|
|
Subscribe / Log in / New account

A look at the Sequoia command-line interface

By Daroc Alden
January 8, 2025

The Sequoia OpenPGP library has been in development for some time. LWN covered the library in 2020. Now the project's command-line interface has been released. The sq tool offers a promising alternative to the venerable GNU Privacy Guard (GPG) tool — albeit one with a different interface, set of terminology, and approach to the web of trust. Several distributions are making increasing use of the tool behind the scenes.

The Sequoia documentation opens with a warning that the tool uses different terminology than existing OpenPGP implementations. This warning is deserved: what other tools call "public keys", Sequoia calls "certificates". It refers to private keys as merely "keys". The documentation justifies the difference by observing that what OpenPGP and related implementations call a "public key" really bundles a lot of unrelated data: user IDs, metadata, preferences, certifications, signatures, and subkeys, as well as the actual key material itself. Sequoia calls OpenPGP public keys "certificates" in order to emphasize that they are really more than just keys.

Despite those differences, Sequoia's basic operations with keys and certificates are fairly straightforward: 

    # Import an existing (private) key
    sq key import $KEYFILE
    # Import a (public) certificate
    sq cert import $FILE

The design of Sequoia's command-line interface takes a different approach from that of GPG, which is designed with interactive use in mind, and will prompt the user with different options when appropriate. Instead, Sequoia automatically uses default values as much as possible. Configuring any operations is done with additional command-line flags — thankfully, the tool ships with comprehensive command-line completion support, so it is fairly easy to see what options are available. For example: 

    sq key generate --own-key --name 'Test Key'

That command generates a key with the default configuration. The only value the tool prompts for is the key's passphrase. Any other configuration, such as changing the kind of key generated, needs to be specified on the command line.

The default configuration is fairly sensible: it creates a 256-bit EdDSA primary key with an expiration date three years in the future, plus separate subkeys for signing, authentication, and encryption. The signing and authentication subkeys also use EdDSA, but the encryption subkey is a 256-bit ECDH key instead. The cipher suite, expiration time, user ID, email, and so on can all be set with appropriate command-line flags. Sequoia offers fewer cipher suites than GPG does, however: RSA in 2K, 3K, and 4K variants, plus Curve25519 elliptic keys.

One nice touch is that when Sequoia generates a key, it also automatically generates a revocation certificate for it, stored under ~/.local/share/sequoia/revocation-certificates. If the key is later compromised, the user can quickly publish that pre-prepared revocation certificate. Sequoia's interface was clearly designed with that kind of convenience in mind; after running a command, the tool will suggest relevant follow-up commands, which makes it easy to go through common workflows even for users who do not use the tool regularly.

One area of the interface is somewhat unavoidably complex, however: the commands that deal with the web of trust. In its interface Sequoia tries to emphasize the difference between information that can be cryptographically verified and information that has merely been asserted by a human. For example, this is the output from attempting to verify a valid signature on a file, where the signature was made by a certificate that the user has not told Sequoia to trust:

[A screenshot of the sequoia command-line tool; click for textual version]

Sequoia calls signatures that are cryptographically valid, but not necessarily from the right person, "unauthenticated". As the command suggests, when the user has determined that a particular certificate does belong to the person that it claims, they can mark the certificate as authenticated with "sq pki link add". The Sequoia documentation is clear that the tool cannot tell the user when a certificate should be authenticated, saying: "Authenticity can only be established by humans."

By default, the tool doesn't mark any certificates as authenticated except those created with the --own-key flag, because, presumably, the user trusts themselves to be who they say they are.

Marking every individual certificate as authenticated would be tedious, however, which is where the web of trust comes in. Once a user has marked a certificate as authenticated, they can then go on to "certify" that certificate — publishing their authentication for other users to rely on. To do this, the user runs "sq pki vouch certify" which generates an exportable signature attesting that the certificate belongs to the person it claims to. Then this signature can be published to a network keyserver with "sq network keyserver publish".

Other users can rely on these attestations by marking a particular key as a "trusted introducer"; using the "sq pki link authorize" command, the user can say that vouches from a particular key should be believed. Like in GPG, this trust can be applied transitively, up to a configurable depth and with configurable weights for each key. Unlike GPG, Sequoia also supports restricting which keys a trusted introducer is allowed to vouch for according to a regular expression. So, for example, if the user trusts someone to identify their coworkers but not to identify arbitrary people, they could restrict that person's key to only vouch for other keys with a matching email domain.

Before being able to authenticate a certificate by hand or through the web of trust, however, one must first obtain a copy of it. Many certificates are distributed via OpenPGP keyservers, Web Key Directories (WKD), or DNS-Based Authentication of Named Entities (DANE); Sequoia has a command ("sq network search") that will try to retrieve a certificate from all of these sources in parallel. At the same time, it also fetches any published attestations to potentially authenticate the certificate with.

Compatibility

Sequoia has been usable as a library for a while, even if the command-line interface has only recently been made ready. In fact, it is already used as the internal OpenPGP implementation for both RPM and DNF, Fedora's package managers and may soon be used in Debian-based distributions by APT. The Fedora project said that the change was motivated by "improved security and standards-compliance". But many programs don't use a PGP library, and instead use GPG as a command-line tool. For example, Git can call out to GPG or SSH in order to make and verify signatures.

This makes the prospect of porting software away from GPG daunting. So Sequoia also provides an implementation of GPG's command line (called the "GPG Chameleon"), which is intended to be a mostly drop-in replacement. There are a few known differences, such as specifically rejecting some weak algorithms that GPG allows, and a lack of translations or localizations (beyond date and time). By and large, these should not be an obstacle for scripts interacting with GPG's command-line interface.

The other main functional difference with Sequoia's reimplementation is that it stores any modified information in an overlay (a separate directory under ~/.gnupg) that is invisible to GnuPG (and uses Sequoia's database internally). On the one hand, this makes moving from Sequoia back to GnuPG somewhat tedious, because any changes need to be translated over. On the other hand, this makes it safe to try the Chameleon without worrying about accidentally breaking an existing GPG installation. Plus, a user can use the native sq front end, while still relying on programs that invoke gpg.

Overall, Sequoia presents a usable alternative to GPG. The first 1.0 release of a project is sometimes a bit rough, but in Sequoia's case that does not appear to be the case. The tool supports all of the basic operations of an OpenPGP implementation, integrates well with existing software, and has a discoverable interface that makes it easy to come up to speed in a short time. It definitely does not support everything that GPG does, but support for additional cryptographic algorithms seems likely to come in time.


to post comments

Applause

Posted Jan 9, 2025 14:49 UTC (Thu) by pj (subscriber, #4506) [Link] (9 responses)

Kudos to the Sequoia team! Multiple projects competing and collaborating can only improve the overall experience and usability in the space.

Applause

Posted Jan 19, 2025 20:24 UTC (Sun) by aheinecke (subscriber, #93141) [Link] (8 responses)

As a reply to your comment I started to outline why good competition didn't happen here. Since GnuPG is a secure and mostly done tool there was no real need to innovate on it. There is of course a lot of room for innovation on the UX side of end to end encryption and security but instead sequoia focused on the core part that isn't broken.

To share my perspective, I thought it better to write it as a blog post: https://gnupg.org/blog/20250117-aheinecke-on-sequoia.html

Applause

Posted Jan 19, 2025 20:34 UTC (Sun) by intelfx (subscriber, #130118) [Link]

> Since GnuPG is a secure and mostly done tool

Maybe from the point of view (read "echo chamber") of its developers.

For multiple years, GnuPG (and its immediate supporting ecosystem) has been at the top of my personal list of software so obtuse, out-of-touch with its use cases, and unnecessarily complicated to use that it almost crosses the line into deliberate user hostility.

It might be "secure" and "done", but quite frankly, it's bad software.

On the blog post

Posted Jan 19, 2025 20:58 UTC (Sun) by intelfx (subscriber, #130118) [Link]

I wrote my last comment before reading the linked blog post. Having read it, I really don't think it helps your cause. The entirety of the post reads excessively defensive and dismissive in hand-waving away pretty much every motivation of your opponent as "bad faith".

Where you claim to see bad faith, "need for churn" and "inventing new problems", others might see missing features, suboptimal UX and deliberately ignored use cases. Especially when you proudly claim that "you don't want to change" and preemptively dismiss any innovation as "unnecessary changes" that never outweigh supposed risks.

This isn't how you persuade anyone to side with you.

I read the blog post as offensive

Posted Jan 20, 2025 10:15 UTC (Mon) by farnz (subscriber, #17727) [Link] (5 responses)

I've just read that blog post - effectively, you're saying "if you ignore the important parts of the tool, and the key reasons why people were dissatisfied with GnuPG, then there were no reasons to write a new tool, and I'm offended that you disagree on what's important". Further, it includes the assumption that Sequoia exists to make proprietary software easier, rather than to increase security overall, and adds in a stab at the idea that a different programming language could possibly have benefits.

Given how poor GnuPG's support for being used as a library in software like RPM, KMail and Evolution is, that's not a great look - it may well be easier to restart from scratch in a different language than to write a good C library API for the existing codebase. Further, for security software, UX is absolutely critical - the human in the loop is the easiest thing to attack, then the implementations of algorithms, and the algorithms themselves are hardest to attack. Saying that you don't care about the easiest bits to attack is not a great look for a security project.

It does not portray the GnuPG project in a good light; every project is good if you exclude the areas where people were dissatisfied with it, and no new project in any area has a reason to exist if you assume the existing project is good.

I read the blog post as offensive

Posted Jan 20, 2025 11:07 UTC (Mon) by aheinecke (subscriber, #93141) [Link] (4 responses)

Well, its a fact that the salaries of the sequoia developers for the first years were paid because P€P couldn't use GnuPG due to the copyleft licensing take from that what you want. But it irks me that arguments raise that sequoia is required because of a commercialised GnuPG.

> Given how poor GnuPG's support for being used as a library in software like RPM, KMail and Evolution is, that's not a great look - it may well be
> easier to restart from scratch in a different language than to write a good C library API for the existing codebase.

Of course I am biased, I worked on KMail and GnuPG and the GPGME C Library since 2009 and maintained parts of it for close to a decade. And added PGP/MIME support through GPGME to Outlook. So don't expect me to agree with you that its bad and in dire need of replacement. :)

> Further, for security software, UX is absolutely critical - the human in the loop is the easiest thing to attack, then the implementations of algorithms,
> and the algorithms themselves are hardest to attack. Saying that you don't care about the easiest bits to attack is not a great look for a security
> project.

I totally agree. The human is the easiest, then the endpoint and then the implementations and algorithms. Thats why i think sequoia isn't helping with UX when they attack and want to replace the implementation. Creating more work and strife that is not helping.

But of course the blog post is offensive! I am saying that sequoia is unnecessary, unhelpful and developed in bad faith.

I read the blog post as offensive

Posted Jan 21, 2025 10:29 UTC (Tue) by farnz (subscriber, #17727) [Link] (3 responses)

OK, so you claim to own the "moral rights" to implement OpenPGP in free software, and are offended that someone else was paid to do the same thing that is "your" right, rather than paying you to do it. And it's problematic because you've got a setup that works for you, and this duplicates it, allowing people other than you to work on OpenPGP implementations.

This really does read like you getting upset that you had a nice little niche with no competition, and a second implementation of OpenPGP means that other people might muscle in on your niche. Not a good look at all.

I read the blog post as offensive

Posted Jan 21, 2025 11:08 UTC (Tue) by dd9jn (✭ supporter ✭, #4459) [Link] (2 responses)

I can't read that Andre wrote anything about his/our moral rights to implement OpenPGP. His whole rant is about destroying a well working protocol by changing the specification in way which benefits a new implementation (and in particular the web deployed Proton stuff which actually required the addition of GCM). The technical required changes to adopt OpenPGP to current algorithms were not large. However, the Sequioa folks decided that they want a Second System Effect on the *protocol* instead of incremental adjustments. Changing the rail gauge in the whole continent so to sell new engines?

BTW, there are other well known and widely used implementations of OpenPGP for many years. For example BouncyCastle is used by many proprietary commercial OpenPGP implementations.

I read the blog post as offensive

Posted Jan 21, 2025 11:12 UTC (Tue) by farnz (subscriber, #17727) [Link] (1 responses)

The part of his rants I'm picking up on is how by having commercial support prefer sq to GnuPG, it's taking away his funding (as if he has some sort of right to funding for OpenPGP work), and that sq by coming up with a new UX is not helping UX work, because they should have done it as part of his pet project, not as a new project.

And I can't find where Sequoia is incompatible with previous OpenPGP implementation - sure, there's new stuff as well, and there's been efforts to drive OpenPGP forwards into more niches, but blaming a competing implementation for supporting a standardised extension just because some of the people who worked on that implementation also pushed for new stuff to drive OpenPGP into new niches just has "get off my lawn" vibes.

I read the blog post as offensive

Posted Jan 21, 2025 11:46 UTC (Tue) by dd9jn (✭ supporter ✭, #4459) [Link]

Maybe I have not read Andre's blog diligent enough but in general I agree with the core of his comments. What he did not wrote is that Sequioa took away our funding. We do not have any funding but we sell support for pre-configured GnuPG software to governmental and industrial users. This works pretty well for us and everyone benefits from that (in particular all Gpg4win users). The problem is that the whole IETF WG mess started to destroy the good repudiation in the (Open)PGP protocol and of all its implementations. Managers may eventually notice that and we will have again a hard time to explain the benefits of OpenPGP over the X.509 :-(

Trust Model Correction

Posted Jan 10, 2025 10:46 UTC (Fri) by neal (subscriber, #7439) [Link] (5 responses)

Unlike GPG, Sequoia also supports restricting which keys a trusted introducer is allowed to vouch for according to a regular expression.
Actually, GPG does support restricting delegations using regular expressions. This can be done using gpg --edit-key FINGERPRINT, and the tsign or tlsign command: 
$ /usr/bin/gpg -u D60E2CCBE2AF7A902FEECD00AFFEBA0C4B0824CF --edit-key 34F9E4B6A0A70BFEC5AE45198356989DF1977575
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/0x8356989DF1977575
     created: 2022-02-09  expires: never       usage: C   
     trust: unknown       validity: unknown
sub  rsa4096/0x999AE7F28B459472
     created: 2022-02-09  expires: never       usage: S   
[ unknown] (1). OpenPGP CA <openpgp-ca@sequoia-pgp.org>

gpg> tlsign

pub  rsa4096/0x8356989DF1977575
     created: 2022-02-09  expires: never       usage: C   
     trust: unknown       validity: unknown
 Primary key fingerprint: 34F9 E4B6 A0A7 0BFE C5AE  4519 8356 989D F197 7575

     OpenPGP CA <openpgp-ca@sequoia-pgp.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I trust marginally
  2 = I trust fully

Your selection? 2

Please enter the depth of this trust signature.
A depth greater than 1 allows the key you are signing to make
trust signatures on your behalf.

Your selection? 255

Please enter a domain to restrict this signature, or enter for none.

Your selection? sequoia-pgp.org

Are you sure that you want to sign this key with your
key "Alice <alice@example.org>" (0xAFFEBA0C4B0824CF)

The signature will be marked as non-exportable.

Really sign? (y/N) y

gpg> save
That this useful functionality is not well known and, I'd argue, hard to discover is one of the things that we're trying to improve in sq. The equivalent of the above with sq is: 
$ sq pki link authorize --cert 34F9E4B6A0A70BFEC5AE45198356989DF1977575 --all --domain sequoia-pgp.org
 - ┌ 34F9E4B6A0A70BFEC5AE45198356989DF1977575
   └ OpenPGP CA <openpgp-ca@sequoia-pgp.org>
   - certification created
Sequoia and gpg's trust models have one important similarity and two important differences.

The similarity is that they are both built on the same underlying mechanisms. The current OpenPGP RFC (and the older revisions) defines constructs like trust signatures, which both gpg and Sequoia understand and emit. In this regard, the implementations are interoperable.

Unfortunately, the OpenPGP RFC does not define high-level authentication semantics. The trust model that GPG implements is documented for end users, but I'm not aware of a specification. After spending some time reverse engineering it, we decided to go a different route, which we think is more intuitive to end users, is largely (but not completely) compatible with GPG, and is more performant. I documented our approach here. (PGPainless has also implemented it.) The major difference is that we treat authentication as a maximum flow problem. That is, the induced authentication network is treated as a flow network, and authenticating a user ID and certificate binding is finding a maximum flow from the trust roots to the binding. This makes determining whether a user ID can be authenticated for a given certificate quick (< 1ms) even for complicated networks with many trusted introducers, and cycles. In contrast, GPG's algorithm has to run offline. On my keyring with 849 certificates and only a handful of trusted introducers, GPG's algorithm takes 27 seconds: 

$ time /usr/bin/gpg --check-trustdb
...
real    0m26.798s
user    0m15.795s
sys     0m10.991s
The second difference is how we expose authentication. This is particularly important for us, due to a related decision: in sq authentication is required; curated keyrings are not supported. For instance using gpg, it is possible to use a certificate even if it hasn't been authenticated: 
$ /usr/bin/gpg -e -r unauthenticated@example.org
gpg: 0x7B1F50AEB31DD3DB: There is no assurance this key belongs to the named user

sub  rsa3072/0x7B1F50AEB31DD3DB 2025-01-10 Unauthenticated <unauthenticated@example.org>
 Primary key fingerprint: 4E89 72BC E43E BF39 79CA  912D 2660 4438 76CE 60FC
      Subkey fingerprint: FB38 B45F 02AA 370B 9550  65B3 7B1F 50AE B31D D3DB

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) 
gpg: signal Interrupt caught ... exiting
sq refuses to use it: 
$ sq encrypt --for-email unauthenticated@example.org --without-signature

  Error: Failed to resolve --for-email "unauthenticated@example.org"
because: 4E8972BCE43EBF3979CA912D2660443876CE60FC, Unauthenticated <unauthenticated@example.org> cannot be authenticated
         at the required level (0 of 120). After checking that Unauthenticated <unauthenticated@example.org> really
         controls 4E8972BCE43EBF3979CA912D2660443876CE60FC, you could certify their certificate by running `sq pki link
         add --cert 4E8972BCE43EBF3979CA912D2660443876CE60FC --userid "Unauthenticated <unauthenticated@example.org>"`.

  Error: Failed to resolve certificates
In sq we spent a lot of time thinking about how to make authentication as easy as possible. This firstly means a well thought out CLI. The most important commands are sq pki link add and sq pki link authorize. In addition to our own gut feelings, we conducted user interviews, which provided good feedback. I'm happy with how they came out. As shown above, it is relatively straightforward to rely on a CA for a particular domain.

The other thing that we do is collect and save evidence. For instance, keys.openpgp.org is a verifying key server. That means that it checks that user IDs are valid. When sq downloads a certificate from keys.openpgp.org, it creates a weak link recording that keys.openpgp.org verified the user ID. Depending on a user's threat model, they can fully trust the local keys.openpgp.org CA, or use it as a simple way to filter out junk. We do the same for certificates fetched via other verifying key servers, WKD, and DANE.

One other small thing of note is that it is possible to temporarily accept a binding. This is useful if you want to use a certificate, but don't have time to thoroughly check it right now and still want to do it later: 

$ sq pki link add --cert CBCD8F030588653EEDD7E2659B7DD433F254904A --all --temporary
 - ┌ CBCD8F030588653EEDD7E2659B7DD433F254904A
   └ Justus Winter <justus@sequoia-pgp.org>
   - certification created
...

Trust Model Correction

Posted Jan 10, 2025 13:17 UTC (Fri) by daroc (editor, #160859) [Link] (4 responses)

Thank you for the detailed reply! You're right that the ability to restrict keys by domain in GPG is not well documented; I checked the documentation while writing the article and didn't see it.

It's also interesting to hear that Sequoia treats it as a max-flow problem — that's the sort of clever approach that's obvious is retrospect.

Trust Model Correction

Posted Jan 10, 2025 13:44 UTC (Fri) by neal (subscriber, #7439) [Link]

My pleasure. Thank you for the write up.

Trust Model Correction

Posted Jan 13, 2025 8:39 UTC (Mon) by dd9jn (✭ supporter ✭, #4459) [Link] (2 responses)

The vast majority of GnuPG users are using Kleopatra as their GUI. The way to certify a key as a trusted introducer is pretty straighforward and (in decent versions) supported even by tooltips:

https://dev.gnupg.org/u/ScTrustedIntroducer

BTW, we introduced the term "certificate" for public keys years before Neal even worked for GnuPG. (e.e. in 2008 Kleopatra was renamed from "KDE Certificate Manager" to "Certificate Manager and Unified Crypto GUI" https://dev.gnupg.org/rKLEOPATRAa205f3c3d958 )

Trust Model Correction

Posted Jan 19, 2025 14:36 UTC (Sun) by juliank (guest, #45896) [Link] (1 responses)

That seems like a bold statement to me, I never heard of Kleopatra until like a couple weeks ago when I read it while doing some obscure OpenPGP things. I'd wager the main ways to use GnuPG are the terminal, or pinentry support from mail clients, and managing keys in Seahorse.

Trust Model Correction

Posted Jan 20, 2025 11:08 UTC (Mon) by dd9jn (✭ supporter ✭, #4459) [Link]

Kleopatra is for ages the certificate manager in KDE. Granted, KDE is not the most used Desktop in the Linux world but we have also to admit that unfortunately the year of Linox on the desktop has not yet come and the vast majority of desktop computer users are on Windows. Over there Gpg4win is the standard *PGP tool if you want to do more things than what Thunderbird can do. In particular its notepad feature is highly appreciated by lots of Internet users.

why screenshot?

Posted Jan 19, 2025 10:10 UTC (Sun) by zuki (subscriber, #41808) [Link] (2 responses)

Thank you for the nice article.

I'd like to make an editorial request though: just select&paste the text as a <PRE> block. Screenshots are bad! This screenshot looks ugly (fuzzy), has low contrast (bad for accessibility), uses more bandwidth, does not scale, the user cannot copy the command for testing, is not searchable, etc.

(In this case this is not relevant, since the whole block is monochrome, but in cases where color is used, some terminal emulators have a "copy as HTML" option, which preserves colors and can be used to generate nice page contents with very little effort.)

why screenshot?

Posted Jan 19, 2025 14:50 UTC (Sun) by daroc (editor, #160859) [Link] (1 responses)

If you click through the screenshot, you'll find a text version, for people who use screenreaders or otherwise prefer text. Generally, we try to make LWN usable without any images — and when possible, images are links to pages with higher-resolution versions, text versions, or additional information.

In my initial draft, it was just copy-pasted into a <pre> block. Unfortunately, the text was so wide and long that it caused problems with the article layout, especially on small screens, and we thought that it would give people a more holistic overview of the structure of the output to have it as an image.

why screenshot?

Posted Jan 19, 2025 15:14 UTC (Sun) by zuki (subscriber, #41808) [Link]

Oh, indeed. Thank you for the explanation.

Hard problem space

Posted Jan 22, 2025 23:49 UTC (Wed) by Curan (subscriber, #66186) [Link]

This is a really hard nut to crack and I think sq might be on the right way here. I have to play around more with the interface (and importing things from the previous GnuPG days, to see, if sq can be a replacement.

The interface, however, looks much more "normal" compared to the (semi-)interactive interface of GnuPG. On the other hand: so far GnuPG worked for me.

Not matter what: replacing GnuPG is going to be hard. Even though APT and others switched already or will switch soon.


Copyright © 2025, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds