ueno / go-sequoia-plugin

go-sequoia-plugin

go-sequoia-plugin is a Go plugin wrapping OpenPGP signature operations backed by sequoia-pgp, to be used as an alternative signing mechanism for container signing.

How it works

The deliverable of this project is a Go plugin, sequoia.so, which is a shared library module accompanied by Go type information. The plugin is implemented on top of sequoia-pgp, reached through Rust FFI and then CGO.

Applications can dynamically load the plugin with plugin.Open. That way, the complicated build process involving both the Rust and Go toolchains is decoupled from the application package.
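Because plugin.Open maps the shared library into the calling process and runs its init code, the path the application loads from is part of its trust boundary. The following is an added example, not code from this project: a pre-load check on the plugin file. The helper names checkPluginPath and loadPlugin and the policy they apply are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"plugin"
)

// checkPluginPath (hypothetical helper) refuses relative paths, non-regular
// files, and files or parent directories that are group- or world-writable.
func checkPluginPath(path string) error {
	if !filepath.IsAbs(path) {
		return fmt.Errorf("plugin path %q is not absolute", path)
	}
	fi, err := os.Lstat(path) // Lstat: a symlink is reported as non-regular
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s is not a regular file", path)
	}
	di, err := os.Stat(filepath.Dir(path))
	if err != nil {
		return err
	}
	if fi.Mode().Perm()&0o022 != 0 || di.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("%s or its directory is group- or world-writable", path)
	}
	return nil
}

// loadPlugin opens the shared library only after the path checks pass.
// plugin.Open runs the library's init code inside this process.
func loadPlugin(path string) (*plugin.Plugin, error) {
	if err := checkPluginPath(path); err != nil {
		return nil, err
	}
	return plugin.Open(path)
}

func main() {
	if len(os.Args) == 2 {
		if _, err := loadPlugin(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, "refusing to load plugin:", err)
			os.Exit(1)
		}
	}
}
```

The check and the open are two separate steps, so the directory permission test matters as much as the file one: it is what stops another user from swapping the file in between.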

Prerequisites

  • Rust toolchain
  • Go toolchain
  • sequoia-sq package for key manipulation
  • Dependencies: capnproto, openssl-devel, sqlite3-devel, and bzip2-devel

Building

  1. Run make or make RELEASE=1

Usage

Preparation

  1. Generate an OpenPGP keypair for testing, e.g., gpg2 --gen-key, without passphrase
  2. Export the secret key, with gpg2 --export-secret-key KEYID > KEYID.pgp
  3. Import the secret key to sequoia-keystore, with sq key import --cert-store=$HOME/.local/share/sequoia/certs KEYID.pgp

Sign

  1. cd cmd/sign
  2. go build
  3. ./sign KEYID somefile

Verify

  1. cd cmd/verify
  2. go build
  3. ./verify somefile.sig somefile

License

Apache-2.0
