IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
- Previously, there was a chance of running out of file descriptors
while or after fetching a large number of certificates using sq
network fetch.
- The root cause of that was the use of getaddrinfo(3) to resolve
names, which is a blocking interface, which has to be executed on
a special thread for blocking tasks on the tokio runtime. The
maximum number of these threads is capped at 512 by default, and
these threads can tie up a significant number of file descriptors
in sockets. The threads do close their sockets and go away after
a while, presumably after a timeout. Further, blocking tasks can
not be canceled.
- Do release all thread pool resources after doing the fetch.
- Also, switch to the hickory crate for doing name lookups. This
implements a non-blocking interface, and releases resources in a
timely fashion.
- Fixes#335.
- When adopting a bare key, the creation time is the Unix epoch.
If the user doesn't manually override this using
`--creation-time`, use the current time (while respecting
`--time`).
- Add `--can-sign`, `--cannot-sign`, `--can-authenticate`,
`--cannot-authenticate`, `--can-encrypt`, `--cannot-encrypt` to `sq
key adopt`, which modify the key flags of the adopted key.
- Change `sq key adopt` to not require the key that is being adopted
to have a binding signature.
- This allows adopting "bare keys," i.e., a certificate consisting
of just a primary key. Bare keys are useful when working with raw
keys, e.g., keys generated on an OpenPGP card, a TPM device, etc.
To add them to a certificate, they just need to be wrapped in a
minimal amount of OpenPGP framing; no signatures are required.
- Fixes#25.
- When designating a certificate multiple times, the certificate
should only be used once. Assert that this is the case in the `sq
encrypt` tests by checking that the PKESKs are not redundant.
- Note: this was fixed by 437ae24.
- A `sq cert export` test vector specified `--email
carol@example.org`, which doesn't match any certificates. The error
was hidden, because we were not strict about ensuring that all
certificate designators actually match at least one certificate.
- Fix the test vector.
- Add a new type, `CertDesignators`, which can be flattened into a
clap subcommand, and exposes one or more certificate designator
arguments (`--file`, `--cert`, `--userid`, `--userid`, `--domain`,
and `--grep`) with an optional prefix (e.g., it transforms `--file`
into `--cert-file`).
- See #207.
- Add a test for `sq encrypt` that checks that the different ways of
designating a certificate work including making sure that only
authenticated names can be used to designate a certificate.
- When updating a component's expiration, we collect the new self
signatures in a vector, append them to the certificate using
`Cert::insert_packets`, and rely on canonicalize to reorder them.
- To make reordering simpler and more robust (see issue #1125 in
sequoia-openpgp), precede the new self signature by a copy of the
component.
https://gitlab.com/sequoia-pgp/sequoia/-/issues/1125
- Add `Sq::preserve` to prevent the files created by an `Sq`
instance from being deleted when the `Sq` instance is dropped.
- Preserving the state makes it easier to debug a test that is
failing.
