TL;DR: An alternative OpenPGP backend for Thunderbird, based on Sequoia PGP, is now available for testing in COPR, with packages submitted but still pending review.
I have been working with the nice people from the Sequoia PGP Project to get their software properly packaged for Fedora, which includes an alternative OpenPGP backend implementation for Thunderbird, codenamed “The Octopus”.
The “Octopus” backend for Thunderbird has several advantages compared to the bundled RNP backend:
- integration with the GnuPG keyring
- integration with running gpg agents
- no support for weak cryptographic standards
- in-memory encryption of GPG keys
- restrictions on SHA-1 use and mitigations for SHA-1 collision attacks
- better conformance and compatibility with OpenPGP than librnp
- better performance (parallelized parsing, background tasks as threads)
- memory- and thread-safe implementation in Rust
- uses the system nettle as its cryptography library instead of Botan (which is not available in RHEL)
Other packages provide various tools for dealing with GPG keys:
- sequoia-keyring-linter: OpenPGP certificate linter, focused on deprecated SHA-1 usage
- sequoia-sop: Sequoia implementation of the Stateless OpenPGP (SOP) CLI
- sequoia-sq: CLI interface for Sequoia
- sequoia-sqv: OpenPGP signature verification tool
All packages are currently maintained in a GitHub repo, but I have already submitted review requests for all new packages. Test builds for Fedora 34 and Rawhide are available in COPR. Builds for older Fedora releases won’t be possible for now, since the build process for Rust packages is cumbersome on Fedora < 34, and almost impossible to do right in COPR.