Sequoia is a cool new OpenPGP implementation. It consists of several crates, providing both a low-level and a high-level API for dealing with OpenPGP data.

The low-level API can be found in the openpgp crate. This crate aims to provide a complete implementation of OpenPGP as defined by RFC 4880 as well as several extensions (e.g., RFC 6637, which describes ECC cryptography for OpenPGP, and RFC 4880bis, the draft of the next OpenPGP standard). This includes support for unbuffered message processing.

The openpgp crate tries hard to avoid dictating how OpenPGP should be used. This doesn't mean that we don't have opinions about how OpenPGP should be used in a number of common scenarios (for instance, message validation).

The high-level API can be found in the sequoia crate, which conveniently includes all the other crates. The high-level API include a public key store, and network access routines.

Please note that as of this writing the high-level API is very incomplete.

Sequoia includes a simple frontend sq (sequoia-sq) that can be used to experiment with Sequoia and OpenPGP. It is also an example of how to use various aspects of Sequoia.

The low-level API is quite feature-complete and can be used encrypt, decrypt, sign, and verify messages. It can create, inspect, and manipulate OpenPGP data on a very low-level.

The high-level API is effectively non-existent, though there is some functionality related to key servers and key stores.

The foreign function interface provides a C API for some of Sequoia's low- and high-level interfaces, but it is incomplete.

There is a mostly feature-complete command-line verification tool for detached messages called 'sqv'.

Sequoia is licensed under the GNU Library General Public License version 2 or any later version. See the file LICENSE.txt or visit https://www.gnu.org/licenses/lgpl-2.0.html for details.

If you want to use Sequoia from Rust in a binary crate, you can simply register the dependency in your Cargo.toml file as with any other project. Please see this guide on how to use Sequoia in a library crate, or how to control the cryptographic backend used by Sequoia.

sequoia-openpgp = "*"

Note that we depend on a number of C libraries, which must be present along with their development packages. See Requirements section below.

Besides being a Rust crate, we also provide a C API, and bindings to other languages, see Bindings.

Sequoia is currently supported on a variety of platforms.

By default it uses the Nettle cryptographic library (version 3.4.1 or up) but it can be used with different cryptographic backends. At the time of writing, it also supports the native Windows [Cryptographic API: Next Generation (CNG)].

Various backends can be enabled via Cargo features, e.g. crypto-nettle or crypto-cng and exactly one can be enabled at a time.

Currently, the crypto-nettle feature is enabled by default - regardless of the operating system used. If you choose to enable a different backend, please make sure to disable the default first.

See [openpgp/README.md#features-flags] for more information.

To build all Sequoia components, simply execute cargo build [--release] --all. Individual components may be built independently, e.g. to build sq, run cargo build [--release] -p sequoia-sq, or build sequoia-openpgp-ffi to build a shared object with the C API.

The command line tool sq can also be built using Docker:

$ docker build -t sq .
$ docker run --rm -i sq --help

For example retrieving a certificate and inspecting its contents:

$ docker run --rm -i sq keyserver get 653909A2F0E37C106F5FAF546C8857E0D8E8F074 > cert.asc
$ docker run --rm -i sq packet dump < cert.asc

A current build of the docker image is available from the gitlab registry. Rename it to sq locally so that it matches the above commands and for convenience.

$ docker pull registry.gitlab.com/sequoia-pgp/sequoia:latest
$ docker tag registry.gitlab.com/sequoia-pgp/sequoia:latest sq
$ docker run --rm -i sq --help

The minimum supported Rust version (MSRV) is 1.67. Sequoia aims to always be compatible with the version included in Debian testing, the MSRV follows what is available there. Increasing the MSRV will be accompanied by a raise in the minor version of all crates.

Building Sequoia requires a few libraries, notably the Nettle cryptographic library version 3.4.1 or up. Please see below for OS-specific commands to install the needed libraries:

# apt install cargo clang git nettle-dev pkg-config libssl-dev

Notes:

• You need at least rustc version 1.60. This is the version included in Debian 12 (bookworm) at the time of writing. You can use rustup if your distribution only includes an older Rust version.
• You need at least Nettle 3.4.1. Both the versions in Debian 10 (Buster) and Debian 11 (Bullseye) are fine.
• libssl-dev is only required by the sequoia-net crate and crates depending on it (sq).

# pacman -S clang git pkgconf rustup --needed

# dnf install cargo clang git nettle-devel openssl-devel

Notes:

• openssl-devel is only required by the sequoia-net crate and crates depending on it (sq).

Development environment for use with nix-shell or direnv:

let
  oxalica_overlay = import (builtins.fetchTarball
    "https://github.com/oxalica/rust-overlay/archive/master.tar.gz");
  nixpkgs = import <nixpkgs> { overlays = [ oxalica_overlay ]; };
  rust_channel = nixpkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain;
in with nixpkgs;
pkgs.mkShell {
  buildInputs = [
    nettle
    openssl
  ];

  nativeBuildInputs = [
    (rust_channel.override{
        extensions = [ "rust-src" "rust-std" ];
    })

    llvmPackages.clang
    pkgconfig

    # tools
    codespell
  ];

  RUST_BACKTRACE = 1;

  # compilation of -sys packages requires manually setting LIBCLANG_PATH
  LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib";
}

$ sudo port install cargo nettle pkgconfig

$ brew install rust nettle

Please make sure to preserve line-endings when cloning the Sequoia repository. The relevant git option is core.autocrlf which must be set to false.

Due to Windows Runners being somewhat slow, we only run them automatically for MRs, which contain windows in the branch name. Please name your branch accordingly when contributing a patch which might affect Windows.

On Windows Sequoia PGP can use one of several cryptographic backends. The recommended one is Windows Cryptography API (CNG) as it doesn't require any additional dependencies. The standard tooling required to build native dependencies (Visual Studio Build Tools) is still needed.

When building, make sure to disable default features (to disable Nettle) and enable the CNG via crypto-cng Cargo feature:

$ cargo build --no-default-features --features crypto-cng,compression # Only change crypto backend

It is also possible to use Sequoia's default backend (Nettle) on Windows through MSYS2.

You can install the needed libraries with the following command:

$ pacman -S mingw-w64-x86_64-{bzip2,clang,gcc,pkg-config,nettle}

MSYS2 can also be used to build Sequoia with the Windows-native CNG backend. The list of packages is the same as for Nettle with the exception of mingw-w64-x86_64-nettle which is not needed. Build command is the same as for the CNG backend.

Sequoia PGP can also be built for 32-bit Windows. See .gitlab-ci.yml for detailed example.

Additionally, the experimental Rust backend can also be used on Windows. See the sequoia-openpgp crate's documentation for details.

Sequoia's documentation is hosted here: https://docs.sequoia-pgp.org/

The guide is hosted here: https://sequoia-pgp.org/guide/

You can join our mailing list by sending a mail to [email protected].

You can talk to us using IRC on OFTC in #sequoia.

Please report bug and feature requests to our bugtracker. If you find a security vulnerability, please refer to our security vulnerability guide.