Chameleon - trying out Sequoia the easy way
OpenPGP written in Rust
Holger Levsen
MiniDebConfBerlin 2024
2024-05-19, C-Base, Berlin
Who am I
- Holger Levsen / holger@debian.org, located in Hamburg, Germany. Born at 329 ppm. He/him. 🏳️🌈🏳️⚧️🖤😷
- Debian user since 1995, and a PGP user since before that.
- I don't know much Rust, I know Debian packaging and processes however.
- I also don't know much about Sequoia yet. 😇
- All the bugs in this talk are mine. 💅
About you
- Who is using GnuPG?
- Who has heard about Sequoia?
- Who has heard about Sequoia Chameleon?
- Who is using Sequoia or has tried?
- Who is using OpenPGP, but neither GnuPG nor Sequoia?
Transparency notes
- Since November 2023 I've been freelancing a few hours per month doing Sequoia work, including on the general Rust ecosystem in Debian.
- So I've done >100 uploads of Rust packages so far - Alexander Kjäll (capitol) prepared most of those uploads, and thanks to the FTP masters for 70 NEW processings too!
- Also many thanks to Daniel Kahn Gillmor (dkg) for discussions, bug reports, testing and much more.
PGP and GPG
- In the distant past, there was PGP, the software.
- Today, PGP basically always means OpenPGP as in the standards definining that.
- GnuPG and Sequoia PGP and >10 other implenentations exist.
Sequoia packages team maintenance
- All Sequoia packages are maintained in the Rust packages maintenance team, with Alexander Kjäll and myself as uploaders.
- dkg was doing Sequoia Debian maintenance in the past (and is still doing GnuPG maintenance work in Debian today) but AIUI wants to focus on OpenPGP (the standards) work.
enough introduction...!
One message to remember,
the original idea of this talk:
- hello world.
- apt install gpg-from-sq
- the end.
One message to remember,
the original idea of this talk:
- apt install gpg-from-sq
- apt install gpgv-from-sq
Some background and some more information.
- https://sequoia-pgp.org, written in Rust. Rust is a multi-paradigm, general-purpose programming language that emphasizes performance, type safety, and concurrency. It enforces memory safety—meaning that all references point to valid memory—without a garbage collector. To simultaneously enforce memory safety and prevent data races, its "borrow checker" tracks the object lifetime of all references in a program during compilation.
Rust was influenced by ideas from functional programming, including immutability, higher-order functions, and algebraic data types.
https://en.wikipedia.org/wiki/Rust_(programming_language)
This is not a talk about Sequoia
- This is just a short talk about Sequoia Chameleon.
- Two Sequoia things to remember still:
/usr/bin/sqapt install libsequoia-octopus-librnp(for Thunderbird)
What is Chameleon?
Sequoia's alternative implementation of a tool following the GnuPG command line interface.- (taken from package description field.)
What is Chameleon?
Sequoia's alternative implementation of a tool following the GnuPG command line interface.- meant as a drop in replacement, using
sqas a backend. - the goal is to be 100% feature and bug compatible (where sensible).
- uses GnuPG's keyring but can also use more sophisticated key management from Sequoia.
- more documentation is being worked on.
apt-cache search chameleon gpg
- sequoia-chameleon-gnupg - Sequoia's GnuPG CLI tools (metapackage)
- gpg-sq - gpg-like OpenPGP CLI toolkit
- gpgv-sq - gpgv-like validator for OpenPGP signatures
- gpg-from-sq - use gpg-sq for /usr/bin/gpg
- gpgv-from-sq - use gpgv-sq for /usr/bin/gpgv
It's finally available in trixie, so on all my trixie production systems I did this:
apt install gpg-from-sq- I also tested this first, outside production:
apt remove gpg-from-sq - ... and so can you!
Thank you. The end.
- not yet, but almost.
more things people did (and I did too).
- apt update #1070700 [n| |↝☣] [gpgv-from-sq] apt complains "Unknown response from gpgv to --assert-pubkey-algo check: gpgv: error: Error parsing command-line arguments"
debsignworks.debsignwith two private keys fails, bug has been filed after this talk: #1071466 [n| | ] [gpg-from-sq] clear-sign failed: Signing key maps to different keys- decrypt a textfile without realizing I was using chameleon.
more things people did and will do
- apt install gpg-from-sq
- apt install gpgv-from-sq
- reportbug gpg-from-sq
- reportbug gpgv-from-sq
- apt install sq
Thank you
🙏
… and all contributors out there!
Any questions, suggestions, ...? 🤷