Blog

Sequoia PGP: Out and About

Over the past few months, we’ve attended a number of conferences. In addition to hearing from a lot of people who had helpful feedback and fresh ideas, we’ve also held several presentations.

In this post, I summarize our talks, and link to recordings when they are available. I also report on the OpenPGP Email Summit, which is a yearly gathering of some people from the OpenPGP community. (If you are interested in the so-called LibrePGP / OpenPGP schism, read on.)

At the end, I list where you can meet us in person in the near future. (Spoiler: at Datenspuren in Dresden in September, and IETF 121 in Dublin in November.)

Continue reading

UX studies to test and improve sq

In a few months, we plan to release version 1.0 of sq, our primary command line interface. With version 1.0, we will commit to a long-term stable API. Ideally, that API will also be usable. Although we’ve put in a lot of time thinking about usability, we want your feedback. To this end, we’re conducting a user study.

Continue reading

Sequoia PGP, Community Outreach

Since September 2023, nearly all paid work on Sequoia has been financed by the Sovereign Tech Fund (STF). The technical focus of the award is on the maintenance and development of sq, our command-line front-end, and sequoia-openpgp, our core library. But the scope is not limited to development work: STF is also supporting our standardization work, and community outreach. In this blog post, I’ll highlight some our recent community work.

Continue reading

Sequoia PGP gets a Bug Bounty Program

The Sequoia PGP project now has a bug bounty program! If you find a novel security-relevant issue in almost any of our libraries, applications, or specifications then you’ll be rewarded with up to €10,000.

Continue reading

Improvements for the sq commandline utility

With recent work on Sequoia sq I have focused on improving the user experience (UX) of the commandline interface (CLI) and adding new features for increased feature parity with gpg. These changes are available starting with version 0.31.0.

The effort has been accompanied by a few code refactorings which touch on the subject of making the CLI more composable and safe to use in the future.

This article provides an overview of the new features and improvements.

Continue reading

RPM Sequoia: A Sequoia-based backend for the RPM Package Manager

Fedora 38 is out, and unsurprisingly it comes with a lot of shiny, new things. One especially interesting novelty for readers of this blog is that this is the first release of Fedora in which the RPM Package Manager uses Sequoia to verify packages. This blog post is the story of how that came to be.

Continue reading

Branching Out: `sq` Grows a Certificate Store, and More Convenient Trust Management

I’ve just released a new version of sq, our general-purpose command-line tool for Sequoia PGP, and it’s packed full of exciting, user-visible changes. In line with our goal of providing great end-to-end authentication, this release of sq moves from working exclusively in a stateless manner to including a full PKI, and a local certificate store. It also adds a new high-level trust management interface, sq link. sq link builds on the web of trust, but uses concepts from address book management, which hopefully makes it easier for end users to understand.

Continue reading

Pretty graphics for the Web of Trust

I have recently added the ability to generate Graphviz DOT output to the Sequoia Web of Trust project. This new functionality has been released in version 0.7.0. With it, users can visually inspect an OpenPGP Web of Trust.

This can provide some fascinating insights into one’s own keyring, and the relationship between OpenPGP keys involved with software projects.

Continue reading

Happy SHA1 Rejection Day

Today is the day Sequoia’s StandardPolicy starts rejecting SHA1-based signatures by default. This change will affect existing programs based on Sequoia, as the SHA1 deprecation has been committed to and baked into the code three years ago. Therefore, all programs using sequoia-openpgp version 0.15 and up will now reject SHA1-based signatures by default.

Continue reading

The Sequoia GnuPG Chameleon 0.1 is Released

We are pleased to announce the first release of the Chameleon, Sequoia’s reimplementation of the GnuPG interface. This is a technology preview, but we encourage developers who integrate GnuPG into their software to see whether it works with the Chameleon.

Continue reading