pgpcontrol/README.sequoia.md

**Experimental** support for [Sequoia PGP](https://sequoia-pgp.org/) in authentication of Usenet control messages.

Usage in production is not recommended, especially for verification.
Code reviews, comments and feedback from hierarchy admins and news server admins
are welcome.

Developed with `sequoia-sq` 1.0.0 installed with `cargo` on Debian "trixie".

If you are new to Sequoia PGP command line, please see [user guide](https://sequoia-pgp.gitlab.io/user-documentation/about_sequoia.html)
and [manpages](https://sequoia-pgp.gitlab.io/sequoia-sq/man/sq.1.html).

# Using sequoia for signing

Import (`sq key import`) your secret signing key in the sequoia keystore.
Old PGP 2.x keys are not supported, if you still use such a key please upgrade to
a modern key.

Then, edit `signcontrol` as follows

```
my $pgpsigner = 'INSERT_YOUR_FINGERPRINT_OR_USERID';

# Path to sequoia-sq executable.
# A version that supports CLI 1.0.0 is required
# The program name needs to end in sq
my $pgp = "/usr/local/bin/sq";

# set other configuration variables as usual
```

# Using sequoia for verification

Import (`sq cert import`), verify and trust (`sq pki link add`) hierarchy admins
public signing keys in the sequoia certificate store (see [PGPKEYS](https://ftp.isc.org/pub/pgpcontrol/PGPKEYS)
in the ISC ftp site).
Please note that many hierarchy admins still use old PGP 2.x keys. These keys
have been deprecated since 2007 (RFC 4880) and are not supported by Sequoia or
other modern OpenPGP implementations. We urge hierarchy administrators to update
their signing keys.

Then, edit `pgpverify` as follows

```
# Path to sequoia binary.
# A version that supports CLI 1.0.0 is required
$sq = '/usr/local/bin/sq';

# Set this if you want to support old signatures with
# MD5 or SHA-1 digest algorithms and/or RSA < 2048 bits
# See the `sq config inspect policy' command and the
# `--policy-as-of' flag in the sq manpage
# Please note that sequoia DOES NOT support old PGP 2.x
# keys.
# $sq_policy_as_of = '19970101';

# comment $gpg, $gpgv and $pgp lines

# Set the absolute path to your sequoia home directory
# (see the --home flag in sq manpage)
$keyring = '/path/to/your/sq/home';

# set other configuration variables as usual
```
initial support for sequoia-sq 2024-12-21 15:41:14 +01:00			`Experimental support for [Sequoia PGP](https://sequoia-pgp.org/) in authentication of Usenet control messages.`

			`Usage in production is not recommended, especially for verification.`
			`Code reviews, comments and feedback from hierarchy admins and news server admins`
			`are welcome.`

			Developed with `sequoia-sq` 1.0.0 installed with `cargo` on Debian "trixie".

			`If you are new to Sequoia PGP command line, please see [user guide](https://sequoia-pgp.gitlab.io/user-documentation/about_sequoia.html)`
			`and [manpages](https://sequoia-pgp.gitlab.io/sequoia-sq/man/sq.1.html).`

			`# Using sequoia for signing`

			Import (`sq key import`) your secret signing key in the sequoia keystore.
			`Old PGP 2.x keys are not supported, if you still use such a key please upgrade to`
			`a modern key.`

			Then, edit `signcontrol` as follows

			```
			`my $pgpsigner = 'INSERT_YOUR_FINGERPRINT_OR_USERID';`

			`# Path to sequoia-sq executable.`
			`# A version that supports CLI 1.0.0 is required`
			`# The program name needs to end in sq`
			`my $pgp = "/usr/local/bin/sq";`

			`# set other configuration variables as usual`
			```

			`# Using sequoia for verification`

			Import (`sq cert import`), verify and trust (`sq pki link add`) hierarchy admins
			`public signing keys in the sequoia certificate store (see [PGPKEYS](https://ftp.isc.org/pub/pgpcontrol/PGPKEYS)`
			`in the ISC ftp site).`
			`Please note that many hierarchy admins still use old PGP 2.x keys. These keys`
			`have been deprecated since 2007 (RFC 4880) and are not supported by Sequoia or`
			`other modern OpenPGP implementations. We urge hierarchy administrators to update`
			`their signing keys.`

			Then, edit `pgpverify` as follows

			```
			`# Path to sequoia binary.`
			`# A version that supports CLI 1.0.0 is required`
			`$sq = '/usr/local/bin/sq';`

			`# Set this if you want to support old signatures with`
			`# MD5 or SHA-1 digest algorithms and/or RSA < 2048 bits`
			# See the `sq config inspect policy' command and the
			# `--policy-as-of' flag in the sq manpage
			`# Please note that sequoia DOES NOT support old PGP 2.x`
			`# keys.`
			`# $sq_policy_as_of = '19970101';`

			`# comment $gpg, $gpgv and $pgp lines`

			`# Set the absolute path to your sequoia home directory`
			`# (see the --home flag in sq manpage)`
			`$keyring = '/path/to/your/sq/home';`

			`# set other configuration variables as usual`
			```