#6046 Update global OpenPGP.js config (#6047)

martgil · web-flow · commit 5e1882caf6db · 2025-07-18T12:39:15.000+03:00
* refactor: update openpgp.js config

* test: fix failing test

* test: fix failing test

* refactor: update rejectHashAlgorithms set
diff --git a/extension/js/common/core/crypto/pgp/openpgp-key.ts b/extension/js/common/core/crypto/pgp/openpgp-key.ts
@@ -529,7 +529,7 @@ export class OpenPGPKey {
       if (verifyErr instanceof Error && verifyErr.message === 'Can only verify message with one literal data packet.') {
         verifyRes.error = 'FlowCrypt is not equipped to verify this message';
         verifyRes.isErrFatal = true; // don't try to re-fetch the message from API
-      } else if (verifyErr instanceof Error && verifyErr.message.startsWith('Insecure message hash algorithm:')) {
+      } else if (verifyErr instanceof Error && verifyErr.message.startsWith('Insecure hash algorithm:')) {
         verifyRes.error = `${verifyErr.message}. Sender is using old, insecure OpenPGP software.`;
         verifyRes.isErrFatal = true; // don't try to re-fetch the message from API
       } else if (verifyErr instanceof Error && verifyErr.message === 'Signature is expired') {
diff --git a/extension/js/common/core/crypto/pgp/openpgpjs-custom.ts b/extension/js/common/core/crypto/pgp/openpgpjs-custom.ts
@@ -13,6 +13,7 @@ if (typeof opgp !== 'undefined') {
   opgp.config.showVersion = true;
   opgp.config.commentString = 'Seamlessly send and receive encrypted email';
   opgp.config.showComment = true;
+  opgp.config.rejectHashAlgorithms = new Set([...opgp.config.rejectHashAlgorithms, opgp.enums.hash.sha1]);
   opgp.config.allowUnauthenticatedMessages = true; // we manually check for missing MDC and show loud warning to user (no auto-decrypt)
   opgp.config.allowInsecureDecryptionWithSigningKeys = false; // may get later over-written using ClientConfiguration for some clients
   // openpgp.config.require_uid_self_cert = false;
diff --git a/test/source/tests/decrypt.ts b/test/source/tests/decrypt.ts
@@ -2158,7 +2158,7 @@ XZ8r4OC6sguP/yozWlkG+7dDxsgKQVBENeG6Lw==
           {
             content: ['test'],
             encryption: 'not encrypted',
-            signature: 'error verifying signature: Insecure message hash algorithm: SHA1. Sender is using old, insecure OpenPGP software.',
+            signature: 'error verifying signature: Insecure hash algorithm: SHA1. Sender is using old, insecure OpenPGP software.',
           },
           authHdr
         );

Original file line number	Diff line number	Diff line change
`@@ -2158,7 +2158,7 @@ XZ8r4OC6sguP/yozWlkG+7dDxsgKQVBENeG6Lw==`
`2158`	`2158`	`{`
`2159`	`2159`	`content: ['test'],`
`2160`	`2160`	`encryption: 'not encrypted',`
`2161`		`- signature: 'error verifying signature: Insecure message hash algorithm: SHA1. Sender is using old, insecure OpenPGP software.',`
	`2161`	`+ signature: 'error verifying signature: Insecure hash algorithm: SHA1. Sender is using old, insecure OpenPGP software.',`
`2162`	`2162`	`},`
`2163`	`2163`	`authHdr`
`2164`	`2164`	`);`