Pull PQC crypto to sq

This includes some related fixes from upstream, such as better FIPS
mode integration and fixes to the --password-file CLI.

Resolves: RHEL-85985, RHEL-101905, RHEL-86640

.gitignore

@@ -1,3 +1,9 @@
 /sequoia-sq-0.37.0.crate
 /rust-sequoia-sq-0.37.0-vendor.tar.xz
 /capnproto-c++-1.0.1.tar.gz
+/sequoia-sq-1.1.0.crate
+/rust-sequoia-sq-1.1.0-vendor.tar.xz
+/sequoia-sq-1.3.0.crate
+/rust-sequoia-sq-1.3.0-vendor.tar.xz
+/sequoia-sq-vendor-1.3.1.1.tar.gz
+/sequoia-sq-1.3.1.1.tar.gz

rust-sequoia-sq.spec

@@ -1,41 +1,36 @@
-# Generated by rust2rpm 26
+# Generated by rust2rpm 27
-%bcond_without check
+%bcond check 1
 
 %global crate sequoia-sq
 
 %if 0%{?rhel}
-# RHEL: Use bundled deps as it doesn't ship Rust libraries
-%global bundled_rust_deps 1
 %global __brp_mangle_shebangs_exclude_from ^/usr/src/debug/.*$
-%bcond_without bundled_capnproto
-%else
-# Fedora: Use only system Rust libraries
-%global bundled_rust_deps 0
-%bcond_with bundled_capnproto
 %endif
 
+
 Name:           rust-sequoia-sq
-Version:        0.37.0
+Version:        1.3.1.1
 Release:        %autorelease
 Summary:        Command-line frontends for Sequoia
 
 License:        LGPL-2.0-or-later
 URL:            https://crates.io/crates/sequoia-sq
-Source0:        %{crates_source}
+# The version 1.3.1 upstream + patches from justus/pqc branch
+# Generated using:
+#  git archive --format=tar.gz --prefix sequoia-sq-1.3.1.1/ -o sequoia-sq-1.3.1.1.tar.gz justus/pqc
+Source0:        %{crate}-%{version}.tar.gz
 
 # Generated using cargo-vendor-filterer:
-#   cargo download %%{crate}==%%{version} > %%{crate}-%%{version}.crate
-#   tar xf %%{crate}-%%{version}.crate
-#   cargo update ... # optional, if you want to update specific dependencies
-#   pushd %%{crate}-%%{version}
 #   cargo vendor-filterer --platform x86_64-unknown-linux-gnu \
 #                         --platform powerpc64le-unknown-linux-gnu \
 #                         --platform aarch64-unknown-linux-gnu \
 #                         --platform i686-unknown-linux-gnu \
 #                         --platform s390x-unknown-linux-gnu \
-#                         --all-features=true
+#                         --all-features
-Source1:        %{name}-%{version}-vendor.tar.xz
+#   tar -czf ../%%{crate}-vendor-%%{version}.tar.gz vendor
+Source1:        %{crate}-vendor-%{version}.tar.gz
 Source2:        capnproto-c++-1.0.1.tar.gz
+Source3:        vendor.toml
 # Manually created patch for downstream crate metadata changes
 # * switch crypto backend from Nettle to OpenSSL
 # * exclude files that are only useful for upstream development
@@ -43,20 +38,19 @@ Source2:        capnproto-c++-1.0.1.tar.gz
 # * drop features for unsupported crypto backends
 Patch:          sequoia-sq-fix-metadata.diff
 
-%if 0%{?bundled_rust_deps}
+%if 0%{?rhel}
 BuildRequires:  rust-toolset
-# vendored openssl-sys
-BuildRequires:  openssl-devel
-# vendored rustqlite
-BuildRequires:  sqlite-devel
 %else
 BuildRequires:  cargo-rpm-macros >= 24
 %endif
 
-%if %{with bundled_capnproto}
+# vendored openssl-sys
+BuildRequires:  openssl-devel
+# vendored rustqlite
+BuildRequires:  sqlite-devel
+
 BuildRequires:  gcc-c++
 BuildRequires:  cmake >= 3.1
-%endif
 
 %global _description %{expand:
 Command-line frontends for Sequoia.}
@@ -75,6 +69,7 @@ Summary:        %{summary}
 # Apache-2.0 OR MIT
 # Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT
 # BSD-2-Clause OR Apache-2.0 OR MIT
+# BSD-3-Clause
 # BSL-1.0
 # LGPL-2.0-or-later
 # MIT
@@ -84,7 +79,22 @@ Summary:        %{summary}
 # MPL-2.0
 # Unlicense OR MIT
 # Zlib OR Apache-2.0 OR MIT
-License:        LGPL-2.0-or-later AND Apache-2.0 AND BSL-1.0 AND BSD-3-Clause AND MIT AND MPL-2.0 AND Unicode-DFS-2016 AND (0BSD OR MIT OR Apache-2.0) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND (MIT OR Apache-2.0 OR Zlib) AND (Unlicense OR MIT)
+License:        %{shrink:
+    LGPL-2.0-or-later AND
+    Apache-2.0 AND
+    BSL-1.0 AND
+    BSD-3-Clause AND
+    MIT AND
+    MPL-2.0 AND
+    Unicode-DFS-2016 AND
+    (0BSD OR MIT OR Apache-2.0) AND
+    (Apache-2.0 OR BSL-1.0) AND
+    (Apache-2.0 OR ISC OR MIT) AND
+    (Apache-2.0 OR MIT) AND
+    (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND
+    (MIT OR Apache-2.0 OR Zlib) AND
+    (Unlicense OR MIT)
+}
 # LICENSE.dependencies contains a full license breakdown
 
 %description -n %{crate} %{_description}
@@ -92,69 +102,69 @@ License:        LGPL-2.0-or-later AND Apache-2.0 AND BSL-1.0 AND BSD-3-Clause AN
 %files       -n %{crate}
 %license LICENSE.txt
 %license LICENSE.dependencies
+%license cargo-vendor.txt
 %doc README.md
 %{_bindir}/sq
 %{_mandir}/man1/sq*
+%if 0%{?rhel} > 9
 %{bash_completions_dir}/sq.bash
 %{fish_completions_dir}/sq.fish
 %{zsh_completions_dir}/_sq
-
-%prep
-%autosetup -n %{crate}-%{version} -N %{?bundled_rust_deps:-a1}
-%autopatch -M 99 -p1
-%if 0%{?bundled_rust_deps}
-%cargo_prep -v vendor
-
-# drop broken integration tests
-rm -vr subplot/
-# don't lock the dependencies
-rm -f Cargo.lock
-%else
-%cargo_prep
-# drop broken integration tests
-rm -vr subplot/
-
-%generate_buildrequires
-%cargo_generate_buildrequires
 %endif
 
-%if %{with bundled_capnproto}
+%prep
+%autosetup -n %{crate}-%{version} -N -a1
+%autopatch -M 99 -p1
+%cargo_prep -N
+# include full configuration for vendored dependencies
+cat %{SOURCE3} >> .cargo/config.toml
+
+# drop broken integration tests
+rm -vr subplot/
+rm -v tests/sq-subplot.rs
+
 mkdir -p bundled_capnproto
 pushd bundled_capnproto
 tar --strip-components=1 -xf %{SOURCE2}
 popd
-%endif
 
 %build
-%if %{with bundled_capnproto}
+export ASSET_OUT_DIR=target/assets
 pushd bundled_capnproto
 %cmake -DBUILD_TESTING=OFF
 %cmake_build
 export PATH="$PWD/%{__cmake_builddir}/src/capnp:$PATH"
 popd
-%endif
+
 %cargo_build
 %{cargo_license_summary}
 %{cargo_license} > LICENSE.dependencies
+%{cargo_vendor_manifest}
+# replace un-parseable git snapshot dependency information
+sed 's/\(.*\) (.*#\(.*\))/\1+git\2/' -i cargo-vendor.txt
 
 %install
-%cargo_install
+# for some reason, cargo install does not work
+# with vendored dependncies from git branch
+#%%cargo_install
+install -Dpm 0755 target/rpm/sq -t %{buildroot}/%{_bindir}
 # install manual pages
 mkdir -p %{buildroot}/%{_mandir}/man1
-cp -pav target/release/build/%{crate}-*/out/man-pages/sq*.1 %{buildroot}/%{_mandir}/man1/
+cp -pav target/assets/man-pages/sq*.1 %{buildroot}/%{_mandir}/man1/
+%if 0%{?rhel} > 9
 # install shell completions
-install -Dpm 0644 target/release/build/%{crate}-*/out/shell-completions/sq.bash \
+install -Dpm 0644 target/assets/shell-completions/sq.bash \
     %{buildroot}/%{bash_completions_dir}/sq.bash
-install -Dpm 0644 target/release/build/%{crate}-*/out/shell-completions/sq.fish \
+install -Dpm 0644 target/assets/shell-completions/sq.fish \
     %{buildroot}/%{fish_completions_dir}/sq.fish
-install -Dpm 0644 target/release/build/%{crate}-*/out/shell-completions/_sq \
+install -Dpm 0644 target/assets/shell-completions/_sq \
     %{buildroot}/%{zsh_completions_dir}/_sq
+%endif
+
 
 %if %{with check}
 %check
-# * skip tests that require files which are not included in published crates
+%cargo_test
-# * skip tests that fail because the Fedora crypto policy is too strict
-%cargo_test -- -- --exact --skip cli::cert::export::sq_cert_export --skip cli::cert::import::sq_cert_import --skip cli::inspect::sq_inspect --skip cli::key::expire::sq_key_expire --skip cli::key::sq_key_import --skip cli::key::sq_key_list --skip cli::pki::sq_pki_authenticate --skip cli::pki::sq_pki_identify --skip cli::pki::sq_pki_list --skip cli::pki::sq_pki_lookup --skip cli::pki::sq_pki_path --skip sq_sign --skip sq_sign_append --skip sq_sign_append_on_compress_then_sign --skip sq_sign_detached --skip sq_sign_detached_append --skip sq_sign_with_notations --skip sq_autocrypt_import
 %endif
 
 %changelog

rust2rpm.toml

@@ -11,50 +11,29 @@ extra-files = [
     "%{fish_completions_dir}/sq.fish",
     "%{zsh_completions_dir}/_sq",
 ]
+doc-files.exclude = [
+    "sq-subplot.md",
+]
 
 [scripts]
 prep.post = [
     "# drop broken integration tests",
     "rm -vr subplot/",
+    "rm -v tests/sq-subplot.rs",
+]
+build.pre = [
+    "export ASSET_OUT_DIR=target/assets",
 ]
 install.post = [
     "# install manual pages",
     "mkdir -p %{buildroot}/%{_mandir}/man1",
-    "cp -pav target/release/build/%{crate}-*/out/man-pages/sq*.1 %{buildroot}/%{_mandir}/man1/",
+    "cp -pav target/assets/man-pages/sq*.1 %{buildroot}/%{_mandir}/man1/",
     "# install shell completions",
-    "install -Dpm 0644 target/release/build/%{crate}-*/out/shell-completions/sq.bash \\",
+    "install -Dpm 0644 target/assets/shell-completions/sq.bash \\",
     "    %{buildroot}/%{bash_completions_dir}/sq.bash",
-    "install -Dpm 0644 target/release/build/%{crate}-*/out/shell-completions/sq.fish \\",
+    "install -Dpm 0644 target/assets/shell-completions/sq.fish \\",
     "    %{buildroot}/%{fish_completions_dir}/sq.fish",
-    "install -Dpm 0644 target/release/build/%{crate}-*/out/shell-completions/_sq \\",
+    "install -Dpm 0644 target/assets/shell-completions/_sq \\",
     "    %{buildroot}/%{zsh_completions_dir}/_sq",
 ]
 
-[tests]
-skip = [
-    # --lib
-    "cli::cert::export::sq_cert_export",
-    "cli::cert::import::sq_cert_import",
-    "cli::inspect::sq_inspect",
-    "cli::key::expire::sq_key_expire",
-    "cli::key::sq_key_import",
-    "cli::key::sq_key_list",
-    "cli::pki::sq_pki_authenticate",
-    "cli::pki::sq_pki_identify",
-    "cli::pki::sq_pki_list",
-    "cli::pki::sq_pki_lookup",
-    "cli::pki::sq_pki_path",
-    # --test sq-sign
-    "sq_sign",
-    "sq_sign_append",
-    "sq_sign_append_on_compress_then_sign",
-    "sq_sign_detached",
-    "sq_sign_detached_append",
-    "sq_sign_with_notations",
-]
-skip-exact = true
-comments = [
-    "skip tests that require files which are not included in published crates",
-    "skip tests that fail because the Fedora crypto policy is too strict",
-]
-

sequoia-sq-fix-metadata.diff

@@ -1,9 +1,10 @@
---- sequoia-sq-0.37.0/Cargo.toml	1970-01-01T00:00:01+00:00
+diff -up a/Cargo.toml.orig b/Cargo.toml
-+++ sequoia-sq-0.37.0/Cargo.toml	2024-06-15T16:34:04.061673+00:00
+--- a/Cargo.toml.orig	2025-06-19 18:18:08.225290250 +0200
-@@ -44,6 +44,12 @@
++++ b/Cargo.toml	2025-06-19 18:20:29.142344871 +0200
- ]
+@@ -23,6 +23,12 @@ categories = ["cryptography", "authentic
  license = "LGPL-2.0-or-later"
- repository = "https://gitlab.com/sequoia-pgp/sequoia-sq"
+ edition = "2021"
+ rust-version = "1.79"
 +exclude = [
 +    "/deny.toml",
 +    "/Dockerfile",
@@ -11,67 +12,52 @@
 +    "/sq-subplot.md",
 +]
  
- [profile.release]
+ [badges]
- debug = true
+ gitlab = { repository = "sequoia-pgp/sequoia-sq" }
-@@ -76,10 +82,6 @@
+@@ -66,11 +72,6 @@ termcolor = "1.2.0"
- [dependencies.dirs]
+ textwrap = { version = ">=0.15, <0.17", default-features = false, features = ["smawk", "unicode-width"] }
- version = "5"
+ typenum = "1"
  
--[dependencies.dot-writer]
+-# This is for subplot only.  If you don't enable the subplot feature,
--version = "0.1.3"
+-# feel free to patch it out.
--optional = true
+-subplotlib = { version = ">=0.11, <0.13", optional = true }
+-culpa = { version = "1", optional = true }
 -
- [dependencies.humantime]
+ [build-dependencies]
- version = "2"
+ anyhow = "1.0.18"
+ buffered-reader = { version = "1.4", default-features = false, features = ["compression"] }
+@@ -90,10 +91,6 @@ typenum = "1"
+ cfg-if = "1"
+ terminal_size = ">=0.2.6, <0.5"
  
-@@ -155,9 +157,6 @@
+-# This is for subplot only.  If you don't enable the subplot feature,
- [dev-dependencies.dircpy]
+-# feel free to patch it out.
- version = "0.3"
+-subplot-build = { version = ">=0.11, <0.13", optional = true }
- 
--[dev-dependencies.fehler]
--version = "1.0.0"
 -
- [dev-dependencies.libc]
+ [dev-dependencies]
- version = "0.2"
+ assert_cmd = "2"
+ predicates = ">=2, <4"
+@@ -105,22 +102,13 @@ name = "sq"
+ path = "src/main.rs"
+ bench = false
  
-@@ -166,9 +165,6 @@
+-[[test]]
- 
+-name = "sq-subplot"
- [dev-dependencies.regex]
+-path = "tests/sq-subplot.rs"
- version = "1"
+-required-features = ["subplot"]
 -
--[dev-dependencies.subplotlib]
--version = ">=0.7, <0.10"
- 
- [build-dependencies.anyhow]
- version = "1.0.18"
-@@ -217,10 +213,6 @@
- version = "1.0.137"
- features = ["derive"]
- 
--[build-dependencies.subplot-build]
--version = ">=0.7, <0.10"
--optional = true
--
- [build-dependencies.terminal_size]
- version = ">=0.2.6, <0.4"
- 
-@@ -228,17 +220,12 @@
- version = ">=0.15, <0.17"
- 
  [features]
+ default = [
+-    "crypto-nettle",
++    "crypto-openssl",
+ ]
+ crypto-nettle = ["sequoia-openpgp/crypto-nettle"]
+ crypto-openssl = ["sequoia-openpgp/crypto-openssl"]
 -crypto-botan = ["sequoia-openpgp/crypto-botan"]
 -crypto-botan2 = ["sequoia-openpgp/crypto-botan2"]
 -crypto-cng = ["sequoia-openpgp/crypto-cng"]
- crypto-nettle = ["sequoia-openpgp/crypto-nettle"]
- crypto-openssl = ["sequoia-openpgp/crypto-openssl"]
  crypto-rust = ["sequoia-openpgp/crypto-rust"]
- default = [
+-subplot = ["culpa", "subplot-build", "subplotlib"]
--    "crypto-nettle",
--    "dot-writer",
--]
--subplot = ["subplot-build"]
-+    "crypto-openssl",
-+]
  
- [badges.gitlab]
+ [profile.release]
- repository = "sequoia-pgp/sequoia-sq"
+ debug = true

sources

@@ -1,3 +1,3 @@
-SHA512 (sequoia-sq-0.37.0.crate) = c716284bfd1f8492d7f073c07adbbfd73495573a8503d7aa5e24a42873a50392086c69c25a1bd655e3d09df6c369bc2568d02dfda3dc83c189cb9187c440162c
+SHA512 (sequoia-sq-vendor-1.3.1.1.tar.gz) = 7e23b5466f8b951b4324c64d5a04807d5d2865d80b11c9be52ea48564984378e69501e8d67f387fa66bef0a874bb1588f31be63423a3f5ad2f04632f737e2fd8
-SHA512 (rust-sequoia-sq-0.37.0-vendor.tar.xz) = 27ef8c7dfbb535ce51534b9bd66a5cea2f5fcf779dfd69b95002b0e0e30641f9bc69240d83ed8dc11e07ca79cec1dd067938e4367036d85f8367a2ec6c09e45b
+SHA512 (sequoia-sq-1.3.1.1.tar.gz) = 652549f83aba9e3dbe95b9bf16824e1bd0ac12922a14b5d5c78af88da6d333ea43b7f1922a1c12d4b4ccf659c7e2f731c1ad2fb42c91410f17fbb6a3e4d779bc
 SHA512 (capnproto-c++-1.0.1.tar.gz) = c60291f433eea15a51e480e1679a4b9b3b5e67edebc445e371a7a32fce6ec5a7e4b440b17b2adc0565519ec369e3dae8ea727ae790a082a53ecd0d245b5275a9

vendor.toml

@@ -0,0 +1,21 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/teythoon/rust-openssl?branch=justus/pqc"]
+git = "https://github.com/teythoon/rust-openssl"
+branch = "justus/pqc"
+replace-with = "vendored-sources"
+
+[source."git+https://gitlab.com/sequoia-pgp/sequoia-policy-config?branch=justus/pqc"]
+git = "https://gitlab.com/sequoia-pgp/sequoia-policy-config"
+branch = "justus/pqc"
+replace-with = "vendored-sources"
+
+[source."git+https://gitlab.com/sequoia-pgp/sequoia?branch=justus/pqc"]
+git = "https://gitlab.com/sequoia-pgp/sequoia"
+branch = "justus/pqc"
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"
+