Commit Graph

1275 Commits

Author SHA1 Message Date
Justus Winter
df23d2bb25
Update to subplot 0.11.0.
- Fixes #158.
2024-11-21 17:28:01 +01:00
Justus Winter
574edf61bb
Fix hint. 2024-11-21 16:58:02 +01:00
Justus Winter
7eac986d5f
Improve documentation. 2024-11-21 16:56:50 +01:00
Justus Winter
fea18da98d
New mandatory switches sq key generate <--own-key|--shared-key>.
- When generating keys, either `--own-key` or `--shared-key` has to
  be given.  The former marks the key's user IDs as authenticated
  and makes it a trusted introducer.  The latter marks the key's
  user IDs as authenticated, and marks the key as a group key.

- Fixes #452.
2024-11-21 16:36:39 +01:00
Justus Winter
6e0e4fb502
Improve status messages when publishing a WKD. 2024-11-21 15:57:40 +01:00
Justus Winter
a77389a51c
Fix copying the policy file if no updates happened. 2024-11-21 15:57:40 +01:00
Justus Winter
15c687af00
Make sq network wkd publish work without a cert store.
- Fixes #453.
2024-11-21 15:57:40 +01:00
Neal H. Walfield
4a5ce6603c
Change sq key subkey {password,delete} to work with weak bindings.
- Currently, it is not possible to delete secret key material that
  is only associated with a certificate that is not valid under the
  current policy.  The same goes for changing the password protecting
  the secret key material.

- Users shouldn't have to first update a key's binding signature to
  delete it, or change its password.

- Change `sq key subkey delete` and `sq key subkey password` to use
  the null policy.  This is not a security concern, because even if
  the binding signature is weak, both the certificate and the key
  are explicitly named.

- See #375
2024-11-21 12:14:24 +01:00
Justus Winter
c37bfe5e7b
Rename --notation to --signature-notation.
- This aligns with `sq encrypt --signature-notation` and makes it
  clearer that notations are being put on signatures.

- Fixes #454.
2024-11-21 11:38:59 +01:00
Justus Winter
7753d92f13
Add sq encrypt --signature-notation.
- This adds any relevant flags to `sq encrypt` that are present in
  `sq sign`.

- Fixes #450.
2024-11-20 17:47:18 +01:00
Justus Winter
add58a88ac
Fix examples.
- Fixes 1989acaf7a.
2024-11-20 17:32:38 +01:00
Justus Winter
1989acaf7a
Add missing examples for the network commands.
- Except for `sq version`, and the intermediate subcommands (like
  `sq cert`), all commands now have examples.

- Fixes #196.
2024-11-20 16:53:09 +01:00
Justus Winter
356781e535
Add a builder-style interface to the example framework.
- Also, port the examples for `sq cert export` over, and thin them
  out a little (see #451).
2024-11-20 16:42:43 +01:00
Justus Winter
797ab7a003
Certify newly created keys with a per-host shadow CA.
- This tracks the origin, like we do when we download certificates
  over the network.

- This also has the benefit that newly created keys also show up in
  the cert listing.

- Fixes #377.
2024-11-20 14:13:52 +01:00
Justus Winter
23f4e9150e
Differentiate the help texts for --notation slightly. 2024-11-20 13:54:37 +01:00
Neal H. Walfield
e9155823e7
Fix sq cert lint.
- If there are no certificate designators, we add one for stdin.

- Do this before we inspect the certificate designators.
2024-11-20 13:34:29 +01:00
Neal H. Walfield
5cc0115b9c
Check for the cert / key store before doing work.
- Some commands only access the cert or key store after they do a
  lot of work.  If the cert or key store is disabled, this is
  annoying.

- Change `sq key generate`, `sq cert import`, `sq network search`,
  `sq network keyserver search`, `sq network wkd search`, and `sq
  network dane search` to error out early if they will save
  something to the key store or the certificate, and it is disabled.

- Fixes #264.
2024-11-20 13:32:34 +01:00
Neal H. Walfield
b89041d9d6
Improve no cert store / no key store error messages.
- When there is no certificate or key store, but the command
  requires it, return a `clap::Error` instead of an
  `anyhow::Error` so that the error is formatted better.
2024-11-20 13:26:15 +01:00
Neal H. Walfield
ecfc6711c2
Catch clap errors, and display them better.
- If a command returns a `clap::Error`, format it using clap's
  formatter.
2024-11-20 13:22:51 +01:00
Justus Winter
6688e0a6d7
Rename sq pki vouch certify to sq pki vouch add.
- This makes it consistent with `sq pki link add` and all the other
  commands that add components to certs.

- Fixes #433.
2024-11-20 12:00:23 +01:00
Justus Winter
c4bfad0d15
Make sq key import read from stdin if no files are given.
- This aligns the behavior with `sq cert import`.

- Fixes #445.
2024-11-20 10:34:41 +01:00
Justus Winter
5ed656b789
Move the CLI parser for sq key import to its own module. 2024-11-20 10:22:51 +01:00
Devan Carpenter
da9afcb242
update container examples in readme 2024-11-20 02:12:26 +00:00
Devan Carpenter
f499cc1ddf
make container a single-user environment
this simplifies permissions wrangling when bind mounting to host.
rootless podman is a preferred OCI runtime to docker, wherein superuser
within a container is simulated and not a security concern.
2024-11-20 02:07:59 +00:00
Devan Carpenter
8b49656c74
add dockerignore file
this helps prevent cache poisoning, reducing unnecessary rebuilds
2024-11-20 02:07:59 +00:00
Devan Carpenter
c08c5653cc
add bash completion and manpages to container 2024-11-20 02:07:59 +00:00
Devan Carpenter
864e37ac6c
improve OCI compatibility of Containerfile 2024-11-20 01:37:41 +00:00
Devan Carpenter
84314d4bfa
rename Dockerfile to vendor-neutral Containerfile
Aiming for OCI compatibility, not vendor lock-in

https://lists.podman.io/archives/list/podman@lists.podman.io/thread/DXJBNFCQETRX5M2HQR7IQ4TIMZAK7FG7/
2024-11-20 01:37:40 +00:00
Neal H. Walfield
ebea842729
Change sq network wkd generate to avoid unnecessary churn.
- When updating a WKD in `sq network wkd generate`, if a certificate
  is not changed, don't insert it.

- If no certificates changed, and none were inserted, then don't
  bother copying the WKD back.
2024-11-19 17:56:16 +01:00
Neal H. Walfield
a57f6e1484
Improve sq network wkd generate's error messages. 2024-11-19 17:56:16 +01:00
Neal H. Walfield
a001abd268
Fail if the user tries to create an empty WKD.
- If the user passes `--create` to `sq network wkd publish`, but
  doesn't specify any certificates, fail.  Also, show a hint.

- Fixes #447.
2024-11-19 17:56:08 +01:00
Neal H. Walfield
8805a51e2a
Make sq network wkd publish more chatty.
- Change `sq network wkd publish` to indicate which certificates are
  updated, which ones are unchanged, and which ones are new.

- Note: the messages can be suppressed with `--quiet`.
2024-11-19 17:08:23 +01:00
Neal H. Walfield
0944fa49f7
Make sq network wkd publish more robust.
- When updating a WKD, be careful to not lose updates that are in
  the WKD, but not in the local certificate store.
2024-11-19 17:06:41 +01:00
Neal H. Walfield
be5d7367d1
Fix sq packet join to not panic if there is no input.
- Fix `sq packet join` to not panic if there is no input.  Instead,
  open the output file in the usual manner.
2024-11-19 15:18:38 +01:00
Neal H. Walfield
abda393999
Show an issuer's user ID, if we know it.
- To make it easier to work with signature packets, also include the
  user ID as a comment, if we know it.
2024-11-19 15:18:38 +01:00
Neal H. Walfield
f9ea97c1dd
Rename sq packet split --prefix to --output-prefix.
- To make it easier to recognize that `--prefix` is a variant of
  `--output`, rename it to `--output-prefix`.
2024-11-19 15:18:38 +01:00
Neal H. Walfield
2819efd1cf
Add a hint to sq packet split's output.
- When writing to a file or stdout, add a hint at the beginning of
  the output that the user can edit the file with an editor, and
  then recombine the result using `sq packet join`.
2024-11-19 15:18:37 +01:00
Neal H. Walfield
2ba6037362
Change sq packet split to write to stdout by default.
- Change `sq packet split` to not require `output` or `prefix`, but
  to write to `stdout` by default.

- This is closer to the behavior of other commands.
2024-11-19 15:18:11 +01:00
Neal H. Walfield
fdc963cd59
Improve the "waiting for input on stdin" message.
- Require the caller to indicate what they are waiting for, and
  include that in the warning.

- For instance, `sq decrypt` now says "Waiting for an encrypted
  message on stdin..."
2024-11-19 14:17:04 +01:00
Justus Winter
5f84605a4b
Limit width when wrapping help texts to increase readability. 2024-11-19 13:49:10 +01:00
Justus Winter
14c6c12a96
Use a simpler word separator algorithm to keep URLs intact. 2024-11-19 13:49:10 +01:00
Justus Winter
c35efb18eb
Don't break lines if stderr is not a terminal.
- If piped, e.g. to a pager, wrapping should be disabled.

- Fixes #443.
2024-11-19 13:49:10 +01:00
Justus Winter
1806a215aa
Don't limit the width of emitted text.
- Previously, we limited the width to 100 characters in an effort to
  improve readability.  Arguably, that is interfering with the
  wishes of the users that use wider terminals.

- The alternative is to structure the human-readable output in such
  a way that overly long lines do not occur, but when they do occur,
  they can be displayed as is.

- See #443.
2024-11-19 13:42:20 +01:00
Justus Winter
19401ef551
Remove sq toolbox extract-cert.
- Fixes #389.
2024-11-19 13:39:46 +01:00
Justus Winter
784e011922
Remove test framework for toolbox strip-userid.
- Fixes e61a03f863.
2024-11-19 13:39:46 +01:00
Justus Winter
e1da05bc6f
Fix hints to do packet dump.
- Fixes d46844ca35.
2024-11-19 13:39:46 +01:00
Neal H. Walfield
f5160e4b68
Change sq decrypt to not use rpassword directly.
- `sq decrypt` calls rpassword::prompt_password.  Change it to use
  our wrapper functions, which also support skipping a key.
2024-11-19 12:45:07 +01:00
Neal H. Walfield
d9d3da6e1e
Change sq decrypt to respect --batch.
- `sq decrypt` prompts for a password even if the user specified
  `--batch`.

- Fix it to not prompt the user when the user provides `--batch`.
2024-11-19 12:45:02 +01:00
Justus Winter
424c7a020d
Make sq cert lint read from stdin again.
- Reverts 22cc90e11f.

- Fixes #257.
2024-11-19 12:13:09 +01:00
Justus Winter
d8082ce99e
Only display hint for live certs. 2024-11-19 11:58:16 +01:00