pgpcontrol/README.sequoia.md
2024-12-21 15:41:14 +01:00

Experimental support for Sequoia PGP in authentication of Usenet control messages.

Usage in production is not recommended, especially for verification. Code reviews, comments and feedback from hierarchy admins and news server admins are welcome.

Developed with sequoia-sq 1.0.0 installed with cargo on Debian "trixie".

If you are new to the Sequoia PGP command line, please see the user guide and manpages.

## Using sequoia for signing

Import (sq key import) your secret signing key into the sequoia keystore. Old PGP 2.x keys are not supported; if you still use such a key, please upgrade to a modern key.

Then, edit signcontrol as follows:

```perl
# Fingerprint or user ID of the secret key imported into the sequoia keystore.
my $pgpsigner = 'INSERT_YOUR_FINGERPRINT_OR_USERID';

# Path to the sequoia-sq executable.
# A version that supports CLI 1.0.0 is required.
# The program name needs to end in "sq" so that signcontrol selects
# the sequoia code path.
my $pgp = "/usr/local/bin/sq";

# Set other configuration variables as usual.
```

## Using sequoia for verification

Import (sq cert import), then verify and trust (sq pki link add) the hierarchy admins' public signing keys in the sequoia certificate store (see PGPKEYS on the ISC ftp site). Please note that many hierarchy admins still use old PGP 2.x keys. These keys have been deprecated since 2007 (RFC 4880) and are not supported by Sequoia or other modern OpenPGP implementations. We urge hierarchy administrators to update their signing keys.

Then, edit pgpverify as follows:

```perl
# Path to the sequoia-sq binary.
# A version that supports CLI 1.0.0 is required.
$sq = '/usr/local/bin/sq';

# Set this if you want to accept old signatures made with the
# MD5 or SHA-1 digest algorithms and/or RSA keys < 2048 bits.
# The date is applied as sq's `--policy-as-of' flag, so the
# cryptographic policy in force on that date is used instead of
# today's (see `sq config inspect policy' and the sq manpage).
# Leave it unset to keep the current, stricter policy.
# Please note that sequoia DOES NOT support old PGP 2.x keys
# regardless of this setting.
# $sq_policy_as_of = '19970101';

# Comment out the $gpg, $gpgv and $pgp lines.

# Set the absolute path to your sequoia home directory
# (see the --home flag in the sq manpage).
$keyring = '/path/to/your/sq/home';

# Set other configuration variables as usual.
```
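The following Perl script is an added example, not code from signcontrol, pgpverify or the Sequoia project, showing how both the signing settings and the verification settings above translate into sq invocations. It assumes the sq 1.0 global flags `--home` and `--policy-as-of`, the subcommands `sq sign --cleartext --signer` and `sq verify --cleartext --signer`, and that sq reads the message from stdin when no file is given; confirm these against `sq --help` on your installation. The helper names (`sq_global_opts`, `run_sq`, `sign_control`, `verify_control`) are hypothetical.

```perl
#!/usr/bin/perl
# Added example: driving sequoia-sq from Perl with the README's settings.
# Flag names are assumed from the sq 1.0 CLI; check `sq --help`.
use strict;
use warnings;
use IPC::Open3;
use Symbol 'gensym';

my $sq              = '/usr/local/bin/sq';                # as in signcontrol/pgpverify
my $keyring         = '/path/to/your/sq/home';            # absolute path, passed to --home
my $pgpsigner       = 'INSERT_YOUR_FINGERPRINT_OR_USERID'; # key in the sq keystore
my $sq_policy_as_of = undef;                              # e.g. '19970101' to accept legacy digests

# Global options shared by every sq call.  --policy-as-of is only added
# when the admin has explicitly opted in, so the default stays strict.
sub sq_global_opts {
    my @opts = ('--home', $keyring);
    push @opts, '--policy-as-of', $sq_policy_as_of if defined $sq_policy_as_of;
    return @opts;
}

# Run sq with @args, feeding $input on stdin.
# Returns (exit_status, stdout, stderr).  Control messages are small, so
# reading stdout fully before stderr cannot deadlock on pipe buffers here.
sub run_sq {
    my ($input, @args) = @_;
    my $err = gensym;
    my $pid = open3(my $in, my $out, $err, $sq, sq_global_opts(), @args);
    print {$in} $input;
    close $in;
    local $/;
    my $stdout = <$out>;
    my $stderr = <$err>;
    waitpid($pid, 0);
    return ($? >> 8, $stdout // '', $stderr // '');
}

# Produce a cleartext-signed control message (signcontrol side).
# Assumes `--signer' accepts the fingerprint; a user ID would need the
# corresponding --signer-userid designator (assumed name).
sub sign_control {
    my ($body) = @_;
    my ($status, $signed, $err) =
        run_sq($body, 'sign', '--cleartext', '--signer', $pgpsigner);
    die "sq sign failed (exit $status): $err" if $status != 0;
    return $signed;
}

# Verify a cleartext-signed message against the hierarchy admin's key
# (pgpverify side).  sq exits non-zero unless the signature is good AND
# the signer certificate is trusted in the store (sq pki link add), so a
# single exit-status check covers both conditions that matter here.
sub verify_control {
    my ($signed, $expected_signer) = @_;
    my ($status, $out, $err) =
        run_sq($signed, 'verify', '--cleartext', '--signer', $expected_signer);
    return $status == 0 ? (1, $out) : (0, $err);
}

# Constructed sample usage; requires a populated sq home to actually run.
if (@ARGV && $ARGV[0] eq '--demo') {
    my $signed = sign_control("Control: newgroup example.test\n");
    my ($ok, $detail) = verify_control($signed, $pgpsigner);
    print $ok ? "verified:\n$detail" : "NOT verified:\n$detail";
}
```

When `$sq_policy_as_of` is set, every verification is judged by the policy of that date, not just signatures from legacy keys; keep it unset unless a specific hierarchy still signs with MD5/SHA-1 or a short RSA key, and review `sq config inspect policy` to see exactly what the chosen date permits.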