Neal H. Walfield 3b45a6bb63
Release 0.40.0.
* Changes in 0.40.0
** New functionality
   - New subcommand `sq download`, which downloads a file and a
     signature file, and then authenticates the file.
** Notable changes
   - `sq toolbox keyring merge` now supports merging bare revocation
     certificates.
   - `sq verify` now deletes the output file on failure.
   - `sq decrypt` now deletes the output file on failure.
   - Add a global option, `--policy-as-of`, that selects the
     cryptographic policy as of the specified time.
   - `sq key subkey export` takes an additional argument, `--cert`,
     which is required.  The specified keys must be attached to that
     certificate.  This ensures that if a key is attached to multiple
     certificates, the correct certificate is exported.
   - Add a new argument, `--cli-version`, which requests a particular
     semver-compatible version of the CLI.  This enables breaking
     changes to the CLI in the future.
   - The `help` subcommand has been removed everywhere except at the
     top-level (`--help` still works).
   - If designated signers are specified for `sq verify`, `sq
     decrypt`, and `sq download`, they are now the only certificates
     that are considered when verifying signatures.  If no signers are
     specified, the certificate store is consulted.
   - The argument `sq cert lint --list-keys` has been removed.
   - `sq key list` now has a DWIM search parameter.
   - The flag `sq sign --detached` is now called `sq sign
     --signature-file`.
   - The flag `sq sign --clearsign` is now called `sq sign
     --cleartext`.
   - Both `sq sign` and `sq verify` now require an explicit mode,
     one of `--signature-file`, `--message`, or `--cleartext`.
   - The flag `sq --no-cert-store` has been replaced with `sq
     --cert-store=none`.
   - The flag `sq --no-key-store` has been replaced with `sq
     --key-store=none`.
   - Similarly, `sq --home=none` disables all state, unless explicitly
     re-enabled using `--cert-store` or `--key-store`.
   - `sq pki link add`, `sq pki link authorize`, `sq pki vouch
     certify`, and `sq pki vouch authorize` have a `--userid-or-add`
     flag.  Replace it with an `--userid-or-add` argument, and an
     `--email-or-add` argument.
   - The `--email` and `--email-or-add` arguments to `sq pki link add`,
     etc. cannot be used to designate a self-signed user ID, if
     multiple self-signed user IDs include the specified email
     address.  Previously, the arguments would designate all
     self-signed user IDs with the specified email address.
   - The new argument `sq sign --mode` can be used to create text
     signatures in addition to binary signatures.
   - The argument `sq network wkd publish --create` has been split
     into two arguments, `--create` and `--method`, avoiding an
     ambiguity when parsing the arguments.
   - `sq key userid revoke` no longer accepts the `--userid-or-add` flag
     to indicate that a user ID specified using `--userid`, an email
     specified using `--email`, or a name specified using `--name`
     should be used even if there is no corresponding self-signed user
     ID.  This functionality is replaced by the `--userid-or-add`,
     `--email-or-add` and `--name-or-add` arguments.
   - `sq pki path` previously interpreted the last positional argument
     as the user ID to authenticate.  Make it a named argument
     instead, `--userid`.
   - Add `sq pki path --email` and `sq pki path --name` as additional
     ways to specify the user ID to authenticate.
   - The argument `sq encrypt --set-metadata-time` has been removed.
   - The argument `sq encrypt --set-metadata-filename` now takes a
     string that specifies the file name to be set.
   - `sq pki authenticate`'s positional argument for specifying the
     certificate to authenticate must now be specified using a named
     argument, `--cert`.
   - `sq pki identify`'s positional argument for specifying the
     certificate to identify must now be specified using a named
     argument, `--cert`.
   - Drop `sq cert list --email`'s flag, and replace it with the
     `--userid` and `--email` positional arguments, which match on
     user IDs.
   - Drop `sq pki authenticate --email`'s flag, and replace it with
     the `--userid` and `--email` positional arguments, which match on
     user IDs.
   - Drop `sq pki lookup --email`'s flag, and replace it with the
     `--userid` and `--email` positional arguments, which match on
     user IDs.
   - `sq toolbox keyring` is now just `sq keyring`.
   - `sq toolbox packet` is now just `sq packet`.
   - `sq toolbox armor` is now `sq packet armor`.
   - `sq toolbox dearmor` is now `sq packet dearmor`.
   - `sq key userid revoke`, `sq pki link add`, `sq pki link
     authorize`, `sq pki vouch certify`, and `sq pki vouch authorize`
     now check that user IDs that are not self-signed are in canonical
     form.  Add a flag, `--allow-non-canonical-userids`, to disable
     this check.
   - `sq key approvals update` now requires an action, like
     `--add-authenticated`.
   - `sq key approvals --add-authenticated` is now a simple flag, and
     we always require full authentication.
   - `sq toolbox strip-userid` has been removed.
   - All cert designators now use the `--cert-` prefix, e.g.  `sq key
     export --email` has been changed to `sq key export --cert-email`
     for consistency reasons, and to free `--name`, `--email`, and
     `--userid` for user ID designators.
   - The `--binary` argument has been removed from all commands but
     those that emit signed and/or encrypted messages.
   - The command `sq toolbox extract-cert` has been removed in favor
     of `sq key delete` and `sq key subkey delete`.
   - The command `sq packet split` now writes to stdout by default.
   - The argument `sq packet split --prefix` is now called
     `--output-prefix`.
   - `sq pki vouch certify` is now called `sq pki vouch add`.
   - We now certify newly generated keys with a per-host shadow CA.
   - The argument `sq encrypt --signature-notation` has been added.
   - All arguments to add signature notations have been renamed from
     `--notation` to `--signature-notation`.
   - When generating keys, either `--own-key` or `--shared-key` has to
     be given.  The former marks the key's user IDs as authenticated
     and makes it a trusted introducer.  The latter marks the key's
     user IDs as authenticated, and marks the key as a group key.
   - The argument `sq cert lint --export-secret-keys` has been
     removed: if a secret key is provided as file input, it will be
     emitted.
   - The argument `sq key subkey export --cert-file` has been removed.
   - `sq` now reads a configuration file that can be used to tweak a
     number of defaults, like the cipher suite to generate new keys,
     the set of key servers to query, and the cryptographic policy.
   - The command `sq keyring filter` is now considered experimental
     and may change in the future.  To acknowledge this, it has to be
     invoked with the `--experimental` flag.
2024-11-28 06:45:13 +01:00
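Two of the 0.40.0 changes above are fail-closed behaviours that scripts should build on: `sq verify` and `sq decrypt` now remove their output on failure, and explicitly designated signers are the only certificates consulted, so a signature from any other key in the cert store no longer counts. The script below is an added example, not code from sq or its README. It shows the download-then-authenticate flow that the new `sq download` subcommand packages up, written out for cases where the fetch step has to be controlled (a mirror, a proxy, or an older `sq`). The data is fetched under a temporary name and renamed to its final name only after `sq verify` succeeds, so nothing unauthenticated ever exists under the name a consumer looks for, which mirrors the delete-on-failure rule. Assumptions not confirmed by the notes above: the signer designator is spelled `--signer-file`, `sq verify --signature-file SIG FILE` takes the data file as its positional argument, the signature lives at the download URL with `.sig` appended, and curl is the fetcher (the `SQ` and `FETCH` variables let you override both tools).

```shell
#!/bin/sh
# Fetch a file and its detached signature, then authenticate the file against
# one pinned signer certificate with sq 0.40.  Added example; not part of sq.
# Assumed (not taken from the release notes): `--signer-file CERT`, the
# positional data-file argument of `sq verify --signature-file`, the `.sig`
# suffix convention, and curl as the fetcher.
set -eu

SQ="${SQ:-sq}"
FETCH="${FETCH:-curl --fail --silent --show-error --location --output}"

# download_and_verify URL SIGNER_CERT OUT
#
# Fetches URL into OUT.part and URL.sig into OUT.sig, verifies the data
# against SIGNER_CERT only (no other certificate is considered), and renames
# OUT.part to OUT on success.  On any failure, of the fetch or of the
# verification, both temporary files are removed and the failing command's
# exit status is returned, so OUT never exists unless it was authenticated.
download_and_verify() {
    url=$1; signer=$2; out=$3
    part="$out.part"; sig="$out.sig"

    # Never let a stale partial download or signature be mistaken for a new one.
    rm -f -- "$part" "$sig"

    $FETCH "$part" "$url" \
        && $FETCH "$sig" "$url.sig" \
        && "$SQ" verify --signer-file "$signer" --signature-file "$sig" "$part" \
        || {
            status=$?
            rm -f -- "$part" "$sig"
            return "$status"
        }

    # Only authenticated data reaches the final name.
    mv -- "$part" "$out"
    rm -f -- "$sig"
    return 0
}

# Run as a script:  download_and_verify URL SIGNER_CERT OUT
# e.g. (hypothetical URL and certificate file)
#   ./download_and_verify.sh https://example.invalid/tool.tar.gz release-signer.pgp tool.tar.gz
if [ $# -eq 3 ]; then
    download_and_verify "$@"
fi
```

A consumer that checks for the final file name (a build step, an installer) therefore cannot race ahead of the verification or pick up a leftover from an earlier failed run. The same shape works for `sq decrypt` with `--output` pointed at the temporary name.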
src Support thiserror 2.0. 2024-11-28 06:37:07 +01:00
subplot Set a SEQUOIA_HOME directory for the subplot tests. 2024-10-21 13:00:08 +02:00
tests Mark sq keyring filter experimental. 2024-11-27 17:27:04 +01:00
.dockerignore add dockerignore file 2024-11-20 02:07:59 +00:00
.gitattributes Add git configuration. 2023-02-23 11:22:01 +01:00
.gitignore Add a framework to format and test examples. 2024-02-09 18:08:09 +01:00
.gitlab-ci.yml rename Dockerfile to vendor-neutral Containerfile 2024-11-20 01:37:40 +00:00
build.rs Only show global options in the top-level help output. 2024-02-21 12:28:32 +01:00
Cargo.lock Release 0.40.0. 2024-11-28 06:45:13 +01:00
Cargo.toml Release 0.40.0. 2024-11-28 06:45:13 +01:00
Containerfile make container a single-user environment 2024-11-20 02:07:59 +00:00
LICENSE.txt Fix license 2023-11-24 16:37:14 +01:00
NEWS Mark sq keyring filter experimental. 2024-11-27 17:27:04 +01:00
openpgp-policy.toml add openpgp-policy 2024-03-06 12:35:27 -05:00
README.md update container examples in readme 2024-11-20 02:12:26 +00:00
sq-subplot.md Mark sq keyring filter experimental. 2024-11-27 17:27:04 +01:00
sq.subplot Update to the latest version of subplot 2023-03-17 10:07:17 +01:00

sq, the Sequoia-PGP command line tool

Sequoia-PGP is an implementation of OpenPGP in Rust. It includes a suite of library crates, which are meant to be used from applications. This crate provides the sq command line application, which gives command line users a convenient way to use OpenPGP.

See the sq user documentation for instructions. The program also has built-in help, using the --help option and help subcommand:

$ sq help
...

You can also browse the manual pages, look at our acceptance criteria, and browse the rustdoc output if you want to learn about the implementation.

Installing

The sq tool can be installed using cargo:

cargo install sequoia-sq

Please see sequoia-openpgp's README for how to install build dependencies on your system.

Building from source

This crate can be built from a source checkout using the standard cargo toolchain:

cargo build

The above creates the sq executable, the manual pages, and its shell completions. By default, the manual pages and shell completions are put into the cargo target directory, but the exact location is unpredictable. To write the assets to a predictable location, set the environment variable ASSET_OUT_DIR to a suitable location.

Using a Container (Docker, Podman, etc.)

The command line tool sq can also be built using an OCI compatible image builder, e.g. podman or docker:

$ podman build -f Containerfile -t sq .
$ podman run --rm -i sq --help

You can then use sq in the container.

For example searching for a certificate:

$ podman run --rm -i sq network search 653909A2F0E37C106F5FAF546C8857E0D8E8F074

All sq state is stored under /sequoia inside of the container, so if you would like to persist the state between container runs, bind mount a host directory there:

$ mkdir sq-container # create a directory on the host where you will mount the working dir from the container
$ podman run --rm -i -v $PWD/sq-container:/sequoia sq network search 653909A2F0E37C106F5FAF546C8857E0D8E8F074
$ podman run --rm -i -v $PWD/sq-container:/sequoia sq inspect --cert 653909A2F0E37C106F5FAF546C8857E0D8E8F074

The container environment has sq manpages and bash completion configured. By default the container will run sq as its "entrypoint", so if you would like to be dropped into a shell then override the entrypoint as follows.

# Note the "-t": it is necessary for the allocation of a pseudo-TTY.
$ podman run --rm -t -i --entrypoint bash sq

A current build of the container image is available from the GitLab registry. Tag it as sq locally for convenience, so that it matches the commands above.

$ podman pull registry.gitlab.com/sequoia-pgp/sequoia-sq:latest
$ podman tag registry.gitlab.com/sequoia-pgp/sequoia-sq:latest sq
$ podman run --rm -i sq --help