Sequoia 1.4 is released

By Justus | October 6, 2021

We’re happy to announce the release of version 1.4 of our low-level OpenPGP library. The most prominent change is the addition of a new cryptographic backend based on the RustCrypto crates.

Cryptographic backends

Sequoia allows you to chose between several cryptographic libraries at compile time. Previously, there were two options available:

This release adds a third option:

  • RustCrypto: Cryptographic algorithms implemented in pure Rust

This work was started by Nikhil Benesch sponsored by Materialize (you can sponsor us too!). This makes it possible to use Sequoia in environments where the other options are not available or desirable (e.g. WASM, non-Rust dependencies). The set of supported cryptographic algorithms depends on the backend, for more information please see our status page.

Sequoia 1.4

During the 1.x release cycle, we are adding features, fixing bugs, and improving the documentation, while keeping the API stable. Downstream users should be able to update to version 1.4 without changing their code. In December 2020, we commited to providing security fixes for and maintaining the 1.x releases for 1 year. We remain commited to that promise.

Notable Bug Fixes

  • #738: Unbounded, attacker-controlled heap allocation during decryption of AEAD encrypted messages.
  • win-crypto-ng#39: Some DSA keys triggered a crash in the CNG backend. Sequoia now works around that problem.


The following new functions have been added:

  • CipherSuite::is_supported
  • MPI::value_padded
  • Preferences::policy_uri
  • ProtectedMPI::value_padded
  • TSK::eq
  • ValidAmalgamation::revocation_keys
  • ValidCert::policy_uri
  • ValidCert::revocation_keys