Hi everyone,
I'm pleased to announce the release of version 0.6.0 of the Sequoia
Web of Trust crate, sequoia-wot.
I have published sequoia-wot on crates.io:
https://crates.io/crates/sequoia-wot
You can also fetch version 0.6.0 using the v0.6.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-wot/-/tags/v0.6.0
which I signed:
$ git verify-tag v0.6.0
gpg: Signature made Thu Mar 09 14:39:29 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
The most noticeable change in this release is that we switched from
providing our own certificate store abstraction to using the one
provided by sequoia-cert-store. More information about
sequoia-cert-store is available here:
https://docs.rs/sequoia-cert-store/0.2.0/sequoia_cert_store/
We also added a wrapper struct so that it is easy to work with a
`CertStore`, which is provided by the Certificate Store library, or
any other data structure implementing the Store trait. The following
code snippet illustrates the idea:

    use std::borrow::Cow;

    use sequoia_openpgp as openpgp;
    use openpgp::cert::CertBuilder;
    use openpgp::packet::UserID;
    use openpgp::policy::StandardPolicy;

    use sequoia_cert_store as cert_store;
    use cert_store::Store;
    use cert_store::StoreUpdate;

    use sequoia_wot as wot;
    use wot::Network;
    use wot::Query;
    use wot::Roots;

    fn main() -> openpgp::Result<()> {
        const P: &StandardPolicy = &StandardPolicy::new();

        // Generate two throwaway certificates so that the snippet is
        // self-contained.
        let (alice, _) = CertBuilder::general_purpose(
            None, Some("<alice@example.org>")).generate()?;
        let (bob, _) = CertBuilder::general_purpose(
            None, Some("<bob@example.org>")).generate()?;

        // Put both certificates into an in-memory certificate store.
        let mut cert_store = cert_store::CertStore::empty();
        cert_store.update(Cow::Owned(alice.clone().into()))?;
        cert_store.update(Cow::Owned(bob.clone().into()))?;

        // Build a WoT network.
        let trust_roots = Roots::from(&[
            (alice.fingerprint().into(), wot::FULLY_TRUSTED),
        ]);
        let wot_data = wot::store::CertStore::from_backend(&cert_store, P, None);
        let network = Network::new(&wot_data)?;
        let q = Query::new(&network, trust_roots.clone());

        // Try and authenticate Bob.
        let paths = q.authenticate(
            UserID::from("<bob@example.org>"),
            bob.fingerprint(),
            wot::FULLY_TRUSTED);

        // Alice, our sole trust root, did not certify Bob so this will fail.
        assert_eq!(paths.amount(), 0);

        Ok(())
    }

Since we depend on sequoia-cert-store, we can also remove redundant
code, like the keyserver implementation, which sequoia-cert-store also
implements.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.2.0 of the Sequoia
Certificate Store crate, sequoia-cert-store.
I have published sequoia-cert-store on crates.io:
https://crates.io/crates/sequoia-cert-store
You can also fetch version 0.2.0 using the v0.2.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-cert-store/-/tags/v0.2.0
which I signed:
$ git verify-tag v0.2.0
gpg: Signature made Tue Mar 07 17:39:46 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
sequoia-cert-store provides a unified, high-level API for different
certificate stores via its Store and StoreUpdate traits.
This version fixes an issue with `CertStore`'s key server backend:
calling `CertStore::add_keyserver` accidentally did not enable key
server support.
This release also includes several other improvements to the key
server backend. A notable improvement is the addition of a generic
interface, `store::StatusListener`, which allows a backend to indicate
when a certificate lookup starts and ends. This is implemented by
the key server backend. This allows an application to better show the
user that the application is working and not hung when using a key
server.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce v1.3.0 of the RPM Sequoia crate.
I have published rpm-sequoia on crates.io:
https://crates.io/crates/rpm-sequoia
You can also fetch version 1.3.0 using the v1.3.0 tag:
https://github.com/rpm-software-management/rpm-sequoia/releases/tag/v1.3.0
which I signed:
$ git verify-tag v1.3.0
gpg: Signature made Mon Mar 06 16:54:07 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release includes two notable changes.
First, when `pgpVerifySignature` verifies a signature, it now
distinguishes between an invalid signature, and one that uses weak
cryptography, or is from a certificate that is expired or has been
revoked. Specifically, in the case that the signature is okay, but
the cryptography is weak or the certificate is invalid,
`pgpVerifySignature` now returns `RPMRC_NOTTRUSTED` instead of
`RPMRC_FAIL`.
This change allows installed packages that use outdated cryptography
or certificates to be updated or removed. Please refer to this
comment:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c8
and this issue:
https://github.com/rpm-software-management/rpm/issues/2402
for more details.
Second, rpm-sequoia now looks for its configuration file by first
checking the environment variable `RPM_SEQUOIA_CRYPTO_POLICY` and the
file `/etc/crypto-policies/back-ends/rpm-sequoia.config`. Only if
both of those are not set does it fall back to the more generic
`SEQUOIA_CRYPTO_POLICY` environment variable and the file
`/etc/crypto-policies/back-ends/sequoia.config`.
This change allows RPM to use a different cryptographic policy from
other Sequoia-based applications. It was motivated by Fedora 38's
decision to allow signatures using the SHA-1 hash algorithm and made
by 1024-bit DSA keys, which is necessary to support some popular
third-party repositories. For more details, refer to:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878 ,
https://pagure.io/fesco/issue/2960 , and
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129 .
Neal on behalf of the whole Sequoia PGP team
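
The lookup order described in the rpm-sequoia 1.3.0 announcement above, as an added example (not part of the original message and not rpm-sequoia's own code). It assumes that within one name space the environment variable takes precedence over the file, that "set" for a file means the file exists, and that the library defaults apply when nothing is configured; the type and function names are hypothetical.

```rust
use std::path::{Path, PathBuf};

/// Where the policy comes from. Type and names are illustrative only.
#[derive(Debug, PartialEq)]
pub enum PolicySource {
    Env { var: &'static str, path: PathBuf },
    File(PathBuf),
    /// Assumption: with nothing configured, the library defaults apply.
    LibraryDefault,
}

type NameSpace = (&'static str, &'static str); // (env variable, config file)

pub const RPM: NameSpace = (
    "RPM_SEQUOIA_CRYPTO_POLICY",
    "/etc/crypto-policies/back-ends/rpm-sequoia.config",
);
pub const GENERIC: NameSpace = (
    "SEQUOIA_CRYPTO_POLICY",
    "/etc/crypto-policies/back-ends/sequoia.config",
);

/// Walk the name spaces in order; the first one that is configured wins.
pub fn resolve<E, F>(order: &[NameSpace], env: E, exists: F) -> PolicySource
where
    E: Fn(&str) -> Option<String>,
    F: Fn(&Path) -> bool,
{
    for &(var, file) in order {
        // Assumption: inside one name space the variable beats the file.
        if let Some(path) = env(var) {
            return PolicySource::Env { var, path: PathBuf::from(path) };
        }
        if exists(Path::new(file)) {
            return PolicySource::File(PathBuf::from(file));
        }
    }
    PolicySource::LibraryDefault
}

fn main() {
    let env = |v: &str| std::env::var(v).ok();
    let exists = |p: &Path| p.exists();
    // rpm consults its own name space first; other tools only the generic one.
    println!("rpm:   {:?}", resolve(&[RPM, GENERIC], env, exists));
    println!("other: {:?}", resolve(&[GENERIC], env, exists));
}
```

Running it on a host shows which policy file rpm would pick up, and that a relaxed rpm-specific policy is not seen by a tool that only consults the generic name space.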
Hi everyone,
I'm pleased to announce v0.6.0 of the Sequoia Policy Config crate,
sequoia-policy-config.
I have published sequoia-policy-config on crates.io:
https://crates.io/crates/sequoia-policy-config
You can also fetch version 0.6.0 using the v0.6.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-policy-config/-/tags/v0.6.0
which I signed:
$ git verify-tag v0.6.0
gpg: Signature made Mon Mar 06 15:11:44 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release adds a few new functions that make it easier to use an
alternate configuration name space. In particular,
`ConfiguredStandardPolicy::parse_default_config` was split into the
following functions: `ConfiguredStandardPolicy::parse_env_config`,
`ConfiguredStandardPolicy::parse_config_file`, and
`ConfiguredStandardPolicy::parse_config`.
This was motivated by Fedora 38, which needs to enable some legacy
algorithms to give third parties additional time to update their
OpenPGP certificates. We decided that just because these algorithms
are enabled for rpm does not mean that they should be enabled for
all applications that use Sequoia. The relevant issue is here:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 1.5.0 of the
sequoia-octopus-librnp crate.
The crate is published on:
https://crates.io/crates/sequoia-octopus-librnp
You can also fetch the code from gitlab.com using the v1.5.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp/-/tags/v1.5.0
which Neal signed:
$ git verify-tag v1.5.0
gpg: Signature made Fri 03 Mar 2023 03:57:16 PM CET
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [full]
gpg: aka "Neal H. Walfield <neal(a)gnupg.org>" [full]
gpg: aka "Neal H. Walfield <neal(a)pep.foundation>" [full]
gpg: aka "Neal H. Walfield <neal(a)pep-project.org>" [full]
gpg: aka "Neal H. Walfield <neal(a)sequoia-pgp.org>" [full]
This release fixes support for Thunderbird 102.7 and includes improvements
to the automated calculation of acceptance of OpenPGP certificates (based
on trust-roots defined in the user's GnuPG setup).
Heiko on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the first release of the Sequoia Certificate
Store crate, sequoia-cert-store.
I have published sequoia-cert-store on crates.io:
https://crates.io/crates/sequoia-cert-store
You can also fetch version 0.1.0 using the v0.1.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-cert-store/-/tags/v0.1.0
which I signed:
$ git verify-tag v0.1.0
gpg: Signature made Thu Mar 02 12:01:21 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
sequoia-cert-store provides a unified, high-level API for different
certificate stores via its Store and StoreUpdate traits. To look up a
certificate by fingerprint given a certificate store backend, one
would do:

    let cert = backend.lookup_by_cert_fpr(fingerprint)?;

Or to look up the certificates that have a User ID where the domain is
`sequoia-pgp.org`, one would do:

    let certs = backend.lookup_by_email_domain("sequoia-pgp.org")?;

The crate provides a number of helper functions and data structures
like UserIDIndex to help a backend implement this functionality.
This release includes three backends: a backend for OpenPGP
certificate directories [1], a backend for certificates, e.g., as read
from a keyring or other database, and a key server backend.
[1] https://datatracker.ietf.org/doc/draft-nwjw-openpgp-cert-d/
Finally, the crate provides the CertStore data structure, which
combines multiple backends in a transparent way to its users.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 1.0.1 of the
sequoia-keyring-linter crate.
I have published sequoia-keyring-linter on crates.io:
https://crates.io/crates/sequoia-keyring-linter
You can also fetch 1.0.1 using the v1.0.1 tag:
https://gitlab.com/sequoia-pgp/keyring-linter/-/tags/v1.0.1
which I signed:
$ git verify-tag v1.0.1
gpg: Signature made Fri Feb 10 12:30:49 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release is a minor update.
A new option, `--time`, is now available, which allows the user to set
a reference time. This is useful for checking if a certificate will
have problems some time in the future.
man page generation has also improved. And, shell completions are now
generated.
Several dependencies have also been updated. In particular,
sq-keyring-linter now uses rpassword 6.0, and clap 4.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.5.0 of the
sequoia-wot crate.
I have published sequoia-wot on crates.io:
https://crates.io/crates/sequoia-wot
You can also fetch 0.5.0 using the v0.5.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-wot/-/tags/v0.5.0
which I signed:
$ git verify-tag v0.5.0
gpg: Signature made Wed Feb 08 15:55:57 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)g10code.com>"
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release includes one significant change: certificates fetched
from key servers are cached on disk in the default certificate
directory.
This release also includes a number of minor bug fixes. When
upgrading to clap 4, the short option for `--keyring` was mistakenly
changed from `-k` to `-f`. That change has been reverted. Several
API warts were corrected. And, a performance bug, which impacts
`sq-wot list`, was fixed.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.30.1 of the
sequoia-ipc crate.
I have published sequoia-ipc on crates.io:
https://crates.io/crates/sequoia-ipc
You can also fetch 0.30.1 using the v0.30.1 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/ipc/v0.30.1
which I signed:
$ git verify-tag ipc/v0.30.1
gpg: Signature made Thu Feb 02 15:18:54 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)g10code.com>"
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release includes a fix for the keybox parser.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.30.0 of the
sequoia-ipc crate.
I have published sequoia-ipc on crates.io:
https://crates.io/crates/sequoia-ipc
You can also fetch 0.30.0 using the v0.30.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/ipc/v0.30.0
which I signed:
$ git verify-tag ipc/v0.30.0
gpg: Signature made Wed Feb 01 16:27:00 2023 +01:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)g10code.com>"
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
Primary key fingerprint: 8F17 7771 18A3 3DDA 9BA4 8E62 AACB 3243 6300 52D9
Subkey fingerprint: C03F A641 1B03 AE12 5764 6118 7223 B566 78E0 2528
This release includes a fix for sequoia-ipc's gpg agent support. When
decrypting a message with multiple recipients (i.e., multiple PKESK
packets), sequoia-ipc's state machine would sometimes become
desynchronized from gpg agent's state machine, and the decryption
would fail.
It also includes a fix for a test failure on big endian systems, like
S390.
Neal on behalf of the whole Sequoia PGP team