Add InsecureGenerateNonCriticalSignatureCreationTime option to generate non-critical signature creation time subpackets #292
…te non-critical signature creation date subpackets
twiss
left a comment
However, a new problem arose.
yum in CentOS 7 and AmazonLinux 2 (version 3.4.3-168.el7.centos and 3.4.3-158.amzn2.0.6, respectively) does not manage to read a key specified in the gpgkey field of a repository definition, if that key only has a critical bit on the signature creation time subpacket (it worked fine when both the key flags and signature creation time had critical bits).
Insanity, but OK. Thanks for the PR! Tiny nitpicks below.
Just to make sure that this is really the issue, have you tested that a key generated with this patch works for you on all OSes?
Yes, this time I re-tested with this + the previous change on the entire suite of OSes we test (Debian 9 to 12, Ubuntu 14 to 24, CentOS/RHEL 6 to 9, openSUSE 42 to 15, and Amazon Linux 2 to 2023).
Co-authored-by: Daniel Huigens <d.huigens@protonmail.com>
dbf9040 to
e41a962
Overview
Adds a new option to openpgp/packet.Config, InsecureGenerateNonCriticalSignatureCreationTime, to force the Sign method to not add the critical flag to the signature creation date subpacket.
Use-case
Hello again from Datadog - this is kind of a follow-up to #291.
After this change, we were able to have rpm --import commands work on the affected rpm versions contained in openSUSE 15.1 to 15.4.
However, a new problem arose.
yum in CentOS 7 and AmazonLinux 2 (version 3.4.3-168.el7.centos and 3.4.3-158.amzn2.0.6, respectively) does not manage to read a key specified in the gpgkey field of a repository definition, if that key only has a critical bit on the signature creation time subpacket (it worked fine when both the key flags and signature creation time had critical bits).
Since the keys we generate must support all these OSes at the same time, we'd like to add another opt-in configuration to force the Sign method to not add the critical bit to the signature creation time subpacket of a signature. In our case, we'd activate this option when adding a user id to the key to ensure the self-signature does not contain the offending critical subpacket.
Testing
Tested the exported public key output with the option set to true (the signature creation time subpacket is not critical) and false (all expected subpackets are critical).
Added unit test for the option.
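For readers who want to confirm which subpackets of an exported self-signature carry the critical bit, here is an added example (not code from this PR or from go-crypto) that walks a subpacket area using the framing in RFC 4880 section 5.2.3.1. The function name `CriticalTypes` is hypothetical, the byte strings are constructed samples, and extracting the hashed area from a real signature packet is assumed to be done elsewhere.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Subpacket type IDs from RFC 4880, section 5.2.3.1.
const (
	TypeCreationTime = 2
	TypeKeyFlags     = 27
)

var errBadArea = errors.New("malformed subpacket area")

// CriticalTypes (hypothetical helper) walks a signature subpacket area and
// returns the type IDs whose critical bit (0x80 of the type octet) is set,
// in order of appearance.
func CriticalTypes(area []byte) ([]byte, error) {
	var critical []byte
	for len(area) > 0 {
		var n, hdr int // n counts the type octet plus the body
		switch b := area[0]; {
		case b < 192: // one-octet length
			n, hdr = int(b), 1
		case b < 255 && len(area) >= 2: // two-octet length
			n, hdr = (int(b)-192)<<8+int(area[1])+192, 2
		case b == 255 && len(area) >= 5: // five-octet length
			n, hdr = int(binary.BigEndian.Uint32(area[1:5])), 5
		default:
			return nil, errBadArea
		}
		if n < 1 || n > len(area)-hdr {
			return nil, errBadArea
		}
		if t := area[hdr]; t&0x80 != 0 {
			critical = append(critical, t&0x7f)
		}
		area = area[hdr+n:]
	}
	return critical, nil
}

func main() {
	// Constructed hashed areas: creation time (4-byte timestamp), then key flags.
	onlyTime := []byte{5, 0x80 | TypeCreationTime, 0x65, 0, 0, 0, 2, TypeKeyFlags, 0x03}
	neither := []byte{5, TypeCreationTime, 0x65, 0, 0, 0, 2, TypeKeyFlags, 0x03}
	for _, a := range [][]byte{onlyTime, neither} {
		fmt.Println(CriticalTypes(a))
	}
}
```

The first sample models the combination the PR description reports as unreadable by the affected yum versions; the second models a signature with neither subpacket marked critical.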