Commit Graph

86 Commits

Author SHA1 Message Date
Neal H. Walfield
34df026d87
Change sq pki link retract to use a named argument for the certificate.
- `sq pki link retract` uses a positional argument to specify the
    certificate to retract.  Change it to be a named argument, `--cert`.

  - See #318.
2024-10-15 17:30:57 +02:00
Neal H. Walfield
bc075f9328
Change sq pki link add to use a named argument for the certificate.
- `sq pki link add` uses a positional argument to specify the
    certificate to link.  Change it to be a named argument, `--cert`.

  - See #318.
2024-10-15 17:30:22 +02:00
Neal H. Walfield
f11b3f6b59
Extend sq pki authorize to constrain by domain.
- Constraining an introducer by regex is error prone.  Add an option
    to `sq pki authorize` to constrain an introducer by domain name.
2024-10-14 17:46:18 +02:00
Neal H. Walfield
22284ed9b1
Add new subcommand sq pki authorize.
- Previously `sq pki certify` could create certifications, and mark
    a certificate as a trusted introducer (when the user set `--depth`
    to be greater than zero).  Anecdotal evidence indicates that
    combining these two actions in a single command is confusing.

  - Split the latter functionality off, and put it in a new subcommand,
    `sq pki authorize`.

  - See https://gitlab.com/sequoia-pgp/sequoia-sq/-/issues/249#note_1865470753
2024-10-14 17:46:18 +02:00
Neal H. Walfield
3d63b8de96
Change sq pki certify to use a named argument for the certificate.
- `sq pki certify` uses a positional argument to specify the
    certificate to certify.  Change it to be a named argument, either
    `--cert`, or `--cert-file`.

  - See #318.
2024-10-14 17:46:12 +02:00
Neal H. Walfield
b40f545a24
Change sq pki certify to use a named argument for the user ID.
- `sq pki certify` uses a positional argument to specify the user
    ID to certify.  Change it to be a named argument, either
    `--userid`, or `--email`.

  - This changes the meaning of `--email` from a flag that changes how
    `--userid` interprets its argument, to an argument.

  - This also allows multiple user IDs to be specified at once.

  - See #318.
2024-10-14 17:13:08 +02:00
Justus Winter
e2fbc4b9b5
Rename sq network fetch to search, likewise hkp, WKD, and DANE.
- Rename `sq network fetch` to `sq network search` to emphasize that
    this is key discovery, and may return related or even wrong results.
    Likewise for the key server, WKD, and DANE methods.

  - See #296.
2024-10-14 10:50:11 +02:00
Justus Winter
72de5d1234
Make --rev-cert argument mandatory if --output has been given.
- Fixes #132.
2024-10-11 16:55:35 +02:00
Justus Winter
8f337bbd1e
Remove sq network keyserver publish --require-all.
- This should be the default, and ignoring errors should be done
    explicitly by the caller.

  - Fixes #359.
2024-10-11 16:11:58 +02:00
Justus Winter
b885328662
Make sq toolbox keyring filter --handle robust.
- By splitting `--handle` into `--cert` and `--key`, where the
    former only matches on primary keys, and the latter matches on
    both primary keys and subkeys.

  - Fixes #287.
2024-10-09 16:58:04 +02:00
Neal H. Walfield
62d7813900
Change sq pki certify to reject expired and revoked certs.
- It was possible to use `--allow-not-alive-certifier` and
    `--allow-revoked-certifier` to force `sq pki certify` to use
    expired and revoked certificates.

  - Consistent with the principle that `sq` should support a lot, but
    not everything, remove them.

  - Fixes #365.
2024-10-09 14:57:02 +02:00
Justus Winter
54b0613e19
Add an explicit output parameter for sq toolbox packet split.
- Fixes #357.
2024-10-08 16:14:13 +02:00
Justus Winter
6517b63378
Rename environment variables to override cert and key store.
- This makes them more consistent with the other environment
    variables SEQUOIA_HOME and SEQUOIA_CRYPTO_POLICY.

  - Fixes #364.
2024-10-08 16:14:09 +02:00
Justus Winter
20df76538e
Rename sq encrypt --recipient to sq encrypt --for`.
- Fixes #356.
2024-10-04 11:54:53 +02:00
Justus Winter
ba121b2339
Rename --recipient-cert to --recipient.
- Fixes #355.
2024-10-04 11:16:33 +02:00
Justus Winter
20fb370de7
Rename --signer-key to --signer.
- See #355.
2024-10-04 11:16:24 +02:00
Justus Winter
dff6664f47
Rename the global --force flag to --overwrite.
- This flag now only controls whether existing files are
    overwritten.

  - Fixes #31.
2024-10-02 18:42:31 +02:00
Justus Winter
80d51a9a87
New flag sq pki link add --recreate instead of --force.
- Likewise for `sq pki link retract --recreate`.

  - See #31.
2024-10-02 18:40:29 +02:00
Justus Winter
527e207067
New flag sq key userid revoke --add-userid instead of --force.
- See #31.
2024-10-02 18:37:28 +02:00
Justus Winter
63ae7dbb8c
Rename sq verify --detached to sq verify --signature-file.
- Fixes #255.
2024-10-02 17:37:35 +02:00
Justus Winter
c079a350b4
Add missing NEWS entry. 2024-10-02 16:03:55 +02:00
Justus Winter
a2440d7cf0
Introduce a switch to select the type of DNS resource records.
- Fixes #353.
2024-10-02 11:31:19 +02:00
Neal H. Walfield
99689fd405
When adopting a key, if the creation time is unset, set it.
- When adopting a bare key, the creation time is the Unix epoch.
    If the user doesn't manually override this using
    `--creation-time`, use the current time (while respecting
    `--time`).
2024-09-26 13:07:28 +02:00
Neal H. Walfield
6451e0416f
Add the --creation-time argument to sq key adopt.
- Add an argument to `sq key adopt`, `--creation_time`, to allow the
    user to override the key's creation time.
2024-09-26 13:06:34 +02:00
Neal H. Walfield
5ec89e8abe
Allow modifying the key flags when adopting a key.
- Add `--can-sign`, `--cannot-sign`, `--can-authenticate`,
    `--cannot-authenticate`, `--can-encrypt`, `--cannot-encrypt` to `sq
    key adopt`, which modify the key flags of the adopted key.
2024-09-26 13:05:36 +02:00
Neal H. Walfield
331da9d600
Don't require a key being adopted to have a binding signature.
- Change `sq key adopt` to not require the key that is being adopted
    to have a binding signature.

  - This allows adopting "bare keys," i.e., a certificate consisting
    of just a primary key.  Bare keys are useful when working with raw
    keys, e.g., keys generated on an OpenPGP card, a TPM device, etc.
    To add them to a certificate, they just need to be wrapped in a
    minimal amount of OpenPGP framing; no signatures are required.

  - Fixes #25.
2024-09-26 13:05:36 +02:00
Justus Winter
f88b433d8b
Move implementation, add NEWS entry.
- Fixes e2d5bc1de4.
2024-09-24 15:10:29 +02:00
Neal H. Walfield
cee60e89df
Make sq cert export more consistent with other commands.
- Unlike other commands, `sq cert export`'s `--cert` argument only
    matches on the certificate's key handle (i.e., the primary key's
    key handle).  It also has a `--key` argument to match on the
    primary key's key handle or a subkey's key handle, which are
    the semantics of the `--cert` argument for other commands.

  - Change the semantics of `--cert` to that of `--key`, i.e., change
    `--cert` to also match on subkey key handles.  Remove the `--key`
    argument since it is now redundant.
2024-08-22 11:13:54 +02:00
Justus Winter
3836dcdbae
Add missing NEWS item for sq key approvals list. 2024-08-16 17:35:07 +02:00
Neal H. Walfield
cd8283d851
Prompt for a password by default.
- Change `sq key generate` and `sq key subkey add` to prompt for a
    password by default.

  - Fixes #226.
2024-08-14 18:19:14 +02:00
Neal H. Walfield
93344e71a6
New subcommand sq key subkey export.
- `sq key export` can either export all keys associated with a
    certificate or individual keys.

  - Split the subkey-related functionality out of `sq key export` and
    into the new subcommand `sq key subkey export`

  - Fixes #294.
2024-08-14 15:21:30 +02:00
Justus Winter
20eb29930f
Remove the dot output.
- The dot output does not fit into the output framework: it can only
    describe graphs, and most of what sq emits are not graphs.  Once
    sq gains machine-readable output, the current functionality can be
    implemented by emitting the graph data as machine-readable data,
    then transforming it into dot.

  - Fixes #290.

  - Fixes #137.
2024-08-14 14:29:04 +02:00
Justus Winter
b2d7f48230
Add missing NEWS items. 2024-08-14 14:29:04 +02:00
Neal H. Walfield
a92ab98f4f
New subcommand sq key subkey password.
- Add a new subcommand, `sq key subkey password`, which changes the
    password protecting the secret key material of a primary key or a
    subkey.

  - Fixes #106.
2024-08-13 10:08:04 +02:00
Justus Winter
87806baf6a
Implement sq network wkd publish. 2024-07-11 14:52:35 +02:00
Neal H. Walfield
9b991045ca
New subcommand sq key subkey delete to delete secret key material. 2024-07-05 09:50:37 +02:00
Neal H. Walfield
ae392296f5
Add a top-level --password-file argument to seed the password cache.
- `sq key password`, and `sq sign --symmetric` have local arguments
    to seed the password cache.

  - Many commands could benefit from similar functionality.

  - Add a new top-level argument, `--password-file`, to seed the
    password cache.
2024-06-13 11:39:09 +02:00
Neal H. Walfield
2ed7435b63
Rename sq key password's --clear argument to --clear-password.
- This makes the argument's intent clearer and more closely mirrors
    the other arguments, like `--new-password-file`.
2024-06-13 10:56:10 +02:00
Neal H. Walfield
bc5c0cf9f1
Rename the --expiry argument to --expiration.
- Rename the `--expiry` argument to `--expiration`, and adjust the
    name of the corresponding fields, and data structures.

  - Expiration and expiry have about the same meaning.  According to
    my research, "expiration" is used in American English whereas
    both are used in British English.

  - This change aligns the usage with RFC 4880's terminology, which
    uses the word "expiration" many times, but never uses "expiry".
2024-06-11 22:51:40 +02:00
Neal H. Walfield
d76e1ae4db
Change sq key attest-certifications to support the key store and cert store.
- Change `sq key attest-certifications` to use the key store and the
    cert store.

  - See #205.
2024-06-10 23:24:33 +02:00
Neal H. Walfield
353c21554a
Don't have sq key attest-certifications' --all be the default.
- In `sq key attest-certifications`, don't make `--all` the
    default, but require the user to specify it explicitly.

  - This makes it easier to introduce more fine-grained selectors in
    the future.

  - See #262.
2024-06-10 23:24:33 +02:00
Neal H. Walfield
6dcfb270ad
Make sq key attest-certifications' positional parameter a named parameter.
- In `sq key attest-certifications`, change the certificate file
     parameter from a positional parameter to a named parameter,
     `--cert-file`.
2024-06-10 23:24:33 +02:00
Neal H. Walfield
f1a99b10d9
Change sq key adopt to support the cert store.
- Change `sq key adopt` to use the cert store.

  - See #205.
2024-06-10 23:24:33 +02:00
Neal H. Walfield
f3037392f6
Change sq key adopt to support the key store.
- Change `sq key adopt` to use the key store.

  - See #205.
2024-06-10 23:24:32 +02:00
Neal H. Walfield
cb13f883be
Make sq key adopt's positional parameter a named parameter.
- In `sq key adopt`, change the certifier file parameter from a
     positional parameter to a named parameter, `--cert-file`.
2024-06-10 23:24:32 +02:00
Neal H. Walfield
a82d9908f9
Change sq pki certify to support the cert store and key store.
- Change `sq pki certify` to support the cert store and key store.

  - See #205.
2024-06-10 23:10:44 +02:00
Neal H. Walfield
b55d1f3239
Make sq pki certify's positional parameter a named parameter.
- In `sq pki certify`, change the certifier file parameter from a
     positional parameter to a named parameter, `--certifier-file`.
2024-06-05 12:33:07 +02:00
Neal H. Walfield
4b3e459cea
Change sq pki certify's certifier parameter to understand -.
- Change `sq pki certify`'s certifier parameter from a `PathBuf` to
    a `FileOrStdin` so that it interprets `-` as meaning it should
    read the certificate from stdin.
2024-06-05 09:57:53 +02:00
Neal H. Walfield
721d680627
Make sq key password's positional parameter a named parameter.
- In `sq key password`, change the certificate file parameter from a
    positional parameter to a named parameter, `--cert-file`.
2024-06-05 00:50:36 +02:00
Neal H. Walfield
178679e838
Add the --password-file argument to sq sign.
- Add the `--password-file` argument to the `sq sign` command to
    allow the user to prefill the password cache with a password from a
    file.
2024-06-05 00:50:36 +02:00