Sequoia-PGP (gpg replacement) - OpenPGP

Patrick · June 4, 2023, 10:39am

Patrick · June 4, 2023, 10:47am

port Qubes Split GPG to Sequoia-PGP

opened 10:47AM - 04 Jun 23 UTC

T: enhancement P: default

### The problem you're addressing (if any) gpg has an ancient code base writt…en in a memory unsafe language. ### The solution you'd like Could you consider https://sequoia-pgp.org/ please? Available in Debian and fedora-38. * https://packages.debian.org/bullseye/sq * https://sequoia-pgp.org/blog/2023/04/27/rpm-sequoia/ ### The value to a user, and who that user might be Increased security and perhaps even increased reliability, code simplification.

HulaHoop · June 4, 2023, 2:46pm

It’s an interesting project with backing of a trust worthy foundation, but with all due respect to the authors, I wouldn’t jump all in on it. GPG is just too critically important that you are better off sticking with the project that has more eyes on it and is constantly being developed. While buggy code can cause serious security risks, there isn’t much record of that being the case with GPG. The other thing is competence of crypto implementations. Despite there being certain standards GPG follows, there are many instances of GPG-isms where they diverge from IETF standards that are cumbersome or don’t make sense for them.

Patrick · June 5, 2023, 12:49pm

The RPM package manager was ported to Sequoia.

Patrick · October 4, 2023, 9:13am

Qubes builder infrastructure uses sequoia. Source:

Quote @marmarek:

Gpg in default settings may not verify it, but we use sequoia which is much stricter.

Patrick · October 4, 2023, 9:17am

sq(1) — sq — Debian bookworm — Debian Manpages

Patrick · October 5, 2023, 3:38am

dpkg-source internally uses sq. I figured that out because of a signature verification error trying to build a Kicksecure package. It failed because sq keystore is different from gpg keystore.

+ dpkg-source --require-strong-checksums --require-valid-signature -x /home/user/derivative-binary/genmkfile-packages-result/genmkfile_13.0-1.dsc /tmp/tmp.ImjZq87mKV/
No key to check checksum from 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
1 unknown checksum.
Error: Verification failed
dpkg-source: error: cannot verify inline signature for /home/user/derivative-binary/genmkfile-packages-result/genmkfile_13.0-1.dsc: no acceptable signature found

Patrick · October 5, 2023, 4:16am

The dpkg-source issue hard to debug… What’s the file to add my sq public key? As per dpkg source code scripts/Dpkg/Vendor/Debian.pm

    if ($hook eq 'package-keyrings') {
        return ('/usr/share/keyrings/debian-keyring.gpg',

with /etc/dpkg/origins/default pointing to /etc/dpkg/origins/debian. Otherwise, dpkg might use different vendor (distribution) specific package-keyrings.

Importing my key to /usr/share/keyrings/debian-maintainers.gpg helped.

sudo gpg --no-default-keyring --keyring /usr/share/keyrings/debian-maintainers.gpg --import /usr/share/keyrings/derivative.asc

I locally added some debug output to /usr/share/perl5/Dpkg/OpenPGP/Backend/Sequoia.pm

This is what dpkg-source is actually executing:

sq verify --signer-cert /usr/share/keyrings/debian-keyring.gpg --signer-cert /usr/share/keyrings/debian-nonupload.gpg --signer-cert /usr/share/keyrings/debian-maintainers.gpg /home/user/derivative-binary/genmkfile-packages-result/genmkfile_13.0-1.dsc

Command

sq keyring list /usr/share/keyrings/debian-keyring.gpg | grep adrelanos

showed that

0. 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA Patrick Schleizer <adrelanos@kicksecure.com>

Not the cleanest solution.

Debian’s version of sq might not have the new sq feature of a local keystore:

That would have probably made this a lot easier.