Hi everyone,
I'm pleased to announce the release of version 1.11.0 of the sequoia-openpgp crate. It has been published on crates.io:
https://crates.io/crates/sequoia-openpgp
You can also fetch it using the openpgp/v1.11.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp%2Fv1.11.0
which I signed:
$ git verify-tag openpgp/v1.11.0
gpg: Signature made Fri 18 Nov 2022 02:28:42 PM CET
gpg:                using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal@walfield.org>" [ultimate]
gpg:                 aka "Neal H. Walfield <neal@gnupg.org>" [ultimate]
gpg:                 aka "Neal H. Walfield <neal@pep.foundation>" [ultimate]
gpg:                 aka "Neal H. Walfield <neal@pep-project.org>" [ultimate]
gpg:                 aka "Neal H. Walfield <neal@sequoia-pgp.org>" [ultimate]
Primary key fingerprint: 8F17 7771 18A3 3DDA 9BA4 8E62  AACB 3243 6300 52D9
     Subkey fingerprint: C03F A641 1B03 AE12 5764 6118  7223 B566 78E0 2528
The most notable change in this release is support for v3 signatures.
RFC 4880 says:
Implementations SHOULD accept V3 signatures. Implementations SHOULD generate V4 signatures.
https://www.rfc-editor.org/rfc/rfc4880#section-5.2
Although the recommendation from 2007 is clear that v4 signatures should be preferred, the rpm ecosystem still generates v3 signatures. As Panu Matilainen, the maintainer of rpm, says: this appears to be more because it was forgotten about than out of any desire to stick with v3, and now it is time to figure out how to move on:
[I]t IS us the rpm-ecosystem who has been sleeping here. The good news is that V3 doesn't appear to be heartbleed critically flawed, just that V4 is better and everybody should be using that instead. ... This caught us all by surprise. It's just another piece of rusty but vitally important piping in the backyard that everybody had forgotten until it bust open. It's a good thing this was discovered, now let's just move on to fix this up.
https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c29
But moving to v4 signatures will take time, because re-signing all existing packages is infeasible. So, to accommodate reality, sequoia-openpgp is now able to parse and verify v3 signatures. By default, the standard policy rejects them; an application must opt in to them using `StandardPolicy::accept_packet_tag_version`.
https://docs.rs/sequoia-openpgp/1.11.0/sequoia_openpgp/policy/struct.Standar...
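To make the opt-in semantics concrete, here is an added, self-contained model of such a packet-version policy. It is not sequoia-openpgp code and does not depend on the crate: it only reads the OpenPGP packet header (RFC 4880, section 4.2) far enough to find the packet tag and the version byte that starts a Signature packet body (section 5.2), then applies a default-deny allowlist. The `VersionPolicy` type, its `check` method and the two byte prefixes are constructed for this example; the method name `accept_packet_tag_version` mirrors the crate's API, and the real call in an application is assumed to be `policy.accept_packet_tag_version(Tag::Signature, 3)` on a `StandardPolicy`.

```rust
// Added example: a stand-in for a StandardPolicy-like version allowlist.
// Not sequoia-openpgp code; the packet parsing here is deliberately minimal.
use std::collections::HashSet;

/// OpenPGP packet tag for a Signature packet (RFC 4880, section 4.3).
pub const TAG_SIGNATURE: u8 = 2;

#[derive(Debug, PartialEq)]
pub enum PolicyError {
    Truncated,
    NotAPacket,
    UnsupportedPacketVersion { tag: u8, version: u8 },
}

/// Default-deny policy: a (tag, version) pair is rejected unless it was
/// accepted explicitly or is part of the default set.
pub struct VersionPolicy {
    accepted: HashSet<(u8, u8)>,
}

impl VersionPolicy {
    /// The default accepts only v4 signatures: v3 signatures parse but are
    /// rejected until the application opts in, as the release note describes.
    pub fn new() -> Self {
        let mut accepted = HashSet::new();
        accepted.insert((TAG_SIGNATURE, 4));
        VersionPolicy { accepted }
    }

    /// Opt in to a packet tag/version pair. Hypothetical counterpart of
    /// sequoia's `StandardPolicy::accept_packet_tag_version`.
    pub fn accept_packet_tag_version(&mut self, tag: u8, version: u8) {
        self.accepted.insert((tag, version));
    }

    pub fn check(&self, tag: u8, version: u8) -> Result<(), PolicyError> {
        if self.accepted.contains(&(tag, version)) {
            Ok(())
        } else {
            Err(PolicyError::UnsupportedPacketVersion { tag, version })
        }
    }
}

/// Parse the packet header at the start of `data` and return
/// (tag, first body byte). For a Signature packet the first body byte
/// is the signature version (3 or 4).
pub fn packet_tag_and_version(data: &[u8]) -> Result<(u8, u8), PolicyError> {
    let ctb = *data.first().ok_or(PolicyError::Truncated)?;
    if ctb & 0x80 == 0 {
        return Err(PolicyError::NotAPacket); // bit 7 is always set
    }
    let (tag, header_len): (u8, usize) = if ctb & 0x40 != 0 {
        // New format: tag in the low 6 bits, then a 1-, 2- or 5-octet length.
        let first = *data.get(1).ok_or(PolicyError::Truncated)?;
        let len_octets = match first {
            0..=191 => 1,
            192..=223 => 2,
            255 => 5,
            _ => 1, // partial body length: a single octet
        };
        (ctb & 0x3f, 1 + len_octets)
    } else {
        // Old format: tag in bits 2..5, length type in the low 2 bits
        // (0 => 1 octet, 1 => 2 octets, 2 => 4 octets, 3 => indeterminate).
        let len_octets = match ctb & 0x03 { 0 => 1, 1 => 2, 2 => 4, _ => 0 };
        ((ctb >> 2) & 0x0f, 1 + len_octets)
    };
    let version = *data.get(header_len).ok_or(PolicyError::Truncated)?;
    Ok((tag, version))
}

/// Apply `policy` to the packet at the start of `data`.
pub fn check_packet(policy: &VersionPolicy, data: &[u8]) -> Result<(), PolicyError> {
    let (tag, version) = packet_tag_and_version(data)?;
    policy.check(tag, version)
}

/// Constructed sample: old-format CTB for a Signature packet with a one-octet
/// length (0x88), a placeholder length, then a body starting with version 3
/// and the fixed hashed-material length 5 that v3 signatures carry.
pub const V3_SIG_PREFIX: [u8; 4] = [0x88, 0x10, 0x03, 0x05];
/// Constructed sample: new-format CTB for a Signature packet (0xc2), one-octet
/// length, then a body starting with version 4.
pub const V4_SIG_PREFIX: [u8; 4] = [0xc2, 0x10, 0x04, 0x00];

fn main() {
    let default_policy = VersionPolicy::new();
    println!("v4 under default policy: {:?}", check_packet(&default_policy, &V4_SIG_PREFIX));
    println!("v3 under default policy: {:?}", check_packet(&default_policy, &V3_SIG_PREFIX));

    // An rpm-style consumer that must still verify legacy v3 signatures opts in.
    let mut legacy_policy = VersionPolicy::new();
    legacy_policy.accept_packet_tag_version(TAG_SIGNATURE, 3);
    println!("v3 after opt-in: {:?}", check_packet(&legacy_policy, &V3_SIG_PREFIX));
}
```

The point of the shape is that the opt-in is scoped to one tag/version pair and lives in the application, not in the library default, so a verifier that never deals with rpm packages keeps rejecting v3 signatures without any configuration.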
Other user-visible changes are listed in the NEWS file:
https://gitlab.com/sequoia-pgp/sequoia/-/blob/openpgp/v1.11.0/openpgp/NEWS
Neal