IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
When providing `--with-password` to `sq key subkey add`, prompt the user
for a password, which will be added to encrypt the new subkey.
If the option is not provided and the key material is encrypted, the
password of the primary key is used.
When decrypting encrypted key material in `get_keys()` first attempt to
use passwords previously provided and only afterwards prompt the user
for a password.
Without providing a password to the `KeyBuilder` and setting a primary
key signer for the `SubKeyBuilder`, it is not possible to add a new
subkey to a certificate with encrypted secret key material.
Adapt the helper function `get_primary_keys()` to return the optional
`Password` as provided by the user input, so that it may be used when
attaching a new subkey.
* New functionality
- `sq key subkey add` allows to create and add a new subkey to an
existing certificate.
- The functionality of `sq-keyring-linter` is now available as
`sq keyring lint`.
- The new subcommands `sq key revoke`, `sq key subkey revoke` and
`sq key userid revoke`, allow writing to a file using the
`--output` option.
* Notable changes
- The `--keyring` option is now global and can be specified anywhere
when calling `sq`.
* Deprecated functionality
- The `--expires` and `--expires-in` options used in various
subcommands are deprecated in favor of the unifying `--expiry`.
- `sq key generate --export FILE` is deprecated in favor of the more
generic `sq key generate --output FILE`.
- The `sq revoke certificate` command has been renamed to `sq key
revoke`.
- The `sq revoke subkey` command has been renamed to `sq key subkey
revoke`.
- The `sq revoke userid` command has been renamed to `sq key userid
revoke`.
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes#93
This commit is mostly a copy over from the keyring-linter repository,
with a few changes included to make it work in the sq codebase. These
changes are:
- replaced calls to atty with calls to is-terminal. This was done due
to is-terminal already being in the dependency tree of sq, and atty
being unmaintained.
- replace ansi_term with termcolor, because ansi_term is unmaintained
- removed a few things from the keyring linter, that were also present
in sq itself, to avoid duplication. This included the reference time
parameter, key decryption and IO handling
- added output file and binary parameters to the linter, so that I
could handle output the same as the other commands do
- As clap can not use `Default` as advertised for certain types [1], use
`Option<FileOrStdout>` instead in cases where the default is to import
to cert-store. Semantically, this works as before: By default import
to cert-store, when providing "-" output to stdout and when providing
a file name output to the file.
- Since `FileOrCertStore` can not wrap any other type under the given
circumstances, turn it into an empty struct that only implements
`ClapData` to provide static strings for the clap setup.
- Adapt the help message for `FileOrCertStore` to mention, that
providing "-" leads to output on stdout.
Fixes#133
[1] https://github.com/clap-rs/clap/issues/4558
Instead of using a non-uniform `--export` for `sq key generate` to
indicate the file path to output to, rely on the generic `--output`,
provided by `sq_cli::types::FileOrStdout`.
- Replace `sq_cli::types::IoArgs` with the more granular
`sq_cli::types::FileOrStdin`, `sq_cli::types::FileOrCertStore` and
`sq_cli::types::FileOrStdout`.
- Replace all generic `input` (describing single files) and `output`
arguments with the respective new facilities to share code and not
repeat ourselves.
- Replace the `open_or_stdin()` function with `FileOrStdin::open()`.
- Replace the `create_or_stdout()` function with the private
`FileOrStdout::create()`, so that it can not be called directly.
- Replace the `emit_unstable_cli_warning()`
and `create_or_stdout_unsafe()` functions with
`FileOrStdout::create_unsafe()`.
- Replace the `create_or_stdout_safe()` function with
`FileOrStdout::create_safe()`.
- Replace the `create_or_stdout_pgp()` function with
`FileOrStdout::create_pgp_safe()`.
- Remove the field `unstable_cli_warning_emitted` from `Config`, as
it is replaced by the static `UNSTABLE_CLI_WARNING`, which allows for
tracking whether a warning has been emitted across several instances
of `FileOrStdout`.
- Replace `Option<String>` and `Vec<String>` based CLI options dealing
with files with `Option<PathBuf>` and `Vec<PathBuf>` based ones
(respectively).
This allows us to unify the use of input and output facilities using
globally available CLI options while ensuring (cross-platform) type
safety.
- Set the `--keyring` option to be globally available, allowing it to
be added anywhere on the commandline and not just as first parameter
before any subcommand.
- Replace the `Vec<String>` based `--keyring` option for `sq key adopt`
with the now globally available `Vec<PathBuf>` based `--keyring`
option and adopt the code accordingly.
- Add instructions on how to build the `sq` executable and its shell
completions.
- Add information on how to generate the man pages using the `SQ_MAN`
environment variable.
- Disable printing of info about `clap_mangen` generated man pages,
since they still lack features and are partially incorrect.
Make a specific connection between "both" and "universal", so that the
user has an easier time to infer, that with choosing "universal" both
encryption purposes are added.
Use `sq_cli:🔑:CipherSuite::as_ciphersuite()` in `sq key` subcommand
to derive a valid `openpgp::cert::CipherSuite` from a variant of
`sq_cli:🔑:CipherSuite`.
- Change the behavior of the `sq certify`, `sq key generate` and `sq
link add` subcommands to rely on a single `--expiry` input argument
(same as `sq key subkey generate`), which replaces `--expires` and
`--expires-in`. This allows to directly parse a specific ISO 8601
timestamp, a custom duration or `"never"` and create a verified data
type that can be used further.
- Use `Expiry::as_duration()` in `sq certify` and `sq key`
subcommands to calculate the validity (duration until expiration) of
certifications and keys.
- Add the constants `KEY_VALIDITY_IN_YEARS` and
`THIRD_PARTY_CERTIFICATION_VALIDITY_IN_YEARS` to `sq_cli` to allow
centralized modifications of the default validity duration of keys and
certifications (in years).
- Add the constants `KEY_VALIDITY_DURATION` and
`THIRD_PARTY_CERTIFICATION_VALIDITY_DURATION` to provide
the default `Duration` for keys/subkeys and third party
certifications (based on `KEY_VALIDITY_IN_YEARS` and
`THIRD_PARTY_CERTIFICATION_VALIDITY_IN_YEARS`).
- Add `sq key subkey add` to allow to add a newly generated `SubKey` to
an existing key.
- Add `sq_cli::types::Expiry` to allow providing expiry with a
single `--expiry` input argument, that covers providing an ISO 8601
timestamp, a custom duration and "never".
- Add impl block for `sq_cli:🔑:CipherSuite` to allow returning a
`sequoia_openpgp::cert::CipherSuite`.
Move the constants `SECONDS_IN_DAY` and `SECONDS_IN_YEAR` to the CLI
module so that they can be used there and export them in the top-level
module agaian so that they can be used elsewhere as well.
Move the code for `adopt`, `attest-certifications`, `extract-cert`,
`generate`, `password` and `userid` subcommands to their respective
own modules.
This separates the various features from one another and makes adding
new features less unwieldy.
* Changes in 0.30.1
* Notable changes
- The `crypto-botan` feature now selects Botan's v3 interface. Use
the new `crypto-botan2` feature to continue using Botan's v2
interface.
* Notable fixes
- Several parser bugs were fixed in sequoia-openpgp 1.16.0 and
buffered-reader 1.2.0. These are all low-severity as Rust
correctly detects the out of bounds access and panics. Update
Cargo.lock to make sure we use these versions.
- sequoia-openpgp 1.16 changed `sequoia-openpgp/crypto-botan` to
build against Botan's v3 interface, and exposed
`sequoia-openpgp/crypto-botan2` to build against the v2 interface.
- Do the same. Add a `crypto-botan2` feature to allow the user to
build against Botan's v2 interface.
- Add `deny.toml` for `cargo deny` with advisory error for `RUSTSEC-
2020-0071` disabled as it does not affect chrono (or us for that
matter).
Allow multiple versions as there is not much we can do about those
anyways and it clutters the output immensely.
Add all currently used licenses to allow list.
Deny the use of `ring` as it does not have a responsible disclosure
policy: https://github.com/briansmith/ring#bug-reporting
- Run `cargo deny` as further `test` step in GitLab CI, so that it is
among the last things that may fail in a merge request.
Installing sq from crates.io (cargo install sequoia-sq) was broken by a
semver-compatible change in Tera. Running cargo test uses the lockfile
and isn't affected.
This has the side benefit of reducing dependency bloat, the baseline
depends on check/build/build --release but in the case of a non-release
build the dependency count goes from 403 to 315.
Fixes#2.
The subplot/tera issue was likely triggered by this change in tera
1.18: <https://github.com/Keats/tera/pull/799>.
- Add the top-level option `--pep-cert-store` and the environment
variable `PEP_CERT_STORE`, which allow users to use pEp
certificate stores.
- By default, no pEp certificate store is used. Users can however
put `export PEP_CERT_STORE=$HOME/.pEp` in their `.bashrc` file, for
instance, to turn it on.
