and square brackets (as the latter can mess with the userID parsing)
+   * - cannot end with a punctuation char
+   * These checks are not meant to be exhaustive; applications are strongly encouraged to implement stricter validation,
+   * e.g. based on the W3C HTML spec (https://html.spec.whatwg.org/multipage/input.html#email-state-(type=email)).
    */
   isEmailAddress: function(data) {
     if (!util.isString(data)) {
       return false;
     }
-    const re = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+    const re = /^[^\p{C}\p{Z}@<>\\]+@[^\p{C}\p{Z}@<>\\]+[^\p{C}\p{Z}\p{P}]$/u;
     return re.test(data);
   },
 
@@ -2615,6 +2622,78 @@ function addheader(customComment, config) {
   return result;
 }
 
+/**
+ * Calculates a checksum over the given data and returns it base64 encoded
+ * @param {String | ReadableStream<String>} data - Data to create a CRC-24 checksum for
+ * @returns {String | ReadableStream<String>} Base64 encoded checksum.
+ * @private
+ */
+function getCheckSum(data) {
+  const crc = createcrc24(data);
+  return encode$1(crc);
+}
+
+// https://create.stephan-brumme.com/crc32/#slicing-by-8-overview
+
+const crc_table = [
+  new Array(0xFF),
+  new Array(0xFF),
+  new Array(0xFF),
+  new Array(0xFF)
+];
+
+for (let i = 0; i <= 0xFF; i++) {
+  let crc = i << 16;
+  for (let j = 0; j < 8; j++) {
+    crc = (crc << 1) ^ ((crc & 0x800000) !== 0 ? 0x864CFB : 0);
+  }
+  crc_table[0][i] =
+    ((crc & 0xFF0000) >> 16) |
+    (crc & 0x00FF00) |
+    ((crc & 0x0000FF) << 16);
+}
+for (let i = 0; i <= 0xFF; i++) {
+  crc_table[1][i] = (crc_table[0][i] >> 8) ^ crc_table[0][crc_table[0][i] & 0xFF];
+}
+for (let i = 0; i <= 0xFF; i++) {
+  crc_table[2][i] = (crc_table[1][i] >> 8) ^ crc_table[0][crc_table[1][i] & 0xFF];
+}
+for (let i = 0; i <= 0xFF; i++) {
+  crc_table[3][i] = (crc_table[2][i] >> 8) ^ crc_table[0][crc_table[2][i] & 0xFF];
+}
+
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DataView#Endianness
+const isLittleEndian$1 = (function() {
+  const buffer = new ArrayBuffer(2);
+  new DataView(buffer).setInt16(0, 0xFF, true /* littleEndian */);
+  // Int16Array uses the platform's endianness.
+  return new Int16Array(buffer)[0] === 0xFF;
+}());
+
+/**
+ * Internal function to calculate a CRC-24 checksum over a given string (data)
+ * @param {String | ReadableStream<String>} input - Data to create a CRC-24 checksum for
+ * @returns {Uint8Array | ReadableStream<Uint8Array>} The CRC-24 checksum.
+ * @private
+ */
+function createcrc24(input) {
+  let crc = 0xCE04B7;
+  return transform(input, value => {
+    const len32 = isLittleEndian$1 ? Math.floor(value.length / 4) : 0;
+    const arr32 = new Uint32Array(value.buffer, value.byteOffset, len32);
+    for (let i = 0; i < len32; i++) {
+      crc ^= arr32[i];
+      crc =
+        crc_table[0][(crc >> 24) & 0xFF] ^
+        crc_table[1][(crc >> 16) & 0xFF] ^
+        crc_table[2][(crc >> 8) & 0xFF] ^
+        crc_table[3][(crc >> 0) & 0xFF];
+    }
+    for (let i = len32 * 4; i < value.length; i++) {
+      crc = (crc >> 8) ^ crc_table[0][(crc & 0xFF) ^ value[i]];
+    }
+  }, () => new Uint8Array([crc, crc >> 8, crc >> 16]));
+}
 
 /**
  * Verify armored headers. crypto-refresh-06, section 6.2:
@@ -2770,10 +2849,13 @@ function unarmor(input) {
  * @param {Integer} [partIndex]
  * @param {Integer} [partTotal]
  * @param {String} [customComment] - Additional comment to add to the armored string
+ * @param {Boolean} [emitChecksum] - Whether to compute and include the CRC checksum
+ *  (NB: some types of data must not include it, but compliance is left as responsibility of the caller: this function does not carry out any checks)
+ * @param {Object} [config] - Full configuration, defaults to openpgp.config
  * @returns {String | ReadableStream<String>} Armored text.
  * @static
  */
-function armor(messageType, body, partIndex, partTotal, customComment, config$1 = config) {
+function armor(messageType, body, partIndex, partTotal, customComment, emitChecksum = false, config$1 = config) {
   let text;
   let hash;
   if (messageType === enums.armor.signed) {
@@ -2781,18 +2863,24 @@ function armor(messageType, body, partIndex, partTotal, customComment, config$1
     hash = body.hash;
     body = body.data;
   }
+  // unless explicitly forbidden by the spec, we need to include the checksum to work around a GnuPG bug
+  // where data fails to be decoded if the base64 ends with no padding chars (=) (see https://dev.gnupg.org/T7071)
+  const maybeBodyClone = emitChecksum && passiveClone(body);
+
   const result = [];
   switch (messageType) {
     case enums.armor.multipartSection:
       result.push('-----BEGIN PGP MESSAGE, PART ' + partIndex + '/' + partTotal + '-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP MESSAGE, PART ' + partIndex + '/' + partTotal + '-----\n');
       break;
     case enums.armor.multipartLast:
       result.push('-----BEGIN PGP MESSAGE, PART ' + partIndex + '-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP MESSAGE, PART ' + partIndex + '-----\n');
       break;
     case enums.armor.signed:
@@ -2802,30 +2890,35 @@ function armor(messageType, body, partIndex, partTotal, customComment, config$1
       result.push('\n-----BEGIN PGP SIGNATURE-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP SIGNATURE-----\n');
       break;
     case enums.armor.message:
       result.push('-----BEGIN PGP MESSAGE-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP MESSAGE-----\n');
       break;
     case enums.armor.publicKey:
       result.push('-----BEGIN PGP PUBLIC KEY BLOCK-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP PUBLIC KEY BLOCK-----\n');
       break;
     case enums.armor.privateKey:
       result.push('-----BEGIN PGP PRIVATE KEY BLOCK-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP PRIVATE KEY BLOCK-----\n');
       break;
     case enums.armor.signature:
       result.push('-----BEGIN PGP SIGNATURE-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP SIGNATURE-----\n');
       break;
   }
@@ -9352,20 +9445,6 @@ async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   }
   const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
   const signature = nacl.sign.detached(hashed, secretKey);
-  if (config.checkEdDSAFaultySignatures && !nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1))) {
-    /**
-     * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
-     * if two signatures over the same message are obtained.
-     * See https://github.com/jedisct1/libsodium/issues/170.
-     * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
-     * then the generated signature is always safe, and the verification step is skipped.
-     * Otherwise, we need to verify the generated to ensure that no bitflip occured:
-     * - in M between the computation of `r` and `h`.
-     * - in the public key before computing `h`
-     * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
-     */
-    throw new Error('Transient signing failure');
-  }
   // EdDSA signature params are returned in little-endian format
   return {
     r: signature.subarray(0, 32),
@@ -9486,20 +9565,6 @@ async function sign$4(algo, hashAlgo, message, publicKey, privateKey, hashed) {
     case enums.publicKey.ed25519: {
       const secretKey = util.concatUint8Array([privateKey, publicKey]);
       const signature = nacl.sign.detached(hashed, secretKey);
-      if (config.checkEdDSAFaultySignatures && !nacl.sign.detached.verify(hashed, signature, publicKey)) {
-        /**
-         * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
-         * if two signatures over the same message are obtained.
-         * See https://github.com/jedisct1/libsodium/issues/170.
-         * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
-         * then the generated signature is always safe, and the verification step is skipped.
-         * Otherwise, we need to verify the generated to ensure that no bitflip occured:
-         * - in M between the computation of `r` and `h`.
-         * - in the public key before computing `h`
-         * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
-         */
-        throw new Error('Transient signing failure');
-      }
       return { RS: signature };
     }
     case enums.publicKey.ed448: {
@@ -11232,7 +11297,7 @@ class ECDHXSymmetricKey {
  * Encrypts data using specified algorithm and public key parameters.
  * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1} for public key algorithms.
  * @param {module:enums.publicKey} keyAlgo - Public key algorithm
- * @param {module:enums.symmetric} symmetricAlgo - Cipher algorithm
+ * @param {module:enums.symmetric|null} symmetricAlgo - Cipher algorithm (v3 only)
  * @param {Object} publicParams - Algorithm-specific public key parameters
  * @param {Object} privateParams - Algorithm-specific private key parameters
  * @param {Uint8Array} data - Data to be encrypted
@@ -11260,7 +11325,7 @@ async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, privatePar
     }
     case enums.publicKey.x25519:
     case enums.publicKey.x448: {
-      if (!util.isAES(symmetricAlgo)) {
+      if (symmetricAlgo && !util.isAES(symmetricAlgo)) {
         // see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276
         throw new Error('X25519 and X448 keys can only encrypt AES session keys');
       }
@@ -11892,9 +11957,26 @@ class Argon2OutOfMemoryError extends Error {
 let loadArgonWasmModule;
 let argon2Promise;
 // reload wasm module above this treshold, to deallocated used memory
-const ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = 2 << 19;
+// (cannot be declared as a simple `static` field as its not supported by Safari 14)
+let ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = 2 << 19;
 
 class Argon2S2K {
+  static get ARGON2_WASM_MEMORY_THRESHOLD_RELOAD() {
+    return ARGON2_WASM_MEMORY_THRESHOLD_RELOAD;
+  }
+
+  static set ARGON2_WASM_MEMORY_THRESHOLD_RELOAD(memoryThreshold) {
+    ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = memoryThreshold;
+  }
+
+  static reloadWasmModule() {
+    if (!loadArgonWasmModule) return;
+
+    // it will be awaited if needed at the next `produceKey` invocation
+    argon2Promise = loadArgonWasmModule();
+    argon2Promise.catch(() => {});
+  }
+
   /**
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
   */
@@ -11982,10 +12064,8 @@ class Argon2S2K {
       });
 
       // a lot of memory was used, reload to deallocate
-      if (decodedM > ARGON2_WASM_MEMORY_THRESHOLD_RELOAD) {
-        // it will be awaited if needed at the next `produceKey` invocation
-        argon2Promise = loadArgonWasmModule();
-        argon2Promise.catch(() => {});
+      if (decodedM > Argon2S2K.ARGON2_WASM_MEMORY_THRESHOLD_RELOAD) {
+        Argon2S2K.reloadWasmModule();
       }
       return hash;
     } catch (e) {
@@ -14234,6 +14314,14 @@ class KeyID {
 // Symbol to store cryptographic validity of the signature, to avoid recomputing multiple times on verification.
 const verified = Symbol('verified');
 
+// A salt notation is used to randomize signatures.
+// This is to protect EdDSA signatures in particular, which are known to be vulnerable to fault attacks
+// leading to secret key extraction if two signatures over the same data can be collected (see https://github.com/jedisct1/libsodium/issues/170).
+// For simplicity, we add the salt to all algos, as it may also serve as protection in case of weaknesses in the hash algo, potentially hindering e.g.
+// some chosen-prefix attacks.
+// v6 signatures do not need to rely on this notation, as they already include a separate, built-in salt.
+const SALT_NOTATION_NAME = 'salt@notations.openpgpjs.org';
+
 // GPG puts the Issuer and Signature subpackets in the unhashed area.
 // Tampering with those invalidates the signature, so we still trust them and parse them.
 // All other unhashed subpackets are ignored.
@@ -14403,7 +14491,7 @@ class SignaturePacket {
    * @throws {Error} if signing failed
    * @async
    */
-  async sign(key, data, date = new Date(), detached = false) {
+  async sign(key, data, date = new Date(), detached = false, config) {
     this.version = key.version;
 
     this.created = util.normalizeDate(date);
@@ -14413,6 +14501,31 @@ class SignaturePacket {
 
     const arr = [new Uint8Array([this.version, this.signatureType, this.publicKeyAlgorithm, this.hashAlgorithm])];
 
+    // add randomness to the signature
+    if (this.version === 6) {
+      const saltLength = saltLengthForHash(this.hashAlgorithm);
+      if (this.salt === null) {
+        this.salt = mod$1.random.getRandomBytes(saltLength);
+      } else if (saltLength !== this.salt.length) {
+        throw new Error('Provided salt does not have the required length');
+      }
+    } else if (config.nonDeterministicSignaturesViaNotation) {
+      const saltNotations = this.rawNotations.filter(({ name }) => (name === SALT_NOTATION_NAME));
+      // since re-signing the same object is not supported, it's not expected to have multiple salt notations,
+      // but we guard against it as a sanity check
+      if (saltNotations.length === 0) {
+        const saltValue = mod$1.random.getRandomBytes(saltLengthForHash(this.hashAlgorithm));
+        this.rawNotations.push({
+          name: SALT_NOTATION_NAME,
+          value: saltValue,
+          humanReadable: false,
+          critical: false
+        });
+      } else {
+        throw new Error('Unexpected existing salt notation');
+      }
+    }
+
     // Add hashed subpackets
     arr.push(this.writeHashedSubPackets());
 
@@ -14423,14 +14536,6 @@ class SignaturePacket {
 
     this.signatureData = util.concat(arr);
 
-    if (this.version === 6) {
-      const saltLength = saltLengthForHash(this.hashAlgorithm);
-      if (this.salt === null) {
-        this.salt = mod$1.random.getRandomBytes(saltLength);
-      } else if (saltLength !== this.salt.length) {
-        throw new Error('Provided salt does not have the required length');
-      }
-    }
     const toHash = this.toHash(this.signatureType, data, detached);
     const hash = await this.hash(this.signatureType, data, toHash, detached);
 
@@ -16232,9 +16337,12 @@ class PublicKeyEncryptedSessionKeyPacket {
     }
     this.publicKeyAlgorithm = bytes[offset++];
     this.encrypted = mod$1.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(offset));
-    if (this.version === 3 && (
-      this.publicKeyAlgorithm === enums.publicKey.x25519 || this.publicKeyAlgorithm === enums.publicKey.x448)) {
-      this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
+    if (this.publicKeyAlgorithm === enums.publicKey.x25519 || this.publicKeyAlgorithm === enums.publicKey.x448) {
+      if (this.version === 3) {
+        this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
+      } else if (this.encrypted.C.algorithm !== null) {
+        throw new Error('Unexpected cleartext symmetric algorithm');
+      }
     }
   }
 
@@ -16278,10 +16386,13 @@ class PublicKeyEncryptedSessionKeyPacket {
    */
   async encrypt(key) {
     const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
-    const encoded = encodeSessionKey(this.version, algo, this.sessionKeyAlgorithm, this.sessionKey);
+    // No symmetric encryption algorithm identifier is passed to the public-key algorithm for a
+    // v6 PKESK packet, as it is included in the v2 SEIPD packet.
+    const sessionKeyAlgorithm = this.version === 3 ? this.sessionKeyAlgorithm : null;
+    const encoded = encodeSessionKey(this.version, algo, sessionKeyAlgorithm, this.sessionKey);
     const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
     this.encrypted = await mod$1.publicKeyEncrypt(
-      algo, this.sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
+      algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
   }
 
   /**
@@ -16380,6 +16491,7 @@ function decodeSessionKey(version, keyAlgo, decryptedData, randomSessionKey) {
     case enums.publicKey.x25519:
     case enums.publicKey.x448:
       return {
+        sessionKeyAlgorithm: null,
         sessionKey: decryptedData
       };
     default:
@@ -18067,7 +18179,9 @@ class Signature {
    * @returns {ReadableStream<String>} ASCII armor.
    */
   armor(config$1 = config) {
-    return armor(enums.armor.signature, this.write(), undefined, undefined, undefined, config$1);
+    // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.
+    const emitChecksum = this.packets.some(packet => packet.constructor.tag === SignaturePacket.tag && packet.version !== 6);
+    return armor(enums.armor.signature, this.write(), undefined, undefined, undefined, emitChecksum, config$1);
   }
 
   /**
@@ -18280,7 +18394,7 @@ async function getPreferredCompressionAlgo(keys = [], date = new Date(), userIDs
 async function getPreferredCipherSuite(keys = [], date = new Date(), userIDs = [], config$1 = config) {
   const selfSigs = await Promise.all(keys.map((key, i) => key.getPrimarySelfSignature(date, userIDs[i], config$1)));
   const withAEAD = keys.length ?
-    selfSigs.every(selfSig => selfSig.features[0] & enums.features.seipdv2) :
+    !config$1.ignoreSEIPDv2FeatureFlag && selfSigs.every(selfSig => selfSig.features && (selfSig.features[0] & enums.features.seipdv2)) :
     config$1.aeadProtect;
 
   if (withAEAD) {
@@ -18327,8 +18441,8 @@ async function createSignaturePacket(dataToSign, privateKey, signingKeyPacket, s
   Object.assign(signaturePacket, signatureProperties);
   signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;
   signaturePacket.hashAlgorithm = await getPreferredHashAlgo(privateKey, signingKeyPacket, date, userID, config);
-  signaturePacket.rawNotations = notations;
-  await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached);
+  signaturePacket.rawNotations = [...notations];
+  await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached, config);
   return signaturePacket;
 }
 
@@ -18391,7 +18505,7 @@ async function isDataRevoked(primaryKey, signatureType, dataToVerify, revocation
         !signature || revocationSignature.issuerKeyID.equals(signature.issuerKeyID)
       ) {
         await revocationSignature.verify(
-          key, signatureType, dataToVerify, config.revocationsExpire ? date : null, false, config
+          key, signatureType, dataToVerify, date, false, config
         );
 
         // TODO get an identifier of the revoked object instead
@@ -19661,7 +19775,9 @@ class Key {
     const revocationSignature = await getLatestValidSignature(this.revocationSignatures, this.keyPacket, enums.signature.keyRevocation, dataToVerify, date, config$1);
     const packetlist = new PacketList();
     packetlist.push(revocationSignature);
-    return armor(enums.armor.publicKey, packetlist.write(), null, null, 'This is a revocation certificate');
+    // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.
+    const emitChecksum = this.keyPacket.version !== 6;
+    return armor(enums.armor.publicKey, packetlist.write(), null, null, 'This is a revocation certificate', emitChecksum, config$1);
   }
 
   /**
@@ -19851,7 +19967,9 @@ class PublicKey extends Key {
    * @returns {ReadableStream<String>} ASCII armor.
    */
   armor(config$1 = config) {
-    return armor(enums.armor.publicKey, this.toPacketList().write(), undefined, undefined, undefined, config$1);
+    // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.
+    const emitChecksum = this.keyPacket.version !== 6;
+    return armor(enums.armor.publicKey, this.toPacketList().write(), undefined, undefined, undefined, emitChecksum, config$1);
   }
 }
 
@@ -19924,7 +20042,9 @@ class PrivateKey extends PublicKey {
    * @returns {ReadableStream<String>} ASCII armor.
    */
   armor(config$1 = config) {
-    return armor(enums.armor.privateKey, this.toPacketList().write(), undefined, undefined, undefined, config$1);
+    // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.
+    const emitChecksum = this.keyPacket.version !== 6;
+    return armor(enums.armor.privateKey, this.toPacketList().write(), undefined, undefined, undefined, emitChecksum, config$1);
   }
 
   /**
@@ -21243,7 +21363,13 @@ class Message {
    * @returns {ReadableStream<String>} ASCII armor.
    */
   armor(config$1 = config) {
-    return armor(enums.armor.message, this.write(), null, null, null, config$1);
+    const trailingPacket = this.packets[this.packets.length - 1];
+    // An ASCII-armored Encrypted Message packet sequence that ends in an v2 SEIPD packet MUST NOT contain a CRC24 footer.
+    // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.
+    const emitChecksum = trailingPacket.constructor.tag === SymEncryptedIntegrityProtectedDataPacket.tag ?
+      trailingPacket.version !== 2 :
+      this.packets.some(packet => packet.constructor.tag === SignaturePacket.tag && packet.version !== 6);
+    return armor(enums.armor.message, this.write(), null, null, null, emitChecksum, config$1);
   }
 }
 
@@ -21578,9 +21704,9 @@ class CleartextMessage {
    * @returns {String | ReadableStream<String>} ASCII armor.
    */
   armor(config$1 = config) {
-    // emit header if one of the signatures has a version not 6
-    const emitHeader = this.signature.packets.some(packet => packet.version !== 6);
-    const hash = emitHeader ?
+    // emit header and checksum if one of the signatures has a version not 6
+    const emitHeaderAndChecksum = this.signature.packets.some(packet => packet.version !== 6);
+    const hash = emitHeaderAndChecksum ?
       Array.from(new Set(this.signature.packets.map(
         packet => enums.read(enums.hash, packet.hashAlgorithm).toUpperCase()
       ))).join() :
@@ -21591,7 +21717,9 @@ class CleartextMessage {
       text: this.text,
       data: this.signature.packets.write()
     };
-    return armor(enums.armor.signed, body, undefined, undefined, undefined, config$1);
+
+    // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.
+    return armor(enums.armor.signed, body, undefined, undefined, undefined, emitHeaderAndChecksum, config$1);
   }
 }
 

package/openpgp.d.ts

@@ -324,12 +324,12 @@ interface Config {
   showVersion: boolean;
   showComment: boolean;
   aeadProtect: boolean;
+  ignoreSEIPDv2FeatureFlag: boolean;
   allowUnauthenticatedMessages: boolean;
   allowUnauthenticatedStream: boolean;
   allowForwardedMessages: boolean;
   minRSABits: number;
   passwordCollisionCheck: boolean;
-  revocationsExpire: boolean;
   ignoreUnsupportedPackets: boolean;
   ignoreMalformedPackets: boolean;
   versionString: string;
@@ -353,7 +353,7 @@ interface Config {
   rejectPublicKeyAlgorithms: Set<enums.publicKey>;
   rejectCurves: Set<enums.curve>;
 }
-export var config: Config & { checkEdDSAFaultySignatures: boolean }; // option only supported if set at the global openpgp.config level
+export var config: Config;
 
 // PartialConfig has the same properties as Config, but declared as optional.
 // This interface is relevant for top-level functions, which accept a subset of configuration options
@@ -738,7 +738,7 @@ export interface VerifyMessageResult<T extends MaybeStream<Data> = MaybeStream<D
 /**
  * Armor an OpenPGP binary packet block
  */
-export function armor(messagetype: enums.armor, body: object, partindex?: number, parttotal?: number, customComment?: string, config?: Config): string;
+export function armor(messagetype: enums.armor, body: object, partindex?: number, parttotal?: number, customComment?: string, emitChecksum?: boolean, config?: Config): string;
 
 /**
  * DeArmor an OpenPGP armored message; verify the checksum and return the encoded bytes
@@ -938,6 +938,8 @@ export namespace enums {
 }
 
 export declare class Argon2S2K {
+  static reloadWasmModule(): void;
+  static ARGON2_WASM_MEMORY_THRESHOLD_RELOAD: number;
   constructor(config: Config);
   salt: Uint8Array;
   /** @throws Argon2OutOfMemoryError */

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@protontech/openpgp",
   "description": "OpenPGP.js is a Javascript implementation of the OpenPGP protocol. This is defined in RFC 4880.",
-  "version": "6.0.0-alpha.1.patch.1",
+  "version": "6.0.0-beta.0.patch.0",
   "license": "LGPL-3.0+",
   "homepage": "https://openpgpjs.org/",
   "engines": {
@@ -75,7 +75,7 @@
     "@rollup/plugin-replace": "^5.0.5",
     "@rollup/plugin-terser": "^0.4.4",
     "@rollup/plugin-wasm": "^6.2.2",
-    "@types/chai": "^4.3.12",
+    "@types/chai": "^4.3.14",
     "argon2id": "^1.0.1",
     "benchmark": "^2.1.4",
     "c8": "^8.0.1",
@@ -93,17 +93,17 @@
     "karma": "^6.4.3",
     "karma-browserstack-launcher": "^1.6.0",
     "karma-chrome-launcher": "^3.2.0",
-    "karma-firefox-launcher": "^2.1.2",
+    "karma-firefox-launcher": "^2.1.3",
     "karma-mocha": "^2.0.1",
     "karma-mocha-reporter": "^2.2.5",
     "karma-webkit-launcher": "^2.4.0",
-    "mocha": "^10.3.0",
-    "playwright": "^1.42.0",
-    "rollup": "^4.12.0",
-    "sinon": "^15.2.0",
+    "mocha": "^10.4.0",
+    "playwright": "^1.43.0",
+    "rollup": "^4.14.1",
+    "sinon": "^17.0.1",
     "ts-node": "^10.9.2",
-    "tsx": "^4.7.1",
-    "typescript": "^5.3.3",
+    "tsx": "^4.7.2",
+    "typescript": "^5.4.4",
     "web-streams-polyfill": "^3.3.3"
   },
   "repository": {