Hash algorithm in signature.Signer/Verifier ignored #249
Description
The signature.Signer and signature.Verifier types are structured in a way that allows the caller to specify the hash algorithm that will be used to sign/verify. For example, once can use signature.LoadSigner to obtain a signature.Signer, and must specify a crypto.Hash.
The current implementation of the integrity package always uses the crypto.SHA256 algorithm when signing, and the algorithm specified in the signature descriptor when verifying. This is reasonable when signing with PGP, since the arguments to OptSignWithEntity/OptVerifyWithKeyRing do not have a way to express a desired hash algorithm. On the other hand, the arguments to OptSignWithSigner/OptVerifyWithVerifier are able to express a desired hash algorithm, but the current implementation ignores those values.
When OptSignWithSigner/OptVerifyWithVerifier are specified, I propose that we utilize the hash algorithm specified in the arguments, and store the value used in the signature descriptor.