Commit Graph

1275 Commits

Author SHA1 Message Date
Justus Winter
0d5fbb0cb6
Make use of DANE configurable when doing sq network search.
- See #336.
2024-12-02 16:31:40 +01:00
Justus Winter
a81a1a7689
Make use of WKD configurable when doing sq network search.
- See #336.
2024-12-02 16:28:58 +01:00
Justus Winter
1fe498db4e
Make the path to the backend servers configurable.
- See #336.
2024-12-02 16:00:21 +01:00
Justus Winter
e58f47e434
Fix displaying effective configuration. 2024-12-02 15:56:55 +01:00
Justus Winter
dcc3db167d
Make hints configurable.
- See #336.
2024-12-02 14:58:18 +01:00
Justus Winter
092ba48e5a
Generalize function. 2024-12-02 14:57:49 +01:00
Justus Winter
7d2fab14f9
Make verbosity configurable.
- See #336.
2024-12-02 14:42:04 +01:00
Justus Winter
24ce3aa2e9
Introduce accessors for sq.quiet and sq.verbose. 2024-12-02 14:35:25 +01:00
Justus Winter
099e9c8737
Use platform-specific prompt in hints. 2024-12-02 12:52:01 +01:00
Justus Winter
f5fff14661
Indent hints so that they look different from shell prompts.
- Fixes #473.
2024-12-02 12:47:54 +01:00
Justus Winter
b565f7ec90
Improve the --for-self encryption hint.
- Mention the configuration file, if any.

  - Fixes #472.
2024-12-02 12:15:23 +01:00
Justus Winter
04615bc768
Don't show hint if a recipient is listed in encrypt.for-self.
- Fixes #471.
2024-12-02 12:02:59 +01:00
Justus Winter
dfc36e38d8
Don't explicitly create Recipients. 2024-12-02 12:02:59 +01:00
Neal H. Walfield
84a8807173
Show the configuration file's location in sq config --help.
- Include the location of the configuration file in `sq config
    --help`.

  - See #470.
2024-11-30 10:00:32 +01:00
Neal H. Walfield
de9c5f48b0
Fix message.
- Always parenthesize the message.
2024-11-30 09:56:21 +01:00
Justus Winter
d6992416f4
Display a hint if encrypting a message that one can not decrypt.
- This is a heuristic, of course, as we cannot know which keys the
    user controls, but we can try to be helpful and display a hint.
2024-11-29 19:03:09 +01:00
Justus Winter
b88367ce36
Implement sq encrypt --for-self.
- This adds a mechanism to add a list of certificates presumably
    owned by the user to the recipients using the `--for-self` flag.
    This makes sure the encrypted message can be decrypted again.

  - Fixes #461.
2024-11-29 19:03:09 +01:00
Justus Winter
abafa552f0
When encrypting a message, list signers.
- This makes the process more transparent.  Also see #459.
2024-11-29 18:57:50 +01:00
Justus Winter
0df3b9676e
When encrypting a message, list recipients and passwords.
- See #461.
2024-11-29 18:57:49 +01:00
Justus Winter
879b619dae
Use BufferedReader::copy to avoid an extra copy.
- In contrast, std::io::copy has to copy the data into an
    intermediate buffer.
2024-11-29 18:57:34 +01:00
Justus Winter
8d7650def7
Rework encryption subkey selection. 2024-11-29 18:57:33 +01:00
Justus Winter
0d9fae1820
Fix handling of --home=default and --home=none.
- Fixes 4b3f2c97ad which predates the
    introduction of `--home=default` and `--home=none`.
2024-11-29 13:55:42 +01:00
Justus Winter
ea593feb02
Drop superfluous mut. 2024-11-28 19:16:32 +01:00
Justus Winter
012e762d38
Align user ID designators in sq pki link retract.
- User IDs have to be explicitly given, or `--all` has to be used to
    select them all (this was previously the default).

  - This aligns the retract subcommand with the other link and vouch
    management commands.

  - Fixes #442.
2024-11-28 18:07:30 +01:00
Neal H. Walfield
c9bde7fe47
Add support for addressing shadow CAs by symbolic names.
- Add a new paramter to `sq pki link add`, `sq pki link authorize`,
    and `sq pki link retract`, `--cert-special`, which allows addressing
    shadow CAs by symbolic names.

  - If the shadow CA doesn't exist yet, we create it.

  - This means `sq pki link authorize --cert-special keys.openpgp.org
    --all --unconstrained` can be used to fully trust the
    `keys.openpgp.org` key server, for instance.  This is more
    convenient, and especially useful for documentation.

  - Fixes #337.
2024-11-28 15:38:34 +01:00
Justus Winter
477f255f84
Make sq config get policy.path reflect SEQUOIA_CONFIG_POLICY.
- This is cosmetic, but makes the output more consistent.

  - Fixes #467.
2024-11-28 13:20:18 +01:00
Neal H. Walfield
3b45a6bb63
Release 0.40.0.
* Changes in 0.40.0
** New functionality
   - New subcommand `sq download`, which downloads a file and a
     signature file, and then authenticates the file.
** Notable changes
   - `sq toolbox keyring merge` now supports merging bare revocation
     certificates.
   - `sq verify` now deletes the output file on failure.
   - `sq decrypt` now deletes the output file on failure.
   - Add a global option, `--policy-as-of`, that selects the
     cryptographic policy as of the specified time.
   - `sq key subkey export` takes an additional argument, `--cert`,
     which is required.  The specified keys must be attached to that
     certificate.  This ensures that if a key is attached to multiple
     certificates, the correct certificate is exported.
   - Add a new argument, `--cli-version`, which requests a particular
     semver-compatible version of the CLI.  This enables breaking
     changes to the CLI in the future.
   - The `help` subcommand has been removed everywhere except at the
     top-level (`--help` still works).
   - If designated signers are specified for `sq verify`, `sq
     decrypt`, and `sq download`, they are now the only certificates
     that are considered when verifying signatures.  If no signers are
     specified, the certificate store is consulted.
   - The argument `sq cert lint --list-keys` has been removed.
   - `sq key list` now has a DWIM search parameter.
   - The flag `sq sign --detached` is now called `sq sign
     --signature-file`.
   - The flag `sq sign --clearsign` is now called `sq sign
     --cleartext`.
   - Both `sq sign` and `sq verify` now require an explicit mode,
     one of `--signature-file`, `--message`, or `--cleartext`.
   - The flag `sq --no-cert-store` has been replaced with `sq
     --cert-store=none`.
   - The flag `sq --no-key-store` has been replaced with `sq
     --key-store=none`.
   - Similarly, `sq --home=none` disables all state, unless explicitly
     re-enabled using `--cert-store` or `--key-store`.
   - `sq pki link add`, `sq pki link authorize`, `sq pki vouch
     certify`, and `sq pki vouch authorize` have a `--userid-or-add`
     flag.  Replace it with an `--userid-or-add` argument, and an
     `--email-or-add` argument.
   - The `--email` and `--email-or-add` arguments to `sq pki link add`,
     etc. cannot be used to designate a self-signed user ID, if
     multiple self-signed user IDs include the specified email
     address.  Previously, the arguments would designate all
     self-signed user IDs with the specified email address.
   - The new argument `sq sign --mode` can be used to create text
     signatures in addition to binary signatures.
   - The argument `sq network wkd publish --create` has been split
     into two arguments, `--create` and `--method`, avoiding an
     ambiguity when parsing the arguments.
   - `sq key userid revoke` no longer accepts the `--userid-or-add` flag
     to indicate that a user ID specified using `--userid`, an email
     specified using `--email`, or a name specified using `--name`
     should be used even if there is no corresponding self-signed user
     ID.  This functionality is replaced by the `--userid-or-add`,
     `--email-or-add` and `--name-or-add` arguments.
   - `sq pki path` previously interpreted the last positional argument
     as the user ID to authenticate.  Make it a named argument
     instead, `--userid`.
   - Add `sq pki path --email` and `sq pki path --name` as additional
     ways to specify the user ID to authenticate.
   - The argument `sq encrypt --set-metadata-time` has been removed.
   - The argument `sq encrypt --set-metadata-filename` now takes a
     string that specifies the file name to be set.
   - `sq pki authenticate`'s positional argument for specifying the
     certificate to authenticate must now be specified using a named
     argument, `--cert`.
   - `sq pki identify`'s positional argument for specifying the
     certificate to identify must now be specified using a named
     argument, `--cert`.
   - Drop `sq cert list --email`'s flag, and replace it with the
     `--userid` and `--email` positional arguments, which match on
     user IDs.
   - Drop `sq pki authenticate --email`'s flag, and replace it with
     the `--userid` and `--email` positional arguments, which match on
     user IDs.
   - Drop `sq pki lookup --email`'s flag, and replace it with the
     `--userid` and `--email` positional arguments, which match on
     user IDs.
   - `sq toolbox keyring` is now just `sq keyring`.
   - `sq toolbox packet` is now just `sq packet`.
   - `sq toolbox armor` is now `sq packet armor`.
   - `sq toolbox dearmor` is now `sq packet dearmor`.
   - `sq key userid revoke`, `sq pki link add`, `sq pki link
     authorize`, `sq pki vouch certify`, and `sq pki vouch authorize`
     now check that user IDs that are not self-signed are in canonical
     form.  Add a flag, `--allow-non-canonical-userids`, to disable
     this check.
   - `sq key approvals update` now requires an action, like
     `--add-authenticated`.
   - `sq key approvals --add-authenticated` is now a simple flag, and
     we always require full authentication.
   - `sq toolbox strip-userid` has been removed.
   - All cert designators now use the `--cert-` prefix, e.g.  `sq key
     export --email` has been changed to `sq key export --cert-email`
     for consistency reasons, and to free `--name`, `--email`, and
     `--userid` for user ID designators.
   - The `--binary` argument has been removed from all commands but
     those that emit signed and or encrypted messages.
   - The command `sq toolbox extract-cert` has been removed in favor
     of `sq key delete` and `sq key subkey delete`.
   - The command `sq packet split` now writes to stdout by default.
   - The argument `sq packets split --prefix` is now called
     `--output-prefix`.
   - `sq pki vouch certify` is now called `sq pki vouch add`.
   - We now certify newly generated keys with a per-host shadow CA.
   - The argument `sq encrypt --signature-notation` has been added.
   - All arguments to add signature notations have been renamed from
     `--notation` to `--signature-notation`.
   - When generating keys, either `--own-key` or `--shared-key` has to
     be given.  The former marks the key's user IDs as authenticated
     and makes it a trusted introducer.  The latter marks the key's
     user IDs as authenticated, and marks the key as a group key.
   - The argument `sq cert lint --export-secret-keys` has been
     removed: if a secret key is provided as file input, it will be
     emitted.
   - The argument `sq key subkey export --cert-file` has been removed.
   - `sq` now reads a configuration file that can be used to tweak a
     number of defaults, like the cipher suite to generate new keys,
     the set of key servers to query, and the cryptographic policy.
   - The command `sq keyring filter` is now considered experimental
     and may change in the future.  To acknowledge this, it has to be
     invoked with the `--experimental` flag.
2024-11-28 06:45:13 +01:00
Neal H. Walfield
99d97c0cc3
Support thiserror 2.0.
- Adjust one bit of syntax to be compatible with `thiserror` 1.0 and
    `thiserror` 2.0, and loosen the dependency requirements to accept
    either version.
2024-11-28 06:37:07 +01:00
Neal H. Walfield
841ce9d0b5
Update Cargo.lock. 2024-11-28 06:06:55 +01:00
Justus Winter
9f5c5ce930
Mark sq keyring filter experimental.
- Invoking it now requires the `--experimental` flag.  This is a
    template that we may use to introduce features into sq with a bit
    of a chance to stabilize it over time.

  - Fixes #455.
2024-11-27 17:27:04 +01:00
Justus Winter
1d23ae8a5b
Update MSRV to 1.79, which is subplot's current MSRV.
- Fixes #460.
2024-11-27 16:39:13 +01:00
Justus Winter
4b3f2c97ad
Add a configuration file and associated management commands.
- Add a configuration file for sq, and sq config get to
    programmatically query configuration values, and sq config template
    to create a template as a starting point for a custom configuration
    file.

  - As a first step, the following things have been made configurable:

    - The cipher suite for key generation.
    - The set of keyservers.
    - The cryptographic policy, which can be sourced from an external
      file as well as modified inline.

  - If there is no configuration file, sq config template can be used to
    create a template for the user to modify.

  - If a default has been overridden using the configuration file,
    sq's --help output is augmented with the configured value.
2024-11-27 15:26:36 +01:00
Justus Winter
3b1bd79195
Align user ID designators in sq pki {link,vouch} {add,authorize}.
- Align user ID designators across these four commands.  Previously,
    `--all` was implied for the authorize commands if no user ID
    designator was given.

  - However, this is problematic for the following reasons:

    - First, it is inconsistent across the commands.

    - Second, while CAs can add any name to their cert because they
      are CAs, those certifications are subject to constraints, such
      as domain constraints, or the amount.  But, the link we add
      fully authenticates the current user IDs, which may not be what
      the user wants, so it should require explicit consent.

    - Third, making this implicit again is easier than going from
      implicit to explicit, which breaks existing users.

  - Fixes #442.
2024-11-27 13:33:30 +01:00
Justus Winter
1c6bf5d6fd
Require self-signed user IDs when publishing certs in a WKD.
- Fixes #449.
2024-11-27 11:36:32 +01:00
Justus Winter
7b2be4d93c
Update sequoia-keystore to 0.6.2.
- Fixes #458.
2024-11-26 20:50:52 +01:00
Justus Winter
f55015ab77
Remove argument sq key subkey export --cert-file.
- This doesn't work, and it is of questionable use.  Also, `sq key
    export` doesn't have `--cert-file` either.

  - Fixes #464.
2024-11-26 19:49:16 +01:00
Neal H. Walfield
8072a9f8e6
Fix message. 2024-11-26 13:59:23 +01:00
Justus Winter
a47da3ac33
Remove argument sq cert lint --export-secret-keys.
- If a secret key is provided as file input, it will be emitted.
    This makes it consistent with what other commands do.

  - Fixes #448.
2024-11-25 15:30:58 +01:00
Neal H. Walfield
be5b1f7103
Change sq pki link retract to use the NULL policy.
- Change `sq pki link retract` to use the NULL policy when resolving
    user IDs.  It's safer to retract a link for a user ID than to
    refuse.
2024-11-24 22:01:06 +01:00
Neal H. Walfield
4763cfef48
Improve hint. 2024-11-23 20:38:34 +01:00
Neal H. Walfield
bfc843bc52
To revoke a user ID, require the cert be valid under the current policy.
- Change `sq key userid revoke` to require the certificate be valid
    under the current policy.  If the certificate is not valid under
    the current policy, the user should revoke the whole certificate,
    or fix it using `sq cert lint` after verifying the certificate's
    integrity.  If the certificate is valid under the current policy,
    but the user ID to revoke isn't, it can still be revoked using
    `--userid-or-add`.

  - See #375.
2024-11-23 20:38:21 +01:00
Neal H. Walfield
99ad920c43
Improve message when a certificate can't be used for encryption.
- Improve the error message that `sq encrypt` emits when it can't
    use a certificate for encryption.
2024-11-23 14:51:10 +01:00
Neal H. Walfield
c51e657fcc
tests: Add more tests for sq encrypt. 2024-11-23 12:15:17 +01:00
Neal H. Walfield
258394678f
Don't use revoked certificates for encryption.
- Change `sq encrypt` to not use revoked certificates.
2024-11-23 12:14:56 +01:00
Neal H. Walfield
9835714dbd
Improve sq key password's output.
- When prompting to unlock a key, show the key's fingerprint, the
    key's creation time, and its key flags.  Don't show the
    certificate's fingerprint.  That's constant.

  - When we actually change a password, show a message, which can be
    silenced with `--quiet`.
2024-11-22 18:19:05 +01:00
Neal H. Walfield
d5c4c50326
Make sq key password change the password of weakly bound keys.
- Change `sq key password` to also change the password of keys that
    are weakly bound.  Users are likely to be more surprised when a
    password is not changed.
2024-11-22 17:47:41 +01:00
Neal H. Walfield
493ab3ab31
tests: Add tests for sq key password. 2024-11-22 17:20:17 +01:00
Neal H. Walfield
0c5e0c9487
Improve how sq key delete handles ambiguous associations.
- Change `sq key delete` to fail if a key is associated with
    multiple certificates.

  - Fixes #457.
2024-11-22 16:03:20 +01:00
Neal H. Walfield
569a5fa5f9
Change sq key {delete,password} to work with more certificates.
- `sq key delete` and `sq key password` fail if any of the keys are
    missing secret key material.

  - Change them to work with the available secret key material.  (But
    if there is none, still fail.)
2024-11-22 16:01:38 +01:00
Neal H. Walfield
faa350b694
Change sq key delete to refuse to work with weakly bound subkeys.
- `sq key delete` deletes all secret key material associated with a
    certificate.  Of course, we don't want to delete secret key
    material that we are not confident belongs to the certificate.

  - Imagine Alice creates a new certificate.  Mallory see this, and
    anticipates that she is going to delete the old certificate.  He
    attaches her new encryption-capable subkey to the old certificate
    using some weak cryptography, publishes it, and then Alice gets
    the update to her old certificate via parcimonie.  When she
    deletes the secret key material associated with the old
    certificate, she would also delete her new secret key material.
    Ouch!  Admittedly, this attack is a bit contrived.

  - Alternatively, we could skip subkeys whose bindings rely on
    weak cryptography.  This behavior would probably surprise most
    users.  It could have serious consequences as well, since the
    user thought they deleted the secret key material, but didn't.

  - Instead, we are conservative: if a subkey's binding signature
    relies on weak cryptography AND we have secret key material for
    it, we abort, and suggest using `sq key subkey delete` instead.

  - See #375 and #457.
2024-11-22 16:01:02 +01:00