I sent a rather lengthy email to the "gnupg-devel" mailing list, about the governance and development of the #OpenPGP standard (and #GnuPG's fork of the specification that is branded "#LibrePGP")
https://lists.gnupg.org/pipermail/gnupg-devel/2025-September/036064.html
Einblicke in das #Datenspuren-Programm
Heute: Irgendwas mit Nitrokeys - #Workshop und Keysign-Party
https://talks.datenspuren.de/ds25/talk/W3JBDH/
In ihrem Workshop betreut @senf Menschen beim Einrichten von Nitrokeys und danach kann gegenseitig mit den #OpenPGP-Schlüsseln signiert werden.
Wann? 20. September, 15:15 bis 17:00 Uhr
Wo? Kleiner Saal
Komplettes Programm ansehen: https://talks.datenspuren.de/ds25/schedule/
P.S.: Die Nitrokeys sollten im Vorfeld bei Nitrokey beschafft werden (ca. 55€).
Today we have also created the first release of voa-openpgp, a #RustLang library for the use of #OpenPGP verifiers in #VOA hierarchies. 
https://crates.io/crates/voa-openpgp/0.1.0
In this first release we have focused on the use case of importing #OpenPGP certificates to a #VOA hierarchy.
As a special treat, this enables direct import of #ArchLinux keyring structures.
https://gitlab.archlinux.org/archlinux/archlinux-keyring/
#DigitalSignature #Verification #Packaging
Many thanks to @hko @Nukesor and @orhun for the thorough reviews 
#Whatsapp on #iOS had a severe 0day that was exploited in the wild for some months, and is fixed with august 20th releases https://hackread.com/whatsapp-0-day-exploit-attack-targeted-ios-macos-users/
Last year #signal also had its multi-device functionality exploited in the wild. https://thehackernews.com/2025/02/hackers-exploit-signals-linked-devices.html
FWIW #deltachat has a dumber multi-device sync model, no device linking, depends on being in the same WiFI for setup (therefore no easy remote exploits), and #OpenPGP signatures and verification for ongoing usage (like all other E2EE messages).
@avoca Suggesting we give up or drop our efforts is a valid opinion, and we don't blame people for having it. There are shitloads of messengers, and why are we engaging in this crazy trip of using #email and #openpgp for instant messaging, out of all things? We consider it progress if it's just a few percent opposing our effort and current trajectory at all. That surely was different some years ago where it felt more like 80% being in that "are you kidding me?" camp.
I just released version 0.1.6 of oct-git, a simple tool for Git signing and verification with #OpenPGP cards
https://crates.io/crates/openpgp-card-tool-git
This is a maintenance release: It updates the libraries that oct-git builds on (in particular @rpgp), but doesn't add new functionality.
However, with this update there is now a straightforward path to automated updating of OpenPGP certificates (aka public keys) from keyservers. I look forward to implementing that soon.
We have just released the first version of voa-core, a #RustLang library for access to verifiers in #VOA structures. 
https://crates.io/crates/voa-core/0.1.0
VOA, short for "File Hierarchy for the Verification of OS Artifacts", is a way of providing and using verifiers for digital signatures in a stateless manner, for various cryptographic technologies:
https://uapi-group.org/specifications/specs/file_hierarchy_for_the_verification_of_os_artifacts/
Thanks to @hko for his work on this and an upcoming #OpenPGP backend! 
@osxreverser I guess forcing everyone to use #OpenPGP (or rather #enc¹) and #VeraCrypt / @veracrypt ² and putting that on an (S) #FTP (S) server isn't an option?
Towards OpenPGP v6 in PGPainless
I’m very excited to announce the results of what I have been working on for the past 1,5 years. *drumrolls*
I added support for OpenPGP v6 (rfc9580) in both Bouncy Castle and PGPainless! In this blog post, I want to go over the work in more details.
https://warmwasserwerfer.de/2025/08/28/towards-openpgp-v6-in-pgpainless/
I just released version 0.6.6 of rpgpie, an experimental high level API for @rpgp:
https://crates.io/crates/rpgpie
The rpgpie library crate ships with the (also experimental) "rpgp" CLI tool, which can inspect certificates (aka "#OpenPGP public keys") in two different ways:
- "show" prints the internal structure of a certificate without much interpretation
- "status" prints a summarized view, and applies OpenPGP validity semantics
Since this release, "status" can emit JSON.
1/5
@agowa338 if you refer to #OpenPGP cards here, have a look at the #ArchWiki article (and the upstream documentation) for the oct CLI: https://wiki.archlinux.org/title/OpenPGP-card-tools
me, opening a new terminal tab: From all the things I've scripted so far, this has got to have one of the best effort-to-usefulness factors ever.
https://codeberg.org/scy/dotfiles/commit/9ef269f86356d80e53f6e7bbde9d85b65a21525f
Finally did activate the NXP SE050 Secure Element in my Nitrokey 3 and generated new on-device keys, by using the amazing "oct" (openpgp-card-tools).
Almost entirely using the modern rust-based openpgp implementations now:
- oct for card management and file signing
- openpgp-card-ssh-agent for SSH authentication
- rsop-oct for file encryption/decryption and package signing
- oct-git for git signing of my code commits
The only part, where I still rely on classic openpgp, is my MUA KMail, where alternatives aren't yet supported.
And it's still a pain, that modern GPG implementations aren't available as Fedora packages *sigh* but cargo works sufficiently well for now.
#linux #rust #openpgp #nitrokey #crypto #security @hko @fedora @nitrokey
The updated security whitepaper for Passbolt v5 is now available. It explains how passbolt protects your data, including a clear breakdown of security model based on the #OpenPGP encryption standard.
The paper also outlines how we keep the platform secure over time, from built-in risk mitigations strategies, to yearly independent code audits to ongoing SOC 2 Type II compliance checks, and more.
Read the full whitepaper: https://www.passbolt.com/security
