1212 Commits

Author SHA1 Message Date
Justus Winter
797ab7a003
Certify newly created keys with a per-host shadow CA.
- This tracks the origin, like we do when we download certificates
    over the network.

  - This also has the benefit that newly created keys also show up in
    the cert listing.

  - Fixes #377.
2024-11-20 14:13:52 +01:00
Justus Winter
23f4e9150e
Differentiate the help texts for --notation slightly. 2024-11-20 13:54:37 +01:00
Neal H. Walfield
e9155823e7
Fix sq cert lint.
- If there are no certificate designators, we add one for stdin.

  - Do this before we inspect the certificate designators.
2024-11-20 13:34:29 +01:00
Neal H. Walfield
5cc0115b9c
Check for the cert / key store before doing work.
- Some commands only access the cert or key store after they do a
    lot of work.  If the cert or key store is disabled, this is
    annoying.

  - Change `sq key generate`, `sq cert import`, `sq network search`,
    `sq network keyserver search`, `sq network wkd search`, and `sq
    network dane search` to error out early if they will save
    something to the key store or the certificate, and it is disabled.

  - Fixes #264.
2024-11-20 13:32:34 +01:00
Neal H. Walfield
b89041d9d6
Improve no cert store / no key store error messages.
- When there is no certificate or key store, but the command
    requires it, return use a `clap::Error` instead of an
    `anyhow::Error` so that the error is formatted better.
2024-11-20 13:26:15 +01:00
Neal H. Walfield
ecfc6711c2
Catch clap errors, and display them better.
- If a command returns a `clap:Error`, format it using clap's
    formatter.
2024-11-20 13:22:51 +01:00
Justus Winter
6688e0a6d7
Rename sq pki vouch certify to sq pki vouch add.
- This makes it consistent with `sq pki link add` and all the other
    commands that add components to certs.

  - Fixes #433.
2024-11-20 12:00:23 +01:00
Justus Winter
c4bfad0d15
Make sq key import read from stdin if no files are given.
- This aligns the behavior with `sq cert import`.

  - Fixes #445.
2024-11-20 10:34:41 +01:00
Justus Winter
5ed656b789
Move the CLI parser for sq key import to its own module. 2024-11-20 10:22:51 +01:00
Devan Carpenter
da9afcb242
update container examples in readme 2024-11-20 02:12:26 +00:00
Devan Carpenter
f499cc1ddf
make container a single-user environment
this simplifies permissions wrangling when bind mounting to host.
rootless podman is a preferred OCI runtime to docker, wherein superuser
within a container is simulated and not a security concern.
2024-11-20 02:07:59 +00:00
Devan Carpenter
8b49656c74
add dockerignore file
this helps prevent cache poisoning, reducing uncessesary rebuilds
2024-11-20 02:07:59 +00:00
Devan Carpenter
c08c5653cc
add bash completion and manpages to container 2024-11-20 02:07:59 +00:00
Devan Carpenter
864e37ac6c
improve OCI compatibility of Containerfile 2024-11-20 01:37:41 +00:00
Devan Carpenter
84314d4bfa
rename Dockerfile to vendor-neutral Containerfile
Aiming for OCI compatibility, not vendor-lockin

https://lists.podman.io/archives/list/podman@lists.podman.io/thread/DXJBNFCQETRX5M2HQR7IQ4TIMZAK7FG7/
2024-11-20 01:37:40 +00:00
Neal H. Walfield
ebea842729
Change sq network wkd generate to avoid unnecessary churn.
- When updating a WKD in `sq network wkd generate`, if a certificate
    is not changed, don't insert it.

  - If no certificates changed, and none were inserted, then don't
    bother copying the WKD back.
2024-11-19 17:56:16 +01:00
Neal H. Walfield
a57f6e1484
Improve sq network wkd generate's error messages. 2024-11-19 17:56:16 +01:00
Neal H. Walfield
a001abd268
Fail if the user tries to create an empty WKD.
- If the user passes `--create` to `sq network wkd publish`, but
    doesn't specify any certificates, fail.  Also, show a hint.

  - Fixes #447.
2024-11-19 17:56:08 +01:00
Neal H. Walfield
8805a51e2a
Make sq network wkd publish more chatty.
- Change `sq network wkd publish` to indicate which certificates are
    updated, which ones are unchanged, and which ones are new.

  - Note: the messages can be suppressed with `--quiet`.
2024-11-19 17:08:23 +01:00
Neal H. Walfield
0944fa49f7
Make sq network wkd publish more robust.
- When updating a WKD, be careful to not lose updates that are in
    the WKD, but not in the local certificate store.
2024-11-19 17:06:41 +01:00
Neal H. Walfield
be5d7367d1
Fix sq packet join to not panic if there is no input.
- Fix `sq packet join` to not panic if there is no input.  Instead,
    open the output file in the usual manner.
2024-11-19 15:18:38 +01:00
Neal H. Walfield
abda393999
Show an issuer's user ID, if we know it.
- To make it easier to work with signature packets, also include the
    user ID as a comment, if we know it.
2024-11-19 15:18:38 +01:00
Neal H. Walfield
f9ea97c1dd
Rename sq packet split --prefix to --output-prefix.
- To make it easier to recognize that `--prefix` is a variant of
    `--output`, rename it to `--output-prefix`.
2024-11-19 15:18:38 +01:00
Neal H. Walfield
2819efd1cf
Add a hint to sq packet split's output.
- When writing to a file or stdout, add a hint at the beginning of
    the output that the user can edit the file with an editor, and
    then recombine the result using `sq packet join`.
2024-11-19 15:18:37 +01:00
Neal H. Walfield
2ba6037362
Change sq packet split to write to stdout by default.
- Change `sq packet split` to not require `output` or `prefix`, but
    to write to `stdout` by default.

  - This is closer to the behavior of other commands.
2024-11-19 15:18:11 +01:00
Neal H. Walfield
fdc963cd59
Improve the "waiting for input on stdin" message.
- Require the caller to indicate what they are waiting for, and
    include that in the warning.

  - For instance, `sq decrypt` now says "Waiting for an encrypted
    message on stdin..."
2024-11-19 14:17:04 +01:00
Justus Winter
5f84605a4b
Limit width when wrapping help texts to increase readability. 2024-11-19 13:49:10 +01:00
Justus Winter
14c6c12a96
Use a simpler word separator algorithm to keep URLs intact. 2024-11-19 13:49:10 +01:00
Justus Winter
c35efb18eb
Don't break lines if stderr is not a terminal.
- If piped, e.g. to a pager, wrapping should be disabled.

  - Fixes #443.
2024-11-19 13:49:10 +01:00
Justus Winter
1806a215aa
Don't limit the width of emitted text.
- Previously, we limited the width to 100 characters in an effort to
    improve readability.  Arguably, that is interfering with the
    wishes of the users that use wider terminals.

  - The alternative is to structure the human-readable output in such
    a way that overly long lines do not occur, but when they do occur,
    they can be displayed as is.

  - See #443.
2024-11-19 13:42:20 +01:00
Justus Winter
19401ef551
Remove sq toolbox extract-cert.
- Fixes #389.
2024-11-19 13:39:46 +01:00
Justus Winter
784e011922
Remove test framework for toolbox strip-userid.
- Fixes e61a03f863eeb8a777c1c38d543d1aaa5e798ace.
2024-11-19 13:39:46 +01:00
Justus Winter
e1da05bc6f
Fix hints to do packet dump.
- Fixes d46844ca35aa3a211e05655af7ee62ce4df9b178.
2024-11-19 13:39:46 +01:00
Neal H. Walfield
f5160e4b68
Change sq decrypt to not use rpassword directly.
- `sq decrypt` calls rpassword::prompt_password.  Change it to use
    our wrapper functions, which also support skipping a key.
2024-11-19 12:45:07 +01:00
Neal H. Walfield
d9d3da6e1e
Change sq decrypt to respect --batch.
- `sq decrypt` prompts for a password even if the user specified
    `--batch`.

  - Fix it to not prompt the user when the user provides `--batch`.
2024-11-19 12:45:02 +01:00
Justus Winter
424c7a020d
Make sq cert lint read from stdin again.
- Reverts 22cc90e11f29437d589db8e78594ad7859f9349e.

  - Fixes #257.
2024-11-19 12:13:09 +01:00
Justus Winter
d8082ce99e
Only display hint for live certs. 2024-11-19 11:58:16 +01:00
Justus Winter
176aa69748
Align spelling of cert-store with the command line argument. 2024-11-19 11:58:04 +01:00
Justus Winter
9f64d05a08
Show sources of data when fetching certs over the network.
- Fixes #432.
2024-11-19 11:57:20 +01:00
Neal H. Walfield
51039b3341
In sq key list, prefer weakly bound user IDs to nothing.
- `sq key list` prefers to show authenticated, and self-signed user
    IDs.  If there are none, it says "no user IDs," which is not very
    helpful.  In this case, prefer self-signed user IDs that are valid
    under the NULL policy.  Note: these will still show up as
    unauthenticated.
2024-11-19 09:32:28 +01:00
Neal H. Walfield
149254b756
Change sq key list to display more user IDs.
- Currently, `sq key list` only displays a single best user ID for
    each certificate.

  - Instead, display all user IDs that can be authenticated, or are
    self-signed.  Also indicate the degree to which they can be
    authenticated, and whether the user ID has been revoked.

  - Fixes #360.
2024-11-19 00:05:37 +01:00
Neal H. Walfield
60b369274b
Refactor common::get_keys to be less clever.
- Refactor `common::get_keys` to have two loops that are relatively
    straightforward instead of having a single loop that is clever.
2024-11-18 17:59:19 +01:00
Neal H. Walfield
1374ff8458
Fix sq pki path to use Sq::resolve_cert.
- Certificates designated by the use should be looked up using
    `Sq::resolve_cert`, and not `Sq::lookup_one`, which also considers
    subkeys.

  - Change `sq pki path` to use `Sq::resolve_cert`.

  - Fixes #207.
2024-11-18 17:58:43 +01:00
Neal H. Walfield
b49386a886
Remove unnecessary lookup.
- `Sq::resolve_cert` already returns the certificate.  Don't look it
    up again.
2024-11-18 17:58:38 +01:00
Neal H. Walfield
6ffdd4aab7
Fix documentation.
- It's called `--cert-grep` now, not `--grep`.
2024-11-18 17:41:27 +01:00
Neal H. Walfield
2fb5cc4abf
Don't add approvals for non-exportable certifications or certs.
- Change `sq key approvals list` and `sq key approvals update` to
    ignore certifications that are not exportable, and certificates
    that are not exportable, or are a shadow CA.

  - Fixes #402.
2024-11-18 16:40:48 +01:00
Neal H. Walfield
915e8da4da
Move the ca_creation_time function to the common module.
- Move the `ca_creation_time` function to the `common` module so
    that other code can use it.
2024-11-18 16:40:48 +01:00
Neal H. Walfield
5619472ae2
Change the packet dumper to show the issuer, when available.
- When dumping a signature, look up the issuer listed in in any
    issuer or issuer fingerprint subpackets.  If we have a
    certificate, show a user ID.
2024-11-18 16:40:47 +01:00
Justus Winter
382c587fa9
Remove the --binary flag from all commands emitting certs or keys.
- Fixes #384.
2024-11-18 16:19:54 +01:00
Justus Winter
91f4400c26
Use --cert- prefix for all cert designators.
- Resolves a conflict with the user ID designators, and makes the
    interface more consistent.

  - Fixes #385.
2024-11-18 14:57:09 +01:00