Close to the end of 2021, I’m excited to announce the release of PGPainless version 1.0.0! After a series of release candidates, it is finally time to party! The OpenPGP library successfully underwent a security audit in late November, and I feel it has finally reached a state of sufficient maturity to be worthy of a major release with a “1” at the front.
The audit was carried out over a period of two weeks by the nice folks of cure53.de. The team swiftly discovered some security flaws, most of which were quickly fixed in the library. Some other issues (such as lacking brute-force protection for passphrases) were declared out of scope, as they are better fixed at the application level. Others, unfortunately, are a direct consequence of compliance with the OpenPGP standard, e.g. the fact that secret keys are not encrypted using authenticated encryption, so tampering with an encrypted secret key is not detected by the format itself (this will hopefully change soon). The results of the security audit are publicly available for anyone to read.
In light of the recent Log4j-related events, I’d like to explicitly express my gratitude towards the fine folks of FlowCrypt, who continuously provide financial support for my work on PGPainless. In particular, they sponsored the security audit. Their support makes PGPainless a sustainable free software project and is a significant factor in its success. Thank you so much!
Throughout its development, PGPainless has now reached a steady JUnit test coverage of 90% and 90+% agreement with the OpenPGP Interoperability Test Suite. Furthermore, the project is now REUSE compliant!
As always, the new release is available on Maven Central for you to download. Since the builds are reproducible, you can also grab the source code, build the artifacts yourself and compare their hashes against the known-good values of the published binaries.
Now what’s left for me is to wish everyone a Better New Year 2022! Stay safe and encrypted!