Releases: openpgpjs/openpgpjs
v6.1.1 - Security Patch
- Address CVE-2025-47934 (Message signature verification could be spoofed)
v5.11.3 - Security Patch
- Address CVE-2025-47934 (Message signature verification could be spoofed)
v6.1.0
What's Changed
- Fix decryption support for non-standard, legacy AEAD-encrypted messages and keys that used
experimentalGCMfrom OpenPGP.js v5 (#1811) - Throw on encryption using the non-standard
experimentalGCMAEAD algorithm
(Theenums.aead.gcmID standardized by RFC9580 should be used instead.) - Improve internal tree-shaking and lazy load md5 (#1812)
- Fix signing using keys without preferred hash algorithms (#1820)
Full Changelog: v6.0.1...v6.1.0
v6.0.1
What's Changed
- Fix ES imports for webpack: declare
exports.browserentrypoint as higher priority thanimport - Fix
openpgp.verify/decryptwithexpectSigned: trueandformat: 'binary'(#1805) - TS: fix
generateKey(options.type) andPrivateKey.getDecryptionKeys()type declarations (#1807) - Update hash algorithm preferences order by (#1804)
Full Changelog: v6.0.0...v6.0.1
v6.0.0
What's Changed
OpenPGP.js v6 adds support for the new version of the OpenPGP specification, RFC 9580. It also increases compliance with the specification, as demonstrated by the OpenPGP interoperability test suite.
OpenPGP.js v6 only makes minor API changes.
This is the first stable release of OpenPGP.js v6: no more breaking changes to the high-level API will be made until the next major release.
For the changes since the previous pre-release (v6.0.0-beta.3.patch.1), see the end of this message.
Here we list a summary of the main changes since v5:
Platform support changes
- The library is now declared as a
module(type: modulein package.json), and declares exports, alongside the legacy package.json entrypoints, which should ensure backwards compatibility. Still, bundlers might be affected by the package.json changes depending on how they load the library. - Node.js:
- Drop support for Node.js versions below 18 (OpenPGP.js v5 supported Node.js v14 and above).
- Streaming: drop support for native Node Readable stream: require passing Node Web Streams (#1716)
- Web:
- Require availability of the Web Crypto API's
SubtleCrypto(insecure contexts are no longer supported, asSubtleCryptois not available there) - Require availability of the Web Streams API, since it's now supported in all browsers (applications can load a polyfill if they need to support older browser versions: see README)
- Require availability of native
BigInts (not supported by e.g. Safari 13 and below, see full compatibility table) - Argon2 has been added as S2K algorithm (on all platforms). For performance reasons, the implementation relies on a WASM module, thus web apps might need to make changes to their CSP policy in order to use the feature. Alternatively, since the Argon2 WASM module is only loaded if needed, apps can manually reject password-encrypted messages and private keys which use Argon2 by checking e.g.
SymEncryptedSessionKeyPacket.s2k?.type === 'argon2'orSecretKeyPacket|SecretSubkeyPacket.keyPacket.s2k?.type === 'argon2'.
- Require availability of the Web Crypto API's
Breaking API changes
- Ensure primary key meets strength and algo requirements when encrypting/verifying/signing using subkeys (#1719)
read[Private]Key: support parsing key blocks (return first parsable key); previously, parsing would fail if a block with more than one key was given in input (#1755)PrivateKey.getDecryptionKeyswill now throw if no decryption key is found (#1789). Previously, an empty array was returned. As a consequence of this change, someopenpgp.decrypterrors will be more specific.- Refuse to use keys without key flags (see
config.allowMissingKeyFlagsbelow) - Randomize v4 and v5 signatures via custom notation (#1737): while this notation solution is interoperable, it will reveal that the signature has been generated using OpenPGP.js, which may not be desirable in some cases. For this reason, the option
config.nonDeterministicSignaturesViaNotation(defaulting to true) has been added to turn off the feature. - AEAD-encrypted v4 keys from OpenPGP.js v5 or older (namely keys generated without
.v5Keysflag and encrypted withconfig.aeadProtect = true) cannot be decrypted by OpenPGP.js v6 (viadecryptKey) out-of-the-box (seeconfig.parseAEADEncryptedV4KeysAsLegacybelow) (#1672) - Parsing of v5 keys and v5 signatures now requires turning on the corresponding config flag (see
config.enableParsingV5Entitiesbelow). The affected entities are non-standard, and in the RFC 9580 they have been superseded by v6 keys, v6 signatures and SEIPDv2 encrypted data, respectively. However, generation of v5 entities was supported behind config flags in OpenPGP.js v5, and some other libraries, hence parsing them might be necessary in some cases. (#1774 , #1779)
Configuration changes
- RFC 9580 has updated parts of the draft RFC 4880bis as implemented by OpenPGP.js v4 and v5. Related changes in v6 are:
- Drop the
config.v5Keysflag and corresponding key generation. The flag is replaced by.v6Keys, and results in a different key format. - The
config.aeadProtectflag has a different effect than in v5:- for private keys, a new encryption mechanism is used;
- for password-encrypted messages, a new message format is used;
- when encrypting messages to public keys, the flag is ignored (see #1678).
- Add
config.parseAEADEncryptedV4KeysAsLegacyto allow decrypting AEAD-encrypted v4 keys from OpenPGP.js v5 or older (namely keys generated without.v5Keys flag and encrypted withconfig.aeadProtect = true) (#1672). - Add
config.enableParsingV5Entitiesto enable parsing support for v5 entities (#1774 , #1779)
- Drop the
- Add
config.allowMissingKeyFlagsto bypass the missing key flag check (see #1677) - Drop
config.minBytesForWebCrypto, and always use WebCrypto if available, since there is no longer a performance overhead for small messages. - Rename EdDSA-related enums following the standardization of new key formats:
- Drop
enums.publicKey.eddsain favour ofenums.publicKey.eddsaLegacy - Rename string value of
enums.curve.ed25519Legacyto'ed25519Legacy'(was:'ed25519') - Rename string value of
enums.curve.curve25519Legacyto'curve25519Legacy'(was:'curve25519')
- Drop
- Rename
config.useIndutnyEllipticto.useEllipticFallback, to reflect the change of underlying library. - Remove
enums.symmetric.plaintext(internally unused) - Rename NIST curves to disambiguate the names with the Brainpool curves (#1721).:
- the identifiers
enums.curve.p256,.p384,.p521are now marked as@deprecated(to be dropped in the main release) - the new identifiers are, respectively:
enums.curve.nistP256,.nistP384,.nistP521. - the corresponding values have been changed from
'p256','p384','p521'to'nistP256','nistP384','nistP521'(these new values are expected bygenerateKey, for theoptions.curveargument).
- the identifiers
- Remove
config.deflateLevel(#1717) - Drop
config.revocationsExpire, always honor revocation expiration (#1736): the option used to default to false, and ignore revocation expirations. We now honor those expirations, namely match the behavior resulting from setting the option to true. - Change the default preferred hash algorithm (
config.preferredHashAlgorithm) to SHA512 (#1801)
New API options
- In
openpgp.sign,recipientKeysandrecipientUserIDsoptions have been added. These can be used to influence the selection of the hash algorithm via the algorithm preferences of the recipient keys, to ensure that the recipients will support the selected hash algorithm.
Similarly, when signing+encrypting usingopenpgp.encrypt, theencryptionKeysare now used to determine the preferred hash algorithms, instead of thesigningKeys. (#1802)
Full Changelog: v5.11.0...v6.0.0.
For additional context about the changes introduced by OpenPGP.js v6, you can also refer to the changelog of the various prereleases, starting from v6.0.0-alpha.0.
Changes since v6.0.0-beta.3.patch.1: the main changes since the previous pre-release are the changes to the handling of preferred hash algorithms mentioned above (#1801 and #1802). For the full changelog, see v6.0.0-beta.3.patch.1...v6.0.0.
v6.0.0-beta.3.patch.1
What's Changed
Revert to not using the WebCrypto for X25519 (reverting part of #1782): due to missing support in WebKit and Chrome (without experimental flags), and issues in Firefox v130+ (resulting in errors on decryption and key generation), for now we go back to using a JS implementation.
NB: this change only affects encryption and decryption using X25519. For signing and verification using Ed25519 we keep relying on
WebCrypto when available (namely in WebKit, Firefox, and Node).
Full Changelog: v6.0.0-beta.3.patch.0...v6.0.0-beta.3.patch.1
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.
v6.0.0-beta.3.patch.0
What's Changed
This patch fixes a minor regression in x25519 (legacy) key generation, introduced in v6.0.0.-beta.3 following the changes in #1782, as the spec requires that legacy x25519 keys should store the secret scalar already clamped.
Keys generated using v6.0.0-beta.3 are still expected to be functional, since the scalar is to be clamped before computing the ECDH shared secret.
Full Changelog: v6.0.0-beta.3...v6.0.0-beta.3.patch.0
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.
v6.0.0-beta.3
What's Changed
The following only lists the changes from the previous v6 prerelease.
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.
Breaking changes:
PrivateKey.getDecryptionKeyswill now throw if no decryption key is found (#1789). Previously, an empty array was returned. As a consequence of this change, someopenpgp.decrypterrors will be more specific.
Main non-breaking changes:
- Use WebCrypto for ed25519 and x25519 when available (#1782)
- Try more AEAD ciphersuites for SEIPDv2 (#1781)
- Drop asmcrypto.js for AES fallbacks in favor of noble-ciphers (#1785)
Full Changelog: v6.0.0-beta.2...v6.0.0-beta.3
v6.0.0-beta.2
What's Changed
The following only lists the changes from the previous v6 prerelease.
For more context about the crypto-refresh changes introduced by OpenPGP.js v6, refer to the changelog of the initial prerelease.
Breaking changes:
-
Fix ECDH encryption when using v6 keys (#1771): messages encrypted by OpenPGP.js v6 (up to beta.1) using v6 keys of type 'ecc', are not compliant with the crypto-refresh and will fail to decrypt in libraries other than OpenPGP.js v6 (up to beta.1) and gopenpgp v3. For a message to be affected, it must have been encrypted with keys generated using the
config.v6Keysoption, and manually settingtype: 'ecc'andcurveto a NIST or Brainpool curve option. x25519/x448 keys are not affected. -
Delay checking unknown critical signature subpackets (#1766): throw when verifying signatures with unknown critical subpackets, instead of when parsing them.
-
Disallow using forbidden S2K modes (#1777)
-
Disable support for parsing v5 entities by default (add
config.enableParsingV5Entities) (#1774 and #1779) -
Fix legacy AEAD secret key encryption of v5 keys (#1775)
Main non-breaking changes:
- Use preferred AEAD mode for secret key encryption (#1776): previously, EAX mode was always used.
openpgp.verify: fix bug preventing verification of detached signatures over streamed data (#1762)- Better error messages for unexpected ECDSA, EdDSALegacy, ECDH param encodings in keys and PKESK (#1756)
Full Changelog: v6.0.0-beta.1...v6.0.0-beta.2