Chameleon - trying out Sequoia the easy way
OpenPGP written in Rust


Holger Levsen
DebConf24, Busan, South Korea
2024-07-30

Who am I

  1. Holger Levsen / holger@debian.org, located in Hamburg, Germany. Born at 329 ppm. He/him. 🏳️‍🌈🏳️‍⚧️🖤😷
  2. Debian user since 1995, and a PGP user since before that.
  3. I don't know much Rust, I do know Debian packaging and processes however.
  4. I also don't know much about Sequoia or OpenPGP. 😇
  5. All the bugs in this talk are mine. 💅
    6.

About you

  • Who is using GnuPG?
  • Who has heard about Sequoia?
  • Who has heard about Sequoia Chameleon?
  • Who is using Sequoia (Chameleon or not) or has tried?
  • Who is using OpenPGP, but neither GnuPG nor Sequoia?

Other OpenPGP related talks at DebConf24

  • Sunday: Continuous Key-Signing Party introduction by Gunnar Wolf
  • Monday: Gnuk 2.2 and Gnuk NEXT by NIIBE Yutaka
  • Tuesday: Sequoia PGP, sq, gpg-from-sq, v6 OpenPGP, and Debian by Justus Winter
  • Tuesday: Protecting OpenPGP keyservers from certificate flooding by Gunnar Wolf

PGP and GPG

  1. In the distant past, there was PGP, the software.
  2. Today, PGP usually means OpenPGP as in the standards definining that. (The software called PGP is dead.)
  3. GnuPG and Sequoia PGP and >10 other implementations exist.

Sequoia - OpenPGP written in Rust

  • https://sequoia-pgp.org, written in Rust. Rust is a multi-paradigm, general-purpose programming language that emphasizes performance, type safety, and concurrency. It enforces memory safety—meaning that all references point to valid memory—without a garbage collector. To simultaneously enforce memory safety and prevent data races, its "borrow checker" tracks the object lifetime of all references in a program during compilation. Rust was influenced by ideas from functional programming, including immutability, higher-order functions, and algebraic data types.
    https://en.wikipedia.org/wiki/Rust_(programming_language)

What is Chameleon?

  • Sequoia's alternative implementation of a tool following the GnuPG command line interface.
  • ment as a drop in replacement, using sq as a backend.
  • the goal is to be 100% feature and bug compatible (where sensible).
  • uses GnuPG's keyring but can also use more sophisticated key management from Sequoia.
  • more documentation is being worked on.

This is not a talk about Sequoia

  • This is just a short talk about Sequoia Chameleon.
  • Other Sequoia things possible:
    • apt install sq (Sequoia OpenPGP commandline client)
    • apt install libsequoia-octopus-librnp (OpenPGP for Thunderbird)
    • apt install sqop (Stateless OpenPGP Protocol)

enough introduction...!

One message to remember,
the original idea of this talk:

  • hello world.
  • apt install gpg-from-sq
  • the end.

but as we have more time...

Sequoia packages team maintenance

  1. All Sequoia packages are maintained in the Rust packages maintenance team, with Alexander Kjäll and myself as uploaders.
  2. dkg was doing Sequoia Debian maintenance in the past (and is still doing GnuPG maintenance work in Debian today) but AIUI wants to focus on OpenPGP (the standards) work.

Transparency notes

  1. Since November 2023 I've been freelancing a few hours per month doing Sequoia work, including on the general Rust ecosystem in Debian.
  2. So I've done >100 uploads of Rust packages so far - Alexander Kjäll (capitol) prepared most of those uploads, and thanks to the FTP masters for >70 NEW processings too!
  3. Also many thanks to Daniel Kahn Gillmor (dkg) for discussions, bug reports, testing and much more.
  4. The Debian Rust team is lovely too! 🤗

apt install gpg-sq

  • this installs Sequoia Chameleon GnuPG into /usr/bin/gpg-sq.

apt install gpg-from-sq

  • this diverts /usr/bin/gpg so that Sequoia Chameleon GnuPG becomes /usr/bin/gpg.

apt-cache search chameleon gpg

  • sequoia-chameleon-gnupg - Sequoia's GnuPG CLI tools (metapackage)
  • gpg-sq - gpg-like OpenPGP CLI toolkit
  • gpgv-sq - gpgv-like validator for OpenPGP signatures
    •
  • gpg-from-sq - use gpg-sq for /usr/bin/gpg
  • gpgv-from-sq - use gpgv-sq for /usr/bin/gpgv
    •

It's finally available in trixie, so on all my trixie production systems I did this:

  • apt install gpg-from-sq
  • I also tested this first, outside production:
    apt remove gpg-from-sq
  • ... and so can you!

Thank you. The end.

  • not yet, but almost.

more things people did (and I did too).

  • apt update fails: #1070700 [n| |↝☣] [gpgv-from-sq] apt complains "Unknown response from gpgv to --assert-pubkey-algo check: gpgv: error: Error parsing command-line arguments"
  • debsign works.
  • debsign with two private keys might fail: #1071466 [n| | ] [gpg-from-sq] clear-sign failed: Signing key maps to different keys
  • decrypt a textfile without realizing I was using chameleon.

more things people did
and hopefully many more will do:

  • apt install gpg-from-sq
  • apt install gpgv-from-sq
  • reportbug gpg-from-sq
  • reportbug gpgv-from-sq
    •
  • apt install sq

Sequoia Chameleon is only available in trixie and newer...

  • and it won't be available in bookworm-backports.
  • but there is one nice command available for GnuPG users on stable too:
  • sudo apt install sq ; sq network fetch 091AB856069AAA1C -o - | gpg --import
  • IMO much better than gpg --recv-keys 091AB856069AAA1C and dealing with gpg.conf and choosing keyservers...!
    •

please file bugs!

  • early and often
  • upstream loves bugs, so they can priotize and make it work for your usecases.

Thank you
🙏
… and all contributors out there!

Any questions, suggestions, ...? 🤷

Holger Levsen <holger@layer-acht.org>
B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C