@protontech/openpgp 6.0.0-beta.3.patch.0 → 6.0.0

package/dist/lightweight/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.0.0-beta.3.patch.0 - 2024-09-09 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.0 - 2024-11-06 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -1455,7 +1455,7 @@ var config = {
    * @memberof module:config
    * @property {Integer} preferredHashAlgorithm Default hash algorithm {@link module:enums.hash}
    */
-  preferredHashAlgorithm: enums.hash.sha256,
+  preferredHashAlgorithm: enums.hash.sha512,
   /**
    * @memberof module:config
    * @property {Integer} preferredSymmetricAlgorithm Default encryption cipher {@link module:enums.symmetric}
@@ -1682,7 +1682,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.0.0-beta.3.patch.0',
+  versionString: 'OpenPGP.js 6.0.0',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -1883,6 +1883,9 @@ const util = {
    * @returns {Uint8Array} Padded bytes.
    */
   leftPad(bytes, length) {
+    if (bytes.length > length) {
+      throw new Error('Input array too long');
+    }
     const padded = new Uint8Array(length);
     const offset = length - bytes.length;
     padded.set(bytes, offset);
@@ -2458,7 +2461,7 @@ function encode$1(data) {
  * @returns {Uint8Array | ReadableStream<Uint8Array>} Binary array version of input string.
  * @static
  */
-function decode$2(data) {
+function decode$1(data) {
   let buf = '';
   return transform(data, value => {
     buf += value;
@@ -2494,7 +2497,7 @@ function decode$2(data) {
  * @returns {Uint8Array} An array of 8-bit integers.
  */
 function b64ToUint8Array(base64) {
-  return decode$2(base64.replace(/-/g, '+').replace(/_/g, '/'));
+  return decode$1(base64.replace(/-/g, '+').replace(/_/g, '/'));
 }
 
 /**
@@ -2747,7 +2750,7 @@ function unarmor(input) {
       let headersDone;
       let text = [];
       let textDone;
-      const data = decode$2(transformPair(input, async (readable, writable) => {
+      const data = decode$1(transformPair(input, async (readable, writable) => {
         const reader = getReader(readable);
         try {
           while (true) {
@@ -4004,14 +4007,14 @@ function validatePCKS(data, pcks5) {
         return data;
     const len = data.length;
     if (!len)
-        throw new Error(`aes/pcks5: empty ciphertext not allowed`);
+        throw new Error('aes/pcks5: empty ciphertext not allowed');
     const lastByte = data[len - 1];
     if (lastByte <= 0 || lastByte > 16)
-        throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`);
+        throw new Error('aes/pcks5: wrong padding');
     const out = data.subarray(0, -lastByte);
     for (let i = 0; i < lastByte; i++)
         if (data[len - i - 1] !== lastByte)
-            throw new Error(`aes/pcks5: wrong padding`);
+            throw new Error('aes/pcks5: wrong padding');
     return out;
 }
 function padPCKS(left) {
@@ -4152,17 +4155,21 @@ function computeTag(fn, isLE, key, data, AAD) {
 }
 /**
  * GCM: Galois/Counter Mode.
- * Good, modern version of CTR, parallel, with MAC.
+ * Modern, parallel version of CTR, with MAC.
  * Be careful: MACs can be forged.
+ * Unsafe to use random nonces under the same key, due to collision chance.
+ * As for nonce size, prefer 12-byte, instead of 8-byte.
  */
 const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) {
     bytes(key);
     bytes(nonce);
     if (AAD !== undefined)
         bytes(AAD);
-    // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure.
-    if (nonce.length === 0)
-        throw new Error('aes/gcm: empty nonce');
+    // NIST 800-38d doesn't enforce minimum nonce length.
+    // We enforce 8 bytes for compat with openssl.
+    // 12 bytes are recommended. More than 12 bytes would be converted into 12.
+    if (nonce.length < 8)
+        throw new Error('aes/gcm: invalid nonce length');
     const tagLength = 16;
     function _computeTag(authKey, tagMask, data) {
         const tag = computeTag(ghash, false, authKey, data, AAD);
@@ -4175,12 +4182,11 @@ const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, functi
         const authKey = EMPTY_BLOCK.slice();
         const counter = EMPTY_BLOCK.slice();
         ctr32(xk, false, counter, counter, authKey);
+        // NIST 800-38d, page 15: different behavior for 96-bit and non-96-bit nonces
         if (nonce.length === 12) {
             counter.set(nonce);
         }
         else {
-            // Spec (NIST 800-38d) supports variable size nonce.
-            // Not supported for now, but can be useful.
             const nonceLen = EMPTY_BLOCK.slice();
             const view = createView(nonceLen);
             setBigUint64(view, 8, BigInt(nonce.length * 8), false);
@@ -4331,7 +4337,7 @@ const aeskw = wrapCipher({ blockSize: 8 }, (kek) => ({
     encrypt(plaintext) {
         bytes(plaintext);
         if (!plaintext.length || plaintext.length % 8 !== 0)
-            throw new Error('plaintext length must be non-empty and a multiple of 8 bytes');
+            throw new Error('invalid plaintext length');
         if (plaintext.length === 8)
             throw new Error('8-byte keys not allowed in AESKW, use AESKWP instead');
         const out = concatBytes$1(AESKW_IV, plaintext);
@@ -4340,10 +4346,11 @@ const aeskw = wrapCipher({ blockSize: 8 }, (kek) => ({
     },
     decrypt(ciphertext) {
         bytes(ciphertext);
+        // ciphertext must be at least 24 bytes and a multiple of 8 bytes
         // 24 because should have at least two block (1 iv + 2).
         // Replace with 16 to enable '8-byte keys'
         if (ciphertext.length % 8 !== 0 || ciphertext.length < 3 * 8)
-            throw new Error('ciphertext must be at least 24 bytes and a multiple of 8 bytes');
+            throw new Error('invalid ciphertext length');
         const out = copyBytes(ciphertext);
         AESW.decrypt(kek, out);
         if (!equalBytes$1(out.subarray(0, 8), AESKW_IV))
@@ -5617,16 +5624,13 @@ const nodeCrypto$6 = util.getNodeCrypto();
  * @returns {Uint8Array} Random byte array.
  */
 function getRandomBytes(length) {
-  const buf = new Uint8Array(length);
-  if (nodeCrypto$6) {
-    const bytes = nodeCrypto$6.randomBytes(buf.length);
-    buf.set(bytes);
-  } else if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
-    crypto.getRandomValues(buf);
+  const webcrypto = typeof crypto !== 'undefined' ? crypto : nodeCrypto$6?.webcrypto;
+  if (webcrypto?.getRandomValues) {
+    const buf = new Uint8Array(length);
+    return webcrypto.getRandomValues(buf);
   } else {
     throw new Error('No secure random number generator available.');
   }
-  return buf;
 }
 
 /**
@@ -6092,6 +6096,14 @@ const _1n$3 = BigInt(1);
  * @async
  */
 async function sign$7(hashAlgo, data, n, e, d, p, q, u, hashed) {
+  if (hash.getHashByteLength(hashAlgo) >= n.length) {
+    // Throw here instead of `emsaEncode` below, to provide a clearer and consistent error
+    // e.g. if a 512-bit RSA key is used with a SHA-512 digest.
+    // The size limit is actually slightly different but here we only care about throwing
+    // on common key sizes.
+    throw new Error('Digest size cannot exceed key modulus size');
+  }
+
   if (data && !util.isStream(data)) {
     if (util.getWebCrypto()) {
       try {
@@ -6311,9 +6323,6 @@ async function bnSign(hashAlgo, n, d, hashed) {
   n = uint8ArrayToBigInt(n);
   const m = uint8ArrayToBigInt(emsaEncode(hashAlgo, hashed, byteLength(n)));
   d = uint8ArrayToBigInt(d);
-  if (m >= n) {
-    throw new Error('Message size cannot exceed modulus size');
-  }
   return bigIntToUint8Array(modExp(m, d, n), 'be', byteLength(n));
 }
 
@@ -9280,13 +9289,16 @@ async function generate$4(algo) {
  */
 async function sign$6(algo, hashAlgo, message, publicKey, privateKey, hashed) {
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$2(algo))) {
+    // Enforce digest sizes:
+    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   switch (algo) {
     case enums.publicKey.ed25519:
       try {
         const webCrypto = util.getWebCrypto();
-        const jwk = privateKeyToJWK$1(algo, publicKey, privateKey);
+        const jwk = privateKeyToJWK(algo, publicKey, privateKey);
         const key = await webCrypto.importKey('jwk', jwk, 'Ed25519', false, ['sign']);
 
         const signature = new Uint8Array(
@@ -9327,13 +9339,16 @@ async function sign$6(algo, hashAlgo, message, publicKey, privateKey, hashed) {
  */
 async function verify$6(algo, hashAlgo, { RS }, m, publicKey, hashed) {
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$2(algo))) {
+    // Enforce digest sizes:
+    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   switch (algo) {
     case enums.publicKey.ed25519:
       try {
         const webCrypto = util.getWebCrypto();
-        const jwk = publicKeyToJWK$1(algo, publicKey);
+        const jwk = publicKeyToJWK(algo, publicKey);
         const key = await webCrypto.importKey('jwk', jwk, 'Ed25519', false, ['verify']);
         const verified = await webCrypto.verify('Ed25519', key, RS, hashed);
         return verified;
@@ -9408,7 +9423,7 @@ function getPreferredHashAlgo$2(algo) {
   }
 }
 
-const publicKeyToJWK$1 = (algo, publicKey) => {
+const publicKeyToJWK = (algo, publicKey) => {
   switch (algo) {
     case enums.publicKey.ed25519: {
       const jwk = {
@@ -9424,10 +9439,10 @@ const publicKeyToJWK$1 = (algo, publicKey) => {
   }
 };
 
-const privateKeyToJWK$1 = (algo, publicKey, privateKey) => {
+const privateKeyToJWK = (algo, publicKey, privateKey) => {
   switch (algo) {
     case enums.publicKey.ed25519: {
-      const jwk = publicKeyToJWK$1(algo, publicKey);
+      const jwk = publicKeyToJWK(algo, publicKey);
       jwk.d = uint8ArrayToB64(privateKey);
       return jwk;
     }
@@ -9576,27 +9591,12 @@ const HKDF_INFO = {
  */
 async function generate$3(algo) {
   switch (algo) {
-    case enums.publicKey.x25519:
-      try {
-        const webCrypto = util.getWebCrypto();
-        const webCryptoKey = await webCrypto.generateKey('X25519', true, ['deriveKey', 'deriveBits']);
-
-        const privateKey = await webCrypto.exportKey('jwk', webCryptoKey.privateKey);
-        const publicKey = await webCrypto.exportKey('jwk', webCryptoKey.publicKey);
-
-        return {
-          A: new Uint8Array(b64ToUint8Array(publicKey.x)),
-          k: b64ToUint8Array(privateKey.d, true)
-        };
-      } catch (err) {
-        if (err.name !== 'NotSupportedError') {
-          throw err;
-        }
-        // k stays in little-endian, unlike legacy ECDH over curve25519
-        const k = getRandomBytes(32);
-        const { publicKey: A } = nacl.box.keyPair.fromSecretKey(k);
-        return { A, k };
-      }
+    case enums.publicKey.x25519: {
+      // k stays in little-endian, unlike legacy ECDH over curve25519
+      const k = getRandomBytes(32);
+      const { publicKey: A } = nacl.box.keyPair.fromSecretKey(k);
+      return { A, k };
+    }
 
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
@@ -9738,36 +9738,18 @@ function getPayloadSize(algo) {
  */
 async function generateEphemeralEncryptionMaterial(algo, recipientA) {
   switch (algo) {
-    case enums.publicKey.x25519:
-      try {
-        const webCrypto = util.getWebCrypto();
-        const jwk = publicKeyToJWK(algo, recipientA);
-        const ephemeralKeyPair = await webCrypto.generateKey('X25519', true, ['deriveKey', 'deriveBits']);
-        const recipientPublicKey = await webCrypto.importKey('jwk', jwk, 'X25519', false, []);
-        const sharedSecretBuffer = await webCrypto.deriveBits(
-          { name: 'X25519', public: recipientPublicKey },
-          ephemeralKeyPair.privateKey,
-          getPayloadSize(algo) * 8 // in bits
-        );
-        const ephemeralPublicKeyJwt = await webCrypto.exportKey('jwk', ephemeralKeyPair.publicKey);
-        return {
-          sharedSecret: new Uint8Array(sharedSecretBuffer),
-          ephemeralPublicKey: new Uint8Array(b64ToUint8Array(ephemeralPublicKeyJwt.x))
-        };
-      } catch (err) {
-        if (err.name !== 'NotSupportedError') {
-          throw err;
-        }
-        const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
-        const sharedSecret = nacl.scalarMult(ephemeralSecretKey, recipientA);
-        const { publicKey: ephemeralPublicKey } = nacl.box.keyPair.fromSecretKey(ephemeralSecretKey);
-
-        return { ephemeralPublicKey, sharedSecret };
-      }
+    case enums.publicKey.x25519: {
+      const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
+      const sharedSecret = nacl.scalarMult(ephemeralSecretKey, recipientA);
+      assertNonZeroArray(sharedSecret);
+      const { publicKey: ephemeralPublicKey } = nacl.box.keyPair.fromSecretKey(ephemeralSecretKey);
+      return { ephemeralPublicKey, sharedSecret };
+    }
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
       const ephemeralSecretKey = x448.utils.randomPrivateKey();
       const sharedSecret = x448.getSharedSecret(ephemeralSecretKey, recipientA);
+      assertNonZeroArray(sharedSecret);
       const ephemeralPublicKey = x448.getPublicKey(ephemeralSecretKey);
       return { ephemeralPublicKey, sharedSecret };
     }
@@ -9778,28 +9760,15 @@ async function generateEphemeralEncryptionMaterial(algo, recipientA) {
 
 async function recomputeSharedSecret(algo, ephemeralPublicKey, A, k) {
   switch (algo) {
-    case enums.publicKey.x25519:
-      try {
-        const webCrypto = util.getWebCrypto();
-        const privateKeyJWK = privateKeyToJWK(algo, A, k);
-        const ephemeralPublicKeyJWK = publicKeyToJWK(algo, ephemeralPublicKey);
-        const privateKey = await webCrypto.importKey('jwk', privateKeyJWK, 'X25519', false, ['deriveKey', 'deriveBits']);
-        const ephemeralPublicKeyReference = await webCrypto.importKey('jwk', ephemeralPublicKeyJWK, 'X25519', false, []);
-        const sharedSecretBuffer = await webCrypto.deriveBits(
-          { name: 'X25519', public: ephemeralPublicKeyReference },
-          privateKey,
-          getPayloadSize(algo) * 8 // in bits
-        );
-        return new Uint8Array(sharedSecretBuffer);
-      } catch (err) {
-        if (err.name !== 'NotSupportedError') {
-          throw err;
-        }
-        return nacl.scalarMult(k, ephemeralPublicKey);
-      }
+    case enums.publicKey.x25519: {
+      const sharedSecret = nacl.scalarMult(k, ephemeralPublicKey);
+      assertNonZeroArray(sharedSecret);
+      return sharedSecret;
+    }
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
       const sharedSecret = x448.getSharedSecret(k, ephemeralPublicKey);
+      assertNonZeroArray(sharedSecret);
       return sharedSecret;
     }
     default:
@@ -9807,32 +9776,19 @@ async function recomputeSharedSecret(algo, ephemeralPublicKey, A, k) {
   }
 }
 
-
-function publicKeyToJWK(algo, publicKey) {
-  switch (algo) {
-    case enums.publicKey.x25519: {
-      const jwk = {
-        kty: 'OKP',
-        crv: 'X25519',
-        x: uint8ArrayToB64(publicKey),
-        ext: true
-      };
-      return jwk;
-    }
-    default:
-      throw new Error('Unsupported ECDH algorithm');
+/**
+ * x25519 and x448 produce an all-zero value when given as input a point with small order.
+ * This does not lead to a security issue in the context of ECDH, but it is still unexpected,
+ * hence we throw.
+ * @param {Uint8Array} sharedSecret
+ */
+function assertNonZeroArray(sharedSecret) {
+  let acc = 0;
+  for (let i = 0; i < sharedSecret.length; i++) {
+    acc |= sharedSecret[i];
   }
-}
-
-function privateKeyToJWK(algo, publicKey, privateKey) {
-  switch (algo) {
-    case enums.publicKey.x25519: {
-      const jwk = publicKeyToJWK(algo, publicKey);
-      jwk.d = uint8ArrayToB64(privateKey);
-      return jwk;
-    }
-    default:
-      throw new Error('Unsupported ECDH algorithm');
+  if (acc === 0) {
+    throw new Error('Unexpected low order point');
   }
 }
 
@@ -10544,7 +10500,9 @@ async function sign$4(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+    // Enforce digest sizes, since the constraint was already present in RFC4880bis:
     // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+    // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   const { RS: signature } = await sign$6(enums.publicKey.ed25519, hashAlgo, message, publicKey.subarray(1), privateKey, hashed);
@@ -10571,6 +10529,9 @@ async function verify$4(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+    // Enforce digest sizes, since the constraint was already present in RFC4880bis:
+    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+    // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   const RS = util.concatUint8Array([r, s]);
@@ -10649,7 +10610,7 @@ function encode(message) {
  * @param {Uint8Array} message - message to remove padding from
  * @returns {Uint8Array} Message without padding.
  */
-function decode$1(message) {
+function decode(message) {
   const len = message.length;
   if (len > 0) {
     const c = message[len - 1];
@@ -10666,7 +10627,7 @@ function decode$1(message) {
 
 var pkcs5 = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decode: decode$1,
+  decode: decode,
   encode: encode
 });
 
@@ -10859,7 +10820,7 @@ async function decrypt$1(oid, kdfParams, V, C, Q, d, fingerprint) {
     try {
       // Work around old go crypto bug and old OpenPGP.js bug, respectively.
       const Z = await kdf(kdfParams.hash, sharedKey, keySize, param, i === 1, i === 2);
-      return decode$1(await unwrap(kdfParams.cipher, Z, C));
+      return decode(await unwrap(kdfParams.cipher, Z, C));
     } catch (e) {
       err = e;
     }
@@ -11406,6 +11367,8 @@ function parseSignatureParams(algo, signature) {
     case enums.publicKey.dsa:
     case enums.publicKey.ecdsa:
     {
+      // If the signature payload sizes are unexpected, we will throw on verification,
+      // where we also have access to the OID curve from the key.
       const r = util.readMPI(signature.subarray(read)); read += r.length + 2;
       const s = util.readMPI(signature.subarray(read)); read += s.length + 2;
       return { read, signatureParams: { r, s } };
@@ -11414,12 +11377,11 @@ function parseSignatureParams(algo, signature) {
     // -  MPI of an EC point r.
     // -  EdDSA value s, in MPI, in the little endian representation
     case enums.publicKey.eddsaLegacy: {
-      // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
-      // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
-      let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
-      r = util.leftPad(r, 32);
-      let s = util.readMPI(signature.subarray(read)); read += s.length + 2;
-      s = util.leftPad(s, 32);
+      // Only Curve25519Legacy is supported (no Curve448Legacy), but the relevant checks are done on key parsing and signature
+      // verification: if the signature payload sizes are unexpected, we will throw on verification,
+      // where we also have access to the OID curve from the key.
+      const r = util.readMPI(signature.subarray(read)); read += r.length + 2;
+      const s = util.readMPI(signature.subarray(read)); read += s.length + 2;
       return { read, signatureParams: { r, s } };
     }
     // Algorithm-Specific Fields for Ed25519 signatures:
@@ -11480,8 +11442,12 @@ async function verify$1(algo, hashAlgo, signature, publicParams, privateParams,
     }
     case enums.publicKey.eddsaLegacy: {
       const { oid, Q } = publicParams;
-      // signature already padded on parsing
-      return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed);
+      const curveSize = new publicKey.elliptic.CurveWithOID(oid).payloadSize;
+      // When dealing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
+      // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
+      const r = util.leftPad(signature.r, curveSize);
+      const s = util.leftPad(signature.s, curveSize);
+      return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
     }
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448: {
@@ -12536,13 +12502,25 @@ class Argon2S2K {
     const { passes, parallelism, memoryExponent } = config$1.s2kArgon2Params;
 
     this.type = 'argon2';
-    /**  @type {Uint8Array} 16 bytes of salt */
+    /**
+     * 16 bytes of salt
+     * @type {Uint8Array}
+     */
     this.salt = null;
-    /** @type {Integer} number of passes */
+    /**
+     * number of passes
+     * @type {Integer}
+     */
     this.t = passes;
-    /** @type {Integer} degree of parallelism (lanes) */
+    /**
+     * degree of parallelism (lanes)
+     * @type {Integer}
+     */
     this.p = parallelism;
-    /** @type {Integer} exponent indicating memory size */
+    /**
+     * exponent indicating memory size
+     * @type {Integer}
+     */
     this.encodedM = memoryExponent;
   }
 
@@ -13734,849 +13712,6 @@ try {
 }
 catch (e) { }
 
-/*
-node-bzip - a pure-javascript Node.JS module for decoding bzip2 data
-
-Copyright (C) 2012 Eli Skeggs
-
-This library is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, see
-http://www.gnu.org/licenses/lgpl-2.1.html
-
-Adapted from bzip2.js, copyright 2011 antimatter15 (antimatter15@gmail.com).
-
-Based on micro-bunzip by Rob Landley (rob@landley.net).
-
-Based on bzip2 decompression code by Julian R Seward (jseward@acm.org),
-which also acknowledges contributions by Mike Burrows, David Wheeler,
-Peter Fenwick, Alistair Moffat, Radford Neal, Ian H. Witten,
-Robert Sedgewick, and Jon L. Bentley.
-*/
-
-var BITMASK = [0x00, 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3F, 0x7F, 0xFF];
-
-// offset in bytes
-var BitReader$1 = function(stream) {
-  this.stream = stream;
-  this.bitOffset = 0;
-  this.curByte = 0;
-  this.hasByte = false;
-};
-
-BitReader$1.prototype._ensureByte = function() {
-  if (!this.hasByte) {
-    this.curByte = this.stream.readByte();
-    this.hasByte = true;
-  }
-};
-
-// reads bits from the buffer
-BitReader$1.prototype.read = function(bits) {
-  var result = 0;
-  while (bits > 0) {
-    this._ensureByte();
-    var remaining = 8 - this.bitOffset;
-    // if we're in a byte
-    if (bits >= remaining) {
-      result <<= remaining;
-      result |= BITMASK[remaining] & this.curByte;
-      this.hasByte = false;
-      this.bitOffset = 0;
-      bits -= remaining;
-    } else {
-      result <<= bits;
-      var shift = remaining - bits;
-      result |= (this.curByte & (BITMASK[bits] << shift)) >> shift;
-      this.bitOffset += bits;
-      bits = 0;
-    }
-  }
-  return result;
-};
-
-// seek to an arbitrary point in the buffer (expressed in bits)
-BitReader$1.prototype.seek = function(pos) {
-  var n_bit = pos % 8;
-  var n_byte = (pos - n_bit) / 8;
-  this.bitOffset = n_bit;
-  this.stream.seek(n_byte);
-  this.hasByte = false;
-};
-
-// reads 6 bytes worth of data using the read method
-BitReader$1.prototype.pi = function() {
-  var buf = new Uint8Array(6), i;
-  for (i = 0; i < buf.length; i++) {
-    buf[i] = this.read(8);
-  }
-  return bufToHex(buf);
-};
-
-function bufToHex(buf) {
-  return Array.prototype.map.call(buf, x => ('00' + x.toString(16)).slice(-2)).join('');
-}
-
-var bitreader = BitReader$1;
-
-/* very simple input/output stream interface */
-
-var Stream$1 = function() {
-};
-
-// input streams //////////////
-/** Returns the next byte, or -1 for EOF. */
-Stream$1.prototype.readByte = function() {
-  throw new Error("abstract method readByte() not implemented");
-};
-/** Attempts to fill the buffer; returns number of bytes read, or
- *  -1 for EOF. */
-Stream$1.prototype.read = function(buffer, bufOffset, length) {
-  var bytesRead = 0;
-  while (bytesRead < length) {
-    var c = this.readByte();
-    if (c < 0) { // EOF
-      return (bytesRead===0) ? -1 : bytesRead;
-    }
-    buffer[bufOffset++] = c;
-    bytesRead++;
-  }
-  return bytesRead;
-};
-Stream$1.prototype.seek = function(new_pos) {
-  throw new Error("abstract method seek() not implemented");
-};
-
-// output streams ///////////
-Stream$1.prototype.writeByte = function(_byte) {
-  throw new Error("abstract method readByte() not implemented");
-};
-Stream$1.prototype.write = function(buffer, bufOffset, length) {
-  var i;
-  for (i=0; i<length; i++) {
-    this.writeByte(buffer[bufOffset++]);
-  }
-  return length;
-};
-Stream$1.prototype.flush = function() {
-};
-
-var stream = Stream$1;
-
-/* CRC32, used in Bzip2 implementation.
- * This is a port of CRC32.java from the jbzip2 implementation at
- *   https://code.google.com/p/jbzip2
- * which is:
- *   Copyright (c) 2011 Matthew Francis
- *
- *   Permission is hereby granted, free of charge, to any person
- *   obtaining a copy of this software and associated documentation
- *   files (the "Software"), to deal in the Software without
- *   restriction, including without limitation the rights to use,
- *   copy, modify, merge, publish, distribute, sublicense, and/or sell
- *   copies of the Software, and to permit persons to whom the
- *   Software is furnished to do so, subject to the following
- *   conditions:
- *
- *   The above copyright notice and this permission notice shall be
- *   included in all copies or substantial portions of the Software.
- *
- *   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- *   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
- *   OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- *   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- *   HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- *   WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- *   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
- *   OTHER DEALINGS IN THE SOFTWARE.
- * This JavaScript implementation is:
- *   Copyright (c) 2013 C. Scott Ananian
- * with the same licensing terms as Matthew Francis' original implementation.
- */
-
-var crc32 = (function() {
-
-  /**
-   * A static CRC lookup table
-   */
-  var crc32Lookup = new Uint32Array([
-    0x00000000, 0x04c11db7, 0x09823b6e, 0x0d4326d9, 0x130476dc, 0x17c56b6b, 0x1a864db2, 0x1e475005,
-    0x2608edb8, 0x22c9f00f, 0x2f8ad6d6, 0x2b4bcb61, 0x350c9b64, 0x31cd86d3, 0x3c8ea00a, 0x384fbdbd,
-    0x4c11db70, 0x48d0c6c7, 0x4593e01e, 0x4152fda9, 0x5f15adac, 0x5bd4b01b, 0x569796c2, 0x52568b75,
-    0x6a1936c8, 0x6ed82b7f, 0x639b0da6, 0x675a1011, 0x791d4014, 0x7ddc5da3, 0x709f7b7a, 0x745e66cd,
-    0x9823b6e0, 0x9ce2ab57, 0x91a18d8e, 0x95609039, 0x8b27c03c, 0x8fe6dd8b, 0x82a5fb52, 0x8664e6e5,
-    0xbe2b5b58, 0xbaea46ef, 0xb7a96036, 0xb3687d81, 0xad2f2d84, 0xa9ee3033, 0xa4ad16ea, 0xa06c0b5d,
-    0xd4326d90, 0xd0f37027, 0xddb056fe, 0xd9714b49, 0xc7361b4c, 0xc3f706fb, 0xceb42022, 0xca753d95,
-    0xf23a8028, 0xf6fb9d9f, 0xfbb8bb46, 0xff79a6f1, 0xe13ef6f4, 0xe5ffeb43, 0xe8bccd9a, 0xec7dd02d,
-    0x34867077, 0x30476dc0, 0x3d044b19, 0x39c556ae, 0x278206ab, 0x23431b1c, 0x2e003dc5, 0x2ac12072,
-    0x128e9dcf, 0x164f8078, 0x1b0ca6a1, 0x1fcdbb16, 0x018aeb13, 0x054bf6a4, 0x0808d07d, 0x0cc9cdca,
-    0x7897ab07, 0x7c56b6b0, 0x71159069, 0x75d48dde, 0x6b93dddb, 0x6f52c06c, 0x6211e6b5, 0x66d0fb02,
-    0x5e9f46bf, 0x5a5e5b08, 0x571d7dd1, 0x53dc6066, 0x4d9b3063, 0x495a2dd4, 0x44190b0d, 0x40d816ba,
-    0xaca5c697, 0xa864db20, 0xa527fdf9, 0xa1e6e04e, 0xbfa1b04b, 0xbb60adfc, 0xb6238b25, 0xb2e29692,
-    0x8aad2b2f, 0x8e6c3698, 0x832f1041, 0x87ee0df6, 0x99a95df3, 0x9d684044, 0x902b669d, 0x94ea7b2a,
-    0xe0b41de7, 0xe4750050, 0xe9362689, 0xedf73b3e, 0xf3b06b3b, 0xf771768c, 0xfa325055, 0xfef34de2,
-    0xc6bcf05f, 0xc27dede8, 0xcf3ecb31, 0xcbffd686, 0xd5b88683, 0xd1799b34, 0xdc3abded, 0xd8fba05a,
-    0x690ce0ee, 0x6dcdfd59, 0x608edb80, 0x644fc637, 0x7a089632, 0x7ec98b85, 0x738aad5c, 0x774bb0eb,
-    0x4f040d56, 0x4bc510e1, 0x46863638, 0x42472b8f, 0x5c007b8a, 0x58c1663d, 0x558240e4, 0x51435d53,
-    0x251d3b9e, 0x21dc2629, 0x2c9f00f0, 0x285e1d47, 0x36194d42, 0x32d850f5, 0x3f9b762c, 0x3b5a6b9b,
-    0x0315d626, 0x07d4cb91, 0x0a97ed48, 0x0e56f0ff, 0x1011a0fa, 0x14d0bd4d, 0x19939b94, 0x1d528623,
-    0xf12f560e, 0xf5ee4bb9, 0xf8ad6d60, 0xfc6c70d7, 0xe22b20d2, 0xe6ea3d65, 0xeba91bbc, 0xef68060b,
-    0xd727bbb6, 0xd3e6a601, 0xdea580d8, 0xda649d6f, 0xc423cd6a, 0xc0e2d0dd, 0xcda1f604, 0xc960ebb3,
-    0xbd3e8d7e, 0xb9ff90c9, 0xb4bcb610, 0xb07daba7, 0xae3afba2, 0xaafbe615, 0xa7b8c0cc, 0xa379dd7b,
-    0x9b3660c6, 0x9ff77d71, 0x92b45ba8, 0x9675461f, 0x8832161a, 0x8cf30bad, 0x81b02d74, 0x857130c3,
-    0x5d8a9099, 0x594b8d2e, 0x5408abf7, 0x50c9b640, 0x4e8ee645, 0x4a4ffbf2, 0x470cdd2b, 0x43cdc09c,
-    0x7b827d21, 0x7f436096, 0x7200464f, 0x76c15bf8, 0x68860bfd, 0x6c47164a, 0x61043093, 0x65c52d24,
-    0x119b4be9, 0x155a565e, 0x18197087, 0x1cd86d30, 0x029f3d35, 0x065e2082, 0x0b1d065b, 0x0fdc1bec,
-    0x3793a651, 0x3352bbe6, 0x3e119d3f, 0x3ad08088, 0x2497d08d, 0x2056cd3a, 0x2d15ebe3, 0x29d4f654,
-    0xc5a92679, 0xc1683bce, 0xcc2b1d17, 0xc8ea00a0, 0xd6ad50a5, 0xd26c4d12, 0xdf2f6bcb, 0xdbee767c,
-    0xe3a1cbc1, 0xe760d676, 0xea23f0af, 0xeee2ed18, 0xf0a5bd1d, 0xf464a0aa, 0xf9278673, 0xfde69bc4,
-    0x89b8fd09, 0x8d79e0be, 0x803ac667, 0x84fbdbd0, 0x9abc8bd5, 0x9e7d9662, 0x933eb0bb, 0x97ffad0c,
-    0xafb010b1, 0xab710d06, 0xa6322bdf, 0xa2f33668, 0xbcb4666d, 0xb8757bda, 0xb5365d03, 0xb1f740b4
-  ]);
-
-  var CRC32 = function() {
-    /**
-     * The current CRC
-     */
-    var crc = 0xffffffff;
-
-    /**
-     * @return The current CRC
-     */
-    this.getCRC = function() {
-      return (~crc) >>> 0; // return an unsigned value
-    };
-
-    /**
-     * Update the CRC with a single byte
-     * @param value The value to update the CRC with
-     */
-    this.updateCRC = function(value) {
-      crc = (crc << 8) ^ crc32Lookup[((crc >>> 24) ^ value) & 0xff];
-    };
-
-    /**
-     * Update the CRC with a sequence of identical bytes
-     * @param value The value to update the CRC with
-     * @param count The number of bytes
-     */
-    this.updateCRCRun = function(value, count) {
-      while (count-- > 0) {
-        crc = (crc << 8) ^ crc32Lookup[((crc >>> 24) ^ value) & 0xff];
-      }
-    };
-  };
-  return CRC32;
-})();
-
-/*
-seek-bzip - a pure-javascript module for seeking within bzip2 data
-
-Copyright (C) 2013 C. Scott Ananian
-Copyright (C) 2012 Eli Skeggs
-Copyright (C) 2011 Kevin Kwok
-
-This library is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, see
-http://www.gnu.org/licenses/lgpl-2.1.html
-
-Adapted from node-bzip, copyright 2012 Eli Skeggs.
-Adapted from bzip2.js, copyright 2011 Kevin Kwok (antimatter15@gmail.com).
-
-Based on micro-bunzip by Rob Landley (rob@landley.net).
-
-Based on bzip2 decompression code by Julian R Seward (jseward@acm.org),
-which also acknowledges contributions by Mike Burrows, David Wheeler,
-Peter Fenwick, Alistair Moffat, Radford Neal, Ian H. Witten,
-Robert Sedgewick, and Jon L. Bentley.
-*/
-
-var BitReader = bitreader;
-var Stream = stream;
-var CRC32 = crc32;
-
-var MAX_HUFCODE_BITS = 20;
-var MAX_SYMBOLS = 258;
-var SYMBOL_RUNA = 0;
-var SYMBOL_RUNB = 1;
-var MIN_GROUPS = 2;
-var MAX_GROUPS = 6;
-var GROUP_SIZE = 50;
-
-var WHOLEPI = "314159265359";
-var SQRTPI = "177245385090";
-
-var mtf = function(array, index) {
-  var src = array[index], i;
-  for (i = index; i > 0; i--) {
-    array[i] = array[i-1];
-  }
-  array[0] = src;
-  return src;
-};
-
-var Err = {
-  OK: 0,
-  LAST_BLOCK: -1,
-  NOT_BZIP_DATA: -2,
-  UNEXPECTED_INPUT_EOF: -3,
-  UNEXPECTED_OUTPUT_EOF: -4,
-  DATA_ERROR: -5,
-  OUT_OF_MEMORY: -6,
-  OBSOLETE_INPUT: -7,
-  END_OF_BLOCK: -8
-};
-var ErrorMessages = {};
-ErrorMessages[Err.LAST_BLOCK] =            "Bad file checksum";
-ErrorMessages[Err.NOT_BZIP_DATA] =         "Not bzip data";
-ErrorMessages[Err.UNEXPECTED_INPUT_EOF] =  "Unexpected input EOF";
-ErrorMessages[Err.UNEXPECTED_OUTPUT_EOF] = "Unexpected output EOF";
-ErrorMessages[Err.DATA_ERROR] =            "Data error";
-ErrorMessages[Err.OUT_OF_MEMORY] =         "Out of memory";
-ErrorMessages[Err.OBSOLETE_INPUT] = "Obsolete (pre 0.9.5) bzip format not supported.";
-
-var _throw = function(status, optDetail) {
-  var msg = ErrorMessages[status] || 'unknown error';
-  if (optDetail) { msg += ': '+optDetail; }
-  var e = new TypeError(msg);
-  e.errorCode = status;
-  throw e;
-};
-
-var Bunzip = function(inputStream, outputStream) {
-  this.writePos = this.writeCurrent = this.writeCount = 0;
-
-  this._start_bunzip(inputStream, outputStream);
-};
-Bunzip.prototype._init_block = function() {
-  var moreBlocks = this._get_next_block();
-  if ( !moreBlocks ) {
-    this.writeCount = -1;
-    return false; /* no more blocks */
-  }
-  this.blockCRC = new CRC32();
-  return true;
-};
-/* XXX micro-bunzip uses (inputStream, inputBuffer, len) as arguments */
-Bunzip.prototype._start_bunzip = function(inputStream, outputStream) {
-  /* Ensure that file starts with "BZh['1'-'9']." */
-  var buf = new Uint8Array(4);
-  if (inputStream.read(buf, 0, 4) !== 4 ||
-      String.fromCharCode(buf[0], buf[1], buf[2]) !== 'BZh')
-    _throw(Err.NOT_BZIP_DATA, 'bad magic');
-
-  var level = buf[3] - 0x30;
-  if (level < 1 || level > 9)
-    _throw(Err.NOT_BZIP_DATA, 'level out of range');
-
-  this.reader = new BitReader(inputStream);
-
-  /* Fourth byte (ascii '1'-'9'), indicates block size in units of 100k of
-     uncompressed data.  Allocate intermediate buffer for block. */
-  this.dbufSize = 100000 * level;
-  this.nextoutput = 0;
-  this.outputStream = outputStream;
-  this.streamCRC = 0;
-};
-Bunzip.prototype._get_next_block = function() {
-  var i, j, k;
-  var reader = this.reader;
-  // this is get_next_block() function from micro-bunzip:
-  /* Read in header signature and CRC, then validate signature.
-     (last block signature means CRC is for whole file, return now) */
-  var h = reader.pi();
-  if (h === SQRTPI) { // last block
-    return false; /* no more blocks */
-  }
-  if (h !== WHOLEPI)
-    _throw(Err.NOT_BZIP_DATA);
-  this.targetBlockCRC = reader.read(32) >>> 0; // (convert to unsigned)
-  this.streamCRC = (this.targetBlockCRC ^
-                    ((this.streamCRC << 1) | (this.streamCRC>>>31))) >>> 0;
-  /* We can add support for blockRandomised if anybody complains.  There was
-     some code for this in busybox 1.0.0-pre3, but nobody ever noticed that
-     it didn't actually work. */
-  if (reader.read(1))
-    _throw(Err.OBSOLETE_INPUT);
-  var origPointer = reader.read(24);
-  if (origPointer > this.dbufSize)
-    _throw(Err.DATA_ERROR, 'initial position out of bounds');
-  /* mapping table: if some byte values are never used (encoding things
-     like ascii text), the compression code removes the gaps to have fewer
-     symbols to deal with, and writes a sparse bitfield indicating which
-     values were present.  We make a translation table to convert the symbols
-     back to the corresponding bytes. */
-  var t = reader.read(16);
-  var symToByte = new Uint8Array(256), symTotal = 0;
-  for (i = 0; i < 16; i++) {
-    if (t & (1 << (0xF - i))) {
-      var o = i * 16;
-      k = reader.read(16);
-      for (j = 0; j < 16; j++)
-        if (k & (1 << (0xF - j)))
-          symToByte[symTotal++] = o + j;
-    }
-  }
-
-  /* How many different huffman coding groups does this block use? */
-  var groupCount = reader.read(3);
-  if (groupCount < MIN_GROUPS || groupCount > MAX_GROUPS)
-    _throw(Err.DATA_ERROR);
-  /* nSelectors: Every GROUP_SIZE many symbols we select a new huffman coding
-     group.  Read in the group selector list, which is stored as MTF encoded
-     bit runs.  (MTF=Move To Front, as each value is used it's moved to the
-     start of the list.) */
-  var nSelectors = reader.read(15);
-  if (nSelectors === 0)
-    _throw(Err.DATA_ERROR);
-
-  var mtfSymbol = new Uint8Array(256);
-  for (i = 0; i < groupCount; i++)
-    mtfSymbol[i] = i;
-
-  var selectors = new Uint8Array(nSelectors); // was 32768...
-
-  for (i = 0; i < nSelectors; i++) {
-    /* Get next value */
-    for (j = 0; reader.read(1); j++)
-      if (j >= groupCount) _throw(Err.DATA_ERROR);
-    /* Decode MTF to get the next selector */
-    selectors[i] = mtf(mtfSymbol, j);
-  }
-
-  /* Read the huffman coding tables for each group, which code for symTotal
-     literal symbols, plus two run symbols (RUNA, RUNB) */
-  var symCount = symTotal + 2;
-  var groups = [], hufGroup;
-  for (j = 0; j < groupCount; j++) {
-    var length = new Uint8Array(symCount), temp = new Uint16Array(MAX_HUFCODE_BITS + 1);
-    /* Read huffman code lengths for each symbol.  They're stored in
-       a way similar to mtf; record a starting value for the first symbol,
-       and an offset from the previous value for everys symbol after that. */
-    t = reader.read(5); // lengths
-    for (i = 0; i < symCount; i++) {
-      for (;;) {
-        if (t < 1 || t > MAX_HUFCODE_BITS) _throw(Err.DATA_ERROR);
-        /* If first bit is 0, stop.  Else second bit indicates whether
-           to increment or decrement the value. */
-        if(!reader.read(1))
-          break;
-        if(!reader.read(1))
-          t++;
-        else
-          t--;
-      }
-      length[i] = t;
-    }
-
-    /* Find largest and smallest lengths in this group */
-    var minLen,  maxLen;
-    minLen = maxLen = length[0];
-    for (i = 1; i < symCount; i++) {
-      if (length[i] > maxLen)
-        maxLen = length[i];
-      else if (length[i] < minLen)
-        minLen = length[i];
-    }
-
-    /* Calculate permute[], base[], and limit[] tables from length[].
-     *
-     * permute[] is the lookup table for converting huffman coded symbols
-     * into decoded symbols.  base[] is the amount to subtract from the
-     * value of a huffman symbol of a given length when using permute[].
-     *
-     * limit[] indicates the largest numerical value a symbol with a given
-     * number of bits can have.  This is how the huffman codes can vary in
-     * length: each code with a value>limit[length] needs another bit.
-     */
-    hufGroup = {};
-    groups.push(hufGroup);
-    hufGroup.permute = new Uint16Array(MAX_SYMBOLS);
-    hufGroup.limit = new Uint32Array(MAX_HUFCODE_BITS + 2);
-    hufGroup.base = new Uint32Array(MAX_HUFCODE_BITS + 1);
-    hufGroup.minLen = minLen;
-    hufGroup.maxLen = maxLen;
-    /* Calculate permute[].  Concurently, initialize temp[] and limit[]. */
-    var pp = 0;
-    for (i = minLen; i <= maxLen; i++) {
-      temp[i] = hufGroup.limit[i] = 0;
-      for (t = 0; t < symCount; t++)
-        if (length[t] === i)
-          hufGroup.permute[pp++] = t;
-    }
-    /* Count symbols coded for at each bit length */
-    for (i = 0; i < symCount; i++)
-      temp[length[i]]++;
-    /* Calculate limit[] (the largest symbol-coding value at each bit
-     * length, which is (previous limit<<1)+symbols at this level), and
-     * base[] (number of symbols to ignore at each bit length, which is
-     * limit minus the cumulative count of symbols coded for already). */
-    pp = t = 0;
-    for (i = minLen; i < maxLen; i++) {
-      pp += temp[i];
-      /* We read the largest possible symbol size and then unget bits
-         after determining how many we need, and those extra bits could
-         be set to anything.  (They're noise from future symbols.)  At
-         each level we're really only interested in the first few bits,
-         so here we set all the trailing to-be-ignored bits to 1 so they
-         don't affect the value>limit[length] comparison. */
-      hufGroup.limit[i] = pp - 1;
-      pp <<= 1;
-      t += temp[i];
-      hufGroup.base[i + 1] = pp - t;
-    }
-    hufGroup.limit[maxLen + 1] = Number.MAX_VALUE; /* Sentinal value for reading next sym. */
-    hufGroup.limit[maxLen] = pp + temp[maxLen] - 1;
-    hufGroup.base[minLen] = 0;
-  }
-  /* We've finished reading and digesting the block header.  Now read this
-     block's huffman coded symbols from the file and undo the huffman coding
-     and run length encoding, saving the result into dbuf[dbufCount++]=uc */
-
-  /* Initialize symbol occurrence counters and symbol Move To Front table */
-  var byteCount = new Uint32Array(256);
-  for (i = 0; i < 256; i++)
-    mtfSymbol[i] = i;
-  /* Loop through compressed symbols. */
-  var runPos = 0, dbufCount = 0, selector = 0, uc;
-  var dbuf = this.dbuf = new Uint32Array(this.dbufSize);
-  symCount = 0;
-  for (;;) {
-    /* Determine which huffman coding group to use. */
-    if (!(symCount--)) {
-      symCount = GROUP_SIZE - 1;
-      if (selector >= nSelectors) { _throw(Err.DATA_ERROR); }
-      hufGroup = groups[selectors[selector++]];
-    }
-    /* Read next huffman-coded symbol. */
-    i = hufGroup.minLen;
-    j = reader.read(i);
-    for (;;i++) {
-      if (i > hufGroup.maxLen) { _throw(Err.DATA_ERROR); }
-      if (j <= hufGroup.limit[i])
-        break;
-      j = (j << 1) | reader.read(1);
-    }
-    /* Huffman decode value to get nextSym (with bounds checking) */
-    j -= hufGroup.base[i];
-    if (j < 0 || j >= MAX_SYMBOLS) { _throw(Err.DATA_ERROR); }
-    var nextSym = hufGroup.permute[j];
-    /* We have now decoded the symbol, which indicates either a new literal
-       byte, or a repeated run of the most recent literal byte.  First,
-       check if nextSym indicates a repeated run, and if so loop collecting
-       how many times to repeat the last literal. */
-    if (nextSym === SYMBOL_RUNA || nextSym === SYMBOL_RUNB) {
-      /* If this is the start of a new run, zero out counter */
-      if (!runPos){
-        runPos = 1;
-        t = 0;
-      }
-      /* Neat trick that saves 1 symbol: instead of or-ing 0 or 1 at
-         each bit position, add 1 or 2 instead.  For example,
-         1011 is 1<<0 + 1<<1 + 2<<2.  1010 is 2<<0 + 2<<1 + 1<<2.
-         You can make any bit pattern that way using 1 less symbol than
-         the basic or 0/1 method (except all bits 0, which would use no
-         symbols, but a run of length 0 doesn't mean anything in this
-         context).  Thus space is saved. */
-      if (nextSym === SYMBOL_RUNA)
-        t += runPos;
-      else
-        t += 2 * runPos;
-      runPos <<= 1;
-      continue;
-    }
-    /* When we hit the first non-run symbol after a run, we now know
-       how many times to repeat the last literal, so append that many
-       copies to our buffer of decoded symbols (dbuf) now.  (The last
-       literal used is the one at the head of the mtfSymbol array.) */
-    if (runPos){
-      runPos = 0;
-      if (dbufCount + t > this.dbufSize) { _throw(Err.DATA_ERROR); }
-      uc = symToByte[mtfSymbol[0]];
-      byteCount[uc] += t;
-      while (t--)
-        dbuf[dbufCount++] = uc;
-    }
-    /* Is this the terminating symbol? */
-    if (nextSym > symTotal)
-      break;
-    /* At this point, nextSym indicates a new literal character.  Subtract
-       one to get the position in the MTF array at which this literal is
-       currently to be found.  (Note that the result can't be -1 or 0,
-       because 0 and 1 are RUNA and RUNB.  But another instance of the
-       first symbol in the mtf array, position 0, would have been handled
-       as part of a run above.  Therefore 1 unused mtf position minus
-       2 non-literal nextSym values equals -1.) */
-    if (dbufCount >= this.dbufSize) { _throw(Err.DATA_ERROR); }
-    i = nextSym - 1;
-    uc = mtf(mtfSymbol, i);
-    uc = symToByte[uc];
-    /* We have our literal byte.  Save it into dbuf. */
-    byteCount[uc]++;
-    dbuf[dbufCount++] = uc;
-  }
-  /* At this point, we've read all the huffman-coded symbols (and repeated
-     runs) for this block from the input stream, and decoded them into the
-     intermediate buffer.  There are dbufCount many decoded bytes in dbuf[].
-     Now undo the Burrows-Wheeler transform on dbuf.
-     See http://dogma.net/markn/articles/bwt/bwt.htm
-  */
-  if (origPointer < 0 || origPointer >= dbufCount) { _throw(Err.DATA_ERROR); }
-  /* Turn byteCount into cumulative occurrence counts of 0 to n-1. */
-  j = 0;
-  for (i = 0; i < 256; i++) {
-    k = j + byteCount[i];
-    byteCount[i] = j;
-    j = k;
-  }
-  /* Figure out what order dbuf would be in if we sorted it. */
-  for (i = 0; i < dbufCount; i++) {
-    uc = dbuf[i] & 0xff;
-    dbuf[byteCount[uc]] |= (i << 8);
-    byteCount[uc]++;
-  }
-  /* Decode first byte by hand to initialize "previous" byte.  Note that it
-     doesn't get output, and if the first three characters are identical
-     it doesn't qualify as a run (hence writeRunCountdown=5). */
-  var pos = 0, current = 0, run = 0;
-  if (dbufCount) {
-    pos = dbuf[origPointer];
-    current = (pos & 0xff);
-    pos >>= 8;
-    run = -1;
-  }
-  this.writePos = pos;
-  this.writeCurrent = current;
-  this.writeCount = dbufCount;
-  this.writeRun = run;
-
-  return true; /* more blocks to come */
-};
-/* Undo burrows-wheeler transform on intermediate buffer to produce output.
-   If start_bunzip was initialized with out_fd=-1, then up to len bytes of
-   data are written to outbuf.  Return value is number of bytes written or
-   error (all errors are negative numbers).  If out_fd!=-1, outbuf and len
-   are ignored, data is written to out_fd and return is RETVAL_OK or error.
-*/
-Bunzip.prototype._read_bunzip = function(outputBuffer, len) {
-    var copies, previous, outbyte;
-    /* james@jamestaylor.org: writeCount goes to -1 when the buffer is fully
-       decoded, which results in this returning RETVAL_LAST_BLOCK, also
-       equal to -1... Confusing, I'm returning 0 here to indicate no
-       bytes written into the buffer */
-  if (this.writeCount < 0) { return 0; }
-  var dbuf = this.dbuf, pos = this.writePos, current = this.writeCurrent;
-  var dbufCount = this.writeCount; this.outputsize;
-  var run = this.writeRun;
-
-  while (dbufCount) {
-    dbufCount--;
-    previous = current;
-    pos = dbuf[pos];
-    current = pos & 0xff;
-    pos >>= 8;
-    if (run++ === 3){
-      copies = current;
-      outbyte = previous;
-      current = -1;
-    } else {
-      copies = 1;
-      outbyte = current;
-    }
-    this.blockCRC.updateCRCRun(outbyte, copies);
-    while (copies--) {
-      this.outputStream.writeByte(outbyte);
-      this.nextoutput++;
-    }
-    if (current != previous)
-      run = 0;
-  }
-  this.writeCount = dbufCount;
-  // check CRC
-  if (this.blockCRC.getCRC() !== this.targetBlockCRC) {
-    _throw(Err.DATA_ERROR, "Bad block CRC "+
-           "(got "+this.blockCRC.getCRC().toString(16)+
-           " expected "+this.targetBlockCRC.toString(16)+")");
-  }
-  return this.nextoutput;
-};
-
-var coerceInputStream = function(input) {
-  if ('readByte' in input) { return input; }
-  var inputStream = new Stream();
-  inputStream.pos = 0;
-  inputStream.readByte = function() { return input[this.pos++]; };
-  inputStream.seek = function(pos) { this.pos = pos; };
-  inputStream.eof = function() { return this.pos >= input.length; };
-  return inputStream;
-};
-var coerceOutputStream = function(output) {
-  var outputStream = new Stream();
-  var resizeOk = true;
-  if (output) {
-    if (typeof(output)==='number') {
-      outputStream.buffer = new Uint8Array(output);
-      resizeOk = false;
-    } else if ('writeByte' in output) {
-      return output;
-    } else {
-      outputStream.buffer = output;
-      resizeOk = false;
-    }
-  } else {
-    outputStream.buffer = new Uint8Array(16384);
-  }
-  outputStream.pos = 0;
-  outputStream.writeByte = function(_byte) {
-    if (resizeOk && this.pos >= this.buffer.length) {
-      var newBuffer = new Uint8Array(this.buffer.length*2);
-      newBuffer.set(this.buffer);
-      this.buffer = newBuffer;
-    }
-    this.buffer[this.pos++] = _byte;
-  };
-  outputStream.getBuffer = function() {
-    // trim buffer
-    if (this.pos !== this.buffer.length) {
-      if (!resizeOk)
-        throw new TypeError('outputsize does not match decoded input');
-      var newBuffer = new Uint8Array(this.pos);
-      newBuffer.set(this.buffer.subarray(0, this.pos));
-      this.buffer = newBuffer;
-    }
-    return this.buffer;
-  };
-  outputStream._coerced = true;
-  return outputStream;
-};
-
-/* Static helper functions */
-// 'input' can be a stream or a buffer
-// 'output' can be a stream or a buffer or a number (buffer size)
-const decode = function(input, output, multistream) {
-  // make a stream from a buffer, if necessary
-  var inputStream = coerceInputStream(input);
-  var outputStream = coerceOutputStream(output);
-
-  var bz = new Bunzip(inputStream, outputStream);
-  while (true) {
-    if ('eof' in inputStream && inputStream.eof()) break;
-    if (bz._init_block()) {
-      bz._read_bunzip();
-    } else {
-      var targetStreamCRC = bz.reader.read(32) >>> 0; // (convert to unsigned)
-      if (targetStreamCRC !== bz.streamCRC) {
-        _throw(Err.DATA_ERROR, "Bad stream CRC "+
-               "(got "+bz.streamCRC.toString(16)+
-               " expected "+targetStreamCRC.toString(16)+")");
-      }
-      if (multistream &&
-          'eof' in inputStream &&
-          !inputStream.eof()) {
-        // note that start_bunzip will also resync the bit reader to next byte
-        bz._start_bunzip(inputStream, outputStream);
-      } else break;
-    }
-  }
-  if ('getBuffer' in outputStream)
-    return outputStream.getBuffer();
-};
-const decodeBlock = function(input, pos, output) {
-  // make a stream from a buffer, if necessary
-  var inputStream = coerceInputStream(input);
-  var outputStream = coerceOutputStream(output);
-  var bz = new Bunzip(inputStream, outputStream);
-  bz.reader.seek(pos);
-  /* Fill the decode buffer for the block */
-  var moreBlocks = bz._get_next_block();
-  if (moreBlocks) {
-    /* Init the CRC for writing */
-    bz.blockCRC = new CRC32();
-
-    /* Zero this so the current byte from before the seek is not written */
-    bz.writeCopies = 0;
-
-    /* Decompress the block and write to stdout */
-    bz._read_bunzip();
-    // XXX keep writing?
-  }
-  if ('getBuffer' in outputStream)
-    return outputStream.getBuffer();
-};
-/* Reads bzip2 file from stream or buffer `input`, and invoke
- * `callback(position, size)` once for each bzip2 block,
- * where position gives the starting position (in *bits*)
- * and size gives uncompressed size of the block (in *bytes*). */
-const table = function(input, callback, multistream) {
-  // make a stream from a buffer, if necessary
-  var inputStream = new Stream();
-  inputStream.delegate = coerceInputStream(input);
-  inputStream.pos = 0;
-  inputStream.readByte = function() {
-    this.pos++;
-    return this.delegate.readByte();
-  };
-  if (inputStream.delegate.eof) {
-    inputStream.eof = inputStream.delegate.eof.bind(inputStream.delegate);
-  }
-  var outputStream = new Stream();
-  outputStream.pos = 0;
-  outputStream.writeByte = function() { this.pos++; };
-
-  var bz = new Bunzip(inputStream, outputStream);
-  var blockSize = bz.dbufSize;
-  while (true) {
-    if ('eof' in inputStream && inputStream.eof()) break;
-
-    var position = inputStream.pos*8 + bz.reader.bitOffset;
-    if (bz.reader.hasByte) { position -= 8; }
-
-    if (bz._init_block()) {
-      var start = outputStream.pos;
-      bz._read_bunzip();
-      callback(position, outputStream.pos - start);
-    } else {
-      bz.reader.read(32); // (but we ignore the crc)
-      if (multistream &&
-          'eof' in inputStream &&
-          !inputStream.eof()) {
-        // note that start_bunzip will also resync the bit reader to next byte
-        bz._start_bunzip(inputStream, outputStream);
-        console.assert(bz.dbufSize === blockSize,
-                       "shouldn't change block size within multistream file");
-      } else break;
-    }
-  }
-};
-
-var lib = {
-  Bunzip,
-  Stream,
-  Err,
-  decode,
-  decodeBlock,
-  table
-};
-
 // GPG4Browsers - An OpenPGP implementation in javascript
 // Copyright (C) 2011 Recurity Labs GmbH
 //
@@ -16229,12 +15364,12 @@ class CompressedDataPacket {
    */
   async decompress(config$1 = config) {
     const compressionName = enums.read(enums.compression, this.algorithm);
-    const decompressionFn = decompress_fns[compressionName];
+    const decompressionFn = decompress_fns[compressionName]; // bzip decompression is async
     if (!decompressionFn) {
       throw new Error(`${compressionName} decompression not supported`);
     }
 
-    this.packets = await PacketList.fromBinary(decompressionFn(this.compressed), allowedPackets$5, config$1);
+    this.packets = await PacketList.fromBinary(await decompressionFn(this.compressed), allowedPackets$5, config$1);
   }
 
   /**
@@ -16321,9 +15456,10 @@ function zlib(compressionStreamInstantiator, ZlibStreamedConstructor) {
   };
 }
 
-function bzip2(func) {
-  return function(data) {
-    return fromAsync(async () => func(await readToEnd(data)));
+function bzip2Decompress() {
+  return async function(data) {
+    const { decode: bunzipDecode } = await import('./seek-bzip.mjs').then(function (n) { return n.i; });
+    return fromAsync(async () => bunzipDecode(await readToEnd(data)));
   };
 }
 
@@ -16348,7 +15484,7 @@ const decompress_fns = {
   uncompressed: data => data,
   zip: /*#__PURE__*/ zlib(getCompressionStreamInstantiators('deflate-raw').decompressor, Inflate),
   zlib: /*#__PURE__*/ zlib(getCompressionStreamInstantiators('deflate').decompressor, Unzlib),
-  bzip2: /*#__PURE__*/ bzip2(lib.decode)
+  bzip2: /*#__PURE__*/ bzip2Decompress() // NB: async due to dynamic lib import
 };
 
 // GPG4Browsers - An OpenPGP implementation in javascript
@@ -16468,6 +15604,16 @@ class SymEncryptedIntegrityProtectedDataPacket {
    * @async
    */
   async encrypt(sessionKeyAlgorithm, key, config$1 = config) {
+    // We check that the session key size matches the one expected by the symmetric algorithm.
+    // This is especially important for SEIPDv2 session keys, as a key derivation step is run where the resulting key will always match the expected cipher size,
+    // but we want to ensure that the input key isn't e.g. too short.
+    // The check is done here, instead of on encrypted session key (ESK) encryption, because v6 ESK packets do not store the session key algorithm,
+    // which is instead included in the SEIPDv2 data.
+    const { blockSize, keySize } = mod.getCipherParams(sessionKeyAlgorithm);
+    if (key.length !== keySize) {
+      throw new Error('Unexpected session key size');
+    }
+
     let bytes = this.packets.write();
     if (isArrayStream(bytes)) bytes = await readToEnd(bytes);
 
@@ -16478,8 +15624,6 @@ class SymEncryptedIntegrityProtectedDataPacket {
       this.chunkSizeByte = config$1.aeadChunkSizeByte;
       this.encrypted = await runAEAD(this, 'encrypt', key, bytes);
     } else {
-      const { blockSize } = mod.getCipherParams(sessionKeyAlgorithm);
-
       const prefix = await mod.getPrefixRandom(sessionKeyAlgorithm);
       const mdc = new Uint8Array([0xD3, 0x14]); // modification detection code packet
 
@@ -16502,11 +15646,24 @@ class SymEncryptedIntegrityProtectedDataPacket {
    * @async
    */
   async decrypt(sessionKeyAlgorithm, key, config$1 = config) {
+    // We check that the session key size matches the one expected by the symmetric algorithm.
+    // This is especially important for SEIPDv2 session keys, as a key derivation step is run where the resulting key will always match the expected cipher size,
+    // but we want to ensure that the input key isn't e.g. too short.
+    // The check is done here, instead of on encrypted session key (ESK) decryption, because v6 ESK packets do not store the session key algorithm,
+    // which is instead included in the SEIPDv2 data.
+    if (key.length !== mod.getCipherParams(sessionKeyAlgorithm).keySize) {
+      throw new Error('Unexpected session key size');
+    }
+
     let encrypted = clone(this.encrypted);
     if (isArrayStream(encrypted)) encrypted = await readToEnd(encrypted);
 
     let packetbytes;
     if (this.version === 2) {
+      if (this.cipherAlgorithm !== sessionKeyAlgorithm) {
+        // sanity check
+        throw new Error('Unexpected session key algorithm');
+      }
       packetbytes = await runAEAD(this, 'decrypt', key, encrypted);
     } else {
       const { blockSize } = mod.getCipherParams(sessionKeyAlgorithm);
@@ -16974,11 +16131,14 @@ class PublicKeyEncryptedSessionKeyPacket {
 
     const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
 
-    // v3 Montgomery curves have cleartext cipher algo
-    if (this.version === 3 && (
-      this.publicKeyAlgorithm !== enums.publicKey.x25519 && this.publicKeyAlgorithm !== enums.publicKey.x448)
-    ) {
-      this.sessionKeyAlgorithm = sessionKeyAlgorithm;
+    if (this.version === 3) {
+      // v3 Montgomery curves have cleartext cipher algo
+      const hasEncryptedAlgo = this.publicKeyAlgorithm !== enums.publicKey.x25519 && this.publicKeyAlgorithm !== enums.publicKey.x448;
+      this.sessionKeyAlgorithm = hasEncryptedAlgo ? sessionKeyAlgorithm : this.sessionKeyAlgorithm;
+
+      if (sessionKey.length !== mod.getCipherParams(this.sessionKeyAlgorithm).keySize) {
+        throw new Error('Unexpected session key size');
+      }
     }
     this.sessionKey = sessionKey;
   }
@@ -17108,7 +16268,7 @@ class SymEncryptedSessionKeyPacket {
      * Algorithm to encrypt the message with
      * @type {enums.symmetric}
      */
-    this.sessionKeyAlgorithm = enums.symmetric.aes256;
+    this.sessionKeyAlgorithm = null;
     /**
      * AEAD mode to encrypt the session key with (if AEAD protection is enabled)
      * @type {enums.aead}
@@ -17229,7 +16389,11 @@ class SymEncryptedSessionKeyPacket {
 
       this.sessionKeyAlgorithm = enums.write(enums.symmetric, decrypted[0]);
       this.sessionKey = decrypted.subarray(1, decrypted.length);
+      if (this.sessionKey.length !== mod.getCipherParams(this.sessionKeyAlgorithm).keySize) {
+        throw new Error('Unexpected session key size');
+      }
     } else {
+      // session key size is checked as part of SEIPDv2 decryption, where we know the expected symmetric algo
       this.sessionKey = key;
     }
   }
@@ -18878,7 +18042,7 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
   const signatureProperties = { signatureType: enums.signature.subkeyBinding };
   if (options.sign) {
     signatureProperties.keyFlags = [enums.keyFlags.signData];
-    signatureProperties.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
+    signatureProperties.embeddedSignature = await createSignaturePacket(dataToSign, [], subkey, {
       signatureType: enums.signature.keyBinding
     }, options.date, undefined, undefined, undefined, config);
   } else {
@@ -18890,41 +18054,95 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
     signatureProperties.keyExpirationTime = options.keyExpirationTime;
     signatureProperties.keyNeverExpires = false;
   }
-  const subkeySignaturePacket = await createSignaturePacket(dataToSign, null, primaryKey, signatureProperties, options.date, undefined, undefined, undefined, config);
+  const subkeySignaturePacket = await createSignaturePacket(dataToSign, [], primaryKey, signatureProperties, options.date, undefined, undefined, undefined, config);
   return subkeySignaturePacket;
 }
 
 /**
- * Returns the preferred signature hash algorithm of a key
- * @param {Key} [key] - The key to get preferences from
- * @param {SecretKeyPacket|SecretSubkeyPacket} keyPacket - key packet used for signing
+ * Returns the preferred signature hash algorithm for a set of keys.
+ * @param {Array<Key>} [targetKeys] - The keys to get preferences from
+ * @param {SecretKeyPacket|SecretSubkeyPacket} signingKeyPacket - key packet used for signing
  * @param {Date} [date] - Use the given date for verification instead of the current time
- * @param {Object} [userID] - User ID
+ * @param {Object} [targetUserID] - User IDs corresponding to `targetKeys` to get preferences from
  * @param {Object} config - full configuration
  * @returns {Promise<enums.hash>}
  * @async
  */
-async function getPreferredHashAlgo(key, keyPacket, date = new Date(), userID = {}, config) {
-  let hashAlgo = config.preferredHashAlgorithm;
-  let prefAlgo = hashAlgo;
-  if (key) {
-    const selfCertification = await key.getPrimarySelfSignature(date, userID, config);
-    if (selfCertification.preferredHashAlgorithms) {
-      [prefAlgo] = selfCertification.preferredHashAlgorithms;
-      hashAlgo = mod.hash.getHashByteLength(hashAlgo) <= mod.hash.getHashByteLength(prefAlgo) ?
-        prefAlgo : hashAlgo;
+async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Date(), targetUserIDs = [], config) {
+  /**
+   * If `preferredSenderAlgo` appears in the prefs of all recipients, we pick it; otherwise, we use the
+   * strongest supported algo (`defaultAlgo` is always implicitly supported by all keys).
+   * if no keys are available, `preferredSenderAlgo` is returned.
+   * For ECC signing key, the curve preferred hash is taken into account as well (see logic below).
+   */
+  const defaultAlgo = enums.hash.sha256; // MUST implement
+  const preferredSenderAlgo = config.preferredHashAlgorithm;
+
+  const supportedAlgosPerTarget = await Promise.all(targetKeys.map(async (key, i) => {
+    const selfCertification = await key.getPrimarySelfSignature(date, targetUserIDs[i], config);
+    const targetPrefs = selfCertification.preferredHashAlgorithms;
+    return targetPrefs;
+  }));
+  const supportedAlgosMap = new Map(); // use Map over object to preserve numeric keys
+  for (const supportedAlgos of supportedAlgosPerTarget) {
+    for (const hashAlgo of supportedAlgos) {
+      try {
+        // ensure that `hashAlgo` is recognized/implemented by us, otherwise e.g. `getHashByteLength` will throw later on
+        const supportedAlgo = enums.write(enums.hash, hashAlgo);
+        supportedAlgosMap.set(
+          supportedAlgo,
+          supportedAlgosMap.has(supportedAlgo) ? supportedAlgosMap.get(supportedAlgo) + 1 : 1
+        );
+      } catch {}
     }
   }
-  switch (keyPacket.algorithm) {
-    case enums.publicKey.ecdsa:
-    case enums.publicKey.eddsaLegacy:
-    case enums.publicKey.ed25519:
-    case enums.publicKey.ed448:
-      prefAlgo = mod.getPreferredCurveHashAlgo(keyPacket.algorithm, keyPacket.publicParams.oid);
+  const isSupportedHashAlgo = hashAlgo => targetKeys.length === 0 || supportedAlgosMap.get(hashAlgo) === targetKeys.length || hashAlgo === defaultAlgo;
+  const getStrongestSupportedHashAlgo = () => {
+    if (supportedAlgosMap.size === 0) {
+      return defaultAlgo;
+    }
+    const sortedHashAlgos = Array.from(supportedAlgosMap.keys())
+      .filter(hashAlgo => isSupportedHashAlgo(hashAlgo))
+      .sort((algoA, algoB) => mod.hash.getHashByteLength(algoA) - mod.hash.getHashByteLength(algoB));
+    const strongestHashAlgo = sortedHashAlgos[0];
+    // defaultAlgo is always implicilty supported, and might be stronger than the rest
+    return mod.hash.getHashByteLength(strongestHashAlgo) >= mod.hash.getHashByteLength(defaultAlgo) ? strongestHashAlgo : defaultAlgo;
+  };
+
+  const eccAlgos = new Set([
+    enums.publicKey.ecdsa,
+    enums.publicKey.eddsaLegacy,
+    enums.publicKey.ed25519,
+    enums.publicKey.ed448
+  ]);
+
+  if (eccAlgos.has(signingKeyPacket.algorithm)) {
+    // For ECC, the returned hash algo MUST be at least as strong as `preferredCurveHashAlgo`, see:
+    // - ECDSA: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.2-5
+    // - EdDSALegacy: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
+    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
+    // Hence, we return the `preferredHashAlgo` as long as it's supported and strong enough;
+    // Otherwise, we look at the strongest supported algo, and ultimately fallback to the curve
+    // preferred algo, even if not supported by all targets.
+    const preferredCurveAlgo = mod.getPreferredCurveHashAlgo(signingKeyPacket.algorithm, signingKeyPacket.publicParams.oid);
+
+    const preferredSenderAlgoIsSupported = isSupportedHashAlgo(preferredSenderAlgo);
+    const preferredSenderAlgoStrongerThanCurveAlgo = mod.hash.getHashByteLength(preferredSenderAlgo) >= mod.hash.getHashByteLength(preferredCurveAlgo);
+
+    if (preferredSenderAlgoIsSupported && preferredSenderAlgoStrongerThanCurveAlgo) {
+      return preferredSenderAlgo;
+    } else {
+      const strongestSupportedAlgo = getStrongestSupportedHashAlgo();
+      return mod.hash.getHashByteLength(strongestSupportedAlgo) >= mod.hash.getHashByteLength(preferredCurveAlgo) ?
+        strongestSupportedAlgo :
+        preferredCurveAlgo;
+    }
   }
 
-  return mod.hash.getHashByteLength(hashAlgo) <= mod.hash.getHashByteLength(prefAlgo) ?
-    prefAlgo : hashAlgo;
+  // `preferredSenderAlgo` may be weaker than the default, but we do not guard against this,
+  // since it was manually set by the sender.
+  return isSupportedHashAlgo(preferredSenderAlgo) ? preferredSenderAlgo : getStrongestSupportedHashAlgo();
 }
 
 /**
@@ -18995,7 +18213,7 @@ async function getPreferredCipherSuite(keys = [], date = new Date(), userIDs = [
 /**
  * Create signature packet
  * @param {Object} dataToSign - Contains packets to be signed
- * @param {PrivateKey} privateKey - key to get preferences from
+ * @param {Array<Key>} recipientKeys - keys to get preferences from
  * @param  {SecretKeyPacket|
  *          SecretSubkeyPacket}              signingKeyPacket secret key packet for signing
  * @param {Object} [signatureProperties] - Properties to write on the signature packet before signing
@@ -19006,7 +18224,7 @@ async function getPreferredCipherSuite(keys = [], date = new Date(), userIDs = [
  * @param {Object} config - full configuration
  * @returns {Promise<SignaturePacket>} Signature packet.
  */
-async function createSignaturePacket(dataToSign, privateKey, signingKeyPacket, signatureProperties, date, userID, notations = [], detached = false, config) {
+async function createSignaturePacket(dataToSign, recipientKeys, signingKeyPacket, signatureProperties, date, recipientUserIDs, notations = [], detached = false, config) {
   if (signingKeyPacket.isDummy()) {
     throw new Error('Cannot sign with a gnu-dummy key.');
   }
@@ -19016,7 +18234,7 @@ async function createSignaturePacket(dataToSign, privateKey, signingKeyPacket, s
   const signaturePacket = new SignaturePacket();
   Object.assign(signaturePacket, signatureProperties);
   signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;
-  signaturePacket.hashAlgorithm = await getPreferredHashAlgo(privateKey, signingKeyPacket, date, userID, config);
+  signaturePacket.hashAlgorithm = await getPreferredHashAlgo(recipientKeys, signingKeyPacket, date, recipientUserIDs, config);
   signaturePacket.rawNotations = [...notations];
   await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached, config);
   return signaturePacket;
@@ -19353,7 +18571,7 @@ class User {
         throw new Error("The user's own key can only be used for self-certifications");
       }
       const signingKey = await privateKey.getSigningKey(undefined, date, undefined, config);
-      return createSignaturePacket(dataToSign, privateKey, signingKey.keyPacket, {
+      return createSignaturePacket(dataToSign, [privateKey], signingKey.keyPacket, {
         // Most OpenPGP implementations use generic certification (0x10)
         signatureType: enums.signature.certGeneric,
         keyFlags: [enums.keyFlags.certifyKeys | enums.keyFlags.signData]
@@ -19541,7 +18759,7 @@ class User {
       key: primaryKey
     };
     const user = new User(dataToSign.userID || dataToSign.userAttribute, this.mainKey);
-    user.revocationSignatures.push(await createSignaturePacket(dataToSign, null, primaryKey, {
+    user.revocationSignatures.push(await createSignaturePacket(dataToSign, [], primaryKey, {
       signatureType: enums.signature.certRevocation,
       reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),
       reasonForRevocationString
@@ -19734,7 +18952,7 @@ class Subkey {
   ) {
     const dataToSign = { key: primaryKey, bind: this.keyPacket };
     const subkey = new Subkey(this.keyPacket, this.mainKey);
-    subkey.revocationSignatures.push(await createSignaturePacket(dataToSign, null, primaryKey, {
+    subkey.revocationSignatures.push(await createSignaturePacket(dataToSign, [], primaryKey, {
       signatureType: enums.signature.subkeyRevocation,
       reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),
       reasonForRevocationString
@@ -20767,7 +19985,7 @@ class PrivateKey extends PublicKey {
     }
     const dataToSign = { key: this.keyPacket };
     const key = this.clone();
-    key.revocationSignatures.push(await createSignaturePacket(dataToSign, null, this.keyPacket, {
+    key.revocationSignatures.push(await createSignaturePacket(dataToSign, [], this.keyPacket, {
       signatureType: enums.signature.keyRevocation,
       reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),
       reasonForRevocationString
@@ -21080,7 +20298,7 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
     const signatureProperties = getKeySignatureProperties();
     signatureProperties.signatureType = enums.signature.key;
 
-    const signaturePacket = await createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
+    const signaturePacket = await createSignaturePacket(dataToSign, [], secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
     packetlist.push(signaturePacket);
   }
 
@@ -21096,7 +20314,7 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
       signatureProperties.isPrimaryUserID = true;
     }
 
-    const signaturePacket = await createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
+    const signaturePacket = await createSignaturePacket(dataToSign, [], secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
 
     return { userIDPacket, signaturePacket };
   })).then(list => {
@@ -21120,7 +20338,7 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
   // Add revocation signature packet for creating a revocation certificate.
   // This packet should be removed before returning the key.
   const dataToSign = { key: secretKeyPacket };
-  packetlist.push(await createSignaturePacket(dataToSign, null, secretKeyPacket, {
+  packetlist.push(await createSignaturePacket(dataToSign, [], secretKeyPacket, {
     signatureType: enums.signature.keyRevocation,
     reasonForRevocationFlag: enums.reasonForRevocation.noReason,
     reasonForRevocationString: ''
@@ -21795,16 +21013,18 @@ class Message {
   /**
    * Sign the message (the literal data packet of the message)
    * @param {Array<PrivateKey>} signingKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} recipientKeys - recipient keys to get the signing preferences from
    * @param {Signature} [signature] - Any existing detached signature to add to the message
    * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
    * @param {Date} [date] - Override the creation time of the signature
-   * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array<UserID>} [signingUserIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array<UserID>} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from
    * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]
    * @param {Object} [config] - Full configuration, defaults to openpgp.config
    * @returns {Promise<Message>} New message with signed content.
    * @async
    */
-  async sign(signingKeys = [], signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], notations = [], config$1 = config) {
+  async sign(signingKeys = [], recipientKeys = [], signature = null, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], notations = [], config$1 = config) {
     const packetlist = new PacketList();
 
     const literalDataPacket = this.packets.findPacket(enums.packet.literalData);
@@ -21812,7 +21032,7 @@ class Message {
       throw new Error('No literal data packet to sign.');
     }
 
-    const signaturePackets = await createSignaturePackets(literalDataPacket, signingKeys, signature, signingKeyIDs, date, userIDs, notations, false, config$1); // this returns the existing signature packets as well
+    const signaturePackets = await createSignaturePackets(literalDataPacket, signingKeys, recipientKeys, signature, signingKeyIDs, date, signingUserIDs, recipientUserIDs, notations, false, config$1); // this returns the existing signature packets as well
     const onePassSignaturePackets = signaturePackets.map(
       (signaturePacket, i) => OnePassSignaturePacket.fromSignaturePacket(signaturePacket, i === 0))
       .reverse(); // innermost OPS refers to the first signature packet
@@ -21848,21 +21068,23 @@ class Message {
   /**
    * Create a detached signature for the message (the literal data packet of the message)
    * @param {Array<PrivateKey>} signingKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} recipientKeys - recipient keys to get the signing preferences from
    * @param {Signature} [signature] - Any existing detached signature
    * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
    * @param {Date} [date] - Override the creation time of the signature
-   * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array<UserID>} [signingUserIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array<UserID>} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from
    * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]
    * @param {Object} [config] - Full configuration, defaults to openpgp.config
    * @returns {Promise<Signature>} New detached signature of message content.
    * @async
    */
-  async signDetached(signingKeys = [], signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], notations = [], config$1 = config) {
+  async signDetached(signingKeys = [], recipientKeys = [], signature = null, signingKeyIDs = [], recipientKeyIDs = [], date = new Date(), userIDs = [], notations = [], config$1 = config) {
     const literalDataPacket = this.packets.findPacket(enums.packet.literalData);
     if (!literalDataPacket) {
       throw new Error('No literal data packet to sign.');
     }
-    return new Signature(await createSignaturePackets(literalDataPacket, signingKeys, signature, signingKeyIDs, date, userIDs, notations, true, config$1));
+    return new Signature(await createSignaturePackets(literalDataPacket, signingKeys, recipientKeys, signature, signingKeyIDs, recipientKeyIDs, date, userIDs, notations, true, config$1));
   }
 
   /**
@@ -21997,10 +21219,12 @@ class Message {
  * Create signature packets for the message
  * @param {LiteralDataPacket} literalDataPacket - the literal data packet to sign
  * @param {Array<PrivateKey>} [signingKeys] - private keys with decrypted secret key data for signing
+ * @param {Array<Key>} [recipientKeys] - recipient keys to get the signing preferences from
  * @param {Signature} [signature] - Any existing detached signature to append
  * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
  * @param {Date} [date] - Override the creationtime of the signature
- * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+ * @param {Array<UserID>} [signingUserIDs] - User IDs to sign to, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+ * @param {Array<UserID>} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from
  * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]
  * @param {Array} [signatureSalts] - A list of signature salts matching the number of signingKeys that should be used for v6 signatures
  * @param {Boolean} [detached] - Whether to create detached signature packets
@@ -22009,7 +21233,7 @@ class Message {
  * @async
  * @private
  */
-async function createSignaturePackets(literalDataPacket, signingKeys, signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], notations = [], detached = false, config$1 = config) {
+async function createSignaturePackets(literalDataPacket, signingKeys, recipientKeys = [], signature = null, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], notations = [], detached = false, config$1 = config) {
   const packetlist = new PacketList();
 
   // If data packet was created from Uint8Array, use binary, otherwise use text
@@ -22017,12 +21241,12 @@ async function createSignaturePackets(literalDataPacket, signingKeys, signature
     enums.signature.binary : enums.signature.text;
 
   await Promise.all(signingKeys.map(async (primaryKey, i) => {
-    const userID = userIDs[i];
+    const signingUserID = signingUserIDs[i];
     if (!primaryKey.isPrivate()) {
       throw new Error('Need private key for signing');
     }
-    const signingKey = await primaryKey.getSigningKey(signingKeyIDs[i], date, userID, config$1);
-    return createSignaturePacket(literalDataPacket, primaryKey, signingKey.keyPacket, { signatureType }, date, userID, notations, detached, config$1);
+    const signingKey = await primaryKey.getSigningKey(signingKeyIDs[i], date, signingUserID, config$1);
+    return createSignaturePacket(literalDataPacket, recipientKeys.length ? recipientKeys : [primaryKey], signingKey.keyPacket, { signatureType }, date, recipientUserIDs, notations, detached, config$1);
   })).then(signatureList => {
     packetlist.push(...signatureList);
   });
@@ -22272,20 +21496,22 @@ class CleartextMessage {
 
   /**
    * Sign the cleartext message
-   * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} signingKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} recipientKeys - recipient keys to get the signing preferences from
    * @param {Signature} [signature] - Any existing detached signature
    * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to privateKeys[i]
    * @param {Date} [date] - The creation time of the signature that should be created
-   * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array} [signingKeyIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from
    * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]
    * @param {Object} [config] - Full configuration, defaults to openpgp.config
    * @returns {Promise<CleartextMessage>} New cleartext message with signed content.
    * @async
    */
-  async sign(privateKeys, signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], notations = [], config$1 = config) {
+  async sign(signingKeys, recipientKeys = [], signature = null, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], notations = [], config$1 = config) {
     const literalDataPacket = new LiteralDataPacket();
     literalDataPacket.setText(this.text);
-    const newSignature = new Signature(await createSignaturePackets(literalDataPacket, privateKeys, signature, signingKeyIDs, date, userIDs, notations, true, config$1));
+    const newSignature = new Signature(await createSignaturePackets(literalDataPacket, signingKeys, recipientKeys, signature, signingKeyIDs, date, signingUserIDs, recipientUserIDs, notations, true, config$1));
     return new CleartextMessage(this.text, newSignature);
   }
 
@@ -22721,7 +21947,7 @@ async function encrypt({ message, encryptionKeys, signingKeys, passwords, sessio
 
   try {
     if (signingKeys.length || signature) { // sign the message only if signing keys or signature is specified
-      message = await message.sign(signingKeys, signature, signingKeyIDs, date, signingUserIDs, signatureNotations, config$1);
+      message = await message.sign(signingKeys, encryptionKeys, signature, signingKeyIDs, date, signingUserIDs, encryptionKeyIDs, signatureNotations, config$1);
     }
     message = message.compress(
       await getPreferredCompressionAlgo(encryptionKeys, date, encryptionUserIDs, config$1),
@@ -22823,21 +22049,23 @@ async function decrypt({ message, decryptionKeys, passwords, sessionKeys, verifi
  * @param {Object} options
  * @param {CleartextMessage|Message} options.message - (cleartext) message to be signed
  * @param {PrivateKey|PrivateKey[]} options.signingKeys - Array of keys or single key with decrypted secret key data to sign cleartext
+ * @param {Key|Key[]} options.recipientKeys - Array of keys or single to get the signing preferences from
  * @param {'armored'|'binary'|'object'} [options.format='armored'] - Format of the returned message
  * @param {Boolean} [options.detached=false] - If the return value should contain a detached signature
  * @param {KeyID|KeyID[]} [options.signingKeyIDs=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
  * @param {Date} [options.date=current date] - Override the creation date of the signature
  * @param {Object|Object[]} [options.signingUserIDs=primary user IDs] - Array of user IDs to sign with, one per key in `signingKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]`
+ * @param {Object|Object[]} [options.recipientUserIDs=primary user IDs] - Array of user IDs to get the signing preferences from, one per key in `recipientKeys`
  * @param {Object|Object[]} [options.signatureNotations=[]] - Array of notations to add to the signatures, e.g. `[{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]`
  * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
  * @returns {Promise<MaybeStream<String|Uint8Array>>} Signed message (string if `armor` was true, the default; Uint8Array if `armor` was false).
  * @async
  * @static
  */
-async function sign({ message, signingKeys, format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
+async function sign({ message, signingKeys, recipientKeys = [], format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkCleartextOrMessage(message); checkOutputMessageFormat(format);
-  signingKeys = toArray(signingKeys); signingKeyIDs = toArray(signingKeyIDs); signingUserIDs = toArray(signingUserIDs); signatureNotations = toArray(signatureNotations);
+  signingKeys = toArray(signingKeys); signingKeyIDs = toArray(signingKeyIDs); signingUserIDs = toArray(signingUserIDs); recipientKeys = toArray(recipientKeys); recipientUserIDs = toArray(recipientUserIDs); signatureNotations = toArray(signatureNotations);
 
   if (rest.privateKeys) throw new Error('The `privateKeys` option has been removed from openpgp.sign, pass `signingKeys` instead');
   if (rest.armor !== undefined) throw new Error('The `armor` option has been removed from openpgp.sign, pass `format` instead.');
@@ -22853,9 +22081,9 @@ async function sign({ message, signingKeys, format = 'armored', detached = false
   try {
     let signature;
     if (detached) {
-      signature = await message.signDetached(signingKeys, undefined, signingKeyIDs, date, signingUserIDs, signatureNotations, config$1);
+      signature = await message.signDetached(signingKeys, recipientKeys, undefined, signingKeyIDs, date, signingUserIDs, recipientUserIDs, signatureNotations, config$1);
     } else {
-      signature = await message.sign(signingKeys, undefined, signingKeyIDs, date, signingUserIDs, signatureNotations, config$1);
+      signature = await message.sign(signingKeys, recipientKeys, undefined, signingKeyIDs, date, signingUserIDs, recipientUserIDs, signatureNotations, config$1);
     }
     if (format === 'object') return signature;