Upgrade to 0.12

10 files changed, 289 insertions, 146 deletions

diff --git a/vendor/golang.org/x/crypto/blowfish/cipher.go b/vendor/golang.org/x/crypto/blowfish/cipher.go
index 2641dad..213bf20 100644
--- a/vendor/golang.org/x/crypto/blowfish/cipher.go
+++ b/vendor/golang.org/x/crypto/blowfish/cipher.go
@@ -3,6 +3,14 @@
 // license that can be found in the LICENSE file.
 
 // Package blowfish implements Bruce Schneier's Blowfish encryption algorithm.
+//
+// Blowfish is a legacy cipher and its short block size makes it vulnerable to
+// birthday bound attacks (see https://sweet32.info). It should only be used
+// where compatibility with legacy systems, not security, is the goal.
+//
+// Deprecated: any new system should use AES (from crypto/aes, if necessary in
+// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
+// golang.org/x/crypto/chacha20poly1305).
 package blowfish // import "golang.org/x/crypto/blowfish"
 
 // The code is a port of Bruce Schneier's C implementation.
diff --git a/vendor/golang.org/x/crypto/cast5/cast5.go b/vendor/golang.org/x/crypto/cast5/cast5.go
index 0b4af37..ddcbeb6 100644
--- a/vendor/golang.org/x/crypto/cast5/cast5.go
+++ b/vendor/golang.org/x/crypto/cast5/cast5.go
@@ -2,8 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package cast5 implements CAST5, as defined in RFC 2144. CAST5 is a common
-// OpenPGP cipher.
+// Package cast5 implements CAST5, as defined in RFC 2144.
+//
+// CAST5 is a legacy cipher and its short block size makes it vulnerable to
+// birthday bound attacks (see https://sweet32.info). It should only be used
+// where compatibility with legacy systems, not security, is the goal.
+//
+// Deprecated: any new system should use AES (from crypto/aes, if necessary in
+// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
+// golang.org/x/crypto/chacha20poly1305).
 package cast5 // import "golang.org/x/crypto/cast5"
 
 import "errors"
diff --git a/vendor/golang.org/x/crypto/openpgp/keys.go b/vendor/golang.org/x/crypto/openpgp/keys.go
index 744e293..3e25186 100644
--- a/vendor/golang.org/x/crypto/openpgp/keys.go
+++ b/vendor/golang.org/x/crypto/openpgp/keys.go
@@ -333,7 +333,6 @@ func ReadEntity(packets *packet.Reader) (*Entity, error) {
                 return nil, errors.StructuralError("primary key cannot be used for signatures")
         }
 
-        var current *Identity
         var revocations []*packet.Signature
 EachPacket:
         for {
@@ -346,32 +345,8 @@ EachPacket:
 
                 switch pkt := p.(type) {
                 case *packet.UserId:
-                        current = new(Identity)
-                        current.Name = pkt.Id
-                        current.UserId = pkt
-                        e.Identities[pkt.Id] = current
-
-                        for {
-                                p, err = packets.Next()
-                                if err == io.EOF {
-                                        return nil, io.ErrUnexpectedEOF
-                                } else if err != nil {
-                                        return nil, err
-                                }
-
-                                sig, ok := p.(*packet.Signature)
-                                if !ok {
-                                        return nil, errors.StructuralError("user ID packet not followed by self-signature")
-                                }
-
-                                if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
-                                        if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
-                                                return nil, errors.StructuralError("user ID self-signature invalid: " + err.Error())
-                                        }
-                                        current.SelfSignature = sig
-                                        break
-                                }
-                                current.Signatures = append(current.Signatures, sig)
+                        if err := addUserID(e, packets, pkt); err != nil {
+                                return nil, err
                         }
                 case *packet.Signature:
                         if pkt.SigType == packet.SigTypeKeyRevocation {
@@ -380,11 +355,9 @@ EachPacket:
                                 // TODO: RFC4880 5.2.1 permits signatures
                                 // directly on keys (eg. to bind additional
                                 // revocation keys).
-                        } else if current == nil {
-                                return nil, errors.StructuralError("signature packet found before user id packet")
-                        } else {
-                                current.Signatures = append(current.Signatures, pkt)
                         }
+                        // Else, ignoring the signature as it does not follow anything
+                        // we would know to attach it to.
                 case *packet.PrivateKey:
                         if pkt.IsSubkey == false {
                                 packets.Unread(p)
@@ -425,33 +398,105 @@ EachPacket:
         return e, nil
 }
 
+func addUserID(e *Entity, packets *packet.Reader, pkt *packet.UserId) error {
+        // Make a new Identity object, that we might wind up throwing away.
+        // We'll only add it if we get a valid self-signature over this
+        // userID.
+        identity := new(Identity)
+        identity.Name = pkt.Id
+        identity.UserId = pkt
+
+        for {
+                p, err := packets.Next()
+                if err == io.EOF {
+                        break
+                } else if err != nil {
+                        return err
+                }
+
+                sig, ok := p.(*packet.Signature)
+                if !ok {
+                        packets.Unread(p)
+                        break
+                }
+
+                if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
+                        if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
+                                return errors.StructuralError("user ID self-signature invalid: " + err.Error())
+                        }
+                        identity.SelfSignature = sig
+                        e.Identities[pkt.Id] = identity
+                } else {
+                        identity.Signatures = append(identity.Signatures, sig)
+                }
+        }
+
+        return nil
+}
+
 func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error {
         var subKey Subkey
         subKey.PublicKey = pub
         subKey.PrivateKey = priv
-        p, err := packets.Next()
-        if err == io.EOF {
-                return io.ErrUnexpectedEOF
-        }
-        if err != nil {
-                return errors.StructuralError("subkey signature invalid: " + err.Error())
+
+        for {
+                p, err := packets.Next()
+                if err == io.EOF {
+                        break
+                } else if err != nil {
+                        return errors.StructuralError("subkey signature invalid: " + err.Error())
+                }
+
+                sig, ok := p.(*packet.Signature)
+                if !ok {
+                        packets.Unread(p)
+                        break
+                }
+
+                if sig.SigType != packet.SigTypeSubkeyBinding && sig.SigType != packet.SigTypeSubkeyRevocation {
+                        return errors.StructuralError("subkey signature with wrong type")
+                }
+
+                if err := e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, sig); err != nil {
+                        return errors.StructuralError("subkey signature invalid: " + err.Error())
+                }
+
+                switch sig.SigType {
+                case packet.SigTypeSubkeyRevocation:
+                        subKey.Sig = sig
+                case packet.SigTypeSubkeyBinding:
+
+                        if shouldReplaceSubkeySig(subKey.Sig, sig) {
+                                subKey.Sig = sig
+                        }
+                }
         }
-        var ok bool
-        subKey.Sig, ok = p.(*packet.Signature)
-        if !ok {
+
+        if subKey.Sig == nil {
                 return errors.StructuralError("subkey packet not followed by signature")
         }
-        if subKey.Sig.SigType != packet.SigTypeSubkeyBinding && subKey.Sig.SigType != packet.SigTypeSubkeyRevocation {
-                return errors.StructuralError("subkey signature with wrong type")
-        }
-        err = e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, subKey.Sig)
-        if err != nil {
-                return errors.StructuralError("subkey signature invalid: " + err.Error())
-        }
+
         e.Subkeys = append(e.Subkeys, subKey)
+
         return nil
 }
 
+func shouldReplaceSubkeySig(existingSig, potentialNewSig *packet.Signature) bool {
+        if potentialNewSig == nil {
+                return false
+        }
+
+        if existingSig == nil {
+                return true
+        }
+
+        if existingSig.SigType == packet.SigTypeSubkeyRevocation {
+                return false // never override a revocation signature
+        }
+
+        return potentialNewSig.CreationTime.After(existingSig.CreationTime)
+}
+
 const defaultRSAKeyBits = 2048
 
 // NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a
@@ -486,7 +531,7 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
         }
         isPrimaryId := true
         e.Identities[uid.Id] = &Identity{
-                Name:   uid.Name,
+                Name:   uid.Id,
                 UserId: uid,
                 SelfSignature: &packet.Signature{
                         CreationTime: currentTime,
@@ -500,6 +545,10 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
                         IssuerKeyId:  &e.PrimaryKey.KeyId,
                 },
         }
+        err = e.Identities[uid.Id].SelfSignature.SignUserId(uid.Id, e.PrimaryKey, e.PrivateKey, config)
+        if err != nil {
+                return nil, err
+        }
 
         // If the user passes in a DefaultHash via packet.Config,
         // set the PreferredHash for the SelfSignature.
@@ -507,6 +556,11 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
                 e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)}
         }
 
+        // Likewise for DefaultCipher.
+        if config != nil && config.DefaultCipher != 0 {
+                e.Identities[uid.Id].SelfSignature.PreferredSymmetric = []uint8{uint8(config.DefaultCipher)}
+        }
+
         e.Subkeys = make([]Subkey, 1)
         e.Subkeys[0] = Subkey{
                 PublicKey:  packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey),
@@ -524,13 +578,16 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
         }
         e.Subkeys[0].PublicKey.IsSubkey = true
         e.Subkeys[0].PrivateKey.IsSubkey = true
-
+        err = e.Subkeys[0].Sig.SignKey(e.Subkeys[0].PublicKey, e.PrivateKey, config)
+        if err != nil {
+                return nil, err
+        }
         return e, nil
 }
 
-// SerializePrivate serializes an Entity, including private key material, to
-// the given Writer. For now, it must only be used on an Entity returned from
-// NewEntity.
+// SerializePrivate serializes an Entity, including private key material, but
+// excluding signatures from other entities, to the given Writer.
+// Identities and subkeys are re-signed in case they changed since NewEntry.
 // If config is nil, sensible defaults will be used.
 func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) {
         err = e.PrivateKey.Serialize(w)
@@ -568,8 +625,8 @@ func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error
         return nil
 }
 
-// Serialize writes the public part of the given Entity to w. (No private
-// key material will be output).
+// Serialize writes the public part of the given Entity to w, including
+// signatures from other entities. No private key material will be output.
 func (e *Entity) Serialize(w io.Writer) error {
         err := e.PrimaryKey.Serialize(w)
         if err != nil {
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go b/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go
index 266840d..02b372c 100644
--- a/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go
+++ b/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go
@@ -42,12 +42,18 @@ func (e *EncryptedKey) parse(r io.Reader) (err error) {
         switch e.Algo {
         case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
                 e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
+                if err != nil {
+                        return
+                }
         case PubKeyAlgoElGamal:
                 e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
                 if err != nil {
                         return
                 }
                 e.encryptedMPI2.bytes, e.encryptedMPI2.bitLength, err = readMPI(r)
+                if err != nil {
+                        return
+                }
         }
         _, err = consumeAll(r)
         return
@@ -72,7 +78,8 @@ func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error {
         // padding oracle attacks.
         switch priv.PubKeyAlgo {
         case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
-                b, err = rsa.DecryptPKCS1v15(config.Random(), priv.PrivateKey.(*rsa.PrivateKey), e.encryptedMPI1.bytes)
+                k := priv.PrivateKey.(*rsa.PrivateKey)
+                b, err = rsa.DecryptPKCS1v15(config.Random(), k, padToKeySize(&k.PublicKey, e.encryptedMPI1.bytes))
         case PubKeyAlgoElGamal:
                 c1 := new(big.Int).SetBytes(e.encryptedMPI1.bytes)
                 c2 := new(big.Int).SetBytes(e.encryptedMPI2.bytes)
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go
index 3eded93..5af64c5 100644
--- a/vendor/golang.org/x/crypto/openpgp/packet/packet.go
+++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go
@@ -11,10 +11,12 @@ import (
         "crypto/aes"
         "crypto/cipher"
         "crypto/des"
-        "golang.org/x/crypto/cast5"
-        "golang.org/x/crypto/openpgp/errors"
+        "crypto/rsa"
         "io"
         "math/big"
+
+        "golang.org/x/crypto/cast5"
+        "golang.org/x/crypto/openpgp/errors"
 )
 
 // readFull is the same as io.ReadFull except that reading zero bytes returns
@@ -402,14 +404,16 @@ const (
 type PublicKeyAlgorithm uint8
 
 const (
-        PubKeyAlgoRSA            PublicKeyAlgorithm = 1
-        PubKeyAlgoRSAEncryptOnly PublicKeyAlgorithm = 2
-        PubKeyAlgoRSASignOnly    PublicKeyAlgorithm = 3
-        PubKeyAlgoElGamal        PublicKeyAlgorithm = 16
-        PubKeyAlgoDSA            PublicKeyAlgorithm = 17
+        PubKeyAlgoRSA     PublicKeyAlgorithm = 1
+        PubKeyAlgoElGamal PublicKeyAlgorithm = 16
+        PubKeyAlgoDSA     PublicKeyAlgorithm = 17
         // RFC 6637, Section 5.
         PubKeyAlgoECDH  PublicKeyAlgorithm = 18
         PubKeyAlgoECDSA PublicKeyAlgorithm = 19
+
+        // Deprecated in RFC 4880, Section 13.5. Use key flags instead.
+        PubKeyAlgoRSAEncryptOnly PublicKeyAlgorithm = 2
+        PubKeyAlgoRSASignOnly    PublicKeyAlgorithm = 3
 )
 
 // CanEncrypt returns true if it's possible to encrypt a message to a public
@@ -500,19 +504,17 @@ func readMPI(r io.Reader) (mpi []byte, bitLength uint16, err error) {
         numBytes := (int(bitLength) + 7) / 8
         mpi = make([]byte, numBytes)
         _, err = readFull(r, mpi)
-        return
-}
-
-// mpiLength returns the length of the given *big.Int when serialized as an
-// MPI.
-func mpiLength(n *big.Int) (mpiLengthInBytes int) {
-        mpiLengthInBytes = 2 /* MPI length */
-        mpiLengthInBytes += (n.BitLen() + 7) / 8
+        // According to RFC 4880 3.2. we should check that the MPI has no leading
+        // zeroes (at least when not an encrypted MPI?), but this implementation
+        // does generate leading zeroes, so we keep accepting them.
         return
 }
 
 // writeMPI serializes a big integer to w.
 func writeMPI(w io.Writer, bitLength uint16, mpiBytes []byte) (err error) {
+        // Note that we can produce leading zeroes, in violation of RFC 4880 3.2.
+        // Implementations seem to be tolerant of them, and stripping them would
+        // make it complex to guarantee matching re-serialization.
         _, err = w.Write([]byte{byte(bitLength >> 8), byte(bitLength)})
         if err == nil {
                 _, err = w.Write(mpiBytes)
@@ -525,6 +527,18 @@ func writeBig(w io.Writer, i *big.Int) error {
         return writeMPI(w, uint16(i.BitLen()), i.Bytes())
 }
 
+// padToKeySize left-pads a MPI with zeroes to match the length of the
+// specified RSA public.
+func padToKeySize(pub *rsa.PublicKey, b []byte) []byte {
+        k := (pub.N.BitLen() + 7) / 8
+        if len(b) >= k {
+                return b
+        }
+        bb := make([]byte, k)
+        copy(bb[len(bb)-len(b):], b)
+        return bb
+}
+
 // CompressionAlgo Represents the different compression algorithms
 // supported by OpenPGP (except for BZIP2, which is not currently
 // supported). See Section 9.3 of RFC 4880.
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go
index 34734cc..bd31cce 100644
--- a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go
+++ b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go
@@ -64,14 +64,19 @@ func NewECDSAPrivateKey(currentTime time.Time, priv *ecdsa.PrivateKey) *PrivateK
         return pk
 }
 
-// NewSignerPrivateKey creates a sign-only PrivateKey from a crypto.Signer that
+// NewSignerPrivateKey creates a PrivateKey from a crypto.Signer that
 // implements RSA or ECDSA.
 func NewSignerPrivateKey(currentTime time.Time, signer crypto.Signer) *PrivateKey {
         pk := new(PrivateKey)
+        // In general, the public Keys should be used as pointers. We still
+        // type-switch on the values, for backwards-compatibility.
         switch pubkey := signer.Public().(type) {
+        case *rsa.PublicKey:
+                pk.PublicKey = *NewRSAPublicKey(currentTime, pubkey)
         case rsa.PublicKey:
                 pk.PublicKey = *NewRSAPublicKey(currentTime, &pubkey)
-                pk.PubKeyAlgo = PubKeyAlgoRSASignOnly
+        case *ecdsa.PublicKey:
+                pk.PublicKey = *NewECDSAPublicKey(currentTime, pubkey)
         case ecdsa.PublicKey:
                 pk.PublicKey = *NewECDSAPublicKey(currentTime, &pubkey)
         default:
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key.go
index ead2623..fcd5f52 100644
--- a/vendor/golang.org/x/crypto/openpgp/packet/public_key.go
+++ b/vendor/golang.org/x/crypto/openpgp/packet/public_key.go
@@ -244,7 +244,12 @@ func NewECDSAPublicKey(creationTime time.Time, pub *ecdsa.PublicKey) *PublicKey
         }
 
         pk.ec.p.bytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
-        pk.ec.p.bitLength = uint16(8 * len(pk.ec.p.bytes))
+
+        // The bit length is 3 (for the 0x04 specifying an uncompressed key)
+        // plus two field elements (for x and y), which are rounded up to the
+        // nearest byte. See https://tools.ietf.org/html/rfc6637#section-6
+        fieldBytes := (pub.Curve.Params().BitSize + 7) & ^7
+        pk.ec.p.bitLength = uint16(3 + fieldBytes + fieldBytes)
 
         pk.setFingerPrintAndKeyId()
         return pk
@@ -515,7 +520,7 @@ func (pk *PublicKey) VerifySignature(signed hash.Hash, sig *Signature) (err erro
         switch pk.PubKeyAlgo {
         case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
                 rsaPublicKey, _ := pk.PublicKey.(*rsa.PublicKey)
-                err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes)
+                err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, padToKeySize(rsaPublicKey, sig.RSASignature.bytes))
                 if err != nil {
                         return errors.SignatureError("RSA verification failure")
                 }
@@ -566,7 +571,7 @@ func (pk *PublicKey) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err
         switch pk.PubKeyAlgo {
         case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
                 rsaPublicKey := pk.PublicKey.(*rsa.PublicKey)
-                if err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes); err != nil {
+                if err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, padToKeySize(rsaPublicKey, sig.RSASignature.bytes)); err != nil {
                         return errors.SignatureError("RSA verification failure")
                 }
                 return
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature.go b/vendor/golang.org/x/crypto/openpgp/packet/signature.go
index 6ce0cbe..b2a24a5 100644
--- a/vendor/golang.org/x/crypto/openpgp/packet/signature.go
+++ b/vendor/golang.org/x/crypto/openpgp/packet/signature.go
@@ -542,7 +542,7 @@ func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err e
                         r, s, err = ecdsa.Sign(config.Random(), pk, digest)
                 } else {
                         var b []byte
-                        b, err = priv.PrivateKey.(crypto.Signer).Sign(config.Random(), digest, nil)
+                        b, err = priv.PrivateKey.(crypto.Signer).Sign(config.Random(), digest, sig.Hash)
                         if err == nil {
                                 r, s, err = unwrapECDSASig(b)
                         }
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go b/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go
index 96a2b38..d19ffbc 100644
--- a/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go
+++ b/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go
@@ -80,7 +80,7 @@ func (uat *UserAttribute) Serialize(w io.Writer) (err error) {
 
 // ImageData returns zero or more byte slices, each containing
 // JPEG File Interchange Format (JFIF), for each photo in the
-// the user attribute packet.
+// user attribute packet.
 func (uat *UserAttribute) ImageData() (imageData [][]byte) {
         for _, sp := range uat.Contents {
                 if sp.SubType == UserAttrImageSubpacket && len(sp.Contents) > 16 {
diff --git a/vendor/golang.org/x/crypto/openpgp/write.go b/vendor/golang.org/x/crypto/openpgp/write.go
index 65a304c..4ee7178 100644
--- a/vendor/golang.org/x/crypto/openpgp/write.go
+++ b/vendor/golang.org/x/crypto/openpgp/write.go
@@ -164,12 +164,12 @@ func hashToHashId(h crypto.Hash) uint8 {
         return v
 }
 
-// Encrypt encrypts a message to a number of recipients and, optionally, signs
-// it. hints contains optional information, that is also encrypted, that aids
-// the recipients in processing the message. The resulting WriteCloser must
-// be closed after the contents of the file have been written.
-// If config is nil, sensible defaults will be used.
-func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
+// writeAndSign writes the data as a payload package and, optionally, signs
+// it. hints contains optional information, that is also encrypted,
+// that aids the recipients in processing the message. The resulting
+// WriteCloser must be closed after the contents of the file have been
+// written. If config is nil, sensible defaults will be used.
+func writeAndSign(payload io.WriteCloser, candidateHashes []uint8, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
         var signer *packet.PrivateKey
         if signed != nil {
                 signKey, ok := signed.signingKey(config.Now())
@@ -185,6 +185,83 @@ func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHint
                 }
         }
 
+        var hash crypto.Hash
+        for _, hashId := range candidateHashes {
+                if h, ok := s2k.HashIdToHash(hashId); ok && h.Available() {
+                        hash = h
+                        break
+                }
+        }
+
+        // If the hash specified by config is a candidate, we'll use that.
+        if configuredHash := config.Hash(); configuredHash.Available() {
+                for _, hashId := range candidateHashes {
+                        if h, ok := s2k.HashIdToHash(hashId); ok && h == configuredHash {
+                                hash = h
+                                break
+                        }
+                }
+        }
+
+        if hash == 0 {
+                hashId := candidateHashes[0]
+                name, ok := s2k.HashIdToString(hashId)
+                if !ok {
+                        name = "#" + strconv.Itoa(int(hashId))
+                }
+                return nil, errors.InvalidArgumentError("cannot encrypt because no candidate hash functions are compiled in. (Wanted " + name + " in this case.)")
+        }
+
+        if signer != nil {
+                ops := &packet.OnePassSignature{
+                        SigType:    packet.SigTypeBinary,
+                        Hash:       hash,
+                        PubKeyAlgo: signer.PubKeyAlgo,
+                        KeyId:      signer.KeyId,
+                        IsLast:     true,
+                }
+                if err := ops.Serialize(payload); err != nil {
+                        return nil, err
+                }
+        }
+
+        if hints == nil {
+                hints = &FileHints{}
+        }
+
+        w := payload
+        if signer != nil {
+                // If we need to write a signature packet after the literal
+                // data then we need to stop literalData from closing
+                // encryptedData.
+                w = noOpCloser{w}
+
+        }
+        var epochSeconds uint32
+        if !hints.ModTime.IsZero() {
+                epochSeconds = uint32(hints.ModTime.Unix())
+        }
+        literalData, err := packet.SerializeLiteral(w, hints.IsBinary, hints.FileName, epochSeconds)
+        if err != nil {
+                return nil, err
+        }
+
+        if signer != nil {
+                return signatureWriter{payload, literalData, hash, hash.New(), signer, config}, nil
+        }
+        return literalData, nil
+}
+
+// Encrypt encrypts a message to a number of recipients and, optionally, signs
+// it. hints contains optional information, that is also encrypted, that aids
+// the recipients in processing the message. The resulting WriteCloser must
+// be closed after the contents of the file have been written.
+// If config is nil, sensible defaults will be used.
+func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
+        if len(to) == 0 {
+                return nil, errors.InvalidArgumentError("no encryption recipient provided")
+        }
+
         // These are the possible ciphers that we'll use for the message.
         candidateCiphers := []uint8{
                 uint8(packet.CipherAES128),
@@ -194,6 +271,7 @@ func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHint
         // These are the possible hash functions that we'll use for the signature.
         candidateHashes := []uint8{
                 hashToHashId(crypto.SHA256),
+                hashToHashId(crypto.SHA384),
                 hashToHashId(crypto.SHA512),
                 hashToHashId(crypto.SHA1),
                 hashToHashId(crypto.RIPEMD160),
@@ -241,33 +319,6 @@ func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHint
                 }
         }
 
-        var hash crypto.Hash
-        for _, hashId := range candidateHashes {
-                if h, ok := s2k.HashIdToHash(hashId); ok && h.Available() {
-                        hash = h
-                        break
-                }
-        }
-
-        // If the hash specified by config is a candidate, we'll use that.
-        if configuredHash := config.Hash(); configuredHash.Available() {
-                for _, hashId := range candidateHashes {
-                        if h, ok := s2k.HashIdToHash(hashId); ok && h == configuredHash {
-                                hash = h
-                                break
-                        }
-                }
-        }
-
-        if hash == 0 {
-                hashId := candidateHashes[0]
-                name, ok := s2k.HashIdToString(hashId)
-                if !ok {
-                        name = "#" + strconv.Itoa(int(hashId))
-                }
-                return nil, errors.InvalidArgumentError("cannot encrypt because no candidate hash functions are compiled in. (Wanted " + name + " in this case.)")
-        }
-
         symKey := make([]byte, cipher.KeySize())
         if _, err := io.ReadFull(config.Random(), symKey); err != nil {
                 return nil, err
@@ -279,49 +330,38 @@ func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHint
                 }
         }
 
-        encryptedData, err := packet.SerializeSymmetricallyEncrypted(ciphertext, cipher, symKey, config)
+        payload, err := packet.SerializeSymmetricallyEncrypted(ciphertext, cipher, symKey, config)
         if err != nil {
                 return
         }
 
-        if signer != nil {
-                ops := &packet.OnePassSignature{
-                        SigType:    packet.SigTypeBinary,
-                        Hash:       hash,
-                        PubKeyAlgo: signer.PubKeyAlgo,
-                        KeyId:      signer.KeyId,
-                        IsLast:     true,
-                }
-                if err := ops.Serialize(encryptedData); err != nil {
-                        return nil, err
-                }
-        }
+        return writeAndSign(payload, candidateHashes, signed, hints, config)
+}
 
-        if hints == nil {
-                hints = &FileHints{}
+// Sign signs a message. The resulting WriteCloser must be closed after the
+// contents of the file have been written.  hints contains optional information
+// that aids the recipients in processing the message.
+// If config is nil, sensible defaults will be used.
+func Sign(output io.Writer, signed *Entity, hints *FileHints, config *packet.Config) (input io.WriteCloser, err error) {
+        if signed == nil {
+                return nil, errors.InvalidArgumentError("no signer provided")
         }
 
-        w := encryptedData
-        if signer != nil {
-                // If we need to write a signature packet after the literal
-                // data then we need to stop literalData from closing
-                // encryptedData.
-                w = noOpCloser{encryptedData}
-
-        }
-        var epochSeconds uint32
-        if !hints.ModTime.IsZero() {
-                epochSeconds = uint32(hints.ModTime.Unix())
-        }
-        literalData, err := packet.SerializeLiteral(w, hints.IsBinary, hints.FileName, epochSeconds)
-        if err != nil {
-                return nil, err
+        // These are the possible hash functions that we'll use for the signature.
+        candidateHashes := []uint8{
+                hashToHashId(crypto.SHA256),
+                hashToHashId(crypto.SHA384),
+                hashToHashId(crypto.SHA512),
+                hashToHashId(crypto.SHA1),
+                hashToHashId(crypto.RIPEMD160),
         }
-
-        if signer != nil {
-                return signatureWriter{encryptedData, literalData, hash, hash.New(), signer, config}, nil
+        defaultHashes := candidateHashes[len(candidateHashes)-1:]
+        preferredHashes := signed.primaryIdentity().SelfSignature.PreferredHash
+        if len(preferredHashes) == 0 {
+                preferredHashes = defaultHashes
         }
-        return literalData, nil
+        candidateHashes = intersectPreferences(candidateHashes, preferredHashes)
+        return writeAndSign(noOpCloser{output}, candidateHashes, signed, hints, config)
 }
 
 // signatureWriter hashes the contents of a message while passing it along to