Mastodawn

minipgp6 is happening.

For the past four weeks I've immersed myself in writing an extremely minimal, modern #OpenPGP software stack.

There's still a lot of work ahead, but the current draft code already feels quite exciting.
It's very modular and currently weighs just over 5k LOC (including a small Stateless OpenPGP CLI tool).

I look forward to publishing a first version of the code in the coming weeks 🚀

#rfc9580 #RustLang #PGP

Delta Chat Dec 28

Relax 😎! GPG is not OpenPGP!

Yesterday, vulnerabilities were published https://gpg.fail but they don't affect #deltachat or other #chatmail clients because

A) We never used #gnupg for anything; we use the modern #rustlang #openpgp implementation @rpgp, security audited multiple times.

B) #openpgp is fine, as modernized in #RFC9580, which already warns against several #gpgfail issues (gpg didn't implement that spec)

Please spread the word that #gpg is not #openpgp ... Thanks! #39c3

gpg.fail

Show thread

David Sardari Nov 9

@Velocifyer @andrewg That's the reason for my plans to switch from #GnuPG to #sequoiapgp, not the #LibrePGP vs #RFC9580 mess. If a RTFM doesn't suffice and it comes down to RTFC (...Code), I am out.

See GnuPG manpage:

❯ gpg --version | head -n 1
gpg (GnuPG) 2.5.13
❯ man gpg | sed -n '/^[[:space:]]*dane/,/^$/p'
              dane   Locate a key using DANE, as specified in draft-ietf-dane-openpgpkey-05.txt.

... and:

The lookup result MUST pass DNSSEC validation; if validation reaches any state other than "Secure", the verification MUST be treated as a failure.

Source: https://datatracker.ietf.org/doc/html/draft-ietf-dane-openpgpkey-05#section-5

Using DANE to Associate OpenPGP public keys with email addresses

OpenPGP is a message format for email (and file) encryption that lacks a standardized lookup mechanism to securely obtain OpenPGP public keys. This document specifies a method for publishing and locating OpenPGP public keys in DNS for a specific email address using a new OPENPGPKEY DNS Resource Record. Security is provided via DNSSEC.

IETF Datatracker

Show thread

David Sardari Oct 5

@mgorny Thanks for planning to bring up my bug (https://bugs.gentoo.org/963069) for discussion in the council. I personally use OpenPGP with all bells and whistles, but agree that what happens lately (#LibrePGP vs #RFC9580) is a s**tshow, and #OpenPGP was never easy to use. When it comes down to it, we should think about what the main use of OpenPGP at Gentoo is. And, that's signing commits if I am not mistaken. If #RFC9580 and #LibrePGP folks can't reach an agreement, I hope that #Git gets some logic implemented that allows it to automatically delegate the task of v5 (LibrePGP) or v6 (RFC9580) signature verification to the correct OpenPGP tool. In that case, users are free to choose the tool of their choice for Git commit signing.

963069 – OpenPGP v5 (LibrePGP) and OpenPGP v6 (RFC 9580) formats are incompatible, GLEP63 should mention and handle this

Jezus Michał "Le Wzdych" (on)Oct 4

No to poprawcie mnie, jeżeli się mylę, co do aktualnego stanu #OpenPGP.

Po pierwsze, jest dawne #RFC4880bis, aktualnie przepychane jako "#LibrePGP", używane przez #GnuPG (i #rnp?), z formatem kluczy "v5" — i zdaje się, że każdy inny projekt spogląda na to z politowaniem.

Po drugie, jest #RFC9580 z formatem kluczy "v6", używany przez #OpenPGPjs, #SequoiaPGP (i inne narzędzia), ale odrzucony przez GnuPG. I wygląda na to, że jest przepychane z założeniem, że GnuPG ugnie się pod presją.

Więc mamy dwa niezgodne ze sobą standardy, ze "wspólnym mianownikiem" w postaci zabytkowego #RFC4880; jedne narzędzia przepychają jeden standard i ignorują drugi, a inne decydują się wspierać oba, by pomóc swoim użytkownikom. A #Gentoo ostatecznie utknie z tym, co wspierać będzie GnuPG, bo potrzebujemy kryptografii, która działa na wszystkich wspieranych platformach, a nie tylko tam, gdzie Rust.

https://bugs.gentoo.org/963069

963069 – OpenPGP v5 (LibrePGP) and OpenPGP v6 (RFC 9580) formats are incompatible, GLEP63 should mention and handle this

Jesus Michał "Le Sigh" 🏔 (he)Oct 4

Okay, so please correct me if I'm wrong about the state of #OpenPGP right now.

So first there's the former #RFC4880bis which is now pursued as "#LibrePGP", used by #GnuPG (and #rnp?), with a "v5" key format, that everyone else seem to looks "politely" at.

Then there's #RFC9580 with a "v6" key format, used by #OpenPGPjs, #SequoiaPGP (and more) but explicitly rejected by GnuPG. However, it seems to be pushed forward under the assumption that GnuPG will yield to pressure.

So we effectively have two incompatible standards, with a "common denominator" of ancient #RFC4880, some tools pursuing one of them with disregard for the other, and a few supporting both for the sake of the users. And #Gentoo is effectively stuck with whatever GnuPG supports, because we need working crypto on all supported platforms, not just the "Rust subset".

https://bugs.gentoo.org/963069

963069 – OpenPGP v5 (LibrePGP) and OpenPGP v6 (RFC 9580) formats are incompatible, GLEP63 should mention and handle this

vanitasvitae Sep 26

I just released #PGPainless 2.0!

The new release comes with support for #OpenPGP v6 (#rfc9580) leveraging #BouncyCastle|s new high-level OpenPGP API internally.

The API saw substantial changes compared to the 1.7 release line. Among others, it migrated away from the singleton pattern towards configurable API instances.

You can download the (Linux_x86_64) native CLI binary binary here: https://github.com/pgpainless/pgpainless/releases/tag/2.0.0

Release PGPainless-CLI 2.0.0 · pgpainless/pgpainless

PGPainless 2.0.0

GitHub

PGPkeys EU Jul 19, 2025

News from the coalface:

Upgrading the #Hockeypuck #openpgp #keyserver in-place has historically not been a smooth experience. In particular, the search indexes are only updated on write during normal operation, and the database schema is not updated at all. When major changes are made to the back end code, the dataset therefore has to be dumped and reloaded. This requires double the disk space and adds to the burden of maintaining a keyserver.

In preparation for #rfc9580 and #pqc keys, we have been working on in-place migrations for the search indexes and database schemas. The hockeypuck master branch now reindexes search terms transparently on startup, which will ensure consistent search results after any changes to the indexing policy. We are also testing a feature to reload the full dataset in-place after an upgrade, which must be run in offline mode due to concurrency limitations, but should otherwise be seamless and does not affect resource usage. Together these changes will reduce the maintenance burden for keyserver operators, and smooth the path for future upgrades.

In-place post-upgrade migrations, plus improved sync resilience, and hopefully a few additional improvements (watch this space!), will be available in the forthcoming 2.3 release, which is generously supported by @NGIZero Core.

qbi Jul 16, 2025

#PGP bzw. genauer #OpenPGP gibt es in verschiedenen Standards:
- RFC 2440
- RFC 4880
- RFC 9580 und
- LibrePGP

Johannes Roth und Falko Strenzke haben die Unterschiede zwischen den wichtigsten Standards herausgearbeitet:
https://github.com/crypto-security-tools/OpenPGP-LibrePGP-comparison

#rfc2440 #rfc4880 #rfc9580 #librepgp

Fabrizio T.Nov 20, 2024

Le slide dell’intervento “(Open|Libre)PGP - Novità, controversie e sviluppi futuri” proposto ad HackЯocchio 2024

https://www.fabriziotarizzo.org/documenti/slide-openpgp-2024/

#OpenPGP #LibrePGP #RFC9580 #hackrocchio

(Open Libre)PGP - Novità, controversie e sviluppi futuri

Slide e risorse per il talk proposto ad HackЯocchio 2024. Il talk presenta le novità introdotte dalla nuova edizione dello standard OpenPGP (RFC 9580), gli sviluppi previsti nel prossimo futuro e discute le controversie che hanno portato alla nascita dello standard “alternativo” LibrePGP

Fabrizio Tarizzo