v5.9.0

• Add support for verifying User Attributes in verifyAllUsers (#1637)
• Allow email addresses with trailing numbers in domain (#1642)
  
  
• TS: add declaration for verify with CleartextMessage input (#1640)
• Add revoke to Subkey in type definition (#1639)

v5.8.0

• Add additionalAllowedPackets config option, to allow parsing packets that are not usually expected/allowed in a given context (#1618)
• Fix shorthand check on user revoked status in getPrimaryUser method (#1623)
• Run Sequoia's OpenPGP interoperability test suite in CI, to catch interoperability regressions (#1603)

v5.7.0

• Add support for creating critical signature subpackets (#1599)
  • Most subpackets are now assigned a criticality based on whether failing to interpret their meaning would negatively impact security.
  • If subpackets that are now marked as critical (such as signature creation date, issuer Key ID, key expiration time if set, etc.) are not supported by another OpenPGP implementation, it will now be considered invalid by the implementation rather than ignored. However, since these subpackets are fundamental to the functioning of OpenPGP, they should indeed never be ignored. If an implementation doesn't support them, please upgrade or report it to the relevant implementation as well as or instead of here.
  • For Notation Data subpackets, the caller can now set their criticality using the signatureNotations[*].critical property. When set to critical, if the OpenPGP implementation reading the signature doesn't understand their meaning, they will be rejected rather than ignored. This is useful if the notation is indeed critical (:slightly_smiling_face:) to the functioning of the signature or the key that contains it.
• Remove default known notations (#1600)
  • Since OpenPGP.js doesn't interpret any notations, we shouldn't consider any of them "known" by default. Rather, we let the calling application indicate the known notations, and it is then responsible for handling them.
  • Specifically, signatures with a critical notation named "preferred-email-encoding@pgp.com" or "pka-address@gnupg.org" will now be rejected by default. We believe that these are not common "in the wild", but if you encounter them, you can add them to the config.knownNotations array, or (preferably) pass a knownNotations array in the config property when verifying a signature, and then handle the preference indicated by the notation data afterwards by inspecting the signaturePacket.notations or rawNotations property.
• TypeScript: added selfCertification property to the PrimaryUser interface definition (#1594)
• Docs: mark global generateSessionKeys's encryptionKeys parameter as optional (#1596)
• CI: Update browser targets (#1549)
• Update ESLint and other minor dependencies; clean up linting rules (#1602)

v5.6.0

• Allow use of Brainpool curves by default (#1563)
  • These curves were added back to the crypto refresh of the OpenPGP standard, so we allow them by default again, but please note that their implementation is not constant-time (#720), so their use is still discouraged in favor of Curve25519.
• Add revoke method to User (#1584)
• Add support for creating Notation Data subpackets when signing or encrypting messages (#1598)
• Add RawNotations Type to type definitions (#1571)
• Adding missing functions in SubKey class type definition (#1588)
• TypeScript: fix signature of armor function (#1576, #1585)
• TypeScript: fix SymEncryptedSessionKeyPacket type name (#1583)
• Docs: add typescript setup notice (#1586)
• Docs: clarify Key.clone() behaviour (#1589)
• CI: move away from Node.js v12 (#1568)
• Remove internal, unused RandomBuffer (#1593)

v5.5.0

• Remove leading newline from clearsigned messages armoring (#1560)
• Ignore improperly formatted armor headers (#1557)
• Leave unhashed subpackets as-is when re-serializing signatures (#1561)
• Hash all signature subpackets (#1562)
• printDebug: add label to identify source of the log (#1555)

v5.4.0

• Fix CleartextMessage signature generation over text with trailing whitespace and \r\n line endings (#1548)
• Throw in encryptSessionKey if no keys or passwords are provided (#1547)
• TypeScript: add missing allowInsecureVerificationWithReformattedKeys field to Config (#1551)

v5.3.1

• Fix error handling when parsing malformed armor (#1541)
• Add support for Node.js 18 (#1542)

v5.3.0

• Throw on empty passphrase in encryptKey and SecretKeyPacket.encrypt (#1508)
• Throw on decryption of messages that don't contain any encrypted data packet (#1529)
• Add UnparseablePacket to properly deal with key blocks that include malformed/unsupported packets (#1522)
• Throw UnsupportedError on unknown algorithm in keys, signatures and encrypted session keys (#1523)
• Add memory benchmark tests for streamed decryption of large files (#1462)
• Fix loading browser built in JSDom environment (#1518)

v5.2.1

• Fix AES encryption error in browsers for messages larger than 3MB (#1506)
• TS: Rely on new web-stream-tools types, fix SignOptions (#1502)
• Lint: error if imported name is not found in module (#1507)

v5.2.0

• Drop MS Edge Legacy support (#1474)
• Check existence of navigator before using it (#1475)
• Fix Key.isRevoked() and SignaturePacket.verify() TypeScript definitions, and remove SignaturePacket.verified from Typescript declarations (#1486, #1494)
• CI: Update mocha (#1503)