1356 Commits

Author SHA1 Message Date
Justus Winter
6688e0a6d7
Rename sq pki vouch certify to sq pki vouch add.
- This makes it consistent with `sq pki link add` and all the other
  commands that add components to certs.

- Fixes #433.
2024-11-20 12:00:23 +01:00
Justus Winter
c4bfad0d15
Make sq key import read from stdin if no files are given.
- This aligns the behavior with `sq cert import`.

- Fixes #445.
2024-11-20 10:34:41 +01:00
Justus Winter
5ed656b789
Move the CLI parser for sq key import to its own module. 2024-11-20 10:22:51 +01:00
Devan Carpenter
da9afcb242
update container examples in readme 2024-11-20 02:12:26 +00:00
Devan Carpenter
f499cc1ddf
make container a single-user environment
This simplifies permissions wrangling when bind mounting to the host.
Rootless podman is a preferred OCI runtime to docker, wherein superuser
within a container is simulated and not a security concern.
2024-11-20 02:07:59 +00:00
Devan Carpenter
8b49656c74
add dockerignore file
This helps prevent cache poisoning, reducing unnecessary rebuilds.
2024-11-20 02:07:59 +00:00
Devan Carpenter
c08c5653cc
add bash completion and manpages to container 2024-11-20 02:07:59 +00:00
Devan Carpenter
864e37ac6c
improve OCI compatibility of Containerfile 2024-11-20 01:37:41 +00:00
Devan Carpenter
84314d4bfa
rename Dockerfile to vendor-neutral Containerfile
Aiming for OCI compatibility, not vendor lock-in.

https://lists.podman.io/archives/list/podman@lists.podman.io/thread/DXJBNFCQETRX5M2HQR7IQ4TIMZAK7FG7/
2024-11-20 01:37:40 +00:00
Neal H. Walfield
ebea842729
Change sq network wkd generate to avoid unnecessary churn.
- When updating a WKD in `sq network wkd generate`, if a certificate
  is not changed, don't insert it.

- If no certificates changed, and none were inserted, then don't
  bother copying the WKD back.
2024-11-19 17:56:16 +01:00
Neal H. Walfield
a57f6e1484
Improve sq network wkd generate's error messages. 2024-11-19 17:56:16 +01:00
Neal H. Walfield
a001abd268
Fail if the user tries to create an empty WKD.
- If the user passes `--create` to `sq network wkd publish`, but
  doesn't specify any certificates, fail.  Also, show a hint.

- Fixes #447.
2024-11-19 17:56:08 +01:00
Neal H. Walfield
8805a51e2a
Make sq network wkd publish more chatty.
- Change `sq network wkd publish` to indicate which certificates are
  updated, which ones are unchanged, and which ones are new.

- Note: the messages can be suppressed with `--quiet`.
2024-11-19 17:08:23 +01:00
Neal H. Walfield
0944fa49f7
Make sq network wkd publish more robust.
- When updating a WKD, be careful to not lose updates that are in
  the WKD, but not in the local certificate store.
2024-11-19 17:06:41 +01:00
Neal H. Walfield
be5d7367d1
Fix sq packet join to not panic if there is no input.
- Fix `sq packet join` to not panic if there is no input.  Instead,
  open the output file in the usual manner.
2024-11-19 15:18:38 +01:00
Neal H. Walfield
abda393999
Show an issuer's user ID, if we know it.
- To make it easier to work with signature packets, also include the
  user ID as a comment, if we know it.
2024-11-19 15:18:38 +01:00
Neal H. Walfield
f9ea97c1dd
Rename sq packet split --prefix to --output-prefix.
- To make it easier to recognize that `--prefix` is a variant of
  `--output`, rename it to `--output-prefix`.
2024-11-19 15:18:38 +01:00
Neal H. Walfield
2819efd1cf
Add a hint to sq packet split's output.
- When writing to a file or stdout, add a hint at the beginning of
  the output that the user can edit the file with an editor, and
  then recombine the result using `sq packet join`.
2024-11-19 15:18:37 +01:00
Neal H. Walfield
2ba6037362
Change sq packet split to write to stdout by default.
- Change `sq packet split` to not require `output` or `prefix`, but
  to write to `stdout` by default.

- This is closer to the behavior of other commands.
2024-11-19 15:18:11 +01:00
Neal H. Walfield
fdc963cd59
Improve the "waiting for input on stdin" message.
- Require the caller to indicate what they are waiting for, and
  include that in the warning.

- For instance, `sq decrypt` now says "Waiting for an encrypted
  message on stdin..."
2024-11-19 14:17:04 +01:00
Justus Winter
5f84605a4b
Limit width when wrapping help texts to increase readability. 2024-11-19 13:49:10 +01:00
Justus Winter
14c6c12a96
Use a simpler word separator algorithm to keep URLs intact. 2024-11-19 13:49:10 +01:00
Justus Winter
c35efb18eb
Don't break lines if stderr is not a terminal.
- If piped, e.g. to a pager, wrapping should be disabled.

- Fixes #443.
2024-11-19 13:49:10 +01:00
Justus Winter
1806a215aa
Don't limit the width of emitted text.
- Previously, we limited the width to 100 characters in an effort to
  improve readability.  Arguably, that is interfering with the
  wishes of the users that use wider terminals.

- The alternative is to structure the human-readable output in such
  a way that overly long lines do not occur, but when they do occur,
  they can be displayed as is.

- See #443.
2024-11-19 13:42:20 +01:00
Justus Winter
19401ef551
Remove sq toolbox extract-cert.
- Fixes #389.
2024-11-19 13:39:46 +01:00
Justus Winter
784e011922
Remove test framework for toolbox strip-userid.
- Fixes e61a03f863eeb8a777c1c38d543d1aaa5e798ace.
2024-11-19 13:39:46 +01:00
Justus Winter
e1da05bc6f
Fix hints to do packet dump.
- Fixes d46844ca35aa3a211e05655af7ee62ce4df9b178.
2024-11-19 13:39:46 +01:00
Neal H. Walfield
f5160e4b68
Change sq decrypt to not use rpassword directly.
- `sq decrypt` calls rpassword::prompt_password.  Change it to use
  our wrapper functions, which also support skipping a key.
2024-11-19 12:45:07 +01:00
Neal H. Walfield
d9d3da6e1e
Change sq decrypt to respect --batch.
- `sq decrypt` prompts for a password even if the user specified
  `--batch`.

- Fix it to not prompt the user when the user provides `--batch`.
2024-11-19 12:45:02 +01:00
Justus Winter
424c7a020d
Make sq cert lint read from stdin again.
- Reverts 22cc90e11f29437d589db8e78594ad7859f9349e.

- Fixes #257.
2024-11-19 12:13:09 +01:00
Justus Winter
d8082ce99e
Only display hint for live certs. 2024-11-19 11:58:16 +01:00
Justus Winter
176aa69748
Align spelling of cert-store with the command line argument. 2024-11-19 11:58:04 +01:00
Justus Winter
9f64d05a08
Show sources of data when fetching certs over the network.
- Fixes #432.
2024-11-19 11:57:20 +01:00
Neal H. Walfield
51039b3341
In sq key list, prefer weakly bound user IDs to nothing.
- `sq key list` prefers to show authenticated, and self-signed user
  IDs.  If there are none, it says "no user IDs," which is not very
  helpful.  In this case, prefer self-signed user IDs that are valid
  under the NULL policy.  Note: these will still show up as
  unauthenticated.
2024-11-19 09:32:28 +01:00
Neal H. Walfield
149254b756
Change sq key list to display more user IDs.
- Currently, `sq key list` only displays a single best user ID for
  each certificate.

- Instead, display all user IDs that can be authenticated, or are
  self-signed.  Also indicate the degree to which they can be
  authenticated, and whether the user ID has been revoked.

- Fixes #360.
2024-11-19 00:05:37 +01:00
Neal H. Walfield
60b369274b
Refactor common::get_keys to be less clever.
- Refactor `common::get_keys` to have two loops that are relatively
  straightforward instead of having a single loop that is clever.
2024-11-18 17:59:19 +01:00
Neal H. Walfield
1374ff8458
Fix sq pki path to use Sq::resolve_cert.
- Certificates designated by the user should be looked up using
  `Sq::resolve_cert`, and not `Sq::lookup_one`, which also considers
  subkeys.

- Change `sq pki path` to use `Sq::resolve_cert`.

- Fixes #207.
2024-11-18 17:58:43 +01:00
Neal H. Walfield
b49386a886
Remove unnecessary lookup.
- `Sq::resolve_cert` already returns the certificate.  Don't look it
  up again.
2024-11-18 17:58:38 +01:00
Neal H. Walfield
6ffdd4aab7
Fix documentation.
- It's called `--cert-grep` now, not `--grep`.
2024-11-18 17:41:27 +01:00
Neal H. Walfield
2fb5cc4abf
Don't add approvals for non-exportable certifications or certs.
- Change `sq key approvals list` and `sq key approvals update` to
  ignore certifications that are not exportable, and certificates
  that are not exportable, or are a shadow CA.

- Fixes #402.
2024-11-18 16:40:48 +01:00
Neal H. Walfield
915e8da4da
Move the ca_creation_time function to the common module.
- Move the `ca_creation_time` function to the `common` module so
  that other code can use it.
2024-11-18 16:40:48 +01:00
Neal H. Walfield
5619472ae2
Change the packet dumper to show the issuer, when available.
- When dumping a signature, look up the issuer listed in any
  issuer or issuer fingerprint subpackets.  If we have a
  certificate, show a user ID.
2024-11-18 16:40:47 +01:00
Justus Winter
382c587fa9
Remove the --binary flag from all commands emitting certs or keys.
- Fixes #384.
2024-11-18 16:19:54 +01:00
Justus Winter
91f4400c26
Use --cert- prefix for all cert designators.
- Resolves a conflict with the user ID designators, and makes the
  interface more consistent.

- Fixes #385.
2024-11-18 14:57:09 +01:00
Justus Winter
e61a03f863
Remove sq toolbox strip-userid.
- Fixes #439.
2024-11-18 14:15:37 +01:00
Justus Winter
db5a2bbe3b
Turn sq key approvals --add-authenticated into a flag.
- And require full authentication of peers.

- Fixes #440.
2024-11-18 13:56:35 +01:00
Neal H. Walfield
01aa1d1619
When searching by fingerprint, show any unauthenticated certificate.
- `sq cert list FINGERPRINT` does not show the certificate if the
  certificate could not be authenticated.  Since the user is
  searching by fingerprint, which is self authenticating, we don't
  run the risk of showing something irrelevant.  As such, always
  show the certificate in this case.

- Fixes #408.
2024-11-18 11:23:46 +01:00
Neal H. Walfield
7d44c8e3d5
Rearrange the order of the user ID designator arguments.
- Rearrange the order of the user ID designator arguments so that
  the help output is easier to scan.  Specifically, move
  `--userid-or-add` immediately after `--userid`, `--email-or-add`
  immediately after `--email`, and `--name-or-add` immediately after
  `--name`.
2024-11-18 10:40:34 +01:00
Neal H. Walfield
cef1542ee4
Rename --add-userid to --userid-or-add, etc.
- Rename `--add-userid` to `--userid-or-add`, `--add-email` to
  `--email-or-add`, and `--add-name` to `--name-or-add`.  The new
  names better reflect the semantics: we first try to select a user
  ID based on the designator, and then fall back to adding it as is.
2024-11-18 10:40:18 +01:00
Neal H. Walfield
df5eb0c4d2
Add support for examples that are only syntax checked.
- Currently, we execute all examples.  Unfortunately, some examples
  can't be executed reliably, e.g., those that require network access.

- Add a new example variant that is only syntax checked.

- Fixes #423.

- Add some examples for `sq network search`.
2024-11-16 22:01:18 +01:00