Release v0.2.0.

 - New functionality
   - New command `sq-git policy export` exports the certificates
     associated with an entity.
   - New command `sq-git policy diff` compares two policies.
   - New argument `sq-git policy describe --commit` describes the
     policy from an arbitrary commit.
   - Align the certificate store location handling with `sq`:
     - New argument `--home` specifies the Sequoia home directory.
       Alternatively, the `SEQUOIA_HOME` environment variable can be
       used.
     - Replace the `--no-cert-store` argument with `--cert-store none`.
     - Use `SEQUOIA_CERT_STORE` instead of the `SQ_CERT_STORE`
       environment variable to specify the certificate store's
       location.
 - Notable fixes
   - When authenticating a commit, `sq-git log` uses the parent
     commit's policy to authenticate the new commit.  If a certificate
     has expired, an entity has rotated their certificate's signing
     subkey, etc., then the certificate in the parent commit may no
     longer be able to verify new signatures.  To prevent this
     situation, `sq-git` now updates certificates present in the
     parent commit's policy with non-revocation updates from the child
     commit.  Note: only the certificates already present in the
     parent commit's policy are updated; certificates added to the
     child commit's policy are ignored.
   - Check that keyring updates are allowed according to the policy.
   - When using a policy from a file (e.g., with `--policy-file`) and
     the file did not exist, we would default to an empty policy
     instead of emitting an error.
   - The git key for the trust root has been renamed from
     `sequoia.trust-root` to `sequoia.trustRoot` to match `git`'s
     naming convention.
 - Notable changes
   - Updated the list of keyservers that `sq-git policy sync` uses by
     default.
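
The renamed settings above (`sequoia.trust-root` to `sequoia.trustRoot`, `SQ_CERT_STORE` to `SEQUOIA_CERT_STORE`) can be carried over with a small helper. This is an added example, not part of the release or of `sq-git`; the function names are hypothetical and it assumes the trust root was set in the repository's local git config.

```shell
#!/bin/sh
# Added example (not sq-git's own code): carry pre-0.2.0 settings
# over to the names introduced in v0.2.0.

# Move sequoia.trust-root to sequoia.trustRoot in one repository's
# local git config. Returns 0 on success or when there is nothing to
# do, 1 when both keys exist with different values.
migrate_trust_root() {
    repo=$1
    # No legacy key present: nothing to migrate.
    old=$(git -C "$repo" config --local --get sequoia.trust-root) || return 0
    if new=$(git -C "$repo" config --local --get sequoia.trustRoot); then
        # Both keys set: never silently pick one trust root over the other.
        if [ "$new" != "$old" ]; then
            echo "$repo: sequoia.trust-root and sequoia.trustRoot differ;" \
                 "resolve by hand" >&2
            return 1
        fi
    else
        # Write the new key first so the trust root is never left unset.
        git -C "$repo" config --local sequoia.trustRoot "$old" || return 1
    fi
    git -C "$repo" config --local --unset sequoia.trust-root
}

# Print the value of the old SQ_CERT_STORE variable when it is the only
# one set, so the caller can export it as SEQUOIA_CERT_STORE.
# Returns 1 when there is nothing to carry over.
legacy_cert_store() {
    if [ -n "${SQ_CERT_STORE:-}" ] && [ -z "${SEQUOIA_CERT_STORE:-}" ]; then
        echo "$SQ_CERT_STORE"
        return 0
    fi
    return 1
}
```

Run `migrate_trust_root .` in each repository that has a trust root configured. A conflict leaves both keys untouched, so the trust root that authentication depends on is never changed without review.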