Sequoia PGP tools available for Fedora 34+

TL;DR: An alternative OpenPGP backend for Thunderbird, based on Sequoia PGP, is now available for testing in COPR, with packages submitted but still pending review.


I have been working with the nice people from the Sequoia PGP Project to get their software properly packaged for Fedora, which includes an alternative OpenPGP backend implementation for Thunderbird, codenamed “The Octopus”.

The “Octopus” backend for Thunderbird has several advantages compared to the bundled RNP backend:

  • integration with the GnuPG keyring
  • integration with running gpg agents
  • no support for weak cryptographic standards
  • in-memory-encryption of GPG keys
  • restrictions for SHA-1 use and mitigations for SHA-1 collision attacks
  • better conformance and compatibility with OpenPGP than librnp
  • better performance (parallelized parsing, background tasks as threads)
  • memory- and thread-safe implementation in Rust
  • uses system nettle as cryptography library instead of botan (which is not available in RHEL)

Other packages provide various tools for dealing with GPG keys:

All packages are currently maintained in a GitHub repo, but I have already submitted review requests for all new packages. Test builds for Fedora 34 and Rawhide are available in COPR. Builds for older Fedora releases won’t be possible for now, since the build process for Rust packages is cumbersome on Fedora < 34, and almost impossible to do right in COPR.

All Sequoia PGP packages are now available for fedora 34+ stable repos, just in time for the f34 release :slight_smile:

Note that the packages containing the command line tools are named after the respective crate, not the name of the command line tool:

  • /usr/bin/sq : sequoia-sq
  • /usr/bin/sq-keyring-linter : sequoia-keyring-linter
  • /usr/bin/sqop : sequoia-sop
  • /usr/bin/sqv : sequoia-sqv