Sequoia is a cool new OpenPGP implementation. It consists of several crates, providing both a low-level and a high-level API for dealing with OpenPGP data.
The low-level API can be found in the openpgp crate. This crate aims to provide a complete implementation of OpenPGP as defined by RFC 4880 as well as several extensions (e.g., RFC 6637, which describes ECC cryptography for OpenPGP, and RFC 4880bis, the draft of the next OpenPGP standard). This includes support for unbuffered message processing.
The openpgp crate tries hard to avoid dictating how OpenPGP should be used. This doesn't mean that we don't have opinions about how OpenPGP should be used in a number of common scenarios (for instance, message validation).
The high-level API can be found in the sequoia crate, which conveniently includes all the other crates. The high-level API include a public key store, and network access routines.
Please note that as of this writing the high-level API is very incomplete.
Sequoia includes a simple frontend sq
(sequoia-sq) that can be
used to experiment with Sequoia and OpenPGP. It is also an example of
how to use various aspects of Sequoia.
The low-level API is quite feature-complete and can be used encrypt, decrypt, sign, and verify messages. It can create, inspect, and manipulate OpenPGP data on a very low-level.
The high-level API is effectively non-existent, though there is some functionality related to key servers and key stores.
The foreign function interface provides a C API for some of Sequoia's low- and high-level interfaces, but it is incomplete.
There is a mostly feature-complete command-line verification tool for detached messages called 'sqv'.
Sequoia is licensed under the GNU Library General Public License version 2 or any later version. See the file LICENSE.txt or visit https://www.gnu.org/licenses/lgpl-2.0.html for details.
If you want to use Sequoia from Rust in a binary crate, you can simply
register the dependency in your Cargo.toml
file as with any other
project. Please see this guide on how to use Sequoia in a library
crate, or how to control the cryptographic backend used by Sequoia.
sequoia-openpgp = "*"
Note that we depend on a number of C libraries, which must be present along with their development packages. See Requirements section below.
Besides being a Rust crate, we also provide a C API, and bindings to other languages, see Bindings.
Sequoia is currently supported on a variety of platforms.
By default it uses the Nettle cryptographic library (version 3.4.1 or up) but it can be used with different cryptographic backends. At the time of writing, it also supports the native Windows [Cryptographic API: Next Generation (CNG)].
Various backends can be enabled via Cargo features,
e.g. crypto-nettle
or crypto-cng
and exactly one can be enabled at
a time.
Currently, the crypto-nettle
feature is enabled by default -
regardless of the operating system used. If you choose to enable a
different backend, please make sure to disable the default first.
See [openpgp/README.md#features-flags] for more information.
To build all Sequoia components, simply execute cargo build [--release] --all
. Individual components may be built independently,
e.g. to build sq
, run cargo build [--release] -p sequoia-sq
, or
build sequoia-openpgp-ffi
to build a shared object with the C API.
The command line tool sq
can also be built using Docker:
$ docker build -t sq .
$ docker run --rm -i sq --help
For example retrieving a certificate and inspecting its contents:
$ docker run --rm -i sq keyserver get 653909A2F0E37C106F5FAF546C8857E0D8E8F074 > cert.asc
$ docker run --rm -i sq packet dump < cert.asc
A current build of the docker image is available from the gitlab registry.
Rename it to sq
locally so that it matches the above commands and for convenience.
$ docker pull registry.gitlab.com/sequoia-pgp/sequoia:latest
$ docker tag registry.gitlab.com/sequoia-pgp/sequoia:latest sq
$ docker run --rm -i sq --help
The minimum supported Rust version (MSRV) is 1.67. Sequoia aims to always be compatible with the version included in Debian testing, the MSRV follows what is available there. Increasing the MSRV will be accompanied by a raise in the minor version of all crates.
Building Sequoia requires a few libraries, notably the Nettle cryptographic library version 3.4.1 or up. Please see below for OS-specific commands to install the needed libraries:
# apt install cargo clang git nettle-dev pkg-config libssl-dev
Notes:
- You need at least
rustc
version 1.60. This is the version included in Debian 12 (bookworm) at the time of writing. You can use rustup if your distribution only includes an older Rust version. - You need at least Nettle 3.4.1. Both the versions in Debian 10 (Buster) and Debian 11 (Bullseye) are fine.
libssl-dev
is only required by thesequoia-net
crate and crates depending on it (sq
).
# pacman -S clang git pkgconf rustup --needed
# dnf install cargo clang git nettle-devel openssl-devel
Notes:
openssl-devel
is only required by thesequoia-net
crate and crates depending on it (sq
).
Development environment for use with nix-shell
or direnv
:
`shell.nix`
let
oxalica_overlay = import (builtins.fetchTarball
"https://github.com/oxalica/rust-overlay/archive/master.tar.gz");
nixpkgs = import <nixpkgs> { overlays = [ oxalica_overlay ]; };
rust_channel = nixpkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain;
in with nixpkgs;
pkgs.mkShell {
buildInputs = [
nettle
openssl
];
nativeBuildInputs = [
(rust_channel.override{
extensions = [ "rust-src" "rust-std" ];
})
llvmPackages.clang
pkgconfig
# tools
codespell
];
RUST_BACKTRACE = 1;
# compilation of -sys packages requires manually setting LIBCLANG_PATH
LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib";
}
$ sudo port install cargo nettle pkgconfig
$ brew install rust nettle
Please make sure to preserve line-endings when cloning the Sequoia
repository. The relevant git option is core.autocrlf
which must be
set to false
.
Due to Windows Runners being somewhat slow, we only run them
automatically for MRs, which contain windows
in the branch
name. Please name your branch accordingly when contributing a patch
which might affect Windows.
On Windows Sequoia PGP can use one of several cryptographic backends. The recommended one is Windows Cryptography API (CNG) as it doesn't require any additional dependencies. The standard tooling required to build native dependencies (Visual Studio Build Tools) is still needed.
When building, make sure to disable default features (to disable
Nettle) and enable the CNG via crypto-cng
Cargo feature:
$ cargo build --no-default-features --features crypto-cng,compression # Only change crypto backend
It is also possible to use Sequoia's default backend (Nettle) on Windows through MSYS2.
You can install the needed libraries with the following command:
$ pacman -S mingw-w64-x86_64-{bzip2,clang,gcc,pkg-config,nettle}
MSYS2 can also be used to build Sequoia with the Windows-native CNG
backend. The list of packages is the same as for Nettle with the
exception of mingw-w64-x86_64-nettle
which is not needed. Build
command is the same as for the CNG backend.
Sequoia PGP can also be built for 32-bit Windows. See
.gitlab-ci.yml
for detailed example.
Additionally, the experimental Rust backend can also be used on
Windows. See the sequoia-openpgp
crate's documentation for details.
Sequoia's documentation is hosted here: https://docs.sequoia-pgp.org/
The guide is hosted here: https://sequoia-pgp.org/guide/
You can join our mailing list by sending a mail to [email protected].
You can talk to us using IRC on OFTC in #sequoia
.
Please report bug and feature requests to our bugtracker. If you find a security vulnerability, please refer to our security vulnerability guide.