v1.2.0 (e507fc4a)
Release 1.2.0.

* Changes in 1.2.0
** New functionality
- `sq pki vouch list` lists certifications made by a particular certificate or made on a particular certificate.
- `sq pki vouch replay` replays the certifications made by one certificate using another certificate.
- `sq key rotate` generates a new certificate based on an existing one. It also copies links, recreates certifications, and retires the old certificate.
** Notable fixes
- `sq packet dump` no longer duplicates the PKESK or SKESK packet immediately preceding the SEIPD packet.
- `sq key export` and `sq key subkey export` no longer export non-exportable signatures and cert components.
- `sq --cli-version` was broken. The check was reversed. That is, instead of `sq` 1.1.0 saying that `sq --cli-version 1.0.0` is compatible, it said it is incompatible, and instead of saying that `sq --cli-version 1.2.0` is incompatible, it said that it is compatible. In terms of the API, this should be considered a new feature.
- `sq cert lint`, `sq inspect`, `sq packet dump`, and `sq pki link list` didn't check that certificates designated by user ID using, e.g., `--cert-email` are actually authenticated. They are now correctly checked.
v1.1.0 (3d47c251)
Release 1.1.0.

* Changes in 1.1.0
** New functionality
- New argument `--unusable` for `sq cert list`, `sq pki identify`, `sq pki lookup`, and `sq pki authenticate`. This option causes these commands to also show unusable bindings and certificates (i.e., those that are not valid according to the current policy, are revoked, or are expired). Requires `--gossip`.
** Notable changes
- Fix `--gossip`. The `--gossip` option for `sq cert list`, `sq pki identify`, `sq pki lookup`, and `sq pki authenticate` was broken. It is now fixed, and works as documented. In terms of the API, this should be considered a new feature, as although the option was present, it did not work.
- `sq cert list --cert FPR` incorrectly failed if all of a certificate's bindings are invalid (i.e., the bindings are invalid according to the cryptographic policy, or the user ID is revoked). `sq cert list --cert FPR` now only considers the validity of the certificate. Note: this command correctly succeeded when the certificate had no bindings.
- `sq cert list` showed certificates with no user IDs, but it should only show authenticated bindings. Certificates with no user IDs are now only shown when `--gossip` is provided.
v0.40.0 (3b45a6bb)
Release 0.40.0.

* Changes in 0.40.0
** New functionality
- New subcommand `sq download`, which downloads a file and a signature file, and then authenticates the file.
** Notable changes
- `sq toolbox keyring merge` now supports merging bare revocation certificates.
- `sq verify` now deletes the output file on failure.
- `sq decrypt` now deletes the output file on failure.
- Add a global option, `--policy-as-of`, that selects the cryptographic policy as of the specified time.
- `sq key subkey export` takes an additional argument, `--cert`, which is required. The specified keys must be attached to that certificate. This ensures that if a key is attached to multiple certificates, the correct certificate is exported.
- Add a new argument, `--cli-version`, which requests a particular semver-compatible version of the CLI. This enables breaking changes to the CLI in the future.
- The `help` subcommand has been removed everywhere except at the top level (`--help` still works).
- If designated signers are specified for `sq verify`, `sq decrypt`, and `sq download`, they are now the only certificates that are considered when verifying signatures. If no signers are specified, the certificate store is consulted.
- The argument `sq cert lint --list-keys` has been removed.
- `sq key list` now has a DWIM search parameter.
- The flag `sq sign --detached` is now called `sq sign --signature-file`.
- The flag `sq sign --clearsign` is now called `sq sign --cleartext`.
- Both `sq sign` and `sq verify` now require an explicit mode, one of `--signature-file`, `--message`, or `--cleartext`.
- The flag `sq --no-cert-store` has been replaced with `sq --cert-store=none`.
- The flag `sq --no-key-store` has been replaced with `sq --key-store=none`.
- Similarly, `sq --home=none` disables all state, unless explicitly re-enabled using `--cert-store` or `--key-store`.
- `sq pki link add`, `sq pki link authorize`, `sq pki vouch certify`, and `sq pki vouch authorize` have a `--userid-or-add` flag. Replace it with an `--userid-or-add` argument, and an `--email-or-add` argument.
- The `--email` and `--email-or-add` arguments to `sq pki link add`, etc. cannot be used to designate a self-signed user ID if multiple self-signed user IDs include the specified email address. Previously, the arguments would designate all self-signed user IDs with the specified email address.
- The new argument `sq sign --mode` can be used to create text signatures in addition to binary signatures.
- The argument `sq network wkd publish --create` has been split into two arguments, `--create` and `--method`, avoiding an ambiguity when parsing the arguments.
- `sq key userid revoke` no longer accepts the `--userid-or-add` flag to indicate that a user ID specified using `--userid`, an email specified using `--email`, or a name specified using `--name` should be used even if there is no corresponding self-signed user ID. This functionality is replaced by the `--userid-or-add`, `--email-or-add` and `--name-or-add` arguments.
- `sq pki path` previously interpreted the last positional argument as the user ID to authenticate. Make it a named argument instead, `--userid`.
- Add `sq pki path --email` and `sq pki path --name` as additional ways to specify the user ID to authenticate.
- The argument `sq encrypt --set-metadata-time` has been removed.
- The argument `sq encrypt --set-metadata-filename` now takes a string that specifies the file name to be set.
- `sq pki authenticate`'s positional argument for specifying the certificate to authenticate must now be specified using a named argument, `--cert`.
- `sq pki identify`'s positional argument for specifying the certificate to identify must now be specified using a named argument, `--cert`.
- Drop `sq cert list --email`'s flag, and replace it with the `--userid` and `--email` positional arguments, which match on user IDs.
- Drop `sq pki authenticate --email`'s flag, and replace it with the `--userid` and `--email` positional arguments, which match on user IDs.
- Drop `sq pki lookup --email`'s flag, and replace it with the `--userid` and `--email` positional arguments, which match on user IDs.
- `sq toolbox keyring` is now just `sq keyring`.
- `sq toolbox packet` is now just `sq packet`.
- `sq toolbox armor` is now `sq packet armor`.
- `sq toolbox dearmor` is now `sq packet dearmor`.
- `sq key userid revoke`, `sq pki link add`, `sq pki link authorize`, `sq pki vouch certify`, and `sq pki vouch authorize` now check that user IDs that are not self-signed are in canonical form. Add a flag, `--allow-non-canonical-userids`, to disable this check.
- `sq key approvals update` now requires an action, like `--add-authenticated`.
- `sq key approvals --add-authenticated` is now a simple flag, and we always require full authentication.
- `sq toolbox strip-userid` has been removed.
- All cert designators now use the `--cert-` prefix, e.g. `sq key export --email` has been changed to `sq key export --cert-email` for consistency reasons, and to free `--name`, `--email`, and `--userid` for user ID designators.
- The `--binary` argument has been removed from all commands but those that emit signed and/or encrypted messages.
- The command `sq toolbox extract-cert` has been removed in favor of `sq key delete` and `sq key subkey delete`.
- The command `sq packet split` now writes to stdout by default.
- The argument `sq packets split --prefix` is now called `--output-prefix`.
- `sq pki vouch certify` is now called `sq pki vouch add`.
- We now certify newly generated keys with a per-host shadow CA.
- The argument `sq encrypt --signature-notation` has been added.
- All arguments to add signature notations have been renamed from `--notation` to `--signature-notation`.
- When generating keys, either `--own-key` or `--shared-key` has to be given. The former marks the key's user IDs as authenticated and makes it a trusted introducer. The latter marks the key's user IDs as authenticated, and marks the key as a group key.
- The argument `sq cert lint --export-secret-keys` has been removed: if a secret key is provided as file input, it will be emitted.
- The argument `sq key subkey export --cert-file` has been removed.
- `sq` now reads a configuration file that can be used to tweak a number of defaults, like the cipher suite to generate new keys, the set of key servers to query, and the cryptographic policy.
- The command `sq keyring filter` is now considered experimental and may change in the future. To acknowledge this, it has to be invoked with the `--experimental` flag.
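The `--cli-version` semver check introduced in 0.40.0 and fixed in 1.2.0, as an added example that is not sq's own code: it models the intended compatibility rule next to the reversed comparison the 1.2.0 notes describe. Assumed: "compatible" means the same major version and a requested version no newer than the running CLI; the exact shape of the original bug is not on the page and is modelled here as a flipped comparison.

```rust
// Added example, not sq's own code: a model of the `--cli-version` rule.
// Assumption: compatible means same major and not newer than the running CLI.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; any other shape yields None.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// Intended check: sq 1.1.0 accepts `--cli-version 1.0.0` and `1.1.0`,
/// rejects `1.2.0` (newer) and `2.0.0` (different major).
pub fn is_compatible(running: Version, requested: Version) -> bool {
    running.major == requested.major
        && (requested.minor, requested.patch) <= (running.minor, running.patch)
}

/// Pre-1.2.0 behaviour as the notes describe it, modelled (hypothetically)
/// as a flipped comparison: 1.0.0 is rejected, 1.2.0 is accepted.
pub fn is_compatible_reversed(running: Version, requested: Version) -> bool {
    running.major == requested.major
        && (requested.minor, requested.patch) >= (running.minor, running.patch)
}

fn main() {
    let running = Version::parse("1.1.0").unwrap();
    for req in ["1.0.0", "1.1.0", "1.2.0", "2.0.0"].iter() {
        let requested = Version::parse(req).unwrap();
        println!("sq 1.1.0 --cli-version {}: fixed={} reversed={}", req,
            is_compatible(running, requested), is_compatible_reversed(running, requested));
    }
}
```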
v0.31.0 (0dd20af0)
Release 0.31.0.

* New functionality
- `sq key subkey add` allows creating and adding a new subkey to an existing certificate.
- The functionality of `sq-keyring-linter` is now available as `sq keyring lint`.
- The new subcommands `sq key revoke`, `sq key subkey revoke` and `sq key userid revoke` allow writing to a file using the `--output` option.
* Notable changes
- The `--keyring` option is now global and can be specified anywhere when calling `sq`.
* Deprecated functionality
- The `--expires` and `--expires-in` options used in various subcommands are deprecated in favor of the unifying `--expiry`.
- `sq key generate --export FILE` is deprecated in favor of the more generic `sq key generate --output FILE`.
- The `sq revoke certificate` command has been renamed to `sq key revoke`.
- The `sq revoke subkey` command has been renamed to `sq key subkey revoke`.
- The `sq revoke userid` command has been renamed to `sq key userid revoke`.
v0.30.1 (3433e6e8)
Release v0.30.1.

* Changes in 0.30.1
** Notable changes
- The `crypto-botan` feature now selects Botan's v3 interface. Use the new `crypto-botan2` feature to continue using Botan's v2 interface.
** Notable fixes
- Several parser bugs were fixed in sequoia-openpgp 1.16.0 and buffered-reader 1.2.0. These are all low severity, as Rust correctly detects the out-of-bounds access and panics. Update Cargo.lock to make sure we use these versions.