Experimental support for Sequoia PGP in authentication of Usenet control messages.
Usage in production is not recommended, especially for verification. Code reviews, comments and feedback from hierarchy admins and news server admins are welcome.
Developed with sequoia-sq 1.0.0 installed with cargo on Debian "trixie".
If you are new to the Sequoia PGP command line, please see the user guide and manpages.
Using sequoia for signing
Import (sq key import) your secret signing key into the sequoia keystore.
Old PGP 2.x keys are not supported; if you still use such a key, please upgrade to
a modern key.
Then, edit signcontrol as follows:
my $pgpsigner = 'INSERT_YOUR_FINGERPRINT_OR_USERID';
# Path to sequoia-sq executable.
# A version that supports CLI 1.0.0 is required
# The program name needs to end in sq
my $pgp = "/usr/local/bin/sq";
# set other configuration variables as usual
Using sequoia for verification
Import (sq cert import), verify and trust (sq pki link add) the hierarchy admins'
public signing keys in the sequoia certificate store (see PGPKEYS on the ISC ftp site).
Please note that many hierarchy admins still use old PGP 2.x keys. These keys
have been deprecated since 2007 (RFC 4880) and are not supported by Sequoia or
other modern OpenPGP implementations. We urge hierarchy administrators to update
their signing keys.
Then, edit pgpverify as follows:
# Path to sequoia binary.
# A version that supports CLI 1.0.0 is required
$sq = '/usr/local/bin/sq';
# Set this if you want to support old signatures with
# MD5 or SHA-1 digest algorithms and/or RSA < 2048 bits
# See the `sq config inspect policy' command and the
# `--policy-as-of' flag in the sq manpage
# Please note that sequoia DOES NOT support old PGP 2.x
# keys.
# $sq_policy_as_of = '19970101';
# comment $gpg, $gpgv and $pgp lines
# Set the absolute path to your sequoia home directory
# (see the --home flag in sq manpage)
$keyring = '/path/to/your/sq/home';
# set other configuration variables as usual
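A pre-flight check for the values described above (the sq path set in signcontrol and pgpverify, the sequoia home directory, and the optional policy date), as an added example that is not part of signcontrol or pgpverify. The function names are hypothetical, sq itself is never invoked, and the directory permission test is an assumption of this example rather than a requirement stated here.

```shell
#!/bin/sh
# Added example: sanity checks for the settings edited in signcontrol/pgpverify.
# All function names are hypothetical.

# The sq program: absolute path, name ending in "sq", executable file.
check_sq_path() {
    case "$1" in
        /*sq) ;;
        *) echo "sq path must be absolute and end in sq: $1" >&2; return 1 ;;
    esac
    [ -f "$1" ] && [ -x "$1" ] || { echo "not an executable file: $1" >&2; return 1; }
}

# The sequoia home directory ($keyring in pgpverify): absolute, existing.
check_sq_home() {
    case "$1" in
        /*) ;;
        *) echo "sq home must be an absolute path: $1" >&2; return 1 ;;
    esac
    [ -d "$1" ] || { echo "sq home is not a directory: $1" >&2; return 1; }
    # Assumption of this example: the certificate store holds the trust links,
    # so refuse a directory that group or others can write to.
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "sq home is writable by group or others: $1" >&2; return 1
    fi
}

# $sq_policy_as_of: empty (default policy) or YYYYMMDD as in '19970101'.
# Shape check only; day-of-month ranges are not validated.
check_policy_as_of() {
    [ -z "$1" ] && return 0
    case "$1" in
        [12][0-9][0-9][0-9]0[1-9][0-3][0-9]|[12][0-9][0-9][0-9]1[0-2][0-3][0-9]) ;;
        *) echo "expected YYYYMMDD: $1" >&2; return 1 ;;
    esac
    # A date in the past relaxes the policy (old MD5/SHA-1 digests, RSA < 2048).
    echo "warning: policy as of $1 accepts signatures the current policy rejects" >&2
}

# preflight SQ_PATH SQ_HOME [POLICY_AS_OF]
preflight() {
    check_sq_path "$1" && check_sq_home "$2" && check_policy_as_of "${3:-}"
}

# Usage: sh preflight.sh /usr/local/bin/sq /path/to/your/sq/home [19970101]
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```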