Hi everyone,
I'm pleased to announce the release of version 0.7.0 of the Sequoia
Web of Trust crate, sequoia-wot.
I have published sequoia-wot on crates.io:
https://crates.io/crates/sequoia-wot
You can also fetch version 0.7.0 using the v0.7.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-wot/-/tags/v0.7.0
which I signed:
$ git verify-tag v0.7.0
gpg: Signature made Fri Mar 24 11:31:41 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release includes an exciting new feature: the ability to render
the output as a graphical network in DOT format. The DOT output can
in turn be compiled into an SVG using Graphviz's DOT compiler. This
is a great usability improvement.
This feature was implemented by David Runge, a new Sequoia
contributor.
Here's an example of how to use it. David says that he is an Arch
Linux developer. We can see what Arch developers have certified a
certificate with his email address by running:
$ sq-wot --format dot \
    --keyring /usr/share/pacman/keyrings/archlinux.gpg \
    --gossip lookup \
    --email dvzrv@archlinux.org \
    | dot -Tsvg -o /tmp/dvzrv.svg
The attached SVG shows the result.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.27.0 of sequoia-net,
a library for looking up certificates on OpenPGP keyservers, in web
key directories (WKDs), and using DANE.
I have published sequoia-net on crates.io:
https://crates.io/crates/sequoia-net
You can also fetch version 0.27.0 using the net/v0.27.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/net/v0.27.0
which I signed:
$ git verify-tag net/v0.27.0
gpg: Signature made Fri Mar 24 10:36:11 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
The main change in this release is switching DANE from using ring to
OpenSSL. As we already use OpenSSL, this reduces the number of
dependencies, and the trusted computing base.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 1.14.0 of
sequoia-openpgp, our low-level OpenPGP library.
I have published sequoia-openpgp on crates.io:
https://crates.io/crates/sequoia-openpgp
You can also fetch version 1.14.0 using the openpgp/v1.14.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.14.0
which I signed:
$ git verify-tag openpgp/v1.14.0
gpg: Signature made Thu Mar 23 15:43:58 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
A notable change in this release is support for Botan, a new
cryptographic backend:
https://botan.randombit.net/
sequoia-openpgp now supports five cryptographic backends:
- Nettle
- OpenSSL
- Botan
- Windows CNG (Windows only)
- Rust Crypto
We also audited our protected memory mechanism, and found that there
are several cases where secrets were not cleared when the memory was
freed. We created a tool to partially automate searching for these
types of leaks. We've fixed the cases that we found. For those
interested in the details, please refer to these MRs:
https://gitlab.com/sequoia-pgp/sequoia/-/merge_requests/1436/commits
https://gitlab.com/sequoia-pgp/sequoia/-/merge_requests/1440/commits
This release includes several minor performance improvements.
In addition, the following functionality was added:
- crypto::mem::Protected::new
- crypto::mpi::SecretKeyMaterial::from_bytes
- crypto::mpi::SecretKeyMaterial::from_bytes_with_checksum
- fmt::hex::Dumper::with_offset
- parse::buffered_reader re-export
- policy::AsymmetricAlgorithm::BrainpoolP384
- RawCert implements Parse
And, the following functions were deprecated:
- crypto::mpi::SecretKeyMaterial::parse
- crypto::mpi::SecretKeyMaterial::parse_with_checksum
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.6.0 of the Sequoia
Web of Trust crate, sequoia-wot.
I have published sequoia-wot on crates.io:
https://crates.io/crates/sequoia-wot
You can also fetch version 0.6.0 using the v0.6.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-wot/-/tags/v0.6.0
which I signed:
$ git verify-tag v0.6.0
gpg: Signature made Thu Mar 09 14:39:29 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
The most noticeable change in this release is that we switched from
providing our own certificate store abstraction to using the one
provided by sequoia-cert-store. More information about
sequoia-cert-store is available here:
https://docs.rs/sequoia-cert-store/0.2.0/sequoia_cert_store/
We also added a wrapper struct so that it is easy to work with a
`CertStore`, which is provided by the Certificate Store library, or
any other data structure implementing the Store trait. The following
code snippet illustrates the idea:
use std::borrow::Cow;

use sequoia_openpgp as openpgp;
use openpgp::cert::CertBuilder;
use openpgp::packet::UserID;
use openpgp::policy::StandardPolicy;

use sequoia_cert_store as cert_store;
use cert_store::Store;
use cert_store::StoreUpdate;

use sequoia_wot as wot;
use wot::Network;
use wot::Query;
use wot::Roots;

const P: &StandardPolicy = &StandardPolicy::new();

fn main() -> openpgp::Result<()> {
    // Generate two certificates that have not certified each other.
    let (alice, _) = CertBuilder::general_purpose(
        None, Some("<alice@example.org>")).generate()?;
    let (bob, _) = CertBuilder::general_purpose(
        None, Some("<bob@example.org>")).generate()?;

    // Put both certificates into an in-memory certificate store.
    let mut cert_store = cert_store::CertStore::empty();
    cert_store.update(Cow::Owned(alice.clone().into()))?;
    cert_store.update(Cow::Owned(bob.clone().into()))?;

    // Build a WoT network.
    let trust_roots = Roots::from(&[
        (alice.fingerprint().into(), wot::FULLY_TRUSTED),
    ]);
    let wot_data = wot::store::CertStore::from_backend(&cert_store, P, None);
    let network = Network::new(&wot_data)?;
    let q = Query::new(&network, trust_roots.clone());

    // Try and authenticate Bob.
    let paths = q.authenticate(
        UserID::from("<bob@example.org>"),
        bob.fingerprint(),
        wot::FULLY_TRUSTED);

    // Alice, our sole trust root, did not certify Bob so this will fail.
    assert_eq!(paths.amount(), 0);
    Ok(())
}
Since we depend on sequoia-cert-store, we can also remove redundant
code, like the keyserver implementation, which sequoia-cert-store also
implements.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.2.0 of the Sequoia
Certificate Store crate, sequoia-cert-store.
I have published sequoia-cert-store on crates.io:
https://crates.io/crates/sequoia-cert-store
You can also fetch version 0.2.0 using the v0.2.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-cert-store/-/tags/v0.2.0
which I signed:
$ git verify-tag v0.2.0
gpg: Signature made Tue Mar 07 17:39:46 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
sequoia-cert-store provides a unified, high-level API for different
certificate stores via its Store and StoreUpdate traits.
This version fixes an issue with `CertStore`'s key server backend:
calling `CertStore::add_keyserver` accidentally did not enable key
server support.
This release also includes several other improvements to the key
server backend. A notable improvement is the addition of a generic
interface, `store::StatusListener`, which allows a backend to indicate
when a certificate lookup starts and ends. This is implemented by
the key server backend. This allows an application to better show the
user that the application is working and not hung when using a key
server.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce v1.3.0 of the RPM Sequoia crate.
I have published rpm-sequoia on crates.io:
https://crates.io/crates/rpm-sequoia
You can also fetch version 1.3.0 using the v1.3.0 tag:
https://github.com/rpm-software-management/rpm-sequoia/releases/tag/v1.3.0
which I signed:
$ git verify-tag v1.3.0
gpg: Signature made Mon Mar 06 16:54:07 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release includes two notable changes.
First, when `pgpVerifySignature` verifies a signature, it now
distinguishes between an invalid signature, and one that uses weak
cryptography, or is from a certificate that is expired or has been
revoked. Specifically, in the case that the signature is okay, but
the cryptography is weak or the certificate is invalid,
`pgpVerifySignature` now returns `RPMRC_NOTTRUSTED` instead of
`RPMRC_FAIL`.
This change allows installed packages that use outdated cryptography
or certificates to be updated or removed. Please refer to this
comment:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c8
and this issue:
https://github.com/rpm-software-management/rpm/issues/2402
for more details.
Second, rpm-sequoia now looks for its configuration file by first
checking the environment variable `RPM_SEQUOIA_CRYPTO_POLICY` and the
file `/etc/crypto-policies/back-ends/rpm-sequoia.config`. Only if
both of those are not set does it fall back to the more generic
`SEQUOIA_CRYPTO_POLICY` environment variable and the file
`/etc/crypto-policies/back-ends/sequoia.config`.
This change allows RPM to use a different cryptographic policy from
other Sequoia-based applications. It was motivated by Fedora 38's
decision to allow signatures using the SHA-1 hash algorithm and made
by 1024-bit DSA keys, which is necessary to support some popular
third-party repositories. For more details, refer to:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878 ,
https://pagure.io/fesco/issue/2960 , and
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129 .
Neal on behalf of the whole Sequoia PGP team
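The lookup order described in the rpm-sequoia announcement above can be checked on a host with a small resolver. This is an added example, not code from rpm-sequoia or sequoia-policy-config; the function and type names are hypothetical, and it assumes that within one namespace the environment variable is consulted before the file.

```rust
use std::collections::HashMap;
use std::path::{Path, PathBuf};

/// Where the effective policy configuration comes from.
#[derive(Debug, PartialEq)]
enum PolicySource {
    Env { var: &'static str, path: PathBuf },
    File(PathBuf),
    BuiltIn, // nothing configured: the library's defaults apply
}

// (environment variable, file) per namespace, names as in the announcement.
const RPM: (&str, &str) = (
    "RPM_SEQUOIA_CRYPTO_POLICY",
    "/etc/crypto-policies/back-ends/rpm-sequoia.config",
);
const GENERIC: (&str, &str) = (
    "SEQUOIA_CRYPTO_POLICY",
    "/etc/crypto-policies/back-ends/sequoia.config",
);

/// Walk the namespaces in order and return the first configured source.
/// Assumption: within a namespace the variable is consulted before the file.
fn resolve(
    namespaces: &[(&'static str, &'static str)],
    env: &HashMap<String, String>,
    file_exists: &dyn Fn(&str) -> bool,
) -> PolicySource {
    for &(var, file) in namespaces {
        if let Some(path) = env.get(var) {
            return PolicySource::Env { var, path: PathBuf::from(path) };
        }
        if file_exists(file) {
            return PolicySource::File(PathBuf::from(file));
        }
    }
    PolicySource::BuiltIn
}

/// True when RPM reads a different policy than other Sequoia applications.
fn rpm_diverges(env: &HashMap<String, String>, file_exists: &dyn Fn(&str) -> bool) -> bool {
    resolve(&[RPM, GENERIC], env, file_exists) != resolve(&[GENERIC], env, file_exists)
}

fn main() {
    let env: HashMap<String, String> = std::env::vars().collect();
    let exists = |p: &str| Path::new(p).exists();
    println!("rpm policy source: {:?}", resolve(&[RPM, GENERIC], &env, &exists));
    println!("differs from other Sequoia apps: {}", rpm_diverges(&env, &exists));
}
```

A divergence is worth reviewing on hosts where the RPM-specific policy re-enables SHA-1 or 1024-bit DSA, since that relaxation then applies to package verification only.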
Hi everyone,
I'm pleased to announce v0.6.0 of the Sequoia Policy Config crate,
sequoia-policy-config.
I have published sequoia-policy-config on crates.io:
https://crates.io/crates/sequoia-policy-config
You can also fetch version 0.6.0 using the v0.6.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-policy-config/-/tags/v0.6.0
which I signed:
$ git verify-tag v0.6.0
gpg: Signature made Mon Mar 06 15:11:44 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release adds a few new functions that make it easier to use an
alternate configuration name space. In particular,
`ConfiguredStandardPolicy::parse_default_config` was split into the
following functions: `ConfiguredStandardPolicy::parse_env_config`,
`ConfiguredStandardPolicy::parse_config_file`, and
`ConfiguredStandardPolicy::parse_config`.
This was motivated by Fedora 38, which needs to enable some legacy
algorithms to give third parties additional time to update their
OpenPGP certificates. We decided that just because these algorithms
are enabled for rpm does not mean that they should be enabled for
all applications that use Sequoia. The relevant issue is here:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 1.5.0 of the
sequoia-octopus-librnp crate.
The crate is published on:
https://crates.io/crates/sequoia-octopus-librnp
You can also fetch the code from gitlab.com using the v1.5.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp/-/tags/v1.5.0
which Neal signed:
$ git verify-tag v1.5.0
gpg: Signature made Fri 03 Mar 2023 03:57:16 PM CET
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [full]
gpg: aka "Neal H. Walfield <neal(a)gnupg.org>" [full]
gpg: aka "Neal H. Walfield <neal(a)pep.foundation>" [full]
gpg: aka "Neal H. Walfield <neal(a)pep-project.org>" [full]
gpg: aka "Neal H. Walfield <neal(a)sequoia-pgp.org>" [full]
This release fixes support for Thunderbird 102.7 and includes improvements
to the automated calculation of acceptance of OpenPGP certificates (based
on trust-roots defined in the user's GnuPG setup).
Heiko on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the first release of the Sequoia Certificate
Store crate, sequoia-cert-store.
I have published sequoia-cert-store on crates.io:
https://crates.io/crates/sequoia-cert-store
You can also fetch version 0.1.0 using the v0.1.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-cert-store/-/tags/v0.1.0
which I signed:
$ git verify-tag v0.1.0
gpg: Signature made Thu Mar 02 12:01:21 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
sequoia-cert-store provides a unified, high-level API for different
certificate stores via its Store and StoreUpdate traits. To look up a
certificate by fingerprint given a certificate store backend, one
would do:
let cert = backend.lookup_by_cert_fpr(fingerprint)?;
Or to look up the certificates that have a User ID where the domain is
`sequoia-pgp.org`, one would do:
let certs = backend.lookup_by_email_domain("sequoia-pgp.org")?;
The crate provides a number of helper functions and data structures
like UserIDIndex to help a backend implement this functionality.
This release includes three backends: a backend for OpenPGP
certificate directories [1], a backend for certificates, e.g., as read
from a keyring or other database, and a key server backend.
[1] https://datatracker.ietf.org/doc/draft-nwjw-openpgp-cert-d/
Finally, the crate provides the CertStore data structure, which
combines multiple backends in a transparent way to its users.
Neal on behalf of the whole Sequoia PGP team