Commit Graph

108 Commits

Author SHA1 Message Date
Justus Winter
625f1e8a17
Use cert designators for sq key subkey delete.
- See #207.
2024-10-24 14:40:27 +02:00
Justus Winter
74e7f4dd33
Use cert designators for sq key subkey add.
- See #207.
2024-10-23 18:04:13 +02:00
Justus Winter
77d9edf039
Use cert designators for sq key userid revoke.
- See #207.
2024-10-23 17:53:32 +02:00
Justus Winter
31ca4e2943
Use cert designators for sq key userid add.
- See #207.
2024-10-23 17:47:12 +02:00
Justus Winter
37e2b65c6f
Use cert designators for sq key revoke.
- See #207.
2024-10-23 17:02:42 +02:00
Justus Winter
5c392b7d0a
Use cert designators for sq key expire.
- See #207.
2024-10-23 16:15:24 +02:00
Justus Winter
eb784ff84c
Use cert designators for sq key password.
- See #207.
2024-10-23 16:08:42 +02:00
Justus Winter
e15852d2f7
Use cert designators for sq cert lint.
- See #207.
2024-10-23 15:28:26 +02:00
Justus Winter
fd8466564c
Make sq key delete --file require --output.
- Previously, the certificate was imported.
2024-10-22 18:13:31 +02:00
Justus Winter
14cef16528
Use cert designators for sq key delete.
- See #207.
2024-10-22 18:12:48 +02:00
Justus Winter
8c47caaee9
Change --cert to only look up by primary key fingerprint.
- See #207.
2024-10-22 15:45:59 +02:00
Justus Winter
af7b7e3dc9
Merge sq autocrypt import into sq cert import, remove others.
- Merge `sq autocrypt import` has been merged into `sq cert import`.

  - Remove `sq autocrypt decode` and `sq autocrypt encode-sender`
    without substitute.

  - Fixes #187.
2024-10-21 16:56:55 +02:00
Justus Winter
bcb5c39aca
Remove the DWIM interface from sq cert export.
- The cert designator framework is expressive enough.  Just be
    explicit.
2024-10-21 12:39:57 +02:00
Justus Winter
1d1a41ac3d
Only export certificates with authenticated bindings.
- When exporting certificates selected by user IDs (i.e. --email,
    --userid, --domain, or --grep), authenticate the bindings and
    export only those certificates that can be authenticated.

  - Fixes #182.
2024-10-21 11:37:10 +02:00
Justus Winter
eb1545591c
Split sq network wkd publish --rsync into two to avoid ambiguity.
- The argument `sq network wkd --rsync` which previously had an
    optional value argument has been split into two arguments, a
    boolean `--rsync` to enable the use of rsync, and `--rsync-path`,
    which implies `--rsync`, to specify a path to the local rsync
    executable.

  - Fixes #370.
2024-10-18 17:02:02 +02:00
Justus Winter
d07e387eab
Rename sq verify --signer-cert to --signer.
- Fixes #372.
2024-10-18 16:32:11 +02:00
Justus Winter
2a40afef11
Add --all flag to sq network wkd publish and dane generate.
- Fixes #273.
2024-10-18 16:01:51 +02:00
Neal H. Walfield
f934cd2e31
Move sq pki list to sq cert list.
- Move the command `sq pki list` to `sq cert list`.

  - See #358.
2024-10-18 12:17:50 +02:00
Neal H. Walfield
9d2d34b990
Move sq pki {certify,authorize} under sq pki vouch.
- Move `sq pki certify` and `sq pki authorize` under `sq pki vouch`.

  - This mirrors `sq pki link`.
2024-10-18 08:49:07 +02:00
Neal H. Walfield
609c5aab16
Split authorization functionality out of sq pki link add.
- Split authorization functionality out of `sq pki link add` into a
    new command, `sq pki link authorize`.

  - Align `sq pki link authorize`'s arguments with `sq pki authorize`
    arguments.
2024-10-17 16:42:35 +02:00
Neal H. Walfield
7dee04b9b3
Align sq pki link add's user ID specification with sq pki certify.
- Align how user IDs are specified using `sq pki link add` with `sq
    pki certify`.  Specifically, add a `--add-userid` argument and
    remove the `--petname` argument.
2024-10-15 17:32:29 +02:00
Neal H. Walfield
dd75de8178
Remove sq pki link add's positional argument for specifying a user ID.
- `sq pki link add` has a positional argument for specifying a user
    ID directly or by email address.  Remove it in favor of the named
    arguments, `--userid` and `--email`.

  - See #318.
2024-10-15 17:31:49 +02:00
Neal H. Walfield
34df026d87
Change sq pki link retract to use a named argument for the certificate.
- `sq pki link retract` uses a positional argument to specify the
    certificate to retract.  Change it to be a named argument, `--cert`.

  - See #318.
2024-10-15 17:30:57 +02:00
Neal H. Walfield
bc075f9328
Change sq pki link add to use a named argument for the certificate.
- `sq pki link add` uses a positional argument to specify the
    certificate to link.  Change it to be a named argument, `--cert`.

  - See #318.
2024-10-15 17:30:22 +02:00
Neal H. Walfield
f11b3f6b59
Extend sq pki authorize to constrain by domain.
- Constraining an introducer by regex is error prone.  Add an option
    to `sq pki authorize` to constrain an introducer by domain name.
2024-10-14 17:46:18 +02:00
Neal H. Walfield
22284ed9b1
Add new subcommand sq pki authorize.
- Previously `sq pki certify` could create certifications, and mark
    a certificate as a trusted introducer (when the user set `--depth`
    to be greater than zero).  Anecdotal evidence indicates that
    combining these two actions in a single command is confusing.

  - Split the latter functionality off, and put it in a new subcommand,
    `sq pki authorize`.

  - See https://gitlab.com/sequoia-pgp/sequoia-sq/-/issues/249#note_1865470753
2024-10-14 17:46:18 +02:00
Neal H. Walfield
3d63b8de96
Change sq pki certify to use a named argument for the certificate.
- `sq pki certify` uses a positional argument to specify the
    certificate to certify.  Change it to be a named argument, either
    `--cert`, or `--cert-file`.

  - See #318.
2024-10-14 17:46:12 +02:00
Neal H. Walfield
b40f545a24
Change sq pki certify to use a named argument for the user ID.
- `sq pki certify` uses a positional argument to specify the user
    ID to certify.  Change it to be a named argument, either
    `--userid`, or `--email`.

  - This changes the meaning of `--email` from a flag that changes how
    `--userid` interprets its argument, to an argument.

  - This also allows multiple user IDs to be specified at once.

  - See #318.
2024-10-14 17:13:08 +02:00
Justus Winter
e2fbc4b9b5
Rename sq network fetch to search, likewise hkp, WKD, and DANE.
- Rename `sq network fetch` to `sq network search` to emphasize that
    this is key discovery, and may return related or even wrong results.
    Likewise for the key server, WKD, and DANE methods.

  - See #296.
2024-10-14 10:50:11 +02:00
Justus Winter
72de5d1234
Make --rev-cert argument mandatory if --output has been given.
- Fixes #132.
2024-10-11 16:55:35 +02:00
Justus Winter
8f337bbd1e
Remove sq network keyserver publish --require-all.
- This should be the default, and ignoring errors should be done
    explicitly by the caller.

  - Fixes #359.
2024-10-11 16:11:58 +02:00
Justus Winter
b885328662
Make sq toolbox keyring filter --handle robust.
- By splitting `--handle` into `--cert` and `--key`, where the
    former only matches on primary keys, and the latter matches on
    both primary keys and subkeys.

  - Fixes #287.
2024-10-09 16:58:04 +02:00
Neal H. Walfield
62d7813900
Change sq pki certify to reject expired and revoked certs.
- It was possible to use `--allow-not-alive-certifier` and
    `--allow-revoked-certifier` to force `sq pki certify` to use
    expired and revoked certificates.

  - Consistent with the principle that `sq` should support a lot, but
    not everything, remove them.

  - Fixes #365.
2024-10-09 14:57:02 +02:00
Justus Winter
54b0613e19
Add an explicit output parameter for sq toolbox packet split.
- Fixes #357.
2024-10-08 16:14:13 +02:00
Justus Winter
6517b63378
Rename environment variables to override cert and key store.
- This makes them more consistent with the other environment
    variables SEQUOIA_HOME and SEQUOIA_CRYPTO_POLICY.

  - Fixes #364.
2024-10-08 16:14:09 +02:00
Justus Winter
20df76538e
Rename sq encrypt --recipient to sq encrypt --for`.
- Fixes #356.
2024-10-04 11:54:53 +02:00
Justus Winter
ba121b2339
Rename --recipient-cert to --recipient.
- Fixes #355.
2024-10-04 11:16:33 +02:00
Justus Winter
20fb370de7
Rename --signer-key to --signer.
- See #355.
2024-10-04 11:16:24 +02:00
Justus Winter
dff6664f47
Rename the global --force flag to --overwrite.
- This flag now only controls whether existing files are
    overwritten.

  - Fixes #31.
2024-10-02 18:42:31 +02:00
Justus Winter
80d51a9a87
New flag sq pki link add --recreate instead of --force.
- Likewise for `sq pki link retract --recreate`.

  - See #31.
2024-10-02 18:40:29 +02:00
Justus Winter
527e207067
New flag sq key userid revoke --add-userid instead of --force.
- See #31.
2024-10-02 18:37:28 +02:00
Justus Winter
63ae7dbb8c
Rename sq verify --detached to sq verify --signature-file.
- Fixes #255.
2024-10-02 17:37:35 +02:00
Justus Winter
c079a350b4
Add missing NEWS entry. 2024-10-02 16:03:55 +02:00
Justus Winter
a2440d7cf0
Introduce a switch to select the type of DNS resource records.
- Fixes #353.
2024-10-02 11:31:19 +02:00
Neal H. Walfield
99689fd405
When adopting a key, if the creation time is unset, set it.
- When adopting a bare key, the creation time is the Unix epoch.
    If the user doesn't manually override this using
    `--creation-time`, use the current time (while respecting
    `--time`).
2024-09-26 13:07:28 +02:00
Neal H. Walfield
6451e0416f
Add the --creation-time argument to sq key adopt.
- Add an argument to `sq key adopt`, `--creation_time`, to allow the
    user to override the key's creation time.
2024-09-26 13:06:34 +02:00
Neal H. Walfield
5ec89e8abe
Allow modifying the key flags when adopting a key.
- Add `--can-sign`, `--cannot-sign`, `--can-authenticate`,
    `--cannot-authenticate`, `--can-encrypt`, `--cannot-encrypt` to `sq
    key adopt`, which modify the key flags of the adopted key.
2024-09-26 13:05:36 +02:00
Neal H. Walfield
331da9d600
Don't require a key being adopted to have a binding signature.
- Change `sq key adopt` to not require the key that is being adopted
    to have a binding signature.

  - This allows adopting "bare keys," i.e., a certificate consisting
    of just a primary key.  Bare keys are useful when working with raw
    keys, e.g., keys generated on an OpenPGP card, a TPM device, etc.
    To add them to a certificate, they just need to be wrapped in a
    minimal amount of OpenPGP framing; no signatures are required.

  - Fixes #25.
2024-09-26 13:05:36 +02:00
Justus Winter
f88b433d8b
Move implementation, add NEWS entry.
- Fixes e2d5bc1de4.
2024-09-24 15:10:29 +02:00
Neal H. Walfield
cee60e89df
Make sq cert export more consistent with other commands.
- Unlike other commands, `sq cert export`'s `--cert` argument only
    matches on the certificate's key handle (i.e., the primary key's
    key handle).  It also has a `--key` argument to match on the
    primary key's key handle or a subkey's key handle, which are
    the semantics of the `--cert` argument for other commands.

  - Change the semantics of `--cert` to that of `--key`, i.e., change
    `--cert` to also match on subkey key handles.  Remove the `--key`
    argument since it is now redundant.
2024-08-22 11:13:54 +02:00