Sequoia PGP gets a Bug Bounty Program
The Sequoia PGP project now has a bug bounty program! If you find a novel security-relevant issue in almost any of our libraries, applications, or specifications then you’ll be rewarded with up to €10,000.
With recent work on Sequoia sq I have focused on improving the user experience (UX) of the command-line interface (CLI) and adding new features for increased feature parity with gpg. These changes are available starting with version 0.31.0.
The effort has been accompanied by a few code refactorings aimed at making the CLI more composable and safer to use in the future.
This article provides an overview of the new features and improvements.
Fedora 38 is out, and unsurprisingly it comes with a lot of shiny, new things. One especially interesting novelty for readers of this blog is that this is the first release of Fedora in which the RPM Package Manager uses Sequoia to verify packages. This blog post is the story of how that came to be.
I’ve just released a new version of sq, our general-purpose command-line tool for Sequoia PGP, and it’s packed full of exciting, user-visible changes. In line with our goal of providing great end-to-end authentication, this release of sq moves from working exclusively in a stateless manner to including a full PKI and a local certificate store. It also adds a new high-level trust management interface, sq link. sq link builds on the web of trust, but uses concepts from address book management, which hopefully makes it easier for end users to understand.
I have recently added the ability to generate Graphviz DOT output to the Sequoia Web of Trust project. This new functionality has been released in version 0.7.0. With it, users can visually inspect an OpenPGP Web of Trust.
This can provide some fascinating insights into one’s own keyring, and the relationship between OpenPGP keys involved with software projects.
Today is the day Sequoia’s StandardPolicy starts rejecting SHA1-based signatures by default. This change will affect existing programs based on Sequoia, as the SHA1 deprecation was committed to and baked into the code three years ago. Therefore, all programs using sequoia-openpgp version 0.15 and up will now reject SHA1-based signatures by default.
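The announcement above describes a policy whose behaviour flips on a date that was fixed in the code long before it took effect. The following is an added, self-contained model of such a time-based hash-algorithm policy, written for this page and not code from the Sequoia project; it does not use the sequoia-openpgp crate, and the type names, the `SHA1_CUTOFF_SECS` value and the `accept_hash`/`reject_hash`/`reject_hash_at` methods are constructed for illustration. It shows the check a verifier makes: the signature's creation time is compared against the algorithm's cutoff, and a program that knowingly wants to keep accepting old SHA-1 signatures must say so explicitly.

```rust
use std::collections::HashMap;
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Hash algorithms the model policy knows about (a subset, for illustration).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum HashAlgorithm {
    Sha1,
    Sha256,
    Sha512,
}

/// Result of checking one signature's hash algorithm against the policy.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accept,
    /// Rejected because the signature was created at or after this cutoff.
    RejectedSince(SystemTime),
    /// Rejected regardless of creation time.
    Rejected,
}

/// Constructed placeholder cutoff (seconds since the Unix epoch); not a value
/// taken from the page or from Sequoia's real StandardPolicy.
pub const SHA1_CUTOFF_SECS: u64 = 1_675_209_600;

/// Convenience: build a SystemTime from seconds since the epoch.
pub fn unix(secs: u64) -> SystemTime {
    UNIX_EPOCH + Duration::from_secs(secs)
}

/// A time-based policy: each known algorithm is either unrestricted (None)
/// or rejected for signatures created at or after a cutoff (Some(t)).
/// Algorithms absent from the map are rejected outright.
pub struct HashPolicy {
    cutoffs: HashMap<HashAlgorithm, Option<SystemTime>>,
}

impl HashPolicy {
    /// Defaults for this model: SHA-1 has a cutoff, SHA-256/512 are unrestricted.
    pub fn standard() -> Self {
        let mut cutoffs = HashMap::new();
        cutoffs.insert(HashAlgorithm::Sha1, Some(unix(SHA1_CUTOFF_SECS)));
        cutoffs.insert(HashAlgorithm::Sha256, None);
        cutoffs.insert(HashAlgorithm::Sha512, None);
        HashPolicy { cutoffs }
    }

    /// Lift any restriction on `algo` (an explicit opt-in by the application).
    pub fn accept_hash(&mut self, algo: HashAlgorithm) {
        self.cutoffs.insert(algo, None);
    }

    /// Reject `algo` for every signature, whatever its creation time.
    pub fn reject_hash(&mut self, algo: HashAlgorithm) {
        self.cutoffs.remove(&algo);
    }

    /// Reject `algo` for signatures created at or after `cutoff`.
    pub fn reject_hash_at(&mut self, algo: HashAlgorithm, cutoff: SystemTime) {
        self.cutoffs.insert(algo, Some(cutoff));
    }

    /// The check a verifier performs: the signature's *creation* time, not the
    /// time of verification, decides whether the algorithm was still allowed.
    pub fn check(&self, algo: HashAlgorithm, created: SystemTime) -> Verdict {
        match self.cutoffs.get(&algo) {
            None => Verdict::Rejected,
            Some(None) => Verdict::Accept,
            Some(Some(cutoff)) if created < *cutoff => Verdict::Accept,
            Some(Some(cutoff)) => Verdict::RejectedSince(*cutoff),
        }
    }
}

fn main() {
    let policy = HashPolicy::standard();
    // A SHA-1 signature made one second before the cutoff still verifies ...
    println!("{:?}", policy.check(HashAlgorithm::Sha1, unix(SHA1_CUTOFF_SECS - 1)));
    // ... one made at the cutoff does not.
    println!("{:?}", policy.check(HashAlgorithm::Sha1, unix(SHA1_CUTOFF_SECS)));

    // An application that must keep verifying legacy SHA-1 signatures opts in
    // explicitly, rather than relying on a default that changes under it.
    let mut legacy = HashPolicy::standard();
    legacy.accept_hash(HashAlgorithm::Sha1);
    println!("{:?}", legacy.check(HashAlgorithm::Sha1, unix(SHA1_CUTOFF_SECS + 1)));
}
```

The design point is that the cutoff lives in the policy, not in the signature: a program pinned to an old policy object keeps its old behaviour, while one that constructs the default policy at runtime changes behaviour on the day the cutoff passes, which is exactly why the announcement warns existing programs.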
We are pleased to announce the first release of the Chameleon, Sequoia’s reimplementation of the GnuPG interface. This is a technology preview, but we encourage developers who integrate GnuPG into their software to see whether it works with the Chameleon.
I did some user testing of sq with five volunteers. This blog post is a report of what I learned. Good news: everyone did get all the tasks done successfully and within the one hour I had allocated, with plenty of time left over. Of course, there were a few things that could be improved.
I will do some informal user testing of sq. In short, I will watch volunteers use sq to achieve specific tasks that I give them. The goal of this is to find out pain points when using sq: what is easy and straightforward; what is difficult to understand; what is difficult to do. The testing will cover the sq command line tool and its built-in help, but not any other manuals or materials.
The Sequoia command-line tool sq has gained support for the sq keyring list and sq wkd url commands.
Copyright (c) 2018-2023, p≡p foundation.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Images by Ingo Kleiber, and Robert Anders.