- Add a new parameter to `sq pki link add`, `sq pki link authorize`,
and `sq pki link retract`, `--cert-special`, which allows addressing
shadow CAs by symbolic names.
- If the shadow CA doesn't exist yet, we create it.
- This means `sq pki link authorize --cert-special keys.openpgp.org
--all --unconstrained` can be used to fully trust the
`keys.openpgp.org` key server, for instance. This is more
convenient, and especially useful for documentation.
- Fixes #337.
- Invoking it now requires the `--experimental` flag. This is a
template that we may use to introduce features into sq with a bit
of a chance to stabilize it over time.
- Fixes #455.
- Add a configuration file for sq, and sq config get to
programmatically query configuration values, and sq config template
to create a template as a starting point for a custom configuration
file.
- As a first step, the following things have been made configurable:
- The cipher suite for key generation.
- The set of keyservers.
- The cryptographic policy, which can be sourced from an external
file as well as modified inline.
- If there is no configuration file, sq config template can be used to
create a template for the user to modify.
- If a default has been overridden using the configuration file,
sq's --help output is augmented with the configured value.
- When generating keys, either `--own-key` or `--shared-key` has to
be given. The former marks the key's user IDs as authenticated
and makes it a trusted introducer. The latter marks the key's
user IDs as authenticated, and marks the key as a group key.
- Fixes #452.
- This tracks the origin, like we do when we download certificates
over the network.
- This also has the benefit that newly created keys also show up in
the cert listing.
- Fixes #377.
- Change `sq packet split` to not require `output` or `prefix`, but
to write to `stdout` by default.
- This is closer to the behavior of other commands.
- Rename `--add-userid` to `--userid-or-add`, `--add-email` to
`--email-or-add`, and `--add-name` to `--name-or-add`. The new
names better reflect the semantics: we first try to select a user
ID based on the designator, and then fall back to adding it as is.
- When a user ID designator designates a user ID that is not
self-signed, and the command would add it to the certificate, check
that it is in canonical form.
- The relevant commands are: `sq key userid revoke`, `sq pki link
add`, `sq pki link authorize`, `sq pki vouch certify`, and `sq pki
vouch authorize`
- Allow the user to disable the check with a new flag,
`--allow-non-canonical-userids`.
- Fixes #437.
- Port `sq cert list`, `sq pki authenticate` and `sq pki lookup` to
the user ID designator framework. See #434.
- This changes the user ID parameter from a positional parameter
to a named parameter, and drops the `--email` flag. See #318.
- Port `sq pki authenticate` and `sq pki identify` to the cert
designator framework. See #207.
- This changes the certificate parameter from a positional parameter
to a named parameter. See #318.
- Previously, the file name was constructed from the path of the
input file, using some transformations that may be considered
surprising (notably, the file name of unspecified encoding was
transformed into UTF-8 using a lossy mechanism).
- Avoid this opaque transformation by taking an explicit string
argument.
- Fixes #351.
- The literal data packet's time field is problematic for a variety
of reasons. The previous timestamp interface allows a number of
time sources (ctime, mtime, message time (that is way better
encoded in the signature creation time), explicit timestamp), but
the information about what kind of timestamp this should be is
lost when the time is encoded, without warning.
- Remove it.
- See #351.
- Port `sq key userid revoke` to the user ID designator framework.
See #434.
- This replaces the `--add-userid` flag with the `--add-userid`,
`--add-email` and `--add-name` arguments. See #318.
- This change also makes a user ID mandatory, which fixes #428.
- Commands like `sq pki vouch certify` allow designating a user ID
by email address. Currently, if multiple self-signed user IDs
include the specified email address, all are used. Change the
semantics of `--email` and `--add-email` to only match
unambiguously.
- Fixes #309.
- `sq pki link add`, `sq pki link authorize`, `sq pki vouch
certify`, and `sq pki vouch authorize` have a `--add-userid` flag.
- Replace the `--add-userid` flag with an `--add-userid` argument,
and an `--add-email` argument.
- This change means that a flag does not change how an argument is
interpreted. It also makes it more explicit whether a user ID
should be added, because `--userid` and `--email` could be given
multiple times.
- See #309 and #318.
- Replace the flag `sq --no-cert-store` with `sq
--cert-store=none`.
- Replace the flag `sq --no-key-store` with `sq --key-store=none`.
- Similarly, `sq --home=none` disables all state, unless explicitly
re-enabled using `--cert-store` or `--key-store`.
- Fixes #427.
- The flag `sq sign --detached` is now called `sq sign
--signature-file`.
- The flag `sq sign --clearsign` is now called `sq sign
--cleartext`.
- Both `sq sign` and `sq verify` now require an explicit mode,
one of `--signature-file`, `--message`, or `--cleartext`.
- Fixes #430.
- Add a DWIM search parameter to `sq key list`. If the pattern
appears to be a fingerprint or key ID, treat it as if it were passed
to `--cert` and match on the certificate's fingerprint. Otherwise,
treat it as if it were passed via `--grep`, and match on user IDs.
- This aligns `sq key list` with `sq cert list`.
- See #293.
- Previously, the signers cert designators added to the set of certs
in the store, and marked them as trusted.
- Change this so that only the designated certs are used to verify
the signatures, and they are marked as trusted. This allows
useful semantics like requiring a signature from a set of
explicitly provided signers.
- If no signers are designated, the cert store is consulted.
- Fixes #248.
- We want a top-level `help` subcommand, but we don't want
subcommand groups (like `sq pki`) to have a `help` subcommand.
Users get used to being able to use `help` instead of `--help`,
and then are confused when `sq pki authenticate help` (i.e., using
the `help` subcommand on an action) doesn't work.
- Fixes #418.
- Add a new argument, `--cli-version`, which the user can use to
request a particular semver-compatible version of the CLI.
- This enables breaking changes to the CLI, and enables `sq` to
support multiple CLI versions.
- Fixes #75.
- `sq key subkey export` currently takes a list of keys to export.
This is ambiguous if a key is associated with multiple certificates.
- Add a new required parameter, `--cert`, which specifies what
certificate to export. The specified keys must be attached to that
certificate under the NULL policy.
- This change means that `sq key subkey export` can only export a
single certificate at a time.
- As the implementations of `sq key export` and `sq key subkey
export` have diverged, don't try to consolidate them any more.
- Fixes #386.
- When working with older messages, it may be necessary to use a
different cryptographic policy. Add an option, `--policy-as-of`, to
select the cryptographic policy that was in effect at the specified
time.
- Fixes #123.
Co-authored-by: Neal H. Walfield <neal@sequoia-pgp.org>