Skip to content

refactor(updater): replace deprecated OpenPGP update verification #1067

Description

@wizzomafizzo

govulncheck reports GO-2026-5932 because github.com/creativeprojects/go-selfupdate imports unmaintained golang.org/x/crypto/openpgp. No upstream fixed version exists.

CI has a narrowly scoped exception for this advisory so actionable vulnerabilities still fail builds.

Replace or redesign updater signature verification using a maintained implementation without weakening release authenticity checks.

Reference: https://pkg.go.dev/vuln/GO-2026-5932

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions