Chameleon - trying out Sequoia the easy way
OpenPGP written in Rust


Holger Levsen
MiniDebConf Toulouse 2024
2024-11-17

Who am I

  1. Holger Levsen / holger@debian.org, located in Hamburg, Germany. Born at 329 ppm. He/him. 🏳️‍🌈🏳️‍⚧️🖤😷
  2. Debian user since 1995 and around the Chaos Computer Club (CCC) for even longer.
  3. I know many people and this year too many died.
  4. p2-mate and Lunar from Debian, and yesterday after my talk I learned about the 3rd friend from the CCC who died this year. And sadly there were many more...
  5. So today in this lightning talk I want to share a quote I didn't want to share yesterday...

A quote from a friend, part 1:

  1. Since a few days, all these kind words I read all over the place make me cry and shout inside "mayyybe we should tell each other this sort of things more often while we're still alive, what about that?".

A quote from a friend, part 2:

  1. Don't get me wrong, I'm immensely grateful for all the people like y'all who're putting in the effort to write & publish tributes.
    This is amazing for Lunar's close friends and families, and as a way to collectively deal with the death of someone we love/respect/whatever.
    But still, if I'm being honest, once I'm dead I'll be pissed off to know that all these people are saying all these kind things about me that they never told me face to face.

So, seriously, thank you all very very much for your amazing work!

❤️

... and now 5min about sequoia-chameleon-gnupg



(and please, don't thank me today, I'm exhausted and don't wanna further talk about this.
Talk to me about technical stuff or you might hug me.)


Who am I

  1. Holger Levsen / holger@debian.org, located in Hamburg, Germany. Born at 329 ppm. He/him. 🏳️‍🌈🏳️‍⚧️🖤😷
  2. Debian user since 1995, and a PGP user since before that.
  3. I don't know much Rust, I do know Debian packaging and processes however.
  4. I also don't know much about Sequoia or OpenPGP. 😇
  5. All the bugs in this talk are mine. 💅

PGP and GPG

  1. In the distant past, there was PGP, the software.
  2. Today, PGP usually means OpenPGP, as in the standard (RFC 9580) defining it.
  3. (The software called PGP is dead.)
  4. GnuPG and Sequoia PGP and >10 other implementations exist.

Sequoia - OpenPGP written in Rust

  • https://sequoia-pgp.org, written in Rust. Rust is a multi-paradigm, general-purpose programming language that emphasizes performance, type safety, and concurrency. It enforces memory safety—meaning that all references point to valid memory—without a garbage collector. To simultaneously enforce memory safety and prevent data races, its "borrow checker" tracks the object lifetime of all references in a program during compilation. Rust was influenced by ideas from functional programming, including immutability, higher-order functions, and algebraic data types.
    https://en.wikipedia.org/wiki/Rust_(programming_language)

This is not a talk about Sequoia

  • This is just a short talk about Sequoia Chameleon.
  • Other Sequoia things possible:
    • apt install sq (Sequoia OpenPGP commandline client)
    • apt install libsequoia-octopus-librnp (OpenPGP for Thunderbird)
    • apt install sqop (Stateless OpenPGP Protocol)

This is not a talk about Sequoia

  • There's Justus Winter's talk about Sequoia PGP, sq, gpg-from-sq, v6 OpenPGP, and Debian at DebConf24 available thanks to the videoteam.

enough introduction...!

What is Chameleon?

  • Sequoia's alternative implementation of a tool following the GnuPG command line interface.
  • meant as a drop-in replacement, using sq as a backend.
  • the goal is to be 100% feature and bug compatible (where sensible).
  • uses GnuPG's keyring but can also use more sophisticated key management from Sequoia.

One message to remember,
the original idea of this talk:

  • hello world.
  • apt install gpg-from-sq
  • the end.

but as we have more time...

Sequoia packages team maintenance

  1. All Sequoia packages are maintained in the Rust packages maintenance team, with Alexander Kjäll and myself as uploaders.
  2. dkg was doing Sequoia Debian maintenance in the past (and is still doing GnuPG maintenance work in Debian today) but AIUI wants to focus on OpenPGP (the standards) work.

Transparency notes

  1. Since November 2023 I've been freelancing a few hours per month doing Sequoia work, including on the general Rust ecosystem in Debian.
  2. So I've done >100 uploads of Rust packages so far - Alexander Kjäll (capitol) prepared most of those uploads, and thanks to the FTP masters for >70 NEW processings too!
  3. The Debian Rust team is lovely too! 🤗

apt-cache search chameleon gpg

  • sequoia-chameleon-gnupg - Sequoia's GnuPG CLI tools (metapackage)
  • gpg-sq - gpg-like OpenPGP CLI toolkit
  • gpgv-sq - gpgv-like validator for OpenPGP signatures
  • gpg-from-sq - use gpg-sq for /usr/bin/gpg
  • gpgv-from-sq - use gpgv-sq for /usr/bin/gpgv

apt install gpg-sq

  • this installs Sequoia Chameleon GnuPG into /usr/bin/gpg-sq.

apt install gpg-from-sq

  • gpg-from-sq depends on gpg-sq and diverts /usr/bin/gpg so that Sequoia Chameleon GnuPG becomes /usr/bin/gpg.

It's available in trixie, so on all my trixie production systems I did this:

  • apt install gpg-from-sq
  • I also tested this first, outside production:
    apt remove gpg-from-sq
  • ... and so can you!
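
A quick check of which implementation actually answers as /usr/bin/gpg and /usr/bin/gpgv after installing or removing the -from-sq packages. This is an added example, not part of the original talk or of the Sequoia packaging. The function names are hypothetical, and the banner matching assumes Chameleon's `--version` output mentions "Sequoia" while GnuPG's starts with "gpg (GnuPG)".

```shell
#!/bin/sh
# Added example: report which OpenPGP implementation sits behind a gpg path
# and which package (if any) diverts that path.

# classify_banner: read `--version` output on stdin, print the implementation.
# Assumption: Chameleon's banner contains "Sequoia"; GnuPG's first line is
# "gpg (GnuPG) <version>" or "gpgv (GnuPG) <version>".
classify_banner() {
    banner=$(cat)
    case $banner in
        *Sequoia*) echo sequoia-chameleon ;;
        "gpg (GnuPG) "*|"gpgv (GnuPG) "*) echo gnupg ;;
        *) echo unknown ;;
    esac
}

# which_impl BIN: run BIN --version and classify it; "missing" if BIN is
# not an executable command.
which_impl() {
    bin=$(command -v "$1" 2>/dev/null) || { echo missing; return 0; }
    "$bin" --version 2>/dev/null | classify_banner
}

# diversion_state PATH: print the package diverting PATH, "none" if it is
# not diverted, or "no-dpkg" when dpkg-divert is unavailable.
diversion_state() {
    command -v dpkg-divert >/dev/null 2>&1 || { echo no-dpkg; return 0; }
    pkg=$(dpkg-divert --listpackage "$1" 2>/dev/null) || pkg=
    echo "${pkg:-none}"
}

# Report both tools that the -from-sq packages can take over.
for tool in gpg gpgv; do
    path=/usr/bin/$tool
    printf '%s: impl=%s diverted-by=%s\n' \
        "$path" "$(which_impl "$path")" "$(diversion_state "$path")"
done
```

Run it before and after `apt install gpg-from-sq` (and again after `apt remove gpg-from-sq`) to confirm the switch and the rollback both took effect.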

Thank you. The end.

  • not yet, but almost.

more things people did (and I did too).

  • apt update works.
  • debsign works.
  • encrypting and decrypting of files on the commandline works.

more things people did
and hopefully many more will do:

  • apt install gpg-from-sq
  • apt install gpgv-from-sq
  • reportbug gpg-from-sq
  • reportbug gpgv-from-sq
  • apt install sq

Sequoia Chameleon is only available in trixie and newer...

  • and it won't be available in bookworm-backports.

Security support

  • is being discussed with the security team.
  • Probably not for the whole Rust ecosystem but hopefully for some Rust (using) apps like firefox, thunderbird and sequoia ;)
  • We'll see. Help welcome.

Documentation:

  • https://book.sequoia-pgp.org/
  • https://wiki.debian.org/OpenPGP/Sequoia

please file bugs!

  • early and often
  • upstream loves bugs, so they can prioritize and make it work for your use cases.

Thank you
🙏
… and all contributors out there!

Any questions, suggestions, ...? 🤷

Holger Levsen <holger@layer-acht.org>
B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C