fix: only encrypt to subkeys that are marked for encryption

Comment about expiration dates is removed, we will take expiration dates into account when we start merging subkeys.
2026-04-17 13:36:30 +03:00 · 2026-03-27 23:26:42 +01:00
parent 6095971f67
commit 06fbb33ab3
1 changed files with 7 additions and 5 deletions
--- a/src/pgp.rs
+++ b/src/pgp.rs
@@ -84,12 +84,14 @@ pub(crate) fn create_keypair(addr: EmailAddress) -> Result<SignedSecretKey> {
 /// Selects a subkey of the public key to use for encryption.
 ///
 /// Returns `None` if the public key cannot be used for encryption.
-///
-/// TODO: take key flags and expiration dates into account
 fn select_pk_for_encryption(key: &SignedPublicKey) -> Option<&SignedPublicSubKey> {
-    key.public_subkeys
-        .iter()
-        .find(|subkey| subkey.algorithm().can_encrypt())
+    key.public_subkeys.iter().find(|subkey| {
+        subkey.algorithm().can_encrypt()
+            && subkey
+                .signatures
+                .iter()
+                .any(|signature| signature.key_flags().encrypt_comms())
+    })
 }

 /// Version of SEIPD packet to use.