v6 key generation fails in fips only mode

[kruskall]

trying to generate v6 keys fails in a fips only environment (GODEBUG=fips140=only on gotip or go 1.24)

code:

openpgp.NewEntity("somekey", "", "", &packet.Config{V6Keys: true})

stacktrace:

	panic: crypto/sha1: use of weak SHA-1 is not allowed in FIPS 140-only mode

goroutine 7 [running]:
panic()
	runtime/panic.go:787
crypto/sha1.New(...)
	crypto/sha1/sha1.go:115
github.com/ProtonMail/go-crypto/openpgp/packet.(*PublicKey).setFingerprintAndKeyId
	github.com/ProtonMail/[email protected]/openpgp/packet/public_key.go:306
github.com/ProtonMail/go-crypto/openpgp/packet.NewRSAPublicKey
	github.com/ProtonMail/[email protected]/openpgp/packet/public_key.go:91
github.com/ProtonMail/go-crypto/openpgp/packet.NewSignerPrivateKey
	github.com/ProtonMail/[email protected]/openpgp/packet/private_key.go:150
github.com/ProtonMail/go-crypto/openpgp.NewEntity
	github.com/ProtonMail/[email protected]/openpgp/key_generation.go:42

Seems to be caused by the fact the method is generating a v4 key and then upgrading to v6:

go-crypto/openpgp/key_generation.go

Lines 44 to 46 in 3de0301

	if err := primary.UpgradeToV6(); err != nil {
	return nil, err
	}

Is there a way to generate a v6 key directly ?

[twiss]

No, it's currently not possible. Probably the easiest thing to do is to (create a fork in order to) make v6 the default, and then downgrade to v4 when that's requested (if you still need that functionality as well).