The golang.org/x/crypto/openpgp package is unsafe by design, has numerous known security issues, is not maintained, and should not be used. If you are required to interoperate with OpenPGP systems and need a maintained package, consider github.com/ProtonMail/go-crypto/openpgp which is a maintained fork that aims to be a drop-in replacement for this package.
$ go mod why golang.org/x/crypto/openpgp
# golang.org/x/crypto/openpgp
github.com/containerd/nerdctl/v2/pkg/cmd/image
github.com/containerd/imgcrypt/v2/images/encryption
github.com/containers/ocicrypt
golang.org/x/crypto/openpgp
https://pkg.go.dev/vuln/GO-2026-5932
Being fixed in: