RNP version 0.16.1 released
RNP 0.16.1 brings significant improvements in security policies, operational flexibility, and platform support.
Introduction
The release marks a major milestone in RNP’s evolution with comprehensive support for OpenSSL 3.0, enabling seamless integration with the latest enterprise Linux distributions.
Additionally, it introduces more nuanced security policies and several user-requested features that improve flexibility and ease of use.
Key highlights:
-
OpenSSL 3.0 support for RHEL 9 and Fedora 36 compatibility
-
Enhanced SHA1 signature handling for key and data signatures
-
Raw encryption support for flexible data processing
Other highlights:
-
Configurable timestamp override functionality
-
Improved handling of unknown packet versions
-
Automatic backend feature detection during build
-
Base64-encoded key import/export for Autocrypt
-
Two-year default key expiration time
Platform support improvements
OpenSSL 3.0 compatibility
OpenSSL 3.0 has been recently released and RNP 0.16.1 is the only OpenPGP implementation that fully supports it.
This feature enables:
-
Native compatibility with RHEL 9, CentOS Stream 9, and Fedora 36
-
Support for OpenSSL’s new provider architecture
-
Improved FIPS compatibility through OpenSSL 3.0’s FIPS provider
-
Enhanced performance through OpenSSL 3.0’s optimizations
The implementation ensures that RNP works seamlessly with these platforms' default cryptographic backends, eliminating the need for custom builds or external dependencies.
Security policy enhancements
SHA1 signature handling improvements
This release introduces a more sophisticated approach to SHA1 signatures:
-
Allows distinguishing between data and key signatures
-
Extended support for SHA1 key signatures until January 19, 2024 (2024-01-19)
-
More granular control over signature acceptance policies
-
Better compatibility with existing key infrastructure
This change allows organizations to maintain compatibility with legacy systems while gradually transitioning to stronger algorithms.
Key expiration defaults
A new security-focused default has been implemented:
-
Automatic 2-year expiration time for newly generated keys
-
Encourages regular key rotation practices
-
Aligns with modern security recommendations
-
Helps prevent the use of outdated keys
Operational improvements
Raw encryption support
The addition of raw encryption capabilities provides:
-
Ability to encrypt already-signed data
-
More flexible processing pipelines
-
Better integration with existing workflows
-
Improved performance for certain use cases
Timestamp control
New timestamp override functionality enables:
-
Testing of time-dependent operations
-
Reproduction of specific scenarios
-
Validation of expiration handling
-
Better debugging capabilities
Enhanced format handling
Several improvements make RNP more robust when dealing with various OpenPGP implementations:
-
Graceful handling of unknown packet versions
-
Support for base64-encoded keys in Autocrypt headers
-
More flexible packet processing
-
Improved interoperability
Developer improvements
Build system feature detection
The new automatic backend feature detection during build:
-
Simplifies configuration
-
Ensures optimal use of available crypto features
-
Reduces build-time errors
-
Improves portability
API enhancements
New FFI capabilities have been added:
-
rnp_op_encrypt_set_flags()
withRNP_ENCRYPT_NOWRAP
for raw encryption -
Base64 encoding options for key import/export
-
Timestamp override functionality
-
Updated security rule functions
Looking ahead
RNP 0.16.1 sets a strong foundation for future development with its improved platform support and security policies. The changes demonstrate RNP’s commitment to:
-
Maintaining broad platform compatibility
-
Implementing flexible security policies
-
Improving usability and integration capabilities
-
Supporting modern cryptographic practices
For detailed technical information and the complete list of changes, please visit the RNP v0.16.1 release page.