I'm pleased to announce the release of version 1.12.0 of the
sequoia-openpgp crate. It has been published on crates.io:
You can also fetch it using the openpgp/v1.12.0 tag:
which I signed:
$ git verify-tag openpgp/v1.12.0
gpg: Signature made Tue Dec 13 16:14:59 2022 GMT
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>"
gpg: "Neal H. Walfield <neal(a)g10code.com>"
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
The main reason for this release is to fix an issue with a dependency.
sequoia-openpgp v1.11.0 depended on version 0.12 or later of the
base64 crate. Version 0.20 of the base64 crate was recently released
with an incompatible API. This means that when an application uses
sequoia-openpgp, it may try and to use version 0.20 of base64, and
compilation will fail. Version 1.12.0 tightens the dependency. We
expect that the next version of sequoia-openpgp will upgrade to
version 0.20 of base64.
This release also includes a fix for how text data is hashed .
When sequoia-openpgp hashes a text (signature type = "0x01: Signature
of a canonical text document" ), it breaks the input into to
blocks. Unlike for signatures over data, for signatures over text,
the line endings `\n`, `\r`, and `\r\n` are canonicalized to `\r\n`.
Unfortuantely, if a '\r\n' is split across two blocks, sequoia-openpgp
would recognize two line endings instead of one, and hash too much
This defect does not impact binary signatures, and in practice it is
relatively uncommon as a line ending has to straddle two blocks.
Nevertheless, this defect may have resulted in the creation of
incorrect signatures, or correct signatures being incorrectly
identified as invalid.
Neal on behalf of the whole Sequoia PGP team