938 Commits

Author SHA1 Message Date
Justus Winter
2604bf2e9c
Fix documentation. 2024-10-18 16:32:31 +02:00
Justus Winter
d07e387eab
Rename sq verify --signer-cert to --signer.
- Fixes #372.
2024-10-18 16:32:11 +02:00
Justus Winter
b2f0e579ba
Simplify crate::load_keys. 2024-10-18 16:17:06 +02:00
Justus Winter
a3d2becc90
Simplify crate::load_certs. 2024-10-18 16:15:37 +02:00
Justus Winter
2a40afef11
Add --all flag to sq network wkd publish and dane generate.
- Fixes #273.
2024-10-18 16:01:51 +02:00
Justus Winter
361e68a248
Use imperative mood to describe the cert and user ID designators. 2024-10-18 14:49:59 +02:00
Justus Winter
75577c65c0
Make sq --home=default work.
- Home::new(None) doesn't select the default location, it honors
    SEQUOIA_HOME.
2024-10-18 14:49:58 +02:00
Justus Winter
cea028e582
Remove sq network dane generate --skip.
  - This didn't do what it said on the tin (it said to skip expired
    certs, but Cert::with_policy doesn't care about expiration).
    Further, asking to publish a cert that doesn't have a user ID in
    that domain should probably just be an error.

  - Previously, the now removed `sq network wkd generate` command also
    had a `--skip` flag, but the replacement `sq network wkd publish`
    never had that flag.

  - Fixes #371.
2024-10-18 14:49:57 +02:00
Neal H. Walfield
f934cd2e31
Move sq pki list to sq cert list.
  - Move the command `sq pki list` to `sq cert list`.

  - See #358.
2024-10-18 12:17:50 +02:00
Neal H. Walfield
1f50f6fd79
Rename test files.
- Rename test files to reflect the commands they are testing.
2024-10-18 09:47:39 +02:00
Neal H. Walfield
a779fbb277
Add a test.
- `sq pki link authorize` certifies all self-signed user IDs when
    no user IDs are provided.  Add a test that checks that it silently
    ignores invalid self-signed user IDs (e.g., revoked user IDs) in
    this case.
2024-10-18 09:45:08 +02:00
Neal H. Walfield
9ad9355ed4
Don't try to certify invalid user IDs.
- `sq pki vouch authorize` certifies all self-signed user IDs when
    no user IDs are provided.  Change it to silently ignore invalid
    self-signed user IDs (e.g., revoked user IDs) in this case.
2024-10-18 09:41:07 +02:00
Neal H. Walfield
df727ab861
Make it easier to debug failing examples.
- When testing an example, print out where it came from so that it
    is easier to find.
2024-10-18 08:49:11 +02:00
Neal H. Walfield
9d2d34b990
Move sq pki {certify,authorize} under sq pki vouch.
  - Move `sq pki certify` and `sq pki authorize` under `sq pki vouch`.

  - This mirrors `sq pki link`.
2024-10-18 08:49:07 +02:00
Neal H. Walfield
609c5aab16
Split authorization functionality out of sq pki link add.
  - Split authorization functionality out of `sq pki link add` into a
    new command, `sq pki link authorize`.

  - Align `sq pki link authorize`'s arguments with `sq pki authorize`
    arguments.
2024-10-17 16:42:35 +02:00
Neal H. Walfield
cd7b79dbae
Generalize helper function.
- Generalize `Sq::pki_link_add` and `Sq::pki_link_add_maybe` to take
    zero or more user IDs.
2024-10-17 16:41:57 +02:00
Neal H. Walfield
2e8833bb1a
Reorder sq pki link add's options.
- Reorder `sq pki link add`'s arguments so that they appear in a more
    logical order when reading `--help` (required arguments first,
    then grouped and approximately ordered by how often they are
    likely to be used).
2024-10-17 16:41:57 +02:00
Neal H. Walfield
92d6303b09
Dedup user IDs.
- Change `UserIDDesignators::resolve` to dedup the user IDs.
2024-10-17 16:41:57 +02:00
Justus Winter
d1a10b9346
Identify common user errors when verifying detached signatures.
  - And try to give helpful advice.

  - Fixes #162.
2024-10-17 15:02:08 +02:00
Justus Winter
7c1296da56
Fix example description. 2024-10-17 15:02:07 +02:00
Justus Winter
0789cd57db
Make inspect return the kind of data it thinks it is looking at. 2024-10-17 15:02:06 +02:00
Neal H. Walfield
50085f3c50
Port sq pki link retract to the user ID designator framework.
- Change `sq pki link retract` to use the user ID designator
    framework.
2024-10-16 13:40:00 +02:00
Neal H. Walfield
d2f762ed36
Don't require --add-userid if that option isn't enabled.
  - `UserIDDesignators::resolve` required the `--add-userid` option be
    present to designate a non-self-signed user ID.

  - Relax this requirement if the `--add-userid` option is not
    enabled.
2024-10-16 13:40:00 +02:00
Neal H. Walfield
f2566473e1
Improve output when retracting a link. 2024-10-16 12:38:24 +02:00
Neal H. Walfield
386992f14f
Fix sq pki link retract when retracting all certifications.
- When retracting all certifications, don't just retract
    certifications on the self-signed user IDs, retract them on all
    user IDs.
2024-10-16 12:38:22 +02:00
Neal H. Walfield
43db8fa44c
Check all user IDs, not just self-signed user IDs.
- When checking if a user ID was already signed, don't just check
    valid self-signed user IDs.
2024-10-16 12:36:45 +02:00
Neal H. Walfield
7dee04b9b3
Align sq pki link add's user ID specification with sq pki certify.
- Align how user IDs are specified using `sq pki link add` with `sq
    pki certify`.  Specifically, add a `--add-userid` argument and
    remove the `--petname` argument.
2024-10-15 17:32:29 +02:00
Neal H. Walfield
f0bfdfd1cd
Remove sq pki link retract's positional argument for specifying a user ID.
  - `sq pki link retract` has a positional argument for specifying a user
    ID directly or by email address.  Remove it in favor of the named
    arguments, `--userid` and `--email`.

  - See #318.
2024-10-15 17:32:25 +02:00
Neal H. Walfield
dd75de8178
Remove sq pki link add's positional argument for specifying a user ID.
  - `sq pki link add` has a positional argument for specifying a user
    ID directly or by email address.  Remove it in favor of the named
    arguments, `--userid` and `--email`.

  - See #318.
2024-10-15 17:31:49 +02:00
Neal H. Walfield
34df026d87
Change sq pki link retract to use a named argument for the certificate.
  - `sq pki link retract` uses a positional argument to specify the
    certificate to retract.  Change it to be a named argument, `--cert`.

  - See #318.
2024-10-15 17:30:57 +02:00
Neal H. Walfield
bc075f9328
Change sq pki link add to use a named argument for the certificate.
  - `sq pki link add` uses a positional argument to specify the
    certificate to link.  Change it to be a named argument, `--cert`.

  - See #318.
2024-10-15 17:30:22 +02:00
Justus Winter
0a55f6cdc4
Add sq cert export --local to export non-exportable sigs.
- Fixes #185.
2024-10-15 16:04:58 +02:00
Justus Winter
8fc420ddac
Show more information about downloaded certificates.
- Fixes #189.
2024-10-15 14:43:33 +02:00
Justus Winter
d2df48da93
Support indentation parameters in qprintln. 2024-10-15 14:43:33 +02:00
Justus Winter
fda522a13e
Fix hint. 2024-10-15 14:43:33 +02:00
Neal H. Walfield
a9d419973c
Check that we don't certify our own certificate.
  - `sq pki certify` and `sq pki authorize` are for creating
    third-party certifications.

  - Error out if the certifier is the same as the certificate being
    certified.
2024-10-15 12:55:56 +02:00
Neal H. Walfield
2caba0758e
Refactor user ID resolution.
  - Add `UserIDDesignators::resolve` to resolve user ID designators
    for a given certificate.

  - Use it from `sq pki certify` and `sq pki authorize`.
2024-10-15 12:49:52 +02:00
Neal H. Walfield
1a32d11c8f
Add a user ID designator abstraction.
  - Add a new type, `UserIDDesignators`, which can be flattened into a
    clap subcommand, and exposes one or more user ID designator
    arguments (`--userid`, `--email`), and an optional `--add-userid`
    flag.

  - Change `sq pki certify` and `sq pki authorize` to use it.
2024-10-15 12:15:49 +02:00
Neal H. Walfield
f11b3f6b59
Extend sq pki authorize to constrain by domain.
- Constraining an introducer by regex is error prone.  Add an option
    to `sq pki authorize` to constrain an introducer by domain name.
2024-10-14 17:46:18 +02:00
Neal H. Walfield
d303694e9d
Move the domain to regex conversion functionality to common.
- Move the code that converts a domain to a regular expression in
    `src/commands/pki/link.rs` to `src/common/pki/certify.rs`.
2024-10-14 17:46:18 +02:00
Neal H. Walfield
712bb1991b
Don't specify value_name twice for a single argument. 2024-10-14 17:46:18 +02:00
Neal H. Walfield
22284ed9b1
Add new subcommand sq pki authorize.
  - Previously `sq pki certify` could create certifications, and mark
    a certificate as a trusted introducer (when the user set `--depth`
    to be greater than zero).  Anecdotal evidence indicates that
    combining these two actions in a single command is confusing.

  - Split the latter functionality off, and put it in a new subcommand,
    `sq pki authorize`.

  - See https://gitlab.com/sequoia-pgp/sequoia-sq/-/issues/249#note_1865470753
2024-10-14 17:46:18 +02:00
Neal H. Walfield
bea0a5b732
Generalize Sq::pki_certify to certify multiple user IDs at once.
- Generalize `Sq::pki_certify` to certify multiple user IDs at once.
2024-10-14 17:46:18 +02:00
Neal H. Walfield
8ecae27594
Reorder sq pki certify's options.
- Reorder `sq pki certify`'s arguments so that they appear in a more
    logical order when reading `--help` (required arguments first,
    then grouped and approximately ordered by how often they are
    likely to be used).
2024-10-14 17:46:17 +02:00
Neal H. Walfield
3d63b8de96
Change sq pki certify to use a named argument for the certificate.
  - `sq pki certify` uses a positional argument to specify the
    certificate to certify.  Change it to be a named argument, either
    `--cert`, or `--cert-file`.

  - See #318.
2024-10-14 17:46:12 +02:00
Neal H. Walfield
e40181bb57
Extend the cert designator framework to support required arguments.
  - Rename the `CertDesignators`'s generic type `Options` to
    `Arguments` and add a generic type `Options`.

  - Define two options, `OneValue`, and `OptionalValue`.

  - When creating an argument group make the group required by
    default (i.e., at least one argument from the group must be given).
    If `OneValue` is set, disallow more than one value.  If
    `OptionalValue` is set, allow zero values.
2024-10-14 17:13:08 +02:00
Neal H. Walfield
b40f545a24
Change sq pki certify to use a named argument for the user ID.
  - `sq pki certify` uses a positional argument to specify the user
    ID to certify.  Change it to be a named argument, either
    `--userid`, or `--email`.

  - This changes the meaning of `--email` from a flag that changes how
    `--userid` interprets its argument, to an argument.

  - This also allows multiple user IDs to be specified at once.

  - See #318.
2024-10-14 17:13:08 +02:00
Neal H. Walfield
4a3c360f41
Refactor sq pki certify, sq pki link add and sq pki link retract.
  - Pull similar functionality out of the implementation of `sq pki
    certify`, `sq pki link add`, and `sq pki link retract`, and put it
    in a new module, `common::pki::certify`.

  - This slightly changes the human readable output.
2024-10-14 17:13:08 +02:00
Neal H. Walfield
56b8065b82
Add a None variant to the TrustAmount enum. 2024-10-14 17:07:57 +02:00
Neal H. Walfield
0e8ae33b22
Simplify the active_certification utility function.
- `active_certification` takes a fingerprint, and looks up the
    corresponding certificate in the certificate store.  But, all
    callers already have the certificate.  Avoid a lookup by taking a
    reference to the certificate.
2024-10-14 17:07:57 +02:00