Sequoia PGP: A Sapling Matures: Meet sq 1.0

By Neal | December 16, 2024

The Sequoia PGP team is happy to announce the release of version 1.0 of sq. sq is a command-line tool for working with OpenPGP artifacts with a focus on usability, security, and robustness.

After seven years of development, this is sq’s first stable release. A notable change for existing users of sq is that we will no longer change sq’s CLI in an incompatible manner.

A Short Introduction

sq is a command-line tool for working with OpenPGP artifacts. In addition to encryption, decryption, signing, and verification services, sq provides a decentralized public key infrastructure (PKI), and comprehensive key management facilities.

sq targets command-line users, package maintainers, and software developers. Although these users tend to handle complex systems well, we’ve spent a lot of time ensuring that sq is easy to use, and minimizes the cognitive burden on users. To this end, we’ve rethought existing concepts, and designed the tool around common workflows.

sq aims to be safe by default. One way it achieves this is not by having good defaults, but by avoiding defaults when it is not absolutely clear that one option is and will remain much better than the alternatives. sq also avoids do-what-I-mean (DWIM) interfaces. At the beginning we feared that these design decisions would decrease usability. In practice, tab completion hides most of the additional typing, and being explicit appears to reduce confusion.

sq’s PKI is probably its most notable feature, and the one we invested the most time in. The PKI is used to authenticate certificates, and messages. Authentication is necessary to ensure that you are encrypting to the person you think you are, and to identify who really authored a message; without authentication, encryption and verification are much weaker.

sq’s PKI helps the user by opportunistically recording evidence. When a certificate is downloaded from keys.openpgp.org, for instance, sq automatically records that fact locally, and can display it when the user later examines the certificate. For users whose threat model allows it, they can opt-in to using keys.openpgp.org as a trusted introducer, and will rarely have to manually authenticate a certificate. This is safe in this threat model, because keys.openpgp.org is a verifying key server. For others, the recorded information provides a helpful starting point to separate fake certificates from authentic ones. Fully trusting or partially trusting a certification authority (CA), e.g., only relying on a CA for a particular domain, is just as easy as using a global CA like keys.openpgp.org. This mechanism is a requirement for a federated CA system, which we hope will emerge in the coming years.

A Demo

Here’s a small demonstration of how to download and verify a Qubes release.

First, we search for the certificate the Qubes project uses for signing their releases. We use sq to download the certificate from the project’s web page. sq doesn’t just fetch that file, it also iterates, and looks for updates on various key servers, WKD and DANE:

$ sq network search https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc
Found 1 certificate related to the query:

 - 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
   - Qubes OS Release 4.2 Signing Key (UNAUTHENTICATED)
   - created 2022-10-04 14:10:01 UTC
   - found via: hkps://keys.openpgp.org, hkps://keyserver.ubuntu.com, hkps://sks.pod01.fleetstreetops.com, http
Imported 1 new certificate, updated 0 certificates, 0 certificates unchanged, 0 errors.

Hint: After checking that the certificate 9C884DF3F81064A569A4A9FAE022E58F8E34D89F really belongs to the stated
      owner, you can mark the certificate as authenticated.  Each stated user ID can be marked individually using:

  $ sq pki link add --cert 9C884DF3F81064A569A4A9FAE022E58F8E34D89F "--userid=Qubes OS Release 4.2 Signing Key"

After verifying the fingerprint according to our threat model, we link the certificate as suggested by the hint:

$ sq pki link add --cert 9C884DF3F81064A569A4A9FAE022E58F8E34D89F --userid "Qubes OS Release 4.2 Signing Key"
 - ┌ 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
   └ Qubes OS Release 4.2 Signing Key
   - certification created

Finally, we simultaneously download and verify the Qubes image:

$ sq download --signature-url https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.2.3-x86_64.iso.asc --url https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.2.3-x86_64.iso --output /tmp/qubes.iso
 - ┌ 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
   └ Qubes OS Release 4.2 Signing Key (authenticated)
 - 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
   - created 2022-10-04 14:10:01 UTC

   - [] Qubes OS Release 4.2 Signing Key

     ◯─┬ 488780DC4EDF3D0FD536FF28C6025CF549CD0515
     │ └ (Local Trust Root)
     │  certified the following binding on 2024‑12‑16
     └─┬ 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
       └ Qubes OS Release 4.2 Signing Key
Finished downloading data.  Authenticating data.
...
1 authenticated signature.

We only need to link the certificate once. When downloading other files published and signed by the Qubes project, sq will use the existing link to authenticate the data.

Learn More

If you want to try out sq and you have a Rust development environment, you can use cargo install to get the latest version:

$ cargo install sequoia-sq --locked

Alternatively, you may already be able to get sq from your distribution. Many distributions are closely following Sequoia’s development and provide updated packages shortly after their release.

You can learn more about sq, by reading sq’s book, and the man pages. We’ve also held several talks about Sequoia and sq. The most recent presentation was at Datenspuren 2024:

Clicking on the thumbnail will load content from media.ccc.de.
Sequoia PGP: A not quite new implementation of OpenPGP

Thanks

Seven years is a long time, and there are a lot of people to thank!

The following people have contributed code to sq:

  • Alexander Kjäll
  • Andriy Utkin
  • Azul
  • Daiki Ueno
  • Daniel Kahn Gillmor
  • David Runge
  • Devan Carpenter
  • Fabio Valentini
  • Franziska Schmidtke
  • Gabriel de Perthuis
  • Heiko Schaefer
  • Holger Levsen
  • Igor Matuszewski
  • Jan Christian Grünhage
  • Jens Reimann
  • Justus Winter
  • Lars Wirzenius
  • Luca Saiu
  • Malte Meiboom
  • Neal H. Walfield
  • Nora Widdecke
  • Stacey Sheldon
  • Wiktor Kwapisiewicz

The following people have opened issues regarding sq:

Finally, we’d like to thank the following individuals and institutions that have financed our work on Sequoia over the years: