Hi everyone,
I'm pleased to announce the release of version 1.11.0 of the
sequoia-openpgp crate. It has been published on crates.io:
https://crates.io/crates/sequoia-openpgp
You can also fetch it using the openpgp/v1.11.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp%2Fv1.11.0
which I signed:
$ git verify-tag openpgp/v1.11.0
gpg: Signature made Fri 18 Nov 2022 02:28:42 PM CET
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: aka "Neal H. Walfield <neal(a)gnupg.org>" [ultimate]
gpg: aka "Neal H. Walfield <neal(a)pep.foundation>" [ultimate]
gpg: aka "Neal H. Walfield <neal(a)pep-project.org>" [ultimate]
gpg: aka "Neal H. Walfield <neal(a)sequoia-pgp.org>" [ultimate]
Primary key fingerprint: 8F17 7771 18A3 3DDA 9BA4 8E62 AACB 3243 6300 52D9
Subkey fingerprint: C03F A641 1B03 AE12 5764 6118 7223 B566 78E0 2528
The most notable change in this release is support for v3 signatures.
RFC 4880 says:
Implementations SHOULD accept V3 signatures. Implementations SHOULD
generate V4 signatures.
https://www.rfc-editor.org/rfc/rfc4880#section-5.2
Although the recommendation from 2007 is clear that v4 signatures
should be preferred, the rpm ecosystem still generates v3 signatures.
As Panu Matilainen, the maintainer of rpm, says: this appears to be
more because it was forgotten about than out of any desire to stick
with v3, and now it is time to figure out how to move on:
[I]t IS us the rpm-ecosystem who has been sleeping here. The good news
is that V3 doesn't appear to be heartbleed critically flawed, just
that V4 is better and everybody should be using that instead. ... This
caught us all by surprise. It's just another piece of rusty but
vitally important piping in the backyard that everybody had forgotten
until it bust open. It's a good thing this was discovered, now let's
just move on to fix this up
https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c29
But, moving to v4 signatures will take time, because resigning all
existing packages is infeasible. So, to accommodate reality,
sequoia-openpgp is now able to parse and verify v3 signatures. By
default, they are forbidden by the standard policy; an application
must opt in to them using `StandardPolicy::accept_packet_tag_version`.
https://docs.rs/sequoia-openpgp/1.11.0/sequoia_openpgp/policy/struct.Standa…
Other user visible changes are listed in the NEWS file:
https://gitlab.com/sequoia-pgp/sequoia/-/blob/openpgp/v1.11.0/openpgp/NEWS
Neal