Sequoia 1.0 released, a Rust implementation of OpenPGP



Three years after development began, Sequoia 1.0 has been released. It is a Rust implementation of OpenPGP that consists of an extensive library and a set of command line tools. The release was made once the developers had finished the low-level API, which now covers the OpenPGP standard in full.



Everything is written in Rust, and the package is distributed under the GPLv2+ license. Builds exist for all major platforms: Linux, FreeBSD, Windows, macOS, Android and iOS. The development team is small, consisting of three former GnuPG developers from g10code. The same team created the Hagrid key server used by keys.openpgp.org. What the package contains is described below.



The developers' main goal was a complete redesign of the architecture and the use of new techniques to improve the security and reliability of the code base.



To raise the level of protection, Sequoia relies not only on the memory-safe programming model of Rust but also on error protection at the API level. One example is that it is impossible to accidentally export the contents of a private key: the default export operations emit only public material, and exporting secret key material requires an explicit choice. Another is that the API guards against skipping important steps when an existing signature is reused as the template for a new one; such an operation must update the creation time, the hash algorithm and the issuer of the signature.



The developers also know the shortcomings of GnuPG well, having previously worked on that project, and in the new release they tried to avoid them. For example, measures were taken so that the command line tools cannot drift out of sync with the library: in GnuPG, some actions can only be performed through the utility itself and not through the library. The problem of excessively tight coupling between components is also gone; it was that coupling which made changes to the code base difficult and left unit testing confusing and complex.



The developers have built packet inspection tools integrated with the parser. They simplify development, debugging and incident analysis, and they let the user examine the structure of OpenPGP messages visually, including digital signatures and keys.



Sequoia also ships the sq command line utility with Git-style subcommands, the sqv program (a replacement for gpgv) for verifying detached signatures, the sqop utility (a Stateless OpenPGP CLI) and the sequoia-openpgp library. Bindings for C and Python are provided.



The new release supports the vast majority of features of the OpenPGP standard, including encryption, decryption, and the creation and verification of digital signatures. Among the more advanced features are verification of detached signatures (signatures supplied separately from the data), adaptation for integration with package managers (APT, RPM, cargo, etc.), and the ability to require a threshold number of valid signatures and to restrict the accepted signature creation times to a window.



There are two APIs, a low-level one and a high-level one. The low-level API reproduces the capabilities of OpenPGP and its related extensions as faithfully as possible, and it provides calls for streaming (unbuffered) message processing and for parsing and serializing the fields of certificates and keys. The high-level API covers helper and domain-specific functionality, such as public key storage and network access. The high-level API is still being refined; it is at an early stage of development.



Interestingly, the developers were in no hurry to release, even though most of the current features were ready a year ago. They preferred to check and recheck the code base for bugs. The team has also written comprehensive documentation with references to the OpenPGP specification, and has not forgotten the use cases.



The 1.0 release stabilizes the sequoia-openpgp crate and the sqv signature verification utility. The sq CLI and the high-level APIs are not yet stabilized and are still being finalized. In the near future the team plans to integrate services for storing private and public keys, to add support for cleartext signatures (signed but unencrypted messages), and to allow regular expressions to be used when deciding which signatures are trusted.





