home.social
  1. I just released version 0.6.2 of rsop, a stateless ("SOP") CLI tool based on @rpgp:

    crates.io/crates/rsop/

    Changes since rsop 0.6.0:

    - decryption based on session keys is now supported,
    - generation of man pages and shell tab completion has been added,
    - some subtle semantics fixes for component key validity were implemented.

    For more on , see datatracker.ietf.org/doc/draft

  2. There's a lot of interest in -like tools, but without being bound to

    One exciting early stage exploration by @kushal uses the standard mechanism (datatracker.ietf.org/doc/draft).

    Kushal's experimental fork of pass can already directly use card devices via the rsop-oct implementation:

    github.com/kushaldas/password-

  3. I just released version 0.6.0 of rsop, a stateless ("SOP") CLI tool based on @rpgp:

    crates.io/crates/rsop/

    This release updates its rPGP dependency to version 0.15.0. This should fix issues where rsop previously failed to correctly read input data in some situations, and errored with messages such as e.g. "failed reading: armor header: not enough bytes"

    For more on , see datatracker.ietf.org/doc/draft

  4. I just released version 0.5.0 of rsop, a stateless ("SOP") CLI tool based on @rpgp:

    crates.io/crates/rsop/

    The major change in this release is that OpenPGP card support is removed from rsop; it is now available separately in rsop-oct (see fosstodon.org/@hko/11369954521).

    For more on , see datatracker.ietf.org/doc/draft

  5. I just released version 0.1.0 of rsop-oct, a new stateless ("SOP") CLI tool that focuses exclusively on use with OpenPGP card hardware devices:

    crates.io/crates/rsop-oct/0.1.0

    Like its sibling project , rsop-oct is based on @rpgp

    In the next release of rsop, OpenPGP card functionality will be removed from it.
    The goal is to offer clear UX in two distinct simple CLI tools, as opposed to one combined and confusing CLI tool.

    For more on , see datatracker.ietf.org/doc/draft

  6. I just released version 0.4.3 of , a stateless ("SOP") CLI tool based on @rpgp:

    crates.io/crates/rsop/0.4.3

    This release fixes a bug in the 'inline-verify' command:

    In versions 0.4.0 - 0.4.2, 'rsop inline-verify' erroneously printed the message body to stdout even if no valid signatures were found (except for CSF messages, which were handled correctly).

    For more on , see datatracker.ietf.org/doc/draft
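The 0.4.0 - 0.4.2 'inline-verify' bug above is a good illustration of why a caller should never consume the data stream of a verify command without also checking its verification result. The following wrapper is an added example (not rsop's own code): it drives a SOP implementation's `inline-verify` as specified in the SOP draft (body on stdout, one line per valid signature in the `--verifications-out` file) and forwards the body only when the command succeeded and at least one verification line exists. It assumes the SOP binary is reachable via `$SOP` (defaulting to `rsop`); the `make_fake_sop` helper is a constructed stand-in that reproduces the 0.4.x symptom so the wrapper can be exercised offline, and its fingerprints are placeholders.

```shell
#!/bin/sh
# sop_verified_body CERT < INLINE_SIGNED > BODY
# Defensive wrapper around a SOP implementation's `inline-verify` (assumed to be
# reachable as $SOP, defaulting to rsop). Per the SOP draft, inline-verify writes
# the message body to stdout and one line per valid signature to the file named
# by --verifications-out. The body is forwarded only when the exit status is 0
# AND that file is non-empty, so a bug of the rsop 0.4.0-0.4.2 kind (body printed
# although no valid signature was found) cannot pass unverified data downstream.
sop_verified_body() {
    cert=$1
    tmpdir=$(mktemp -d) || return 1
    verifs=$tmpdir/verifications
    # Capture the body in a file instead of letting it flow straight to stdout.
    if "${SOP:-rsop}" inline-verify --verifications-out="$verifs" "$cert" > "$tmpdir/body" \
        && [ -s "$verifs" ]; then
        cat "$tmpdir/body"
        rm -rf "$tmpdir"
        return 0
    fi
    rm -rf "$tmpdir"   # emit nothing: either SOP failed or there was no valid signature
    return 1
}

# make_fake_sop PATH MODE   (MODE = buggy | ok)
# Constructed stand-in for a SOP binary, used only so the wrapper can be exercised
# offline without rsop or real keys. "buggy" reproduces the 0.4.x symptom: body on
# stdout, empty VERIFICATIONS, exit 0. "ok" additionally writes one verification
# line (the fingerprints are placeholders, not real values).
make_fake_sop() {
    mode=$2
    cat > "$1" <<EOF
#!/bin/sh
# invoked as: inline-verify --verifications-out=FILE CERT   (message on stdin)
out=\${2#--verifications-out=}
cat                                   # "body" goes to stdout unconditionally
: > "\$out"
[ "$mode" = ok ] && echo "2024-01-01T00:00:00Z PLACEHOLDERFPR PLACEHOLDERFPR" > "\$out"
exit 0
EOF
    chmod +x "$1"
}
```

Against a real installation, run `sop_verified_body alice.pgp < signed.pgp` with `SOP` unset; the wrapper then adds a second check on top of the NO_SIGNATURE exit status that a conforming SOP implementation already returns.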

  7. I just released version 0.4.2 of , a stateless ("SOP") CLI tool based on @rpgp:

    crates.io/crates/rsop/0.4.2

    This release adds support for the 'inline-detach' command.

    For more on , see datatracker.ietf.org/doc/draft

  8. I just released version 0.4.1 of , a stateless ("SOP") CLI tool based on @rpgp:

    crates.io/crates/rsop/0.4.1

    This release adds support for the 'revoke-key' command.

    For more on , see datatracker.ietf.org/doc/draft

  9. I just released version 0.4.0 of rsop, a stateless OpenPGP ("SOP") CLI tool based on @rpgp:

    crates.io/crates/rsop/0.4.0

    This release brings support for the updated formats in the new OpenPGP RFC 9580 (including "v6" keys and signatures).

    For more on SOP, see ietf.org/archive/id/draft-dkg-

  10. New release today: version 0.14.0 ✨

    ( implemented in pure , permissively licensed)

    github.com/rpgp/rpgp/releases/

    This release brings rather complete support for the excellent new OpenPGP RFC 9580 (also known as "crypto refresh", or "v6")

    RFC 9580 standardizes modern cryptographic mechanisms for OpenPGP: AEAD-based encryption, Argon2, and SHA2 fingerprints for the new OpenPGP v6 key format (v4 keys use SHA1).

    Thanks @NGIZero for supporting this work!

  11. I'm excited to announce the release of oct v0.11.0 🚀️

    oct is a tool for inspecting, configuring and using cards 🔒 (crates.io/crates/openpgp-card-)

    oct can now set up cards in mode, the text output format was improved for readability, and some minor bugs were fixed.

    Finally, version 0.11.0 uses , a pure OpenPGP library 🦀.
    As a result, the binary on links to four fewer dynamic libraries, while at the same time being 10% smaller.

  12. oct-git and its sibling project crates.io/crates/openpgp-card- are concrete options for OpenPGP card users to explore OpenPGP use without GnuPG, today.

    In addition, the "Stateless OpenPGP" tool (crates.io/crates/rsop) also supports using OpenPGP card devices (see datatracker.ietf.org/doc/draft for more).

  13. Much credit and thanks to @wiktor for foundational work on OpenPGP card support in .

    Wiktor's work constitutes the core of the new crates.io/crates/openpgp-card- crate (used in rsop).

  14. I just released version 0.3.1 of crates.io/crates/rsop, a stateless ("sop") card tool based on .
    rsop natively supports OpenPGP card (hardware cryptography) devices.

    SOP is a standardized, vendor-agnostic CLI interface for the most common OpenPGP operations.
    See datatracker.ietf.org/doc/draft for more on SOP.

    rsop is featured in the "OpenPGP interoperability test suite" at tests.sequoia-pgp.org/ (under "rpgpie", which is rsop's high level OpenPGP library).

  15. I just released version 0.2.0 of crates.io/crates/rsop

    is a "Stateless OpenPGP" CLI tool based on .

    This new version adds more support for handling passphrase-protected private key material, as well as handling of un-armored OpenPGP data.

    See datatracker.ietf.org/doc/draft for more on SOP.

  16. In the past few weeks, I spent a bit of time on a set of hobby projects around (github.com/rpgp/rpgp/). Today I'm happy to announce:

    rsop v0.1.0 (crates.io/crates/rsop), an early stage "stateless OpenPGP" tool based on rpgp.

    Relatedly, I also released rpgpie 🦀️🔐🥧 v0.0.1 (crates.io/crates/rpgpie), an experimental high level OpenPGP API based on rpgp (rsop is built on top of rpgpie).

  17. While exploring use of PKCS #11 devices in contexts, I stumbled over a bug (and potential security issue) in the yubihsm_pkcs11.so driver for devices.

    Long form text by Christian Reitter (who walked me through the coordinated disclosure process with , and did amazing work analyzing and writing up the issue):
    blog.inhq.net/posts/yubico-yub

    Yubico advisory: yubico.com/support/security-ad

    : cve.mitre.org/cgi-bin/cvename.

    (Thanks again to @sovtechfund for funding my work)

  18. Over the last half year, I've spent time with PKCS #11 and PIV hardware security devices. In particular, using such devices in the context.

    Entry points for results of this work:

    - codeberg.org/heiko/openpgp-pkc
    - codeberg.org/heiko/openpgp-piv
    - codeberg.org/heiko/pkcs11-open

    One particular focus was building CI testing infrastructure (including gitlab.com/hkos/virtual-piv/), to make future work on these codebases easier (and hopefully fun).

    [This work was funded by @sovtechfund]

  19. I added a bit of documentation to my repository of "virtual PIV hardware tokens": gitlab.com/hkos/virtual-piv/

    (These virtual cards are useful for CI-testing of software that uses PIV devices.)

  20. Today I spent a bit of time with the and its driver (the yubihsm_pkcs11.so driver had exhibited some confusing-to-me behavior, during occasional experiments over the past few weeks).

    After a closer look, I believe that "yubihsm_pkcs11.so" version 2.4.0 has introduced a number of rather confusing regressions around object IDs (see github.com/Yubico/yubihsm-shel).

    This investigation was a side-quest of my @sovtechfund financed project "PKCS#11 support for @sequoiapgp".

  21. I just released version 0.1.5 of the simple experimental standalone SSH agent for cards (crates.io/crates/openpgp-card-).

    This is a minor update in terms of functionality.

    However, it marks a move of the crate to the @Codeberg platform (including an integration test in Codeberg's Woodpecker CI, testing the agent against a virtual OpenPGP card: ci.codeberg.org/openpgp-card/s)

  22. The team has released version 1.5.0 of crates.io/crates/sequoia-octop, the Sequoia-based alternative backend for .

    This release fixes support for Thunderbird 102.7, and contains a big overhaul for Web of Trust calculations, which automatically set Thunderbird's "acceptance" of OpenPGP certificates based on published certifications and the trust roots the user configured in their GnuPG subsystem.