Pass down API instance

2025-09-10 02:39:39 +02:00 · 2025-03-18 11:46:31 +01:00 · 2025-03-18 11:46:31 +01:00 · 0e48e94a91
commit 0e48e94a91
parent 1967483984
17 changed files with 157 additions and 112 deletions
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt
@ -217,8 +217,8 @@ class PGPainless(
        fun modifyKeyRing(
            secretKey: PGPSecretKeyRing,
            referenceTime: Date = Date(),
-            policy: Policy = getInstance().algorithmPolicy
+            api: PGPainless = getInstance()
-        ) = SecretKeyRingEditor(secretKey, policy, referenceTime)
+        ) = SecretKeyRingEditor(secretKey, api, referenceTime)
        /**
         * Quickly access information about a [org.bouncycastle.openpgp.PGPPublicKeyRing] /
@ -237,7 +237,7 @@ class PGPainless(
        @JvmStatic
        @JvmOverloads
        fun inspectKeyRing(key: OpenPGPCertificate, referenceTime: Date = Date()) =
-            KeyRingInfo(key, getInstance().algorithmPolicy, referenceTime)
+            KeyRingInfo(key, getInstance(), referenceTime)
        /**
         * Access, and make changes to PGPainless policy on acceptable/default algorithms etc.
@ -255,6 +255,6 @@ class PGPainless(
         *
         * @return builder
         */
-        @JvmStatic fun certify() = CertifyCertificate()
+        @JvmStatic fun certify() = CertifyCertificate(getInstance())
    }
 }
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/certification/CertifyCertificate.kt
@ -34,7 +34,7 @@ import org.pgpainless.signature.subpackets.CertificationSubpackets
 * really belongs to the owner of the certificate. A delegation over a key can be used to delegate
 * trust by marking the certificate as a trusted introducer.
 */
-class CertifyCertificate {
+class CertifyCertificate(private val api: PGPainless) {
    /**
     * Create a certification over a User-Id. By default, this method will use
@ -49,7 +49,7 @@ class CertifyCertificate {
        userId: CharSequence,
        certificate: OpenPGPCertificate,
        certificationType: CertificationType = CertificationType.GENERIC
-    ): CertificationOnUserId = CertificationOnUserId(userId, certificate, certificationType)
+    ): CertificationOnUserId = CertificationOnUserId(userId, certificate, certificationType, api)
    /**
     * Create a certification over a User-Id. By default, this method will use
@ -76,7 +76,7 @@ class CertifyCertificate {
        userId: String,
        certificate: PGPPublicKeyRing,
        certificationType: CertificationType
-    ) = CertificationOnUserId(userId, certificate, certificationType)
+    ) = CertificationOnUserId(userId, certificate, certificationType, api)
    /**
     * Create a delegation (direct key signature) over a certificate. This can be used to mark a
@ -88,7 +88,7 @@ class CertifyCertificate {
     */
    @JvmOverloads
    fun certificate(certificate: OpenPGPCertificate, trustworthiness: Trustworthiness? = null) =
-        DelegationOnCertificate(certificate, trustworthiness)
+        DelegationOnCertificate(certificate, trustworthiness, api)
    /**
     * Create a delegation (direct key signature) over a certificate. This can be used to mark a
@ -113,20 +113,22 @@ class CertifyCertificate {
     */
    @Deprecated("Pass in an OpenPGPCertificate instead of PGPPublicKeyRing.")
    fun certificate(certificate: PGPPublicKeyRing, trustworthiness: Trustworthiness?) =
-        DelegationOnCertificate(certificate, trustworthiness)
+        DelegationOnCertificate(certificate, trustworthiness, api)
    class CertificationOnUserId(
        val userId: CharSequence,
        val certificate: OpenPGPCertificate,
-        val certificationType: CertificationType
+        val certificationType: CertificationType,
        private val api: PGPainless
    ) {
        @Deprecated("Use primary constructor instead.")
        constructor(
            userId: String,
            certificate: PGPPublicKeyRing,
-            certificationType: CertificationType
+            certificationType: CertificationType,
-        ) : this(userId, PGPainless.getInstance().toCertificate(certificate), certificationType)
+            api: PGPainless
        ) : this(userId, api.toCertificate(certificate), certificationType, api)
        fun withKey(
            key: OpenPGPKey,
@ -135,7 +137,7 @@ class CertifyCertificate {
            val secretKey = getCertifyingSecretKey(key)
            val sigBuilder =
                ThirdPartyCertificationSignatureBuilder(
-                    certificationType.asSignatureType(), secretKey, protector)
+                    certificationType.asSignatureType(), secretKey, protector, api)
            return CertificationOnUserIdWithSubpackets(certificate, userId, sigBuilder)
        }
@ -166,8 +168,9 @@ class CertifyCertificate {
        constructor(
            certificate: PGPPublicKeyRing,
            userId: String,
-            sigBuilder: ThirdPartyCertificationSignatureBuilder
+            sigBuilder: ThirdPartyCertificationSignatureBuilder,
-        ) : this(PGPainless.getInstance().toCertificate(certificate), userId, sigBuilder)
+            api: PGPainless
        ) : this(api.toCertificate(certificate), userId, sigBuilder)
        /**
         * Apply the given signature subpackets and build the certification.
@ -202,21 +205,23 @@ class CertifyCertificate {
    class DelegationOnCertificate(
        val certificate: OpenPGPCertificate,
-        val trustworthiness: Trustworthiness?
+        val trustworthiness: Trustworthiness?,
        private val api: PGPainless
    ) {
        @Deprecated("Pass in an OpenPGPCertificate instead of PGPPublicKeyRing.")
        constructor(
            certificate: PGPPublicKeyRing,
-            trustworthiness: Trustworthiness?
+            trustworthiness: Trustworthiness?,
-        ) : this(PGPainless.getInstance().toCertificate(certificate), trustworthiness)
+            api: PGPainless
        ) : this(api.toCertificate(certificate), trustworthiness, api)
        fun withKey(
            key: OpenPGPKey,
            protector: SecretKeyRingProtector
        ): DelegationOnCertificateWithSubpackets {
            val secretKey = getCertifyingSecretKey(key)
-            val sigBuilder = ThirdPartyDirectKeySignatureBuilder(secretKey, protector)
+            val sigBuilder = ThirdPartyDirectKeySignatureBuilder(secretKey, protector, api)
            if (trustworthiness != null) {
                sigBuilder.hashedSubpackets.setTrust(
                    true, trustworthiness.depth, trustworthiness.amount)
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/info/KeyRingInfo.kt
@ -19,7 +19,6 @@ import org.pgpainless.exception.KeyException.UnboundUserIdException
 import org.pgpainless.key.OpenPgpFingerprint
 import org.pgpainless.key.SubkeyIdentifier
 import org.pgpainless.key.util.KeyRingUtils
 import org.pgpainless.policy.Policy
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil.Companion.getKeyExpirationTimeAsDate
 import org.pgpainless.util.DateUtil
@ -27,24 +26,24 @@ import org.slf4j.LoggerFactory
 class KeyRingInfo(
    val keys: OpenPGPCertificate,
-    val policy: Policy = PGPainless.getPolicy(),
+    private val api: PGPainless = PGPainless.getInstance(),
-    val referenceDate: Date = Date()
+    private val referenceDate: Date = Date()
 ) {
    constructor(
        keys: PGPKeyRing,
-        policy: Policy = PGPainless.getPolicy(),
+        api: PGPainless = PGPainless.getInstance(),
        referenceDate: Date = Date()
    ) : this(
        if (keys is PGPSecretKeyRing) OpenPGPKey(keys) else OpenPGPCertificate(keys),
-        policy,
+        api,
        referenceDate)
    @JvmOverloads
    constructor(
        keys: PGPKeyRing,
        referenceDate: Date = Date()
-    ) : this(keys, PGPainless.getPolicy(), referenceDate)
+    ) : this(keys, PGPainless.getInstance(), referenceDate)
    /** Primary [OpenPGPCertificate.OpenPGPPrimaryKey]. */
    val primaryKey: OpenPGPCertificate.OpenPGPPrimaryKey = keys.primaryKey
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt
@ -39,7 +39,6 @@ import org.pgpainless.key.util.KeyRingUtils
 import org.pgpainless.key.util.KeyRingUtils.Companion.changePassphrase
 import org.pgpainless.key.util.KeyRingUtils.Companion.injectCertification
 import org.pgpainless.key.util.RevocationAttributes
 import org.pgpainless.policy.Policy
 import org.pgpainless.signature.builder.*
 import org.pgpainless.signature.subpackets.*
 import org.pgpainless.util.Passphrase
@ -47,7 +46,7 @@ import org.pgpainless.util.selection.userid.SelectUserId
 class SecretKeyRingEditor(
    var key: OpenPGPKey,
-    val policy: Policy = PGPainless.getInstance().algorithmPolicy,
+    val api: PGPainless = PGPainless.getInstance(),
    override val referenceTime: Date = Date()
 ) : SecretKeyRingEditorInterface {
@ -56,9 +55,9 @@ class SecretKeyRingEditor(
    @JvmOverloads
    constructor(
        secretKeyRing: PGPSecretKeyRing,
-        policy: Policy = PGPainless.getInstance().algorithmPolicy,
+        api: PGPainless = PGPainless.getInstance(),
        referenceTime: Date = Date()
-    ) : this(PGPainless.getInstance().toKey(secretKeyRing), policy, referenceTime)
+    ) : this(PGPainless.getInstance().toKey(secretKeyRing), api, referenceTime)
    override fun addUserId(
        userId: CharSequence,
@ -298,14 +297,16 @@ class SecretKeyRingEditor(
        SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm)
        val bitStrength = subkey.publicKey.bitStrength
-        require(policy.publicKeyAlgorithmPolicy.isAcceptable(subkeyAlgorithm, bitStrength)) {
+        require(
-            "Public key algorithm policy violation: $subkeyAlgorithm with bit strength $bitStrength is not acceptable."
+            api.algorithmPolicy.publicKeyAlgorithmPolicy.isAcceptable(
-        }
+                subkeyAlgorithm, bitStrength)) {
                "Public key algorithm policy violation: $subkeyAlgorithm with bit strength $bitStrength is not acceptable."
            }
        val primaryKey = secretKeyRing.secretKey
        val info = inspectKeyRing(secretKeyRing, referenceTime)
        val hashAlgorithm =
-            HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(policy)
+            HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(api.algorithmPolicy)
                .negotiateHashAlgorithm(info.preferredHashAlgorithms)
        var secretSubkey =
@ -323,13 +324,15 @@ class SecretKeyRingEditor(
                PGPainless.getInstance().implementation.pbeSecretKeyDecryptorBuilderProvider())
        val skBindingBuilder =
-            SubkeyBindingSignatureBuilder(key.primarySecretKey, primaryKeyProtector, hashAlgorithm)
+            SubkeyBindingSignatureBuilder(
                key.primarySecretKey, primaryKeyProtector, hashAlgorithm, api)
        skBindingBuilder.apply {
            hashedSubpackets.setSignatureCreationTime(referenceTime)
            hashedSubpackets.setKeyFlags(flags)
            if (subkeyAlgorithm.isSigningCapable()) {
                val pkBindingBuilder =
-                    PrimaryKeyBindingSignatureBuilder(componentKey, subkeyProtector, hashAlgorithm)
+                    PrimaryKeyBindingSignatureBuilder(
                        componentKey, subkeyProtector, hashAlgorithm, api)
                pkBindingBuilder.hashedSubpackets.setSignatureCreationTime(referenceTime)
                hashedSubpackets.addEmbeddedSignature(pkBindingBuilder.build(primaryKey.publicKey))
            }
@ -623,7 +626,7 @@ class SecretKeyRingEditor(
            if (revokeeSubkey.isMasterKey) SignatureType.KEY_REVOCATION
            else SignatureType.SUBKEY_REVOCATION
-        return RevocationSignatureBuilder(signatureType, key.primarySecretKey, protector)
+        return RevocationSignatureBuilder(signatureType, key.primarySecretKey, protector, api)
            .apply { applyCallback(callback) }
            .build(revokeeSubkey)
    }
@ -634,7 +637,7 @@ class SecretKeyRingEditor(
        callback: RevocationSignatureSubpackets.Callback?
    ): SecretKeyRingEditorInterface {
        RevocationSignatureBuilder(
-                SignatureType.CERTIFICATION_REVOCATION, key.primarySecretKey, protector)
+                SignatureType.CERTIFICATION_REVOCATION, key.primarySecretKey, protector, api)
            .apply {
                hashedSubpackets.setSignatureCreationTime(referenceTime)
                applyCallback(callback)
@ -663,7 +666,7 @@ class SecretKeyRingEditor(
        prevUserIdSig: PGPSignature
    ): PGPSignature {
        val builder =
-            SelfSignatureBuilder(key.primarySecretKey, secretKeyRingProtector, prevUserIdSig)
+            SelfSignatureBuilder(key.primarySecretKey, secretKeyRingProtector, prevUserIdSig, api)
        builder.hashedSubpackets.setSignatureCreationTime(referenceTime)
        builder.applyCallback(
            object : SelfSignatureSubpackets.Callback {
@ -682,7 +685,8 @@ class SecretKeyRingEditor(
        @Nonnull primaryUserId: String,
        @Nonnull prevUserIdSig: PGPSignature
    ): PGPSignature {
-        return SelfSignatureBuilder(key.primarySecretKey, secretKeyRingProtector, prevUserIdSig)
+        return SelfSignatureBuilder(
                key.primarySecretKey, secretKeyRingProtector, prevUserIdSig, api)
            .apply {
                hashedSubpackets.setSignatureCreationTime(referenceTime)
                applyCallback(
@ -710,7 +714,7 @@ class SecretKeyRingEditor(
        prevDirectKeySig: PGPSignature
    ): OpenPGPSignature {
        return DirectKeySelfSignatureBuilder(
-                secretKeyRing, secretKeyRingProtector, prevDirectKeySig)
+                secretKeyRing, secretKeyRingProtector, prevDirectKeySig, api)
            .apply {
                hashedSubpackets.setSignatureCreationTime(referenceTime)
                applyCallback(
@ -741,7 +745,7 @@ class SecretKeyRingEditor(
        val builder =
            SubkeyBindingSignatureBuilder(
-                key.primarySecretKey, protector, prevSubkeyBindingSignature)
+                key.primarySecretKey, protector, prevSubkeyBindingSignature, api)
        builder.hashedSubpackets.apply {
            // set expiration
            setSignatureCreationTime(referenceTime)
@ -761,7 +765,7 @@ class SecretKeyRingEditor(
                    clearEmbeddedSignatures()
                    addEmbeddedSignature(
                        PrimaryKeyBindingSignatureBuilder(
-                                key.getSecretKey(subkey.keyIdentifier), protector)
+                                key.getSecretKey(subkey.keyIdentifier), protector, api)
                            .build(primaryKey))
                }
            }
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/AbstractSignatureBuilder.kt
@ -10,7 +10,6 @@ import org.bouncycastle.openpgp.PGPPublicKey
 import org.bouncycastle.openpgp.PGPSignature
 import org.bouncycastle.openpgp.PGPSignatureGenerator
 import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey
 import org.bouncycastle.openpgp.api.OpenPGPImplementation
 import org.bouncycastle.openpgp.api.OpenPGPKey
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.HashAlgorithm
@ -27,7 +26,8 @@ abstract class AbstractSignatureBuilder<B : AbstractSignatureBuilder<B>>(
    protected var _hashAlgorithm: HashAlgorithm,
    protected var _signatureType: SignatureType,
    protected val _hashedSubpackets: SignatureSubpackets,
-    protected val _unhashedSubpackets: SignatureSubpackets
+    protected val _unhashedSubpackets: SignatureSubpackets,
    protected val api: PGPainless
 ) {
    protected abstract val signatureTypePredicate: Predicate<SignatureType>
@ -45,40 +45,46 @@ abstract class AbstractSignatureBuilder<B : AbstractSignatureBuilder<B>>(
        protector: SecretKeyRingProtector,
        hashAlgorithm: HashAlgorithm,
        hashedSubpackets: SignatureSubpackets,
-        unhashedSubpackets: SignatureSubpackets
+        unhashedSubpackets: SignatureSubpackets,
        api: PGPainless
    ) : this(
        UnlockSecretKey.unlockSecretKey(signingKey, protector),
        hashAlgorithm,
        signatureType,
        hashedSubpackets,
-        unhashedSubpackets)
+        unhashedSubpackets,
        api)
    @Throws(PGPException::class)
    constructor(
        signatureType: SignatureType,
        signingKey: OpenPGPKey.OpenPGPSecretKey,
-        protector: SecretKeyRingProtector
+        protector: SecretKeyRingProtector,
        api: PGPainless
    ) : this(
        signatureType,
        signingKey,
        protector,
-        negotiateHashAlgorithm(signingKey),
+        negotiateHashAlgorithm(signingKey, api),
        SignatureSubpackets.createHashedSubpackets(signingKey.pgpSecretKey.publicKey),
-        SignatureSubpackets.createEmptySubpackets())
+        SignatureSubpackets.createEmptySubpackets(),
        api)
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
        protector: SecretKeyRingProtector,
-        archetypeSignature: PGPSignature
+        archetypeSignature: PGPSignature,
        api: PGPainless
    ) : this(
        SignatureType.requireFromCode(archetypeSignature.signatureType),
        signingKey,
        protector,
-        negotiateHashAlgorithm(signingKey),
+        negotiateHashAlgorithm(signingKey, api),
        SignatureSubpackets.refreshHashedSubpackets(
            signingKey.publicKey.pgpPublicKey, archetypeSignature),
-        SignatureSubpackets.refreshUnhashedSubpackets(archetypeSignature))
+        SignatureSubpackets.refreshUnhashedSubpackets(archetypeSignature),
        api)
    val hashAlgorithm = _hashAlgorithm
@ -110,9 +116,8 @@ abstract class AbstractSignatureBuilder<B : AbstractSignatureBuilder<B>>(
    @Throws(PGPException::class)
    protected fun buildAndInitSignatureGenerator(): PGPSignatureGenerator =
        PGPSignatureGenerator(
-                OpenPGPImplementation.getInstance()
+                api.implementation.pgpContentSignerBuilder(
-                    .pgpContentSignerBuilder(
+                    signingKey.keyPair.publicKey.algorithm, hashAlgorithm.algorithmId),
                        signingKey.keyPair.publicKey.algorithm, hashAlgorithm.algorithmId),
                signingKey.keyPair.publicKey)
            .apply {
                setUnhashedSubpackets(SignatureSubpacketsHelper.toVector(_unhashedSubpackets))
@ -129,13 +134,13 @@ abstract class AbstractSignatureBuilder<B : AbstractSignatureBuilder<B>>(
         * @return hash algorithm
         */
        @JvmStatic
-        fun negotiateHashAlgorithm(publicKey: PGPPublicKey): HashAlgorithm =
+        fun negotiateHashAlgorithm(publicKey: PGPPublicKey, api: PGPainless): HashAlgorithm =
-            HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(PGPainless.getPolicy())
+            HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(api.algorithmPolicy)
                .negotiateHashAlgorithm(
                    OpenPgpKeyAttributeUtil.getOrGuessPreferredHashAlgorithms(publicKey))
        @JvmStatic
-        fun negotiateHashAlgorithm(key: OpenPGPComponentKey): HashAlgorithm =
+        fun negotiateHashAlgorithm(key: OpenPGPComponentKey, api: PGPainless): HashAlgorithm =
-            negotiateHashAlgorithm(key.pgpPublicKey)
+            negotiateHashAlgorithm(key.pgpPublicKey, api)
    }
 }
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.kt
@ -29,24 +29,24 @@ class DirectKeySelfSignatureBuilder : AbstractSignatureBuilder<DirectKeySelfSign
    constructor(
        signingKeyRing: PGPSecretKeyRing,
        protector: SecretKeyRingProtector,
-        archetypeSignature: PGPSignature
+        archetypeSignature: PGPSignature,
-    ) : this(
+        api: PGPainless
-        PGPainless.getInstance().toKey(signingKeyRing).primarySecretKey,
+    ) : this(api.toKey(signingKeyRing).primarySecretKey, protector, archetypeSignature, api)
        protector,
        archetypeSignature)
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
        protector: SecretKeyRingProtector,
-        archetypeSignature: PGPSignature
+        archetypeSignature: PGPSignature,
-    ) : super(signingKey, protector, archetypeSignature)
+        api: PGPainless
    ) : super(signingKey, protector, archetypeSignature, api)
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
-        protector: SecretKeyRingProtector
+        protector: SecretKeyRingProtector,
-    ) : super(SignatureType.DIRECT_KEY, signingKey, protector)
+        api: PGPainless
    ) : super(SignatureType.DIRECT_KEY, signingKey, protector, api)
    val hashedSubpackets: SelfSignatureSubpackets = _hashedSubpackets
    val unhashedSubpackets: SelfSignatureSubpackets = _unhashedSubpackets
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.kt
@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPException
 import org.bouncycastle.openpgp.PGPPublicKey
 import org.bouncycastle.openpgp.PGPSignature
 import org.bouncycastle.openpgp.api.OpenPGPKey
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.HashAlgorithm
 import org.pgpainless.algorithm.SignatureType
 import org.pgpainless.key.protection.SecretKeyRingProtector
@ -29,21 +30,24 @@ class PrimaryKeyBindingSignatureBuilder :
    @Throws(PGPException::class)
    constructor(
        signingSubkey: OpenPGPKey.OpenPGPSecretKey,
-        subkeyProtector: SecretKeyRingProtector
+        subkeyProtector: SecretKeyRingProtector,
-    ) : super(SignatureType.PRIMARYKEY_BINDING, signingSubkey, subkeyProtector)
+        api: PGPainless
    ) : super(SignatureType.PRIMARYKEY_BINDING, signingSubkey, subkeyProtector, api)
    @Throws(PGPException::class)
    constructor(
        signingSubkey: OpenPGPKey.OpenPGPSecretKey,
        subkeyProtector: SecretKeyRingProtector,
-        hashAlgorithm: HashAlgorithm
+        hashAlgorithm: HashAlgorithm,
        api: PGPainless
    ) : super(
        SignatureType.PRIMARYKEY_BINDING,
        signingSubkey,
        subkeyProtector,
        hashAlgorithm,
        SignatureSubpackets.createHashedSubpackets(signingSubkey.publicKey.pgpPublicKey),
-        SignatureSubpackets.createEmptySubpackets())
+        SignatureSubpackets.createEmptySubpackets(),
        api)
    val hashedSubpackets: SelfSignatureSubpackets = _hashedSubpackets
    val unhashedSubpackets: SelfSignatureSubpackets = _unhashedSubpackets
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/RevocationSignatureBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/RevocationSignatureBuilder.kt
@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPException
 import org.bouncycastle.openpgp.PGPPublicKey
 import org.bouncycastle.openpgp.PGPSignature
 import org.bouncycastle.openpgp.api.OpenPGPKey
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.SignatureType
 import org.pgpainless.key.protection.SecretKeyRingProtector
 import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets
@ -19,8 +20,11 @@ class RevocationSignatureBuilder
 constructor(
    signatureType: SignatureType,
    signingKey: OpenPGPKey.OpenPGPSecretKey,
-    protector: SecretKeyRingProtector
+    protector: SecretKeyRingProtector,
-) : AbstractSignatureBuilder<RevocationSignatureBuilder>(signatureType, signingKey, protector) {
+    api: PGPainless
 ) :
    AbstractSignatureBuilder<RevocationSignatureBuilder>(
        signatureType, signingKey, protector, api) {
    override val signatureTypePredicate: Predicate<SignatureType>
        get() =
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SelfSignatureBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SelfSignatureBuilder.kt
@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPException
 import org.bouncycastle.openpgp.PGPSignature
 import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector
 import org.bouncycastle.openpgp.api.OpenPGPKey
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.SignatureType
 import org.pgpainless.key.protection.SecretKeyRingProtector
 import org.pgpainless.signature.subpackets.SelfSignatureSubpackets
@ -32,22 +33,25 @@ class SelfSignatureBuilder : AbstractSignatureBuilder<SelfSignatureBuilder> {
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
-        protector: SecretKeyRingProtector
+        protector: SecretKeyRingProtector,
-    ) : super(SignatureType.GENERIC_CERTIFICATION, signingKey, protector)
+        api: PGPainless
    ) : super(SignatureType.GENERIC_CERTIFICATION, signingKey, protector, api)
    @Throws(PGPException::class)
    constructor(
        signatureType: SignatureType,
        signingKey: OpenPGPKey.OpenPGPSecretKey,
-        protector: SecretKeyRingProtector
+        protector: SecretKeyRingProtector,
-    ) : super(signatureType, signingKey, protector)
+        api: PGPainless
    ) : super(signatureType, signingKey, protector, api)
    @Throws(PGPException::class)
    constructor(
        primaryKey: OpenPGPKey.OpenPGPSecretKey,
        primaryKeyProtector: SecretKeyRingProtector,
-        oldCertification: PGPSignature
+        oldCertification: PGPSignature,
-    ) : super(primaryKey, primaryKeyProtector, oldCertification)
+        api: PGPainless
    ) : super(primaryKey, primaryKeyProtector, oldCertification, api)
    val hashedSubpackets: SelfSignatureSubpackets = _hashedSubpackets
    val unhashedSubpackets: SelfSignatureSubpackets = _unhashedSubpackets
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.kt
@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPException
 import org.bouncycastle.openpgp.PGPPublicKey
 import org.bouncycastle.openpgp.PGPSignature
 import org.bouncycastle.openpgp.api.OpenPGPKey
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.HashAlgorithm
 import org.pgpainless.algorithm.SignatureType
 import org.pgpainless.key.protection.SecretKeyRingProtector
@ -27,27 +28,31 @@ class SubkeyBindingSignatureBuilder : AbstractSignatureBuilder<SubkeyBindingSign
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
-        protector: SecretKeyRingProtector
+        protector: SecretKeyRingProtector,
-    ) : super(SignatureType.SUBKEY_BINDING, signingKey, protector)
+        api: PGPainless
    ) : super(SignatureType.SUBKEY_BINDING, signingKey, protector, api)
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
        protector: SecretKeyRingProtector,
-        hashAlgorithm: HashAlgorithm
+        hashAlgorithm: HashAlgorithm,
        api: PGPainless
    ) : super(
        SignatureType.SUBKEY_BINDING,
        signingKey,
        protector,
        hashAlgorithm,
        SignatureSubpackets.createHashedSubpackets(signingKey.publicKey.pgpPublicKey),
-        SignatureSubpackets.createEmptySubpackets())
+        SignatureSubpackets.createEmptySubpackets(),
        api)
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
        protector: SecretKeyRingProtector,
-        oldSubkeyBinding: PGPSignature
+        oldSubkeyBinding: PGPSignature,
        api: PGPainless
    ) : super(
        signingKey,
        protector,
@ -55,7 +60,8 @@ class SubkeyBindingSignatureBuilder : AbstractSignatureBuilder<SubkeyBindingSign
            require(it.signatureType == SignatureType.SUBKEY_BINDING.code) {
                "Invalid signature type."
            }
-        })
+        },
        api)
    val hashedSubpackets: SelfSignatureSubpackets = _hashedSubpackets
    val unhashedSubpackets: SelfSignatureSubpackets = _unhashedSubpackets
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.kt
@ -47,8 +47,9 @@ class ThirdPartyCertificationSignatureBuilder :
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
-        protector: SecretKeyRingProtector
+        protector: SecretKeyRingProtector,
-    ) : super(SignatureType.GENERIC_CERTIFICATION, signingKey, protector)
+        api: PGPainless
    ) : super(SignatureType.GENERIC_CERTIFICATION, signingKey, protector, api)
    /**
     * Create a new certification signature builder.
@ -62,8 +63,9 @@ class ThirdPartyCertificationSignatureBuilder :
    constructor(
        signatureType: SignatureType,
        signingKey: OpenPGPKey.OpenPGPSecretKey,
-        protector: SecretKeyRingProtector
+        protector: SecretKeyRingProtector,
-    ) : super(signatureType, signingKey, protector)
+        api: PGPainless
    ) : super(signatureType, signingKey, protector, api)
    /**
     * Create a new certification signature builder.
@ -77,8 +79,9 @@ class ThirdPartyCertificationSignatureBuilder :
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
        protector: SecretKeyRingProtector,
-        archetypeSignature: PGPSignature
+        archetypeSignature: PGPSignature,
-    ) : super(signingKey, protector, archetypeSignature)
+        api: PGPainless
    ) : super(signingKey, protector, archetypeSignature, api)
    val hashedSubpackets: CertificationSubpackets = _hashedSubpackets
    val unhashedSubpackets: CertificationSubpackets = _unhashedSubpackets
@ -111,7 +114,7 @@ class ThirdPartyCertificationSignatureBuilder :
    @Throws(PGPException::class)
    @Deprecated("Pass in an OpenPGPCertificate instead of a PGPPublicKeyRing.")
    fun build(certificate: PGPPublicKeyRing, userId: CharSequence): PGPSignature =
-        build(PGPainless.getInstance().toCertificate(certificate), userId).signature
+        build(api.toCertificate(certificate), userId).signature
    fun build(
        certificate: OpenPGPCertificate,
@ -137,6 +140,5 @@ class ThirdPartyCertificationSignatureBuilder :
    fun build(
        certificate: PGPPublicKeyRing,
        userAttribute: PGPUserAttributeSubpacketVector
-    ): PGPSignature =
+    ): PGPSignature = build(api.toCertificate(certificate), userAttribute).signature
        build(PGPainless.getInstance().toCertificate(certificate), userAttribute).signature
 }
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilder.kt
@ -33,15 +33,17 @@ class ThirdPartyDirectKeySignatureBuilder :
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
-        protector: SecretKeyRingProtector
+        protector: SecretKeyRingProtector,
-    ) : super(SignatureType.DIRECT_KEY, signingKey, protector)
+        api: PGPainless
    ) : super(SignatureType.DIRECT_KEY, signingKey, protector, api)
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
        protector: SecretKeyRingProtector,
-        archetypeSignature: PGPSignature
+        archetypeSignature: PGPSignature,
-    ) : super(signingKey, protector, archetypeSignature)
+        api: PGPainless
    ) : super(signingKey, protector, archetypeSignature, api)
    val hashedSubpackets: CertificationSubpackets = _hashedSubpackets
    val unhashedSubpackets: CertificationSubpackets = _unhashedSubpackets
@ -64,7 +66,7 @@ class ThirdPartyDirectKeySignatureBuilder :
    @Throws(PGPException::class)
    @Deprecated("Pass in an OpenPGPCertificate instead.")
    fun build(certificate: PGPPublicKeyRing): PGPSignature =
-        build(PGPainless.getInstance().toCertificate(certificate)).signature
+        build(api.toCertificate(certificate)).signature
    @Deprecated("Pass in an OpenPGPComponentKey instead.")
    @Throws(PGPException::class)
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/UniversalSignatureBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/builder/UniversalSignatureBuilder.kt
@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPException
 import org.bouncycastle.openpgp.PGPSignature
 import org.bouncycastle.openpgp.PGPSignatureGenerator
 import org.bouncycastle.openpgp.api.OpenPGPKey
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.SignatureType
 import org.pgpainless.key.protection.SecretKeyRingProtector
 import org.pgpainless.signature.subpackets.SignatureSubpackets
@ -27,15 +28,17 @@ class UniversalSignatureBuilder : AbstractSignatureBuilder<UniversalSignatureBui
    constructor(
        signatureType: SignatureType,
        signingKey: OpenPGPKey.OpenPGPSecretKey,
-        protector: SecretKeyRingProtector
+        protector: SecretKeyRingProtector,
-    ) : super(signatureType, signingKey, protector)
+        api: PGPainless
    ) : super(signatureType, signingKey, protector, api)
    @Throws(PGPException::class)
    constructor(
        signingKey: OpenPGPKey.OpenPGPSecretKey,
        protector: SecretKeyRingProtector,
-        archetypeSignature: PGPSignature
+        archetypeSignature: PGPSignature,
-    ) : super(signingKey, protector, archetypeSignature)
+        api: PGPainless
    ) : super(signingKey, protector, archetypeSignature, api)
    val hashedSubpackets: SignatureSubpackets = _hashedSubpackets
    val unhashedSubpackets: SignatureSubpackets = _unhashedSubpackets
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java
@ -33,7 +33,8 @@ public class SubkeyAndPrimaryKeyBindingSignatureTest {
    @Test
    public void testRebindSubkey() throws PGPException, IOException {
-        OpenPGPKey secretKeys = PGPainless.getInstance().toKey(TestKeys.getEmilSecretKeyRing());
+        PGPainless api = PGPainless.getInstance();
        OpenPGPKey secretKeys = api.toKey(TestKeys.getEmilSecretKeyRing());
        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
        OpenPGPKey.OpenPGPSecretKey primaryKey = secretKeys.getPrimarySecretKey();
@ -47,7 +48,7 @@ public class SubkeyAndPrimaryKeyBindingSignatureTest {
                        HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224)),
                hashAlgorithmSet);
-        SubkeyBindingSignatureBuilder sbb = new SubkeyBindingSignatureBuilder(primaryKey, SecretKeyRingProtector.unprotectedKeys());
+        SubkeyBindingSignatureBuilder sbb = new SubkeyBindingSignatureBuilder(primaryKey, SecretKeyRingProtector.unprotectedKeys(), api);
        sbb.applyCallback(new SelfSignatureSubpackets.Callback() {
            @Override
            public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
@ -9,7 +9,6 @@ import org.bouncycastle.bcpg.sig.Exportable;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.api.OpenPGPCertificate;
 import org.bouncycastle.openpgp.api.OpenPGPImplementation;
 import org.bouncycastle.openpgp.api.OpenPGPKey;
 import org.bouncycastle.openpgp.api.OpenPGPSignature;
 import org.junit.jupiter.api.Test;
@ -30,17 +29,20 @@ public class ThirdPartyCertificationSignatureBuilderTest {
    @Test
    public void testInvalidSignatureTypeThrows() {
        PGPainless api = PGPainless.getInstance();
        OpenPGPKey secretKeys = PGPainless.generateKeyRing()
                .modernKeyRing("Alice");
        assertThrows(IllegalArgumentException.class, () ->
                new ThirdPartyCertificationSignatureBuilder(
                        SignatureType.BINARY_DOCUMENT, // invalid type
                        secretKeys.getPrimarySecretKey(),
-                        SecretKeyRingProtector.unprotectedKeys()));
+                        SecretKeyRingProtector.unprotectedKeys(),
                        api));
    }
    @Test
    public void testUserIdCertification() throws PGPException {
        PGPainless api = PGPainless.getInstance();
        OpenPGPKey secretKeys = PGPainless.generateKeyRing()
                .modernKeyRing("Alice");
@ -49,7 +51,8 @@ public class ThirdPartyCertificationSignatureBuilderTest {
        ThirdPartyCertificationSignatureBuilder signatureBuilder = new ThirdPartyCertificationSignatureBuilder(
                secretKeys.getPrimarySecretKey(),
-                SecretKeyRingProtector.unprotectedKeys());
+                SecretKeyRingProtector.unprotectedKeys(),
                api);
        signatureBuilder.applyCallback(new CertificationSubpackets.Callback() {
            @Override
@ -70,7 +73,7 @@ public class ThirdPartyCertificationSignatureBuilderTest {
        assertFalse(exportable.isExportable());
        // test sig correctness
-        signature.init(OpenPGPImplementation.getInstance().pgpContentVerifierBuilderProvider(),
+        signature.init(api.getImplementation().pgpContentVerifierBuilderProvider(),
                secretKeys.getPrimaryKey().getPGPPublicKey());
        assertTrue(signature.verifyCertification("Bob", bobsPublicKeys.getPrimaryKey().getPGPPublicKey()));
    }
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java
@ -34,12 +34,14 @@ public class ThirdPartyDirectKeySignatureBuilderTest {
    @Test
    public void testDirectKeySignatureBuilding() throws PGPException {
        PGPainless api = PGPainless.getInstance();
        OpenPGPKey secretKeys = PGPainless.generateKeyRing()
                .modernKeyRing("Alice");
        DirectKeySelfSignatureBuilder dsb = new DirectKeySelfSignatureBuilder(
                secretKeys.getPrimarySecretKey(),
-                SecretKeyRingProtector.unprotectedKeys());
+                SecretKeyRingProtector.unprotectedKeys(),
                api);
        Date now = new Date();
        Date t1 = new Date(now.getTime() + 1000 * 60 * 60);
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java
@ -62,10 +62,11 @@ public class UniversalSignatureBuilderTest {
    @Test
    public void createPetNameSignature() throws PGPException {
        PGPainless api = PGPainless.getInstance();
        OpenPGPKey.OpenPGPSecretKey signingKey = secretKeys.getPrimarySecretKey();
        PGPSignature archetype = signingKey.getPublicKey().getPGPPublicKey().getSignatures().next();
        UniversalSignatureBuilder builder = new UniversalSignatureBuilder(
-                signingKey, protector, archetype);
+                signingKey, protector, archetype, api);
        builder.applyCallback(new SignatureSubpackets.Callback() {
            @Override