sequoia-sq-0.25.0/.cargo_vcs_info.json0000644000000001121402044042100132260ustar { "git": { "sha1": "4b368a4e8d1ea1ec1af9abb095c5d7a55572c38d" } } sequoia-sq-0.25.0/Cargo.lock0000644000001474461402044042100112270ustar # This file is automatically @generated by Cargo. # It is not intended for manual editing. [[package]] name = "addr2line" version = "0.14.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a55f82cfe485775d02112886f4169bde0c5894d75e79ead7eafe7e40a25e45f7" dependencies = [ "gimli", ] [[package]] name = "adler" version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" [[package]] name = "aead" version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7fc95d1bdb8e6666b2b217308eeeb09f2d6728d104be3e31916cc74d15420331" dependencies = [ "generic-array", ] [[package]] name = "aho-corasick" version = "0.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7404febffaa47dac81aa44dba71523c9d069b1bdc50a77db41195149e17f68e5" dependencies = [ "memchr", ] [[package]] name = "ansi_term" version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b" dependencies = [ "winapi 0.3.9", ] [[package]] name = "anyhow" version = "1.0.38" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "afddf7f520a80dbf76e6f50a35bca42a2331ef227a28b3b6dc5c2e2338d114b1" [[package]] name = "arrayref" version = "0.3.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a4c527152e37cf757a3f78aae5a06fbeefdb07ccc535c980a3208ee3060dd544" [[package]] name = "arrayvec" version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "23b62fc65de8e4e7f52534fb52b0f3ed04746ae267519eef2a83941e8085068b" [[package]] name = "ascii-canvas" 
version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff8eb72df928aafb99fe5d37b383f2fe25bd2a765e3e5f7c365916b6f2463a29" dependencies = [ "term", ] [[package]] name = "assert_cli" version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a29ab7c0ed62970beb0534d637a8688842506d0ff9157de83286dacd065c8149" dependencies = [ "colored", "difference", "environment", "failure", "failure_derive", "serde_json", ] [[package]] name = "atty" version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8" dependencies = [ "hermit-abi", "libc", "winapi 0.3.9", ] [[package]] name = "autocfg" version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1d49d90015b3c36167a20fe2810c5cd875ad504b39cff3d4eae7977e6b7c1cb2" [[package]] name = "autocfg" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" [[package]] name = "backtrace" version = "0.3.56" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9d117600f438b1707d4e4ae15d3595657288f8235a0eb593e80ecc98ab34e1bc" dependencies = [ "addr2line", "cfg-if 1.0.0", "libc", "miniz_oxide", "object", "rustc-demangle", ] [[package]] name = "base64" version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd" [[package]] name = "bindgen" version = "0.55.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "75b13ce559e6433d360c26305643803cb52cfbabbc2b9c47ce04a58493dfb443" dependencies = [ "bitflags", "cexpr", "cfg-if 0.1.10", "clang-sys", "lazy_static", "lazycell", "peeking_take_while", "proc-macro2", "quote", "regex", "rustc-hash", "shlex", ] [[package]] name = "bit-set" version = 
"0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e11e16035ea35e4e5997b393eacbf6f63983188f7a2ad25bfb13465f5ad59de" dependencies = [ "bit-vec", ] [[package]] name = "bit-vec" version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb" [[package]] name = "bitflags" version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" [[package]] name = "blake2b_simd" version = "0.5.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "afa748e348ad3be8263be728124b24a24f268266f6f5d58af9d75f6a40b5c587" dependencies = [ "arrayref", "arrayvec", "constant_time_eq", ] [[package]] name = "block-buffer" version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4" dependencies = [ "generic-array", ] [[package]] name = "buffered-reader" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5f76f15096822ca97dcc626a98ce3eb93c8afc795f33994a63e8d4ed767007e4" dependencies = [ "bzip2", "flate2", "libc", ] [[package]] name = "byteorder" version = "1.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ae44d1a3d5a19df61dd0c8beb138458ac2a53a7ac09eba97d55592540004306b" [[package]] name = "bytes" version = "0.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0e4cec68f03f32e44924783795810fa50a7035d8c8ebe78580ad7e6c703fba38" [[package]] name = "bytes" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040" [[package]] name = "bzip2" version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"abf8012c8a15d5df745fcf258d93e6149dcf102882c8d8702d9cff778eab43a8" dependencies = [ "bzip2-sys", "libc", ] [[package]] name = "bzip2-sys" version = "0.1.10+1.0.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "17fa3d1ac1ca21c5c4e36a97f3c3eb25084576f6fc47bf0139c1123434216c6c" dependencies = [ "cc", "libc", "pkg-config", ] [[package]] name = "cc" version = "1.0.67" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e3c69b077ad434294d3ce9f1f6143a2a4b89a8a2d54ef813d85003a4fd1137fd" [[package]] name = "cexpr" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f4aedb84272dbe89af497cf81375129abda4fc0a9e7c5d317498c15cc30c0d27" dependencies = [ "nom", ] [[package]] name = "cfg-if" version = "0.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822" [[package]] name = "cfg-if" version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chrono" version = "0.4.19" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "670ad68c9088c2a963aaa298cb369688cf3f9465ce5e2d4ca10e6e0098a1ce73" dependencies = [ "libc", "num-integer", "num-traits", "time", "winapi 0.3.9", ] [[package]] name = "cipher" version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "12f8e7987cbd042a63249497f41aed09f8e65add917ea6566effbc56578d6801" dependencies = [ "generic-array", ] [[package]] name = "clang-sys" version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f54d78e30b388d4815220c8dd03fea5656b6c6d32adb59e89061552a102f8da1" dependencies = [ "glob", "libc", ] [[package]] name = "clap" version = "2.33.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002" dependencies = [ "ansi_term", "atty", "bitflags", "strsim", "term_size", "textwrap", "unicode-width", "vec_map", ] [[package]] name = "cmac" version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73d4de4f7724e5fe70addfb2bd37c2abd2f95084a429d7773b0b9645499b4272" dependencies = [ "crypto-mac", "dbl", ] [[package]] name = "colored" version = "1.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f4ffc801dacf156c5854b9df4f425a626539c3a6ef7893cc0c5084a23f0b6c59" dependencies = [ "atty", "lazy_static", "winapi 0.3.9", ] [[package]] name = "constant_time_eq" version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "245097e9a4535ee1e3e3931fcfcd55a796a44c643e8596ff6566d68f09b87bbc" [[package]] name = "core-foundation" version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0a89e2ae426ea83155dccf10c0fa6b1463ef6d5fcb44cee0b224a408fa640a62" dependencies = [ "core-foundation-sys", "libc", ] [[package]] name = "core-foundation-sys" version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ea221b5284a47e40033bf9b66f35f984ec0ea2931eb03505246cd27a963f981b" [[package]] name = "cpuid-bool" version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8aebca1129a03dc6dc2b127edd729435bbc4a37e1d5f4d7513165089ceb02634" [[package]] name = "crc32fast" version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "81156fece84ab6a9f2afdb109ce3ae577e42b1228441eded99bd77f627953b1a" dependencies = [ "cfg-if 1.0.0", ] [[package]] name = "crossbeam-utils" version = "0.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e7e9d99fa91428effe99c5c6d4634cdeba32b8cf784fc428a2a687f61a952c49" dependencies = [ "autocfg 1.0.1", "cfg-if 1.0.0", "lazy_static", ] 
[[package]] name = "crunchy" version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" [[package]] name = "crypto-mac" version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4857fd85a0c34b3c3297875b747c1e02e06b6a0ea32dd892d8192b9ce0813ea6" dependencies = [ "cipher", "generic-array", "subtle", ] [[package]] name = "ctr" version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fb4a30d54f7443bf3d6191dcd486aca19e67cb3c49fa7a06a319966346707e7f" dependencies = [ "cipher", ] [[package]] name = "curve25519-dalek" version = "3.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f627126b946c25a4638eec0ea634fc52506dea98db118aae985118ce7c3d723f" dependencies = [ "byteorder", "digest", "rand_core 0.5.1", "subtle", "zeroize", ] [[package]] name = "dbl" version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "37e797687b5f09528a48fcb63b6914d0255b8a6c760699a919af37042f09d9b3" dependencies = [ "generic-array", ] [[package]] name = "diff" version = "0.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0e25ea47919b1560c4e3b7fe0aaab9becf5b84a10325ddf7db0f0ba5e1026499" [[package]] name = "difference" version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "524cbf6897b527295dff137cec09ecf3a05f4fddffd7dfcd1585403449e74198" [[package]] name = "digest" version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066" dependencies = [ "generic-array", ] [[package]] name = "dirs" version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3fd78930633bd1c6e35c4b42b1df7b0cbc6bc191146e512bb3bedf243fcc3901" dependencies = [ "libc", "redox_users", "winapi 
0.3.9", ] [[package]] name = "doc-comment" version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10" [[package]] name = "dyn-clone" version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ee2626afccd7561a06cf1367e2950c4718ea04565e20fb5029b6c7d8ad09abcf" [[package]] name = "eax" version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1f76e7a5e594b299a0fa9a99de627530725e341df41376aa342aecb2c5eb76e" dependencies = [ "aead", "cipher", "cmac", "ctr", "subtle", ] [[package]] name = "ed25519" version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "37c66a534cbb46ab4ea03477eae19d5c22c01da8258030280b7bd9d8433fb6ef" dependencies = [ "signature", ] [[package]] name = "ed25519-dalek" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c762bae6dcaf24c4c84667b8579785430908723d5c889f469d76a41d59cc7a9d" dependencies = [ "curve25519-dalek", "ed25519", "rand 0.7.3", "sha2", "zeroize", ] [[package]] name = "either" version = "1.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457" [[package]] name = "ena" version = "0.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d7402b94a93c24e742487327a7cd839dc9d36fec9de9fb25b09f2dae459f36c3" dependencies = [ "log", ] [[package]] name = "environment" version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1f4b14e20978669064c33b4c1e0fb4083412e40fe56cbea2eae80fd7591503ee" [[package]] name = "failure" version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86" dependencies = [ "backtrace", "failure_derive", ] [[package]] name = 
"failure_derive" version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4" dependencies = [ "proc-macro2", "quote", "syn", "synstructure", ] [[package]] name = "fixedbitset" version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "37ab347416e802de484e4d03c7316c48f1ecb56574dfd4a46a80f173ce1de04d" [[package]] name = "flate2" version = "1.0.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cd3aec53de10fe96d7d8c565eb17f2c687bb5518a2ec453b5b1252964526abe0" dependencies = [ "cfg-if 1.0.0", "crc32fast", "libc", "miniz_oxide", ] [[package]] name = "fnv" version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" [[package]] name = "foreign-types" version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" dependencies = [ "foreign-types-shared", ] [[package]] name = "foreign-types-shared" version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" [[package]] name = "form_urlencoded" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191" dependencies = [ "matches", "percent-encoding", ] [[package]] name = "fuchsia-zircon" version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2e9763c69ebaae630ba35f74888db465e49e259ba1bc0eda7d06f4a067615d82" dependencies = [ "bitflags", "fuchsia-zircon-sys", ] [[package]] name = "fuchsia-zircon-sys" version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"3dcaa9ae7725d12cdb85b3ad99a434db70b468c09ded17e012d86b5c1010f7a7" [[package]] name = "futures-channel" version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8c2dd2df839b57db9ab69c2c9d8f3e8c81984781937fe2807dc6dcf3b2ad2939" dependencies = [ "futures-core", ] [[package]] name = "futures-core" version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "15496a72fabf0e62bdc3df11a59a3787429221dd0710ba8ef163d6f7a9112c94" [[package]] name = "futures-macro" version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ea405816a5139fb39af82c2beb921d52143f556038378d6db21183a5c37fbfb7" dependencies = [ "proc-macro-hack", "proc-macro2", "quote", "syn", ] [[package]] name = "futures-sink" version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "85754d98985841b7d4f5e8e6fbfa4a4ac847916893ec511a2917ccd8525b8bb3" [[package]] name = "futures-task" version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fa189ef211c15ee602667a6fcfe1c1fd9e07d42250d2156382820fba33c9df80" [[package]] name = "futures-util" version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1812c7ab8aedf8d6f2701a43e1243acdbcc2b36ab26e2ad421eb99ac963d96d1" dependencies = [ "futures-core", "futures-macro", "futures-task", "pin-project-lite 0.2.6", "pin-utils", "proc-macro-hack", "proc-macro-nested", "slab", ] [[package]] name = "generic-array" version = "0.14.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "501466ecc8a30d1d3b7fc9229b122b2ce8ed6e9d9223f1138d4babb253e51817" dependencies = [ "typenum", "version_check", ] [[package]] name = "getrandom" version = "0.1.16" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8fc3cb4d91f53b50155bdcfd23f6a4c39ae1969c2ae85982b135750cccaf5fce" dependencies = [ "cfg-if 1.0.0", "libc", "wasi 
0.9.0+wasi-snapshot-preview1", ] [[package]] name = "getrandom" version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c9495705279e7140bf035dde1f6e750c162df8b625267cd52cc44e0b156732c8" dependencies = [ "cfg-if 1.0.0", "libc", "wasi 0.10.2+wasi-snapshot-preview1", ] [[package]] name = "gimli" version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f6503fe142514ca4799d4c26297c4248239fe8838d827db6bd6065c6ed29a6ce" [[package]] name = "glob" version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" [[package]] name = "h2" version = "0.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5e4728fd124914ad25e99e3d15a9361a879f6620f63cb56bbb08f95abb97a535" dependencies = [ "bytes 0.5.6", "fnv", "futures-core", "futures-sink", "futures-util", "http", "indexmap", "slab", "tokio", "tokio-util", "tracing", "tracing-futures", ] [[package]] name = "hashbrown" version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d7afe4a420e3fe79967a00898cc1f4db7c8a49a9333a29f8a4bd76a253d5cd04" [[package]] name = "hermit-abi" version = "0.1.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "322f4de77956e22ed0e5032c359a0f1273f1f7f0d79bfa3b8ffbc730d7fbcc5c" dependencies = [ "libc", ] [[package]] name = "http" version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7245cd7449cc792608c3c8a9eaf69bd4eabbabf802713748fd739c98b82f0747" dependencies = [ "bytes 1.0.1", "fnv", "itoa", ] [[package]] name = "http-body" version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "13d5ff830006f7646652e057693569bfe0d51760c0085a071769d142a205111b" dependencies = [ "bytes 0.5.6", "http", ] [[package]] name = "httparse" version = "1.3.5" source = 
"registry+https://github.com/rust-lang/crates.io-index" checksum = "615caabe2c3160b313d52ccc905335f4ed5f10881dd63dc5699d47e90be85691" [[package]] name = "httpdate" version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "494b4d60369511e7dea41cf646832512a94e542f68bb9c49e54518e0f468eb47" [[package]] name = "hyper" version = "0.13.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8a6f157065790a3ed2f88679250419b5cdd96e714a0d65f7797fd337186e96bb" dependencies = [ "bytes 0.5.6", "futures-channel", "futures-core", "futures-util", "h2", "http", "http-body", "httparse", "httpdate", "itoa", "pin-project", "socket2", "tokio", "tower-service", "tracing", "want", ] [[package]] name = "hyper-tls" version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d979acc56dcb5b8dddba3917601745e877576475aa046df3226eabdecef78eed" dependencies = [ "bytes 0.5.6", "hyper", "native-tls", "tokio", "tokio-tls", ] [[package]] name = "idna" version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "89829a5d69c23d348314a7ac337fe39173b61149a9864deabd260983aed48c21" dependencies = [ "matches", "unicode-bidi", "unicode-normalization", ] [[package]] name = "indexmap" version = "1.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4fb1fa934250de4de8aef298d81c729a7d33d8c239daa3a7575e6b92bfc7313b" dependencies = [ "autocfg 1.0.1", "hashbrown", ] [[package]] name = "iovec" version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b2b3ea6ff95e175473f8ffe6a7eb7c00d054240321b84c57051175fe3c1e075e" dependencies = [ "libc", ] [[package]] name = "itertools" version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "284f18f85651fe11e8a991b2adb42cb078325c996ed026d994719efcfca1d54b" dependencies = [ "either", ] [[package]] name = "itertools" version = "0.10.0" source = 
"registry+https://github.com/rust-lang/crates.io-index" checksum = "37d572918e350e82412fe766d24b15e6682fb2ed2bbe018280caa810397cb319" dependencies = [ "either", ] [[package]] name = "itoa" version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dd25036021b0de88a0aff6b850051563c6516d0bf53f8638938edbb9de732736" [[package]] name = "kernel32-sys" version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7507624b29483431c0ba2d82aece8ca6cdba9382bff4ddd0f7490560c056098d" dependencies = [ "winapi 0.2.8", "winapi-build", ] [[package]] name = "lalrpop" version = "0.19.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "46962a8c71b91c3524b117dfdd70844d4265a173c4c9109f98171aebdcf1195f" dependencies = [ "ascii-canvas", "atty", "bit-set", "diff", "ena", "itertools 0.10.0", "lalrpop-util", "petgraph", "pico-args", "regex", "regex-syntax", "string_cache", "term", "tiny-keccak", "unicode-xid", ] [[package]] name = "lalrpop-util" version = "0.19.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a708007b751af124d09e9c5d97515257902bc6b486a56b40bcafd939e8ff467" dependencies = [ "regex", ] [[package]] name = "lazy_static" version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" dependencies = [ "spin", ] [[package]] name = "lazycell" version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" version = "0.2.87" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "265d751d31d6780a3f956bb5b8022feba2d94eeee5a84ba64f4212eedca42213" [[package]] name = "libm" version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"c7d73b3f436185384286bd8098d17ec07c9a7d2388a6599f824d8502b529702a" [[package]] name = "log" version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "51b9bbe6c47d51fc3e1a9b945965946b4c44142ab8792c50835a980d362c2710" dependencies = [ "cfg-if 1.0.0", ] [[package]] name = "matches" version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7ffc5c5338469d4d3ea17d269fa8ea3512ad247247c30bd2df69e68309ed0a08" [[package]] name = "memchr" version = "2.3.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0ee1c47aaa256ecabcaea351eae4a9b01ef39ed810004e298d2511ed284b1525" [[package]] name = "memsec" version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2af4f95d8737f4ffafbd1fb3c703cdc898868a244a59786793cba0520ebdcbdd" [[package]] name = "miniz_oxide" version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a92518e98c078586bc6c934028adcca4c92a53d6a958196de835170a01d84e4b" dependencies = [ "adler", "autocfg 1.0.1", ] [[package]] name = "mio" version = "0.6.23" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4afd66f5b91bf2a3bc13fad0e21caedac168ca4c707504e75585648ae80e4cc4" dependencies = [ "cfg-if 0.1.10", "fuchsia-zircon", "fuchsia-zircon-sys", "iovec", "kernel32-sys", "libc", "log", "miow", "net2", "slab", "winapi 0.2.8", ] [[package]] name = "miow" version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ebd808424166322d4a38da87083bfddd3ac4c131334ed55856112eb06d46944d" dependencies = [ "kernel32-sys", "net2", "winapi 0.2.8", "ws2_32-sys", ] [[package]] name = "native-tls" version = "0.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b8d96b2e1c8da3957d58100b09f102c6d9cfdfced01b7ec5a8974044bb09dbd4" dependencies = [ "lazy_static", "libc", "log", "openssl", "openssl-probe", "openssl-sys", "schannel", 
"security-framework", "security-framework-sys", "tempfile", ] [[package]] name = "net2" version = "0.2.37" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "391630d12b68002ae1e25e8f974306474966550ad82dac6886fb8910c19568ae" dependencies = [ "cfg-if 0.1.10", "libc", "winapi 0.3.9", ] [[package]] name = "nettle" version = "7.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ebb1286c10caea570bfd2ae584d7c2c36b961f8ed3a87c215193b45575314138" dependencies = [ "getrandom 0.1.16", "libc", "nettle-sys", "thiserror", ] [[package]] name = "nettle-sys" version = "2.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "290ac908ab44b40ccf5fe7fbc1ecefbf97f2ba41c4879b9fdf8573c26d165cce" dependencies = [ "bindgen", "pkg-config", "vcpkg", ] [[package]] name = "new_debug_unreachable" version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e4a24736216ec316047a1fc4252e27dabb04218aa4a3f37c6e7ddbf1f9782b54" [[package]] name = "nom" version = "5.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af" dependencies = [ "memchr", "version_check", ] [[package]] name = "num-bigint-dig" version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5d51546d704f52ef14b3c962b5776e53d5b862e5790e40a350d366c209bd7f7a" dependencies = [ "autocfg 0.1.7", "byteorder", "lazy_static", "libm", "num-integer", "num-iter", "num-traits", "smallvec", ] [[package]] name = "num-integer" version = "0.1.44" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d2cc698a63b549a70bc047073d2949cce27cd1c7b0a4a862d08a8031bc2801db" dependencies = [ "autocfg 1.0.1", "num-traits", ] [[package]] name = "num-iter" version = "0.1.42" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"b2021c8337a54d21aca0d59a92577a029af9431cb59b909b03252b9c164fad59" dependencies = [ "autocfg 1.0.1", "num-integer", "num-traits", ] [[package]] name = "num-traits" version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290" dependencies = [ "autocfg 1.0.1", ] [[package]] name = "object" version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a9a7ab5d64814df0fe4a4b5ead45ed6c5f181ee3ff04ba344313a6c80446c5d4" [[package]] name = "once_cell" version = "1.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "af8b08b04175473088b46763e51ee54da5f9a164bc162f615b91bc179dbf15a3" [[package]] name = "opaque-debug" version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" [[package]] name = "openssl" version = "0.10.32" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "038d43985d1ddca7a9900630d8cd031b56e4794eecc2e9ea39dd17aa04399a70" dependencies = [ "bitflags", "cfg-if 1.0.0", "foreign-types", "lazy_static", "libc", "openssl-sys", ] [[package]] name = "openssl-probe" version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "77af24da69f9d9341038eba93a073b1fdaaa1b788221b00a69bce9e762cb32de" [[package]] name = "openssl-sys" version = "0.9.60" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "921fc71883267538946025deffb622905ecad223c28efbfdef9bb59a0175f3e6" dependencies = [ "autocfg 1.0.1", "cc", "libc", "pkg-config", "vcpkg", ] [[package]] name = "peeking_take_while" version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099" [[package]] name = "percent-encoding" version = "2.1.0" source = 
"registry+https://github.com/rust-lang/crates.io-index" checksum = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e" [[package]] name = "petgraph" version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "467d164a6de56270bd7c4d070df81d07beace25012d5103ced4e9ff08d6afdb7" dependencies = [ "fixedbitset", "indexmap", ] [[package]] name = "phf_shared" version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c00cf8b9eafe68dde5e9eaa2cef8ee84a9336a47d566ec55ca16589633b65af7" dependencies = [ "siphasher", ] [[package]] name = "pico-args" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d70072c20945e1ab871c472a285fc772aefd4f5407723c206242f2c6f94595d6" [[package]] name = "pin-project" version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "96fa8ebb90271c4477f144354485b8068bd8f6b78b428b01ba892ca26caf0b63" dependencies = [ "pin-project-internal", ] [[package]] name = "pin-project-internal" version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "758669ae3558c6f74bd2a18b41f7ac0b5a195aea6639d6a9b5e5d1ad5ba24c0b" dependencies = [ "proc-macro2", "quote", "syn", ] [[package]] name = "pin-project-lite" version = "0.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "257b64915a082f7811703966789728173279bdebb956b143dbcd23f6f970a777" [[package]] name = "pin-project-lite" version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc0e1f259c92177c30a4c9d177246edd0a3568b25756a977d0632cf8fa37e905" [[package]] name = "pin-utils" version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" [[package]] name = "pkg-config" version = "0.3.19" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"3831453b3449ceb48b6d9c7ad7c96d5ea673e9b470a1dc578c2ce6521230884c" [[package]] name = "ppv-lite86" version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857" [[package]] name = "precomputed-hash" version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c" [[package]] name = "proc-macro-hack" version = "0.5.19" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dbf0c48bc1d91375ae5c3cd81e3722dff1abcf81a30960240640d223f59fe0e5" [[package]] name = "proc-macro-nested" version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bc881b2c22681370c6a780e47af9840ef841837bc98118431d4e1868bd0c1086" [[package]] name = "proc-macro2" version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1e0704ee1a7e00d7bb417d0770ea303c1bccbabf0ef1667dae92b5967f5f8a71" dependencies = [ "unicode-xid", ] [[package]] name = "quote" version = "1.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c3d0b9745dc2debf507c8422de05d7226cc1f0644216dfdfead988f9b1ab32a7" dependencies = [ "proc-macro2", ] [[package]] name = "rand" version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6a6b1679d49b24bbfe0c803429aa1874472f50d9b363131f0e89fc356b544d03" dependencies = [ "rand_chacha 0.2.2", "rand_core 0.5.1", "rand_hc 0.2.0", ] [[package]] name = "rand" version = "0.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0ef9e7e66b4468674bfcb0c81af8b7fa0bb154fa9f28eb840da5c447baeb8d7e" dependencies = [ "libc", "rand_chacha 0.3.0", "rand_core 0.6.2", "rand_hc 0.3.0", ] [[package]] name = "rand_chacha" version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"f4c8ed856279c9737206bf725bf36935d8666ead7aa69b52be55af369d193402" dependencies = [ "ppv-lite86", "rand_core 0.5.1", ] [[package]] name = "rand_chacha" version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e12735cf05c9e10bf21534da50a147b924d555dc7a547c42e6bb2d5b6017ae0d" dependencies = [ "ppv-lite86", "rand_core 0.6.2", ] [[package]] name = "rand_core" version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19" [[package]] name = "rand_core" version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "34cf66eb183df1c5876e2dcf6b13d57340741e8dc255b48e40a26de954d06ae7" dependencies = [ "getrandom 0.2.2", ] [[package]] name = "rand_hc" version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c" dependencies = [ "rand_core 0.5.1", ] [[package]] name = "rand_hc" version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3190ef7066a446f2e7f42e239d161e905420ccab01eb967c9eb27d21b2322a73" dependencies = [ "rand_core 0.6.2", ] [[package]] name = "redox_syscall" version = "0.1.57" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "41cc0f7e4d5d4544e8861606a285bb08d3e70712ccc7d2b84d7c0ccfaf4b05ce" [[package]] name = "redox_syscall" version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94341e4e44e24f6b591b59e47a8a027df12e008d73fd5672dbea9cc22f4507d9" dependencies = [ "bitflags", ] [[package]] name = "redox_users" version = "0.3.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "de0737333e7a9502c789a36d7c7fa6092a49895d4faa31ca5df163857ded2e9d" dependencies = [ "getrandom 0.1.16", "redox_syscall 0.1.57", "rust-argon2", ] [[package]] name = "regex" version = "1.4.3" source = 
"registry+https://github.com/rust-lang/crates.io-index" checksum = "d9251239e129e16308e70d853559389de218ac275b515068abc96829d05b948a" dependencies = [ "aho-corasick", "memchr", "regex-syntax", "thread_local", ] [[package]] name = "regex-syntax" version = "0.6.22" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b5eb417147ba9860a96cfe72a0b93bf88fee1744b5636ec99ab20c1aa9376581" [[package]] name = "remove_dir_all" version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7" dependencies = [ "winapi 0.3.9", ] [[package]] name = "rpassword" version = "5.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ffc936cf8a7ea60c58f030fd36a612a48f440610214dc54bc36431f9ea0c3efb" dependencies = [ "libc", "winapi 0.3.9", ] [[package]] name = "rust-argon2" version = "0.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4b18820d944b33caa75a71378964ac46f58517c92b6ae5f762636247c09e78fb" dependencies = [ "base64", "blake2b_simd", "constant_time_eq", "crossbeam-utils", ] [[package]] name = "rustc-demangle" version = "0.1.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e3bad0ee36814ca07d7968269dd4b7ec89ec2da10c4bb613928d3077083c232" [[package]] name = "rustc-hash" version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" [[package]] name = "ryu" version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e" [[package]] name = "schannel" version = "0.1.19" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8f05ba609c234e60bee0d547fe94a4c7e9da733d1c962cf6e59efa4cd9c8bc75" dependencies = [ "lazy_static", "winapi 0.3.9", ] [[package]] name = 
"security-framework" version = "2.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2dfd318104249865096c8da1dfabf09ddbb6d0330ea176812a62ec75e40c4166" dependencies = [ "bitflags", "core-foundation", "core-foundation-sys", "libc", "security-framework-sys", ] [[package]] name = "security-framework-sys" version = "2.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dee48cdde5ed250b0d3252818f646e174ab414036edb884dde62d80a3ac6082d" dependencies = [ "core-foundation-sys", "libc", ] [[package]] name = "sequoia-autocrypt" version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "341d2e14bf591228e427f560f99507f84de92fa998ebb6e35f633bb4d66c7b9f" dependencies = [ "base64", "sequoia-openpgp", ] [[package]] name = "sequoia-net" version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "743151162e9c25b1c80b9f40bbceb1308144e2501b96a872056059fc4701fb15" dependencies = [ "anyhow", "futures-util", "http", "hyper", "hyper-tls", "libc", "native-tls", "percent-encoding", "sequoia-openpgp", "tempfile", "thiserror", "url", "zbase32", ] [[package]] name = "sequoia-openpgp" version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d58ef113ced3dfdcf683bde4f30af2310a232a2e826338a5485f97823e583079" dependencies = [ "anyhow", "backtrace", "base64", "buffered-reader", "bzip2", "chrono", "dyn-clone", "eax", "ed25519-dalek", "flate2", "idna", "lalrpop", "lalrpop-util", "lazy_static", "libc", "memsec", "nettle", "num-bigint-dig", "regex", "regex-syntax", "sha1collisiondetection", "thiserror", "unicode-normalization", "win-crypto-ng", "winapi 0.3.9", ] [[package]] name = "sequoia-sq" version = "0.25.0" dependencies = [ "anyhow", "assert_cli", "buffered-reader", "chrono", "clap", "itertools 0.9.0", "rpassword", "sequoia-autocrypt", "sequoia-net", "sequoia-openpgp", "tempfile", "term_size", "tokio", ] [[package]] name = "serde" 
version = "1.0.123" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "92d5161132722baa40d802cc70b15262b98258453e85e5d1d365c757c73869ae" [[package]] name = "serde_json" version = "1.0.64" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "799e97dc9fdae36a5c8b8f2cae9ce2ee9fdce2058c57a93e6099d919fd982f79" dependencies = [ "itoa", "ryu", "serde", ] [[package]] name = "sha1collisiondetection" version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d7a6cf187c4059b3e63de2358b7e2f9a2261b6f3fd8ef4e7342308d0863ed082" dependencies = [ "digest", "generic-array", "libc", ] [[package]] name = "sha2" version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fa827a14b29ab7f44778d14a88d3cb76e949c45083f7dbfa507d0cb699dc12de" dependencies = [ "block-buffer", "cfg-if 1.0.0", "cpuid-bool", "digest", "opaque-debug", ] [[package]] name = "shlex" version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7fdf1b9db47230893d76faad238fd6097fd6d6a9245cd7a4d90dbd639536bbd2" [[package]] name = "signature" version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0f0242b8e50dd9accdd56170e94ca1ebd223b098eb9c83539a6e367d0f36ae68" [[package]] name = "siphasher" version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fa8f3741c7372e75519bd9346068370c9cdaabcc1f9599cbcf2a2719352286b7" [[package]] name = "slab" version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c111b5bd5695e56cffe5129854aa230b39c93a305372fdbb2668ca2394eea9f8" [[package]] name = "smallvec" version = "1.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fe0f37c9e8f3c5a4a66ad655a93c74daac4ad00c441533bf5c6e7990bb42604e" [[package]] name = "socket2" version = "0.3.19" source = "registry+https://github.com/rust-lang/crates.io-index" 
checksum = "122e570113d28d773067fab24266b66753f6ea915758651696b6e35e49f88d6e" dependencies = [ "cfg-if 1.0.0", "libc", "winapi 0.3.9", ] [[package]] name = "spin" version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" [[package]] name = "string_cache" version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8ddb1139b5353f96e429e1a5e19fbaf663bddedaa06d1dbd49f82e352601209a" dependencies = [ "lazy_static", "new_debug_unreachable", "phf_shared", "precomputed-hash", ] [[package]] name = "strsim" version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a" [[package]] name = "subtle" version = "2.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1e81da0851ada1f3e9d4312c704aa4f8806f0f9d69faaf8df2f3464b4a9437c2" [[package]] name = "syn" version = "1.0.61" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed22b90a0e734a23a7610f4283ac9e5acfb96cbb30dfefa540d66f866f1c09c5" dependencies = [ "proc-macro2", "quote", "unicode-xid", ] [[package]] name = "synstructure" version = "0.12.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701" dependencies = [ "proc-macro2", "quote", "syn", "unicode-xid", ] [[package]] name = "tempfile" version = "3.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22" dependencies = [ "cfg-if 1.0.0", "libc", "rand 0.8.3", "redox_syscall 0.2.5", "remove_dir_all", "winapi 0.3.9", ] [[package]] name = "term" version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "edd106a334b7657c10b7c540a0106114feadeb4dc314513e97df481d5d966f42" 
dependencies = [ "byteorder", "dirs", "winapi 0.3.9", ] [[package]] name = "term_size" version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1e4129646ca0ed8f45d09b929036bafad5377103edd06e50bf574b353d2b08d9" dependencies = [ "libc", "winapi 0.3.9", ] [[package]] name = "textwrap" version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060" dependencies = [ "term_size", "unicode-width", ] [[package]] name = "thiserror" version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e0f4a65597094d4483ddaed134f409b2cb7c1beccf25201a9f73c719254fa98e" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7765189610d8241a44529806d6fd1f2e0a08734313a35d5b3a556f92b381f3c0" dependencies = [ "proc-macro2", "quote", "syn", ] [[package]] name = "thread_local" version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8018d24e04c95ac8790716a5987d0fec4f8b27249ffa0f7d33f1369bdfb88cbd" dependencies = [ "once_cell", ] [[package]] name = "time" version = "0.1.43" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438" dependencies = [ "libc", "winapi 0.3.9", ] [[package]] name = "tiny-keccak" version = "2.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2c9d3793400a45f954c52e73d068316d76b6f4e36977e3fcebb13a2721e80237" dependencies = [ "crunchy", ] [[package]] name = "tinyvec" version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "317cca572a0e89c3ce0ca1f1bdc9369547fe318a683418e42ac8f59d14701023" dependencies = [ "tinyvec_macros", ] [[package]] name = "tinyvec_macros" version = "0.1.0" source = 
"registry+https://github.com/rust-lang/crates.io-index" checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c" [[package]] name = "tokio" version = "0.2.25" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6703a273949a90131b290be1fe7b039d0fc884aa1935860dfcbe056f28cd8092" dependencies = [ "bytes 0.5.6", "fnv", "futures-core", "iovec", "lazy_static", "memchr", "mio", "pin-project-lite 0.1.12", "slab", ] [[package]] name = "tokio-tls" version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9a70f4fcd7b3b24fb194f837560168208f669ca8cb70d0c4b862944452396343" dependencies = [ "native-tls", "tokio", ] [[package]] name = "tokio-util" version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "be8242891f2b6cbef26a2d7e8605133c2c554cd35b3e4948ea892d6d68436499" dependencies = [ "bytes 0.5.6", "futures-core", "futures-sink", "log", "pin-project-lite 0.1.12", "tokio", ] [[package]] name = "tower-service" version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "360dfd1d6d30e05fda32ace2c8c70e9c0a9da713275777f5a4dbb8a1893930c6" [[package]] name = "tracing" version = "0.1.25" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "01ebdc2bb4498ab1ab5f5b73c5803825e60199229ccba0698170e3be0e7f959f" dependencies = [ "cfg-if 1.0.0", "log", "pin-project-lite 0.2.6", "tracing-core", ] [[package]] name = "tracing-core" version = "0.1.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f50de3927f93d202783f4513cda820ab47ef17f624b03c096e86ef00c67e6b5f" dependencies = [ "lazy_static", ] [[package]] name = "tracing-futures" version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "97d095ae15e245a057c8e8451bab9b3ee1e1f68e9ba2b4fbc18d0ac5237835f2" dependencies = [ "pin-project", "tracing", ] [[package]] name = "try-lock" version = "0.2.3" source = 
"registry+https://github.com/rust-lang/crates.io-index" checksum = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642" [[package]] name = "typenum" version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "373c8a200f9e67a0c95e62a4f52fbf80c23b4381c05a17845531982fa99e6b33" [[package]] name = "unicode-bidi" version = "0.3.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49f2bd0c6468a8230e1db229cff8029217cf623c767ea5d60bfbd42729ea54d5" dependencies = [ "matches", ] [[package]] name = "unicode-normalization" version = "0.1.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "07fbfce1c8a97d547e8b5334978438d9d6ec8c20e38f56d4a4374d181493eaef" dependencies = [ "tinyvec", ] [[package]] name = "unicode-width" version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3" [[package]] name = "unicode-xid" version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564" [[package]] name = "url" version = "2.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ccd964113622c8e9322cfac19eb1004a07e636c545f325da085d5cdde6f1f8b" dependencies = [ "form_urlencoded", "idna", "matches", "percent-encoding", ] [[package]] name = "vcpkg" version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b00bca6106a5e23f3eee943593759b7fcddb00554332e856d990c893966879fb" [[package]] name = "vec_map" version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191" [[package]] name = "version_check" version = "0.9.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed" [[package]] name = "want" version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1ce8a968cb1cd110d136ff8b819a556d6fb6d919363c61534f6860c7eb172ba0" dependencies = [ "log", "try-lock", ] [[package]] name = "wasi" version = "0.9.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519" [[package]] name = "wasi" version = "0.10.2+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6" [[package]] name = "win-crypto-ng" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "24cf92e98e8f4ade45b5140795415a0f256fd9b69a1919248dcda11ba5d6466c" dependencies = [ "cipher", "doc-comment", "rand_core 0.5.1", "winapi 0.3.9", "zeroize", ] [[package]] name = "winapi" version = "0.2.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "167dc9d6949a9b857f3451275e911c3f44255842c1f7a76f33c55103a909087a" [[package]] name = "winapi" version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" dependencies = [ "winapi-i686-pc-windows-gnu", "winapi-x86_64-pc-windows-gnu", ] [[package]] name = "winapi-build" version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2d315eee3b34aca4797b2da6b13ed88266e6d612562a0c46390af8299fc699bc" [[package]] name = "winapi-i686-pc-windows-gnu" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" [[package]] name = "winapi-x86_64-pc-windows-gnu" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" 
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" [[package]] name = "ws2_32-sys" version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d59cefebd0c892fa2dd6de581e937301d8552cb44489cdff035c6187cb63fa5e" dependencies = [ "winapi 0.2.8", "winapi-build", ] [[package]] name = "zbase32" version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0f9079049688da5871a7558ddacb7f04958862c703e68258594cb7a862b5e33f" [[package]] name = "zeroize" version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "81a974bcdd357f0dca4d41677db03436324d45a4c9ed2d0b873a5a360ce41c36" dependencies = [ "zeroize_derive", ] [[package]] name = "zeroize_derive" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c3f369ddb18862aba61aa49bf31e74d29f0f162dec753063200e1dc084345d16" dependencies = [ "proc-macro2", "quote", "syn", "synstructure", ] sequoia-sq-0.25.0/Cargo.toml0000644000000055101402044042100112330ustar # THIS FILE IS AUTOMATICALLY GENERATED BY CARGO # # When uploading crates to the registry Cargo will automatically # "normalize" Cargo.toml files for maximal compatibility # with all versions of Cargo and also rewrite `path` dependencies # to registry (e.g., crates.io) dependencies # # If you believe there's an error in this file please file an # issue against the rust-lang/cargo repository. If you're # editing this file be aware that the upstream Cargo.toml # will likely look very different (and much more reasonable) [package] edition = "2018" name = "sequoia-sq" version = "0.25.0" authors = ["Azul ", "Igor Matuszewski ", "Justus Winter ", "Kai Michaelis ", "Neal H. 
Walfield ", "Nora Widdecke ", "Wiktor Kwapisiewicz "] build = "build.rs" description = "Command-line frontends for Sequoia" homepage = "https://sequoia-pgp.org/" documentation = "https://docs.rs/sequoia-sq" readme = "../README.md" keywords = ["cryptography", "openpgp", "pgp", "encryption", "signing"] categories = ["cryptography", "authentication", "command-line-utilities"] license = "GPL-2.0-or-later" repository = "https://gitlab.com/sequoia-pgp/sequoia" [[bin]] name = "sq" path = "src/sq-usage.rs" [dependencies.anyhow] version = "1.0.18" [dependencies.buffered-reader] version = "1.0.0" default-features = false [dependencies.chrono] version = "0.4.10" [dependencies.clap] version = "2.33" features = ["wrap_help"] [dependencies.itertools] version = "0.9" [dependencies.rpassword] version = "5.0" [dependencies.sequoia-autocrypt] version = "0.23" optional = true default-features = false [dependencies.sequoia-net] version = "0.23" optional = true default-features = false [dependencies.sequoia-openpgp] version = "1.1" default-features = false [dependencies.tempfile] version = "3.1" [dependencies.term_size] version = "0.3" [dependencies.tokio] version = "0.2.19" features = ["rt-core", "io-util", "io-driver"] optional = true [dev-dependencies.assert_cli] version = "0.6" [build-dependencies.clap] version = "2.33" [build-dependencies.sequoia-openpgp] version = "1.0.0" default-features = false [features] autocrypt = ["sequoia-autocrypt"] compression = ["buffered-reader/compression", "sequoia-openpgp/compression"] compression-bzip2 = ["buffered-reader/compression-bzip2", "sequoia-openpgp/compression-bzip2"] compression-deflate = ["buffered-reader/compression-deflate", "sequoia-openpgp/compression-deflate"] crypto-cng = ["sequoia-openpgp/crypto-cng"] crypto-nettle = ["sequoia-openpgp/crypto-nettle"] default = ["buffered-reader/compression", "sequoia-openpgp/default", "net", "autocrypt"] net = ["sequoia-net", "tokio"] [badges.gitlab] repository = "sequoia-pgp/sequoia" 
[badges.maintenance] status = "actively-developed" sequoia-sq-0.25.0/Cargo.toml.orig010064400017500001750000000044201402044017700147340ustar 00000000000000[package] name = "sequoia-sq" description = "Command-line frontends for Sequoia" version = "0.25.0" authors = [ "Azul ", "Igor Matuszewski ", "Justus Winter ", "Kai Michaelis ", "Neal H. Walfield ", "Nora Widdecke ", "Wiktor Kwapisiewicz ", ] build = "build.rs" documentation = "https://docs.rs/sequoia-sq" homepage = "https://sequoia-pgp.org/" repository = "https://gitlab.com/sequoia-pgp/sequoia" readme = "../README.md" keywords = ["cryptography", "openpgp", "pgp", "encryption", "signing"] categories = ["cryptography", "authentication", "command-line-utilities"] license = "GPL-2.0-or-later" edition = "2018" [badges] gitlab = { repository = "sequoia-pgp/sequoia" } maintenance = { status = "actively-developed" } [dependencies] buffered-reader = { path = "../buffered-reader", version = "1.0.0", default-features = false } sequoia-openpgp = { path = "../openpgp", version = "1.1", default-features = false } sequoia-autocrypt = { path = "../autocrypt", version = "0.23", default-features = false, optional = true } sequoia-net = { path = "../net", version = "0.23", default-features = false, optional = true } anyhow = "1.0.18" chrono = "0.4.10" clap = { version = "2.33", features = ["wrap_help"] } itertools = "0.9" tempfile = "3.1" term_size = "0.3" tokio = { version = "0.2.19", features = ["rt-core", "io-util", "io-driver"], optional = true } rpassword = "5.0" [build-dependencies] clap = "2.33" sequoia-openpgp = { path = "../openpgp", version = "1.0.0", default-features = false } [dev-dependencies] assert_cli = "0.6" [[bin]] name = "sq" path = "src/sq-usage.rs" [features] default = [ "buffered-reader/compression", "sequoia-openpgp/default", "net", "autocrypt", ] crypto-nettle = ["sequoia-openpgp/crypto-nettle"] crypto-cng = ["sequoia-openpgp/crypto-cng"] compression = ["buffered-reader/compression", 
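"sequoia-openpgp/compression"] compression-deflate = ["buffered-reader/compression-deflate", "sequoia-openpgp/compression-deflate"] compression-bzip2 = ["buffered-reader/compression-bzip2", "sequoia-openpgp/compression-bzip2"] net = ["sequoia-net", "tokio"] autocrypt = ["sequoia-autocrypt"] sequoia-sq-0.25.0/Makefile010064400017500001750000000022151402044017700135050ustar 00000000000000# Configuration. CARGO_TARGET_DIR ?= $(shell pwd)/../target # We currently only support absolute paths. CARGO_TARGET_DIR := $(abspath $(CARGO_TARGET_DIR)) SQ ?= $(CARGO_TARGET_DIR)/debug/sq # Tools. CARGO ?= cargo ifneq ($(filter Darwin %BSD,$(shell uname -s)),) INSTALL ?= ginstall else INSTALL ?= install endif # Installation. .PHONY: build-release build-release: CARGO_TARGET_DIR=$(CARGO_TARGET_DIR) \ $(CARGO) build $(CARGO_FLAGS) --release --package sequoia-sq $(MAKE) -C../store build-release .PHONY: install install: build-release $(INSTALL) -d $(DESTDIR)$(PREFIX)/bin $(INSTALL) -t $(DESTDIR)$(PREFIX)/bin $(CARGO_TARGET_DIR)/release/sq $(INSTALL) -d $(DESTDIR)$(PREFIX)/share/zsh/site-functions $(INSTALL) -t $(DESTDIR)$(PREFIX)/share/zsh/site-functions \ $(CARGO_TARGET_DIR)/_sq $(INSTALL) -d $(DESTDIR)$(PREFIX)/share/bash-completion/completions $(INSTALL) $(CARGO_TARGET_DIR)/sq.bash \ $(DESTDIR)$(PREFIX)/share/bash-completion/completions/sq $(INSTALL) -d $(DESTDIR)$(PREFIX)/share/fish/completions $(INSTALL) -t $(DESTDIR)$(PREFIX)/share/fish/completions \ $(CARGO_TARGET_DIR)/sq.fish $(MAKE) -C../store install sequoia-sq-0.25.0/build.rs010064400017500001750000000056111402044017700135150ustar 00000000000000
use std::env;
use std::fs;
use std::io::{self, Write};

use clap::Shell;

// The command-line definition is textually included so that the build
// script and the `sq` binary share one clap description.
mod sq_cli {
    include!("src/sq_cli.rs");
}

// Build script entry point.
//
// 1. Regenerates `src/sq-usage.rs`: the `--help` output of `sq` and of
//    every subcommand rendered as `//!` doc comments, followed by the
//    doc favicon/logo attributes and an `include!("sq.rs");` line.
// 2. When `CARGO_TARGET_DIR` is set, writes shell completions for Bash,
//    Fish, Zsh, PowerShell and Elvish into that directory.
fn main() {
    println!("cargo:rerun-if-changed=build.rs");

    // XXX: Revisit once
    // https://github.com/rust-lang/rust/issues/44732 is stabilized.

    let mut sq = sq_cli::configure(
        clap::App::new("sq").set_term_width(80),
        cfg!(feature = "net"),
        cfg!(feature = "autocrypt"),
    );

    // NOTE(review): this writes into the source tree rather than into
    // Cargo's OUT_DIR, so every build rewrites a file under `src/` and
    // the build panics when the source directory is read-only (for
    // example a vendored or otherwise immutable checkout). Worth
    // revisiting for reproducible and sandboxed builds.
    let mut main = fs::File::create("src/sq-usage.rs").unwrap();
    dump_help(&mut main, &mut sq, vec![], "#").unwrap();

    writeln!(main, "\n#![doc(html_favicon_url = \"https://docs.sequoia-pgp.org/favicon.png\")]")
        .unwrap();
    writeln!(main, "#![doc(html_logo_url = \"https://docs.sequoia-pgp.org/logo.svg\")]")
        .unwrap();
    writeln!(main, "\ninclude!(\"sq.rs\");").unwrap();

    // Completions are generated only when CARGO_TARGET_DIR is present in
    // the environment; without it the script stops here without any
    // message. The package Makefile's `install` target copies `_sq`,
    // `sq.bash` and `sq.fish` from $(CARGO_TARGET_DIR), so it relies on
    // the variable having been set for the build.
    let outdir = match env::var_os("CARGO_TARGET_DIR") {
        None => return,
        Some(outdir) => outdir,
    };

    fs::create_dir_all(&outdir).unwrap();

    let mut sq = sq_cli::build();
    for shell in &[Shell::Bash, Shell::Fish, Shell::Zsh, Shell::PowerShell, Shell::Elvish] {
        sq.gen_completions("sq", *shell, &outdir);
    }
}

// Writes the help text for `sq` plus the subcommand path in `cmd` to
// `sink` as `//!` doc-comment lines, then recurses into each subcommand
// named in that help text.
//
// * `sink`    - destination of the generated doc comments.
// * `sq`      - the clap application used to render the help text.
// * `cmd`     - subcommand path; empty for the top-level command.
// * `heading` - markdown heading prefix; one `#` is appended per
//               recursion level.
//
// Returns the first I/O error reported by `sink`. Panics (via
// `unwrap_err`) if parsing `sq <cmd...> --help` does not produce an
// error value.
fn dump_help(sink: &mut dyn io::Write,
             sq: &mut clap::App,
             cmd: Vec<String>,
             heading: &str)
             -> io::Result<()>
{
    if cmd.is_empty() {
        writeln!(sink, "//! A command-line frontend for Sequoia.")?;
        writeln!(sink, "//!")?;
        writeln!(sink, "//! # Usage")?;
    } else {
        writeln!(sink, "//!")?;
        writeln!(sink, "//! {} Subcommand {}", heading, cmd.join(" "))?;
    }

    writeln!(sink, "//!")?;

    let args = std::iter::once("sq")
        .chain(cmd.iter().map(|s| s.as_str()))
        .chain(std::iter::once("--help"))
        .collect::<Vec<_>>();

    // Parsing `... --help` yields an error value whose string form is
    // used here as the help text.
    let help = sq.get_matches_from_safe_borrow(&args)
        .unwrap_err().to_string();

    writeln!(sink, "//! ```text")?;
    // The first line of the help text is skipped; trailing whitespace is
    // dropped from every emitted line.
    for line in help.trim_end().split('\n').skip(1) {
        if line.is_empty() {
            writeln!(sink, "//!")?;
        } else {
            writeln!(sink, "//! {}", line.trim_end())?;
        }
    }
    writeln!(sink, "//! ```")?;

    // Recurse.  Subcommand names are scraped from the rendered help:
    // after the "SUBCOMMANDS:" line, a line whose fifth character is not
    // whitespace is treated as an entry, and its first space-separated
    // word is the subcommand name.  The built-in "help" entry is ignored.
    let mut found_subcommands = false;
    for subcmd in help.split('\n').filter_map(move |line| {
        if line == "SUBCOMMANDS:" {
            found_subcommands = true;
            None
        } else if found_subcommands
            && line.chars().nth(4).map_or(false, |c| !c.is_ascii_whitespace())
        {
            line.trim_start().split(' ').next()
        } else {
            None
        }
    }).filter(|subcmd| *subcmd != "help") {
        let mut c = cmd.clone();
        c.push(subcmd.into());
        dump_help(sink, sq, c, &format!("{}#", heading))?;
    }

    Ok(())
}
sequoia-sq-0.25.0/man-sq/sq-armor.1010064400017500001750000000030441402044017700150650ustar 00000000000000.TH SQ-ARMOR "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-armor \- Converts binary to ASCII To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII\-encoded representation. The converse operation is "sq dearmor". .SH SYNOPSIS \fBsq armor\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-label\fR LABEL Selects the kind of armor header [default: auto] [possible values: auto, message, cert, key, sig, file] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Convert a binary certificate to ASCII \fB$ sq armor binary\-juliet.pgp\fR .TP # Convert a binary message to ASCII \fB$ sq armor binary\-message.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 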
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-certify.1010064400017500001750000000071631402044017700154200ustar 00000000000000.TH SQ-CERTIFY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-certify \- Certifies a User ID for a Certificate Using a certification, a keyholder may vouch for the fact that another certificate legitimately belongs to a user id. In the context of emails this means that the same entity controls the key and the email address. These kinds of certifications form the basis for the Web Of Trust. This command emits the certificate with the new certification. The updated certificate has to be distributed, preferably by sending it to the certificate holder for attestation. See also "sq key attest\-certification". .SH SYNOPSIS \fBsq certify\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-l\fR, \fB\-\-local\fR Makes the certification a local certification. Normally, local certifications are not exported. .TP \fB\-\-non\-revocable\fR Marks the certification as being non\-revocable. That is, you cannot later revoke this certification. This should normally only be used with an expiration. .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-d\fR, \fB\-\-depth\fR TRUST_DEPTH Sets the trust depth (sometimes referred to as the trust level). 0 means a normal certification of USERID for CERTIFICATE. 1 means CERTIFICATE is also a trusted introducer, 2 means CERTIFICATE is a meta\-trusted introducer, etc. The default is 0. .TP \fB\-a\fR, \fB\-\-amount\fR TRUST_AMOUNT Sets the amount of trust. Values between 1 and 120 are meaningful. 120 means fully trusted. Values less than 120 indicate the degree of trust. 60 is usually used for partially trusted. The default is 120. .TP \fB\-r\fR, \fB\-\-regex\fR REGEX Adds a regular expression to constrain what a trusted introducer can certify. 
The regular expression must match the certified User ID in all intermediate introducers, and the certified certificate. Multiple regular expressions may be specified. In that case, at least one must match. .TP \fB\-\-notation\fR NAME Adds a notation to the certification. A user\-defined notation's name must be of the form "name@a.domain.you.control.org". If the notation's name starts with a !, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable. .TP \fB\-\-expires\fR TIME Makes the certification expire at TIME (as ISO 8601). Use "never" to create certifications that do not expire. .TP \fB\-\-expires\-in\fR DURATION Makes the certification expire after DURATION. Either "N[ymwd]", for N years, months, weeks, or days, or "never". [default: 5y] .SH ARGS .TP CERTIFIER\-KEY Creates the certification using CERTIFIER\-KEY. .TP CERTIFICATE Certifies CERTIFICATE. .TP USERID Certifies USERID for CERTIFICATE. .SH EXAMPLES .TP # Juliet certifies that Romeo controls romeo.pgp and romeo@example.org \fB$ sq certify juliet.pgp romeo.pgp "<romeo@example.org>"\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-dearmor.1010064400017500001750000000026741402044017700154060ustar 00000000000000.TH SQ-DEARMOR "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-dearmor \- Converts ASCII to binary To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. 
sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII\-encoded OpenPGP data to its binary representation. The converse operation is "sq armor". .SH SYNOPSIS \fBsq dearmor\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Convert an ASCII certificate to binary \fB$ sq dearmor ascii\-juliet.pgp\fR .TP # Convert an ASCII message to binary \fB$ sq dearmor ascii\-message.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-decrypt.1010064400017500001750000000051321402044017700154170ustar 00000000000000.TH SQ-DECRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-decrypt \- Decrypts a message Decrypts a message using either supplied keys, or by prompting for a password. If message tampering is detected, an error is returned. See below for details. If certificates are supplied using the "\-\-signer\-cert" option, any signatures that are found are checked using these certificates. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the signature verification fails, or if message tampering is detected, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. 
if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq encrypt". .SH SYNOPSIS \fBsq decrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-dump\-session\-key\fR Prints the session key to stderr. The session key alone is sufficient to decrypt this message, so anything that captures stderr (logs, terminal scrollback) must be handled as secret material. .TP \fB\-\-dump\fR Prints a packet dump to stderr .TP \fB\-x\fR, \fB\-\-hex\fR Prints a hexdump (implies \-\-dump) .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-n\fR, \fB\-\-signatures\fR N Sets the threshold of valid signatures to N. The message will only be considered verified if this threshold is reached. [default: 1 if at least one signer cert file is given, 0 otherwise] .TP \fB\-\-signer\-cert\fR CERT Verifies signatures with CERT .TP \fB\-\-recipient\-key\fR KEY Decrypts with KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Decrypt a file using a secret key \fB$ sq decrypt \-\-recipient\-key juliet.pgp ciphertext.pgp\fR .TP # Decrypt a file verifying signatures \fB$ sq decrypt \-\-recipient\-key juliet.pgp \-\-signer\-cert romeo.pgp ciphertext.pgp\fR .TP # Decrypt a file using a password \fB$ sq decrypt ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-encrypt.1010064400017500001750000000047251402044017700154400ustar 00000000000000.TH SQ-ENCRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-encrypt \- Encrypts a message Encrypts a message for any number of recipients and with any number of passwords, optionally signing the message in the process. 
The converse operation is "sq decrypt". .SH SYNOPSIS \fBsq encrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-s\fR, \fB\-\-symmetric\fR Adds a password to encrypt with. The message can be decrypted with either one of the recipient's keys, or any password. .TP \fB\-\-use\-expired\-subkey\fR If a certificate has only expired encryption\-capable subkeys, falls back to using the one that expired last .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-recipient\-cert\fR CERT\-RING Encrypts for all recipients in CERT\-RING .TP \fB\-\-signer\-key\fR KEY Signs the message with KEY .TP \fB\-\-mode\fR MODE Selects what kind of keys are considered for encryption. Transport select subkeys marked as suitable for transport encryption, rest selects those for encrypting data at rest, and all selects all encryption\-capable subkeys. [default: all] [possible values: transport, rest, all] .TP \fB\-\-compression\fR KIND Selects compression scheme to use [default: pad] [possible values: none, pad, zip, zlib, bzip2] .TP \fB\-t\fR, \fB\-\-time\fR TIME Chooses keys valid at the specified time and sets the signature's creation time .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Encrypt a file using a certificate \fB$ sq encrypt \-\-recipient\-cert romeo.pgp message.txt\fR .TP # Encrypt a file creating a signature in the process \fB$ sq encrypt \-\-recipient\-cert romeo.pgp \-\-signer\-key juliet.pgp message.txt\fR .TP # Encrypt a file using a password \fB$ sq encrypt \-\-symmetric message.txt\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-inspect.1010064400017500001750000000025771402044017700154240ustar 00000000000000.TH SQ-INSPECT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-inspect \- Inspects data, like file(1) It is often difficult to tell from cursory inspection using cat(1) or file(1) what kind of OpenPGP one is looking at. This subcommand inspects the data and provides a meaningful human\-readable description of it. .SH SYNOPSIS \fBsq inspect\fR [FLAGS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-certifications\fR Prints third\-party certifications .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Inspects a certificate \fB$ sq inspect juliet.pgp\fR .TP # Inspects a certificate ring \fB$ sq inspect certs.pgp\fR .TP # Inspects a message \fB$ sq inspect message.pgp\fR .TP # Inspects a detached signature \fB$ sq inspect message.sig\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-key-adopt.1010064400017500001750000000037171402044017700156510ustar 00000000000000.TH SQ-KEY-ADOPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-adopt \- Binds keys from one certificate to another This command allows one to transfer primary keys and subkeys into an existing certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate. You want to keep the authentication subkey because it allows access to SSH servers and updating their configuration is not feasible. 
.SH SYNOPSIS \fBsq key adopt\fR [FLAGS] [OPTIONS] [TARGET\-KEY] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-allow\-broken\-crypto\fR Allows adopting keys from certificates using broken cryptography .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-r\fR, \fB\-\-keyring\fR KEY\-RING Supplies keys for use in \-\-key. .TP \fB\-k\fR, \fB\-\-key\fR KEY Adds the key or subkey KEY to the TARGET\-KEY .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP TARGET\-KEY Adds keys to TARGET\-KEY .SH EXAMPLES .TP # Adopt a subkey into the new cert \fB$ sq key adopt \-\-keyring juliet\-old.pgp \-\-key 0123456789ABCDEF \-\- juliet\-new.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-key-attest-certifications.1010064400017500001750000000040611402044017700210430ustar 00000000000000.TH SQ-KEY-ATTEST-CERTIFICATIONS "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-attest\-certifications \- Attests to third\-party certifications allowing for their distribution To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third\-party certifications on certificates. To make the key holder the sovereign over what information is distributed with the certificate, the key holder needs to explicitly attest to third\-party certifications. 
After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a keyserver. .SH SYNOPSIS \fBsq key attest\-certifications\fR [FLAGS] [OPTIONS] [KEY] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-none\fR Removes all prior attestations .TP \fB\-\-all\fR Attests to all certifications [default] .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP KEY Changes attestations on KEY .SH EXAMPLES .TP # Attest to all certifications present on the key \fB$ sq key attest\-certifications juliet.pgp\fR .TP # Retract prior attestations on the key \fB$ sq key attest\-certifications \-\-none juliet.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-key-extract-cert.1010064400017500001750000000033151402044017700171410ustar 00000000000000.TH SQ-KEY-EXTRACT-CERT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-extract\-cert \- Converts a key to a cert After generating a key, use this command to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. 
.SH SYNOPSIS \fBsq key extract\-cert\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # First, this generates a key \fB$ sq key generate \-\-userid "" \-\-export juliet.key.pgp\fR .TP # Then, this extracts the certificate for distribution \fB$ sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-key-generate.1010064400017500001750000000064641402044017700163360ustar 00000000000000.TH SQ-KEY-GENERATE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-generate \- Generates a new key Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users. When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place. After generating a key, use "sq key extract\-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. 
.SH SYNOPSIS \fBsq key generate\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-with\-password\fR Protects the key with a password .TP \fB\-\-can\-sign\fR Adds a signing\-capable subkey (default) .TP \fB\-\-cannot\-sign\fR Adds no signing\-capable subkey .TP \fB\-\-cannot\-encrypt\fR Adds no encryption\-capable subkey .SH OPTIONS .TP \fB\-u\fR, \fB\-\-userid\fR EMAIL Adds a userid to the key .TP \fB\-c\fR, \fB\-\-cipher\-suite\fR CIPHER\-SUITE Selects the cryptographic algorithms for the key [default: cv25519] [possible values: rsa3k, rsa4k, cv25519] .TP \fB\-\-expires\fR TIME Makes the key expire at TIME (as ISO 8601). Use "never" to create keys that do not expire. .TP \fB\-\-expires\-in\fR DURATION Makes the key expire after DURATION. Either "N[ymwd]", for N years, months, weeks, or days, or "never". .TP \fB\-\-can\-encrypt\fR PURPOSE Adds an encryption\-capable subkey. Encryption\-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both. [default: universal] [possible values: transport, storage, universal] .TP \fB\-e\fR, \fB\-\-export\fR OUTFILE Writes the key to OUTFILE .TP \fB\-\-rev\-cert\fR FILE or \- Writes the revocation certificate to FILE. mandatory if OUTFILE is "\-". [default: .rev] .SH EXAMPLES .TP # First, this generates a key \fB$ sq key generate \-\-userid "" \-\-export juliet.key.pgp\fR .TP # Then, this extracts the certificate for distribution \fB$ sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp\fR .TP # Generates a key protecting it with a password \fB$ sq key generate \-\-userid "" \-\-with\-password\fR .TP # Generates a key with multiple userids \fB$ sq key generate \-\-userid "" \-\-userid "Juliet Capulet"\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-key.1010064400017500001750000000063401402044017700145370ustar 00000000000000.TH SQ-KEY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key \- Manages keys We use the term "key" to refer to OpenPGP keys that do contain secrets. This subcommand provides primitives to generate and otherwise manipulate keys. Conversely, we use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. See "sq keyring" for operations on certificates. .SH SYNOPSIS \fBsq key\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBgenerate\fR Generates a new key Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users. When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place. After generating a key, use "sq key extract\-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. 
.TP \fBextract\-cert\fR Converts a key to a cert After generating a key, use this command to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. .TP \fBadopt\fR Binds keys from one certificate to another This command allows one to transfer primary keys and subkeys into an existing certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate. You want to keep the authentication subkey because it allows access to SSH servers and updating their configuration is not feasible. .TP \fBattest\-certifications\fR Attests to third\-party certifications allowing for their distribution To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third\-party certifications on certificates. To make the key holder the sovereign over the information over what information is distributed with the certificate, the key holder needs to explicitly attest to third\-party certifications. After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a keyserver. .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-keyring-filter.1010064400017500001750000000057031402044017700167040ustar 00000000000000.TH SQ-KEYRING-FILTER "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-filter \- Joins keys into a keyring applying a filter This can be used to filter keys based on given predicates, e.g. whether they have a user id containing an email address with a certain domain. Additionally, the keys can be pruned to only include components matching the predicates. If no filters are supplied, everything matches. If multiple predicates are given, they are or'ed, i.e. a key matches if any of the predicates match. To require all predicates to match, chain multiple invocations of this command. See EXAMPLES for inspiration. .SH SYNOPSIS \fBsq keyring filter\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-P\fR, \fB\-\-prune\-certs\fR Removes certificate components not matching the filter .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-to\-cert\fR Converts any keys in the input to certificates. Converting a key to a certificate removes secret key material from the key thereby turning it into a certificate. 
.SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-name\fR NAME Matches on NAME .TP \fB\-\-email\fR ADDRESS Matches on email ADDRESS .TP \fB\-\-domain\fR FQDN Matches on email domain FQDN .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Converts a key to a cert (i.e., remove any secret key material) \fB$ sq keyring filter \-\-to\-cert cat juliet.pgp\fR .TP # Gets the keys with a user id on example.org \fB$ sq keyring filter \-\-domain example.org keys.pgp\fR .TP # Gets the keys with a user id on example.org or example.net \fB$ sq keyring filter \-\-domain example.org \-\-domain example.net keys.pgp\fR .TP # Gets the keys with a user id with the name Juliet \fB$ sq keyring filter \-\-name Juliet keys.pgp\fR .TP # Gets the keys with a user id with the name Juliet on example.org \fB$ sq keyring filter \-\-domain example.org keys.pgp | \ keyring filter \-\-name Juliet\fR .TP # Gets the keys with a user id on example.org, pruning other userids \fB$ sq keyring filter \-\-domain example.org \-\-prune\-certs certs.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-keyring-join.1010064400017500001750000000027471402044017700163630ustar 00000000000000.TH SQ-KEYRING-JOIN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-join \- Joins keys or keyrings into a single keyring Unlike "sq keyring merge", multiple versions of the same key are not merged together. The converse operation is "sq keyring split". .SH SYNOPSIS \fBsq keyring join\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Don't ASCII\-armor the keyring .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Sets the output file to use .SH ARGS .TP FILE Sets the input files to use .SH EXAMPLES .TP # Collect certs for an email conversation \fB$ sq keyring join juliet.pgp romeo.pgp alice.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-keyring-list.1010064400017500001750000000025531402044017700163720ustar 00000000000000.TH SQ-KEYRING-LIST "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-list \- Lists keys in a keyring Prints the fingerprint as well as one userid for every certificate encountered in the keyring. 
.SH SYNOPSIS \fBsq keyring list\fR [FLAGS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # List all certs \fB$ sq keyring list certs.pgp\fR .TP # List all certs with a userid on example.org \fB$ sq keyring filter \-\-domain example.org certs.pgp | sq keyring list\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-keyring-merge.1010064400017500001750000000030441402044017700165120ustar 00000000000000.TH SQ-KEYRING-MERGE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-merge \- Merges keys or keyrings into a single keyring Unlike "sq keyring join", the certificates are buffered and multiple versions of the same certificate are merged together. Where data is replaced (e.g., secret key material), data from the later certificate is preferred. .SH SYNOPSIS \fBsq keyring merge\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE .SH EXAMPLES .TP # Merge certificate updates \fB$ sq keyring merge certs.pgp romeo\-updates.pgp\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-keyring-split.1010064400017500001750000000031671402044017700165540ustar 00000000000000.TH SQ-KEYRING-SPLIT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-split \- Splits a keyring into individual keys Splitting up a keyring into individual keys helps with curating a keyring. The converse operation is "sq keyring join". .SH SYNOPSIS \fBsq keyring split\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-p\fR, \fB\-\-prefix\fR FILE Writes to files with prefix FILE [defaults to the input filename with a dash, or "output" if keyring is read from stdin] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split all certs \fB$ sq keyring split certs.pgp\fR .TP # Split all certs, merging them first to avoid duplicates \fB$ sq keyring merge certs.pgp | sq keyring split\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-keyring.1010064400017500001750000000054421402044017700154210ustar 00000000000000.TH SQ-KEYRING "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring \- Manages collections of keys or certs Collections of keys or certificates (also known as "keyrings" when they contain secret key material, and "certrings" when they don't) are any number of concatenated certificates. This subcommand provides tools to list, split, join, merge, and filter keyrings. Note: In the documentation of this subcommand, we sometimes use the terms keys and certs interchangeably. .SH SYNOPSIS \fBsq keyring\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBfilter\fR Joins keys into a keyring applying a filter This can be used to filter keys based on given predicates, e.g. whether they have a user id containing an email address with a certain domain. Additionally, the keys can be pruned to only include components matching the predicates. If no filters are supplied, everything matches. If multiple predicates are given, they are or'ed, i.e. a key matches if any of the predicates match. To require all predicates to match, chain multiple invocations of this command. See EXAMPLES for inspiration. 
.TP \fBjoin\fR Joins keys or keyrings into a single keyring Unlike "sq keyring merge", multiple versions of the same key are not merged together. The converse operation is "sq keyring split". .TP \fBmerge\fR Merges keys or keyrings into a single keyring Unlike "sq keyring join", the certificates are buffered and multiple versions of the same certificate are merged together. Where data is replaced (e.g., secret key material), data from the later certificate is preferred. .TP \fBlist\fR Lists keys in a keyring Prints the fingerprint as well one userid for every certificate encountered in the keyring. .TP \fBsplit\fR Splits a keyring into individual keys Splitting up a keyring into individual keys helps with curating a keyring. The converse operation is "sq keyring join". .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-packet-decrypt.1010064400017500001750000000031061402044017700166630ustar 00000000000000.TH SQ-PACKET-DECRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-decrypt \- Unwraps an encryption container Decrypts a message, dumping the content of the encryption container without further processing. The result is a valid OpenPGP message that can, among other things, be inspected using "sq packet dump". 
.SH SYNOPSIS \fBsq packet decrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-dump\-session\-key\fR Prints the session key to stderr .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-recipient\-key\fR KEY Decrypts the message with KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Unwraps the encryption revealing the signed message \fB$ sq packet decrypt \-\-recipient\-key juliet.pgp ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-packet-dump.1010064400017500001750000000036751402044017700161710ustar 00000000000000.TH SQ-PACKET-DUMP "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-dump \- Lists packets Creates a human\-readable description of the packet sequence. Additionally, it can print cryptographic artifacts, and print the raw octet stream similar to hexdump(1), annotating specifically which bytes are parsed into OpenPGP values. To inspect encrypted messages, either supply the session key, or see "sq decrypt \-\-dump" or "sq packet decrypt". 
.SH SYNOPSIS \fBsq packet dump\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-mpis\fR Prints cryptographic artifacts .TP \fB\-x\fR, \fB\-\-hex\fR Prints a hexdump .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-session\-key\fR SESSION\-KEY Decrypts an encrypted message using SESSION\-KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Prints the packets of a certificate \fB$ sq packet dump juliet.pgp\fR .TP # Prints cryptographic artifacts of a certificate \fB$ sq packet dump \-\-mpis juliet.pgp\fR .TP # Prints a hexdump of a certificate \fB$ sq packet dump \-\-hex juliet.pgp\fR .TP # Prints the packets of an encrypted message \fB$ sq packet dump \-\-session\-key AAAABBBBCCCC... ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-packet-join.1010064400017500001750000000031521402044017700161510ustar 00000000000000.TH SQ-PACKET-JOIN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-join \- Joins packets split across files Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet split". 
.SH SYNOPSIS \fBsq packet join\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-label\fR LABEL Selects the kind of armor header [default: auto] [possible values: auto, message, cert, key, sig, file] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split a certificate into individual packets \fB$ sq packet split juliet.pgp\fR .TP # Then join only a subset of these packets \fB$ sq packet join juliet.pgp\-[0\-3]*\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-packet-split.1010064400017500001750000000026111402044017700163440ustar 00000000000000.TH SQ-PACKET-SPLIT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-split \- Splits a message into packets Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet join". .SH SYNOPSIS \fBsq packet split\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-p\fR, \fB\-\-prefix\fR PREFIX Writes to files with PREFIX [defaults: FILE a dash, or "output" if read from stdin) .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split a certificate into individual packets \fB$ sq packet split juliet.pgp\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-packet.1010064400017500001750000000045651402044017700152250ustar 00000000000000.TH SQ-PACKET "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet \- Low\-level packet manipulation An OpenPGP data stream consists of packets. These tools allow working with packet streams. They are mostly of interest to developers, but "sq packet dump" may be helpful to a wider audience both to provide valuable information in bug reports to OpenPGP\-related software, and as a learning tool. .SH SYNOPSIS \fBsq packet\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBdump\fR Lists packets Creates a human\-readable description of the packet sequence. Additionally, it can print cryptographic artifacts, and print the raw octet stream similar to hexdump(1), annotating specifically which bytes are parsed into OpenPGP values. To inspect encrypted messages, either supply the session key, or see "sq decrypt \-\-dump" or "sq packet decrypt". .TP \fBdecrypt\fR Unwraps an encryption container Decrypts a message, dumping the content of the encryption container without further processing. The result is a valid OpenPGP message that can, among other things, be inspected using "sq packet dump". .TP \fBsplit\fR Splits a message into packets Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet join". 
.TP \fBjoin\fR Joins packets split across files Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet split". .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-sign.1010064400017500001750000000043471402044017700147140ustar 00000000000000.TH SQ-SIGN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-sign \- Signs messages or data files Creates signed messages or detached signatures. Detached signatures are often used to sign software packages. The converse operation is "sq verify". .SH SYNOPSIS \fBsq sign\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-detached\fR Creates a detached signature .TP \fB\-\-cleartext\-signature\fR Creates a cleartext signature .TP \fB\-a\fR, \fB\-\-append\fR Appends a signature to existing signature .TP \fB\-n\fR, \fB\-\-notarize\fR Signs a message and all existing signatures .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-merge\fR SIGNED\-MESSAGE Merges signatures from the input and SIGNED\-MESSAGE .TP \fB\-\-signer\-key\fR KEY Signs using KEY .TP \fB\-t\fR, \fB\-\-time\fR TIME Chooses keys valid at the specified time and sets the signature's creation time .TP \fB\-\-notation\fR NAME Adds a notation to the certification. A user\-defined notation's name must be of the form "name@a.domain.you.control.org". 
If the notation's name starts with a !, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable. .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Create a signed message \fB$ sq sign \-\-signer\-key juliet.pgp message.txt\fR .TP # Create a detached signature \fB$ sq sign \-\-detached \-\-signer\-key juliet.pgp message.txt\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq-verify.1010064400017500001750000000044351402044017700152560ustar 00000000000000.TH SQ-VERIFY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-verify \- Verifies signed messages or detached signatures When verifying signed messages, the message is written to stdout or the file given to \-\-output. When a detached message is verified, no output is produced. Detached signatures are often used to sign software packages. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq sign". 
.SH SYNOPSIS \fBsq verify\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-detached\fR SIG Verifies a detached signature .TP \fB\-n\fR, \fB\-\-signatures\fR N Sets the threshold of valid signatures to N. If this threshold is not reached, the message will not be considered verified. [default: 1] .TP \fB\-\-signer\-cert\fR CERT Verifies signatures with CERT .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Verify a signed message \fB$ sq verify \-\-signer\-cert juliet.pgp signed\-message.pgp\fR .TP # Verify a detached message \fB$ sq verify \-\-signer\-cert juliet.pgp \-\-detached message.sig message.txt\fR .SH SEE ALSO If you are looking for a standalone program to verify detached signatures, consider using sequoia\-sqv. For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq/sq.1010064400017500001750000000146711402044017700137570ustar 00000000000000.TH SQ "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq \- A command\-line frontend for Sequoia, an implementation of OpenPGP Functionality is grouped and available using subcommands. Currently, this interface is completely stateless. Therefore, you need to supply all configuration and certificates explicitly on each invocation. OpenPGP data can be provided in binary or ASCII armored form. This will be handled automatically. Emitted OpenPGP data is ASCII armored by default. We use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. 
Conversely, we use the term "key" to refer to OpenPGP keys that do contain secrets. .SH SYNOPSIS \fBsq\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-V\fR, \fB\-\-version\fR Prints version information .TP \fB\-f\fR, \fB\-\-force\fR Overwrites existing files .SH OPTIONS .TP \fB\-\-known\-notation\fR NOTATION Adds NOTATION to the list of known notations. This is used when validating signatures. Signatures that have unknown notations with the critical bit set are considered invalid. .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBdecrypt\fR Decrypts a message Decrypts a message using either supplied keys, or by prompting for a password. If message tampering is detected, an error is returned. See below for details. If certificates are supplied using the "\-\-signer\-cert" option, any signatures that are found are checked using these certificates. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the signature verification fails, or if message tampering is detected, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq encrypt". .TP \fBencrypt\fR Encrypts a message Encrypts a message for any number of recipients and with any number of passwords, optionally signing the message in the process. The converse operation is "sq decrypt". .TP \fBsign\fR Signs messages or data files Creates signed messages or detached signatures. Detached signatures are often used to sign software packages. The converse operation is "sq verify". 
.TP \fBverify\fR Verifies signed messages or detached signatures When verifying signed messages, the message is written to stdout or the file given to \-\-output. When a detached signature is verified, no output is produced. Detached signatures are often used to sign software packages. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. Output that was already written when verification fails is unverified, so check the exit status before relying on it. The converse operation is "sq sign". .TP \fBarmor\fR Converts binary to ASCII To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII\-encoded representation. The converse operation is "sq dearmor". .TP \fBdearmor\fR Converts ASCII to binary To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII\-encoded OpenPGP data to its binary representation. The converse operation is "sq armor". .TP \fBinspect\fR Inspects data, like file(1) It is often difficult to tell from cursory inspection using cat(1) or file(1) what kind of OpenPGP data one is looking at. This subcommand inspects the data and provides a meaningful human\-readable description of it. .TP \fBkey\fR Manages keys We use the term "key" to refer to OpenPGP keys that do contain secrets. This subcommand provides primitives to generate and otherwise manipulate keys.
Conversely, we use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. See "sq keyring" for operations on certificates. .TP \fBkeyring\fR Manages collections of keys or certs Collections of keys or certificates (also known as "keyrings" when they contain secret key material, and "certrings" when they don't) are any number of concatenated certificates. This subcommand provides tools to list, split, join, merge, and filter keyrings. Note: In the documentation of this subcommand, we sometimes use the terms keys and certs interchangeably. .TP \fBcertify\fR Certifies a User ID for a Certificate Using a certification, a keyholder may vouch for the fact that another certificate legitimately belongs to a user id. In the context of emails this means that the same entity controls the key and the email address. These kinds of certifications form the basis for the Web Of Trust. This command emits the certificate with the new certification. The updated certificate has to be distributed, preferably by sending it to the certificate holder for attestation. See also "sq key attest\-certifications". .TP \fBpacket\fR Low\-level packet manipulation An OpenPGP data stream consists of packets. These tools allow working with packet streams. They are mostly of interest to developers, but "sq packet dump" may be helpful to a wider audience both to provide valuable information in bug reports to OpenPGP\-related software, and as a learning tool. .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H.
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-armor.1010064400017500001750000000030661402044017700171210ustar 00000000000000.TH SQ-ARMOR "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-armor \- Converts binary to ASCII To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII\-encoded representation. The converse operation is "sq dearmor". .SH SYNOPSIS \fBsq armor\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-label\fR LABEL Selects the kind of armor header [default: auto] [possible values: auto, message, cert, key, sig, file] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Convert a binary certificate to ASCII \fB$ sq armor binary\-juliet.pgp\fR .TP # Convert a binary message to ASCII \fB$ sq armor binary\-message.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-autocrypt-decode.1010064400017500001750000000025671402044017700212610ustar 00000000000000.TH SQ-AUTOCRYPT-DECODE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-autocrypt\-decode \- Reads Autocrypt\-encoded certificates Given an autocrypt header (or an key\-gossip header), this command extracts the certificate encoded within it. The converse operation is "sq autocrypt encode\-sender". 
.SH SYNOPSIS \fBsq autocrypt decode\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Extract all certificates from a mail \fB$ sq autocrypt decode autocrypt.eml\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-autocrypt\-decode(1), sq\-autocrypt\-encode\-sender(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-autocrypt-encode-sender.1010064400017500001750000000037671402044017700225540ustar 00000000000000.TH SQ-AUTOCRYPT-ENCODE-SENDER "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-autocrypt\-encode\-sender \- Encodes a certificate into an Autocrypt header A certificate can be encoded and included in a header of an email message. This command encodes the certificate, adds the senders email address (which must match the one used in the "From" header), and the senders "prefer\-encrypt" state (see the Autocrypt spec for more information). The converse operation is "sq autocrypt decode". 
.SH SYNOPSIS \fBsq autocrypt encode\-sender\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-email\fR ADDRESS Sets the address [default: primary userid] .TP \fB\-\-prefer\-encrypt\fR prefer\-encrypt Sets the prefer\-encrypt attribute [default: nopreference] [possible values: nopreference, mutual] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Encodes a certificate \fB$ sq autocrypt encode\-sender juliet.pgp\fR .TP # Encodes a certificate with an explicit sender address \fB$ sq autocrypt encode\-sender \-\-email juliet@example.org juliet.pgp\fR .TP # Encodes a certificate while indicating the willingness to encrypt \fB$ sq autocrypt encode\-sender \-\-prefer\-encrypt mutual juliet.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-autocrypt\-decode(1), sq\-autocrypt\-encode\-sender(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-autocrypt.1010064400017500001750000000035671402044017700200410ustar 00000000000000.TH SQ-AUTOCRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-autocrypt \- Communicates certificates using Autocrypt Autocrypt is a standard for mail user agents to provide convenient end\-to\-end encryption of emails. This subcommand provides a limited way to produce and consume headers that are used by Autocrypt to communicate certificates between clients. 
See https://autocrypt.org/ .SH SYNOPSIS \fBsq autocrypt\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBdecode\fR Reads Autocrypt\-encoded certificates Given an autocrypt header (or an key\-gossip header), this command extracts the certificate encoded within it. The converse operation is "sq autocrypt encode\-sender". .TP \fBencode\-sender\fR Encodes a certificate into an Autocrypt header A certificate can be encoded and included in a header of an email message. This command encodes the certificate, adds the senders email address (which must match the one used in the "From" header), and the senders "prefer\-encrypt" state (see the Autocrypt spec for more information). The converse operation is "sq autocrypt decode". .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-autocrypt\-decode(1), sq\-autocrypt\-encode\-sender(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-certify.1010064400017500001750000000072051402044017700174450ustar 00000000000000.TH SQ-CERTIFY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-certify \- Certifies a User ID for a Certificate Using a certification a keyholder may vouch for the fact that another certificate legitimately belongs to a user id. In the context of emails this means that the same entity controls the key and the email address. These kind of certifications form the basis for the Web Of Trust. This command emits the certificate with the new certification. 
The updated certificate has to be distributed, preferably by sending it to the certificate holder for attestation. See also "sq key attest\-certifications". .SH SYNOPSIS \fBsq certify\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-l\fR, \fB\-\-local\fR Makes the certification a local certification. Normally, local certifications are not exported. .TP \fB\-\-non\-revocable\fR Marks the certification as being non\-revocable. That is, you cannot later revoke this certification. This should normally only be used with an expiration. .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-d\fR, \fB\-\-depth\fR TRUST_DEPTH Sets the trust depth (sometimes referred to as the trust level). 0 means a normal certification of USERID for CERTIFICATE. 1 means CERTIFICATE is also a trusted introducer, 2 means CERTIFICATE is a meta\-trusted introducer, etc. The default is 0. .TP \fB\-a\fR, \fB\-\-amount\fR TRUST_AMOUNT Sets the amount of trust. Values between 1 and 120 are meaningful. 120 means fully trusted. Values less than 120 indicate the degree of trust. 60 is usually used for partially trusted. The default is 120. .TP \fB\-r\fR, \fB\-\-regex\fR REGEX Adds a regular expression to constrain what a trusted introducer can certify. The regular expression must match the certified User ID in all intermediate introducers, and the certified certificate. Multiple regular expressions may be specified. In that case, at least one must match. .TP \fB\-\-notation\fR NAME Adds a notation to the certification. A user\-defined notation's name must be of the form "name@a.domain.you.control.org". If the notation's name starts with a !, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable.
.TP \fB\-\-expires\fR TIME Makes the certification expire at TIME (as ISO 8601). Use "never" to create certifications that do not expire. .TP \fB\-\-expires\-in\fR DURATION Makes the certification expire after DURATION. Either "N[ymwd]", for N years, months, weeks, or days, or "never". [default: 5y] .SH ARGS .TP CERTIFIER\-KEY Creates the certificate using CERTIFIER\-KEY. .TP CERTIFICATE Certifies CERTIFICATE. .TP USERID Certifies USERID for CERTIFICATE. .SH EXAMPLES .TP # Juliet certifies that Romeo controls romeo.pgp and romeo@example.org \fB$ sq certify juliet.pgp romeo.pgp ""\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-dearmor.1010064400017500001750000000027161402044017700174330ustar 00000000000000.TH SQ-DEARMOR "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-dearmor \- Converts ASCII to binary To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII\-encoded OpenPGP data to its binary representation. The converse operation is "sq armor". 
.SH SYNOPSIS \fBsq dearmor\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Convert a ASCII certificate to binary \fB$ sq dearmor ascii\-juliet.pgp\fR .TP # Convert a ASCII message to binary \fB$ sq dearmor ascii\-message.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-decrypt.1010064400017500001750000000051541402044017700174530ustar 00000000000000.TH SQ-DECRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-decrypt \- Decrypts a message Decrypts a message using either supplied keys, or by prompting for a password. If message tampering is detected, an error is returned. See below for details. If certificates are supplied using the "\-\-signer\-cert" option, any signatures that are found are checked using these certificates. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the signature verification fails, or if message tampering is detected, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq encrypt". 
.SH SYNOPSIS \fBsq decrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-dump\-session\-key\fR Prints the session key to stderr .TP \fB\-\-dump\fR Prints a packet dump to stderr .TP \fB\-x\fR, \fB\-\-hex\fR Prints a hexdump (implies \-\-dump) .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-n\fR, \fB\-\-signatures\fR N Sets the threshold of valid signatures to N. The message will only be considered verified if this threshold is reached. [default: 1 if at least one signer cert file is given, 0 otherwise] .TP \fB\-\-signer\-cert\fR CERT Verifies signatures with CERT .TP \fB\-\-recipient\-key\fR KEY Decrypts with KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Decrypt a file using a secret key \fB$ sq decrypt \-\-recipient\-key juliet.pgp ciphertext.pgp\fR .TP # Decrypt a file verifying signatures \fB$ sq decrypt \-\-recipient\-key juliet.pgp \-\-signer\-cert romeo.pgp ciphertext.pgp\fR .TP # Decrypt a file using a password \fB$ sq decrypt ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-encrypt.1010064400017500001750000000047471402044017700174740ustar 00000000000000.TH SQ-ENCRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-encrypt \- Encrypts a message Encrypts a message for any number of recipients and with any number of passwords, optionally signing the message in the process. The converse operation is "sq decrypt". 
.SH SYNOPSIS \fBsq encrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-s\fR, \fB\-\-symmetric\fR Adds a password to encrypt with. The message can be decrypted with either one of the recipient's keys, or any one of the supplied passwords. .TP \fB\-\-use\-expired\-subkey\fR If a certificate has only expired encryption\-capable subkeys, falls back to using the one that expired last .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-recipient\-cert\fR CERT\-RING Encrypts for all recipients in CERT\-RING .TP \fB\-\-signer\-key\fR KEY Signs the message with KEY .TP \fB\-\-mode\fR MODE Selects what kind of keys are considered for encryption. "transport" selects subkeys marked as suitable for transport encryption, "rest" selects those for encrypting data at rest, and "all" selects all encryption\-capable subkeys. [default: all] [possible values: transport, rest, all] .TP \fB\-\-compression\fR KIND Selects compression scheme to use [default: pad] [possible values: none, pad, zip, zlib, bzip2] .TP \fB\-t\fR, \fB\-\-time\fR TIME Chooses keys valid at the specified time and sets the signature's creation time .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Encrypt a file using a certificate \fB$ sq encrypt \-\-recipient\-cert romeo.pgp message.txt\fR .TP # Encrypt a file creating a signature in the process \fB$ sq encrypt \-\-recipient\-cert romeo.pgp \-\-signer\-key juliet.pgp message.txt\fR .TP # Encrypt a file using a password \fB$ sq encrypt \-\-symmetric message.txt\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H.
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-inspect.1010064400017500001750000000026211402044017700174420ustar 00000000000000.TH SQ-INSPECT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-inspect \- Inspects data, like file(1) It is often difficult to tell from cursory inspection using cat(1) or file(1) what kind of OpenPGP one is looking at. This subcommand inspects the data and provides a meaningful human\-readable description of it. .SH SYNOPSIS \fBsq inspect\fR [FLAGS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-certifications\fR Prints third\-party certifications .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Inspects a certificate \fB$ sq inspect juliet.pgp\fR .TP # Inspects a certificate ring \fB$ sq inspect certs.pgp\fR .TP # Inspects a message \fB$ sq inspect message.pgp\fR .TP # Inspects a detached signature \fB$ sq inspect message.sig\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-key-adopt.1010064400017500001750000000037411402044017700176760ustar 00000000000000.TH SQ-KEY-ADOPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-adopt \- Binds keys from one certificate to another This command allows one to transfer primary keys and subkeys into an existing certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate. You want to keep the authentication subkey because it allows access to SSH servers and updating their configuration is not feasible. 
.SH SYNOPSIS \fBsq key adopt\fR [FLAGS] [OPTIONS] [TARGET\-KEY] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-allow\-broken\-crypto\fR Allows adopting keys from certificates using broken cryptography .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-r\fR, \fB\-\-keyring\fR KEY\-RING Supplies keys for use in \-\-key. .TP \fB\-k\fR, \fB\-\-key\fR KEY Adds the key or subkey KEY to the TARGET\-KEY .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP TARGET\-KEY Adds keys to TARGET\-KEY .SH EXAMPLES .TP # Adopt a subkey into the new cert \fB$ sq key adopt \-\-keyring juliet\-old.pgp \-\-key 0123456789ABCDEF \-\- juliet\-new.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-key-attest-certifications.1010064400017500001750000000041031402044017700230700ustar 00000000000000.TH SQ-KEY-ATTEST-CERTIFICATIONS "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-attest\-certifications \- Attests to third\-party certifications allowing for their distribution To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third\-party certifications on certificates. To make the key holder the sovereign over what information is distributed with the certificate, the key holder needs to explicitly attest to third\-party certifications. 
After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a keyserver. .SH SYNOPSIS \fBsq key attest\-certifications\fR [FLAGS] [OPTIONS] [KEY] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-none\fR Removes all prior attestations .TP \fB\-\-all\fR Attests to all certifications [default] .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP KEY Changes attestations on KEY .SH EXAMPLES .TP # Attest to all certifications present on the key \fB$ sq key attest\-certifications juliet.pgp\fR .TP # Retract prior attestations on the key \fB$ sq key attest\-certifications \-\-none juliet.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-key-extract-cert.1010064400017500001750000000033371402044017700211750ustar 00000000000000.TH SQ-KEY-EXTRACT-CERT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-extract\-cert \- Converts a key to a cert After generating a key, use this command to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. 
.SH SYNOPSIS \fBsq key extract\-cert\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # First, this generates a key \fB$ sq key generate \-\-userid "" \-\-export juliet.key.pgp\fR .TP # Then, this extracts the certificate for distribution \fB$ sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-key-generate.1010064400017500001750000000065061402044017700203630ustar 00000000000000.TH SQ-KEY-GENERATE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-generate \- Generates a new key Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users. When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place. After generating a key, use "sq key extract\-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. 
by uploading it to a keyserver. .SH SYNOPSIS \fBsq key generate\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-with\-password\fR Protects the key with a password .TP \fB\-\-can\-sign\fR Adds a signing\-capable subkey (default) .TP \fB\-\-cannot\-sign\fR Adds no signing\-capable subkey .TP \fB\-\-cannot\-encrypt\fR Adds no encryption\-capable subkey .SH OPTIONS .TP \fB\-u\fR, \fB\-\-userid\fR EMAIL Adds a userid to the key .TP \fB\-c\fR, \fB\-\-cipher\-suite\fR CIPHER\-SUITE Selects the cryptographic algorithms for the key [default: cv25519] [possible values: rsa3k, rsa4k, cv25519] .TP \fB\-\-expires\fR TIME Makes the key expire at TIME (as ISO 8601). Use "never" to create keys that do not expire. .TP \fB\-\-expires\-in\fR DURATION Makes the key expire after DURATION. Either "N[ymwd]", for N years, months, weeks, or days, or "never". .TP \fB\-\-can\-encrypt\fR PURPOSE Adds an encryption\-capable subkey. Encryption\-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both. [default: universal] [possible values: transport, storage, universal] .TP \fB\-e\fR, \fB\-\-export\fR OUTFILE Writes the key to OUTFILE .TP \fB\-\-rev\-cert\fR FILE or \- Writes the revocation certificate to FILE. mandatory if OUTFILE is "\-". [default: .rev] .SH EXAMPLES .TP # First, this generates a key \fB$ sq key generate \-\-userid "" \-\-export juliet.key.pgp\fR .TP # Then, this extracts the certificate for distribution \fB$ sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp\fR .TP # Generates a key protecting it with a password \fB$ sq key generate \-\-userid "" \-\-with\-password\fR .TP # Generates a key with multiple userids \fB$ sq key generate \-\-userid "" \-\-userid "Juliet Capulet"\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-key.1010064400017500001750000000063621402044017700165730ustar 00000000000000.TH SQ-KEY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key \- Manages keys We use the term "key" to refer to OpenPGP keys that do contain secrets. This subcommand provides primitives to generate and otherwise manipulate keys. Conversely, we use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. See "sq keyring" for operations on certificates. .SH SYNOPSIS \fBsq key\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBgenerate\fR Generates a new key Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users. When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place. After generating a key, use "sq key extract\-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. 
.TP \fBextract\-cert\fR Converts a key to a cert After generating a key, use this command to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. .TP \fBadopt\fR Binds keys from one certificate to another This command allows one to transfer primary keys and subkeys into an existing certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate. You want to keep the authentication subkey because it allows access to SSH servers and updating their configuration is not feasible. .TP \fBattest\-certifications\fR Attests to third\-party certifications allowing for their distribution To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third\-party certifications on certificates. To make the key holder the sovereign over the information over what information is distributed with the certificate, the key holder needs to explicitly attest to third\-party certifications. After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a keyserver. .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-keyring-filter.1010064400017500001750000000057251402044017700207400ustar 00000000000000.TH SQ-KEYRING-FILTER "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-filter \- Joins keys into a keyring applying a filter This can be used to filter keys based on given predicates, e.g. whether they have a user id containing an email address with a certain domain. Additionally, the keys can be pruned to only include components matching the predicates. If no filters are supplied, everything matches. If multiple predicates are given, they are or'ed, i.e. a key matches if any of the predicates match. To require all predicates to match, chain multiple invocations of this command. See EXAMPLES for inspiration. .SH SYNOPSIS \fBsq keyring filter\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-P\fR, \fB\-\-prune\-certs\fR Removes certificate components not matching the filter .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-to\-cert\fR Converts any keys in the input to certificates. Converting a key to a certificate removes secret key material from the key thereby turning it into a certificate. 
.SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-name\fR NAME Matches on NAME .TP \fB\-\-email\fR ADDRESS Matches on email ADDRESS .TP \fB\-\-domain\fR FQDN Matches on email domain FQDN .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Converts a key to a cert (i.e., remove any secret key material) \fB$ sq keyring filter \-\-to\-cert cat juliet.pgp\fR .TP # Gets the keys with a user id on example.org \fB$ sq keyring filter \-\-domain example.org keys.pgp\fR .TP # Gets the keys with a user id on example.org or example.net \fB$ sq keyring filter \-\-domain example.org \-\-domain example.net keys.pgp\fR .TP # Gets the keys with a user id with the name Juliet \fB$ sq keyring filter \-\-name Juliet keys.pgp\fR .TP # Gets the keys with a user id with the name Juliet on example.org \fB$ sq keyring filter \-\-domain example.org keys.pgp | \ keyring filter \-\-name Juliet\fR .TP # Gets the keys with a user id on example.org, pruning other userids \fB$ sq keyring filter \-\-domain example.org \-\-prune\-certs certs.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-keyring-join.1010064400017500001750000000027711402044017700204100ustar 00000000000000.TH SQ-KEYRING-JOIN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-join \- Joins keys or keyrings into a single keyring Unlike "sq keyring merge", multiple versions of the same key are not merged together. The converse operation is "sq keyring split". .SH SYNOPSIS \fBsq keyring join\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Don't ASCII\-armor the keyring .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Sets the output file to use .SH ARGS .TP FILE Sets the input files to use .SH EXAMPLES .TP # Collect certs for an email conversation \fB$ sq keyring join juliet.pgp romeo.pgp alice.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-keyring-list.1010064400017500001750000000025751402044017700204260ustar 00000000000000.TH SQ-KEYRING-LIST "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-list \- Lists keys in a keyring Prints the fingerprint as well as one userid for every certificate encountered in the keyring. 
.SH SYNOPSIS \fBsq keyring list\fR [FLAGS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # List all certs \fB$ sq keyring list certs.pgp\fR .TP # List all certs with a userid on example.org \fB$ sq keyring filter \-\-domain example.org certs.pgp | sq keyring list\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-keyring-merge.1010064400017500001750000000030661402044017700205460ustar 00000000000000.TH SQ-KEYRING-MERGE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-merge \- Merges keys or keyrings into a single keyring Unlike "sq keyring join", the certificates are buffered and multiple versions of the same certificate are merged together. Where data is replaced (e.g., secret key material), data from the later certificate is preferred. .SH SYNOPSIS \fBsq keyring merge\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE .SH EXAMPLES .TP # Merge certificate updates \fB$ sq keyring merge certs.pgp romeo\-updates.pgp\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-keyring-split.1010064400017500001750000000032111402044017700205720ustar 00000000000000.TH SQ-KEYRING-SPLIT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-split \- Splits a keyring into individual keys Splitting up a keyring into individual keys helps with curating a keyring. The converse operation is "sq keyring join". .SH SYNOPSIS \fBsq keyring split\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-p\fR, \fB\-\-prefix\fR FILE Writes to files with prefix FILE [defaults to the input filename with a dash, or "output" if keyring is read from stdin] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split all certs \fB$ sq keyring split certs.pgp\fR .TP # Split all certs, merging them first to avoid duplicates \fB$ sq keyring merge certs.pgp | sq keyring split\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-keyring.1010064400017500001750000000054641402044017700174550ustar 00000000000000.TH SQ-KEYRING "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring \- Manages collections of keys or certs Collections of keys or certificates (also known as "keyrings" when they contain secret key material, and "certrings" when they don't) are any number of concatenated certificates. This subcommand provides tools to list, split, join, merge, and filter keyrings. Note: In the documentation of this subcommand, we sometimes use the terms keys and certs interchangeably. .SH SYNOPSIS \fBsq keyring\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBfilter\fR Joins keys into a keyring applying a filter This can be used to filter keys based on given predicates, e.g. whether they have a user id containing an email address with a certain domain. Additionally, the keys can be pruned to only include components matching the predicates. If no filters are supplied, everything matches. If multiple predicates are given, they are or'ed, i.e. a key matches if any of the predicates match. To require all predicates to match, chain multiple invocations of this command. See EXAMPLES for inspiration. 
.TP \fBjoin\fR Joins keys or keyrings into a single keyring Unlike "sq keyring merge", multiple versions of the same key are not merged together. The converse operation is "sq keyring split". .TP \fBmerge\fR Merges keys or keyrings into a single keyring Unlike "sq keyring join", the certificates are buffered and multiple versions of the same certificate are merged together. Where data is replaced (e.g., secret key material), data from the later certificate is preferred. .TP \fBlist\fR Lists keys in a keyring Prints the fingerprint as well as one userid for every certificate encountered in the keyring. .TP \fBsplit\fR Splits a keyring into individual keys Splitting up a keyring into individual keys helps with curating a keyring. The converse operation is "sq keyring join". .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-packet-decrypt.1010064400017500001750000000031301402044017700207100ustar 00000000000000.TH SQ-PACKET-DECRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-decrypt \- Unwraps an encryption container Decrypts a message, dumping the content of the encryption container without further processing. The result is a valid OpenPGP message that can, among other things, be inspected using "sq packet dump". 
.SH SYNOPSIS \fBsq packet decrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-dump\-session\-key\fR Prints the session key to stderr .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-recipient\-key\fR KEY Decrypts the message with KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Unwraps the encryption revealing the signed message \fB$ sq packet decrypt \-\-recipient\-key juliet.pgp ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-packet-dump.1010064400017500001750000000037171402044017700202160ustar 00000000000000.TH SQ-PACKET-DUMP "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-dump \- Lists packets Creates a human\-readable description of the packet sequence. Additionally, it can print cryptographic artifacts, and print the raw octet stream similar to hexdump(1), annotating specifically which bytes are parsed into OpenPGP values. To inspect encrypted messages, either supply the session key, or see "sq decrypt \-\-dump" or "sq packet decrypt". 
.SH SYNOPSIS \fBsq packet dump\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-mpis\fR Prints cryptographic artifacts .TP \fB\-x\fR, \fB\-\-hex\fR Prints a hexdump .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-session\-key\fR SESSION\-KEY Decrypts an encrypted message using SESSION\-KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Prints the packets of a certificate \fB$ sq packet dump juliet.pgp\fR .TP # Prints cryptographic artifacts of a certificate \fB$ sq packet dump \-\-mpis juliet.pgp\fR .TP # Prints a hexdump of a certificate \fB$ sq packet dump \-\-hex juliet.pgp\fR .TP # Prints the packets of an encrypted message \fB$ sq packet dump \-\-session\-key AAAABBBBCCCC... ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-packet-join.1010064400017500001750000000031741402044017700202050ustar 00000000000000.TH SQ-PACKET-JOIN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-join \- Joins packets split across files Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet split". 
.SH SYNOPSIS \fBsq packet join\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-label\fR LABEL Selects the kind of armor header [default: auto] [possible values: auto, message, cert, key, sig, file] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split a certificate into individual packets \fB$ sq packet split juliet.pgp\fR .TP # Then join only a subset of these packets \fB$ sq packet join juliet.pgp\-[0\-3]*\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-packet-split.1010064400017500001750000000026331402044017700204000ustar 00000000000000.TH SQ-PACKET-SPLIT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-split \- Splits a message into packets Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet join". 
.SH SYNOPSIS \fBsq packet split\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-p\fR, \fB\-\-prefix\fR PREFIX Writes to files with PREFIX [defaults to FILE with a dash, or "output" if read from stdin] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split a certificate into individual packets \fB$ sq packet split juliet.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-packet.1010064400017500001750000000046071402044017700172520ustar 00000000000000.TH SQ-PACKET "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet \- Low\-level packet manipulation An OpenPGP data stream consists of packets. These tools allow working with packet streams. They are mostly of interest to developers, but "sq packet dump" may be helpful to a wider audience both to provide valuable information in bug reports to OpenPGP\-related software, and as a learning tool. .SH SYNOPSIS \fBsq packet\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBdump\fR Lists packets Creates a human\-readable description of the packet sequence. Additionally, it can print cryptographic artifacts, and print the raw octet stream similar to hexdump(1), annotating specifically which bytes are parsed into OpenPGP values. To inspect encrypted messages, either supply the session key, or see "sq decrypt \-\-dump" or "sq packet decrypt". 
.TP \fBdecrypt\fR Unwraps an encryption container Decrypts a message, dumping the content of the encryption container without further processing. The result is a valid OpenPGP message that can, among other things, be inspected using "sq packet dump". .TP \fBsplit\fR Splits a message into packets Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet join". .TP \fBjoin\fR Joins packets split across files Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet split". .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-sign.1010064400017500001750000000043711402044017700167410ustar 00000000000000.TH SQ-SIGN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-sign \- Signs messages or data files Creates signed messages or detached signatures. Detached signatures are often used to sign software packages. The converse operation is "sq verify". 
.SH SYNOPSIS \fBsq sign\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-detached\fR Creates a detached signature .TP \fB\-\-cleartext\-signature\fR Creates a cleartext signature .TP \fB\-a\fR, \fB\-\-append\fR Appends a signature to existing signature .TP \fB\-n\fR, \fB\-\-notarize\fR Signs a message and all existing signatures .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-merge\fR SIGNED\-MESSAGE Merges signatures from the input and SIGNED\-MESSAGE .TP \fB\-\-signer\-key\fR KEY Signs using KEY .TP \fB\-t\fR, \fB\-\-time\fR TIME Chooses keys valid at the specified time and sets the signature's creation time .TP \fB\-\-notation\fR NAME Adds a notation to the certification. A user\-defined notation's name must be of the form "name@a.domain.you.control.org". If the notation's name starts with a !, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable. .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Create a signed message \fB$ sq sign \-\-signer\-key juliet.pgp message.txt\fR .TP # Create a detached signature \fB$ sq sign \-\-detached \-\-signer\-key juliet.pgp message.txt\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq-verify.1010064400017500001750000000044571402044017700173120ustar 00000000000000.TH SQ-VERIFY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-verify \- Verifies signed messages or detached signatures When verifying signed messages, the message is written to stdout or the file given to \-\-output. When a detached signature is verified, no output is produced. Detached signatures are often used to sign software packages. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq sign". .SH SYNOPSIS \fBsq verify\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-detached\fR SIG Verifies a detached signature .TP \fB\-n\fR, \fB\-\-signatures\fR N Sets the threshold of valid signatures to N. If this threshold is not reached, the message will not be considered verified. [default: 1] .TP \fB\-\-signer\-cert\fR CERT Verifies signatures with CERT .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Verify a signed message \fB$ sq verify \-\-signer\-cert juliet.pgp signed\-message.pgp\fR .TP # Verify a detached signature \fB$ sq verify \-\-signer\-cert juliet.pgp \-\-detached message.sig message.txt\fR .SH SEE ALSO If you are looking for a standalone program to verify detached signatures, consider using sequoia\-sqv. For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-autocrypt/sq.1010064400017500001750000000154341402044017700160050ustar 00000000000000.TH SQ "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq \- A command\-line frontend for Sequoia, an implementation of OpenPGP Functionality is grouped and available using subcommands. Currently, this interface is completely stateless. Therefore, you need to supply all configuration and certificates explicitly on each invocation. OpenPGP data can be provided in binary or ASCII armored form. This will be handled automatically. Emitted OpenPGP data is ASCII armored by default. We use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. Conversely, we use the term "key" to refer to OpenPGP keys that do contain secrets. .SH SYNOPSIS \fBsq\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-V\fR, \fB\-\-version\fR Prints version information .TP \fB\-f\fR, \fB\-\-force\fR Overwrites existing files .SH OPTIONS .TP \fB\-\-known\-notation\fR NOTATION Adds NOTATION to the list of known notations. This is used when validating signatures. Signatures that have unknown notations with the critical bit set are considered invalid. .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBdecrypt\fR Decrypts a message Decrypts a message using either supplied keys, or by prompting for a password. If message tampering is detected, an error is returned. See below for details. If certificates are supplied using the "\-\-signer\-cert" option, any signatures that are found are checked using these certificates. 
Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the signature verification fails, or if message tampering is detected, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq encrypt". .TP \fBencrypt\fR Encrypts a message Encrypts a message for any number of recipients and with any number of passwords, optionally signing the message in the process. The converse operation is "sq decrypt". .TP \fBsign\fR Signs messages or data files Creates signed messages or detached signatures. Detached signatures are often used to sign software packages. The converse operation is "sq verify". .TP \fBverify\fR Verifies signed messages or detached signatures When verifying signed messages, the message is written to stdout or the file given to \-\-output. When a detached message is verified, no output is produced. Detached signatures are often used to sign software packages. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq sign". .TP \fBarmor\fR Converts binary to ASCII To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. 
sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII\-encoded representation. The converse operation is "sq dearmor". .TP \fBdearmor\fR Converts ASCII to binary To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII\-encoded OpenPGP data to its binary representation. The converse operation is "sq armor". .TP \fBinspect\fR Inspects data, like file(1) It is often difficult to tell from cursory inspection using cat(1) or file(1) what kind of OpenPGP data one is looking at. This subcommand inspects the data and provides a meaningful human\-readable description of it. .TP \fBkey\fR Manages keys We use the term "key" to refer to OpenPGP keys that do contain secrets. This subcommand provides primitives to generate and otherwise manipulate keys. Conversely, we use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. See "sq keyring" for operations on certificates. .TP \fBkeyring\fR Manages collections of keys or certs Collections of keys or certificates (also known as "keyrings" when they contain secret key material, and "certrings" when they don't) are any number of concatenated certificates. This subcommand provides tools to list, split, join, merge, and filter keyrings. Note: In the documentation of this subcommand, we sometimes use the terms keys and certs interchangeably. .TP \fBcertify\fR Certifies a User ID for a Certificate Using a certification a keyholder may vouch for the fact that another certificate legitimately belongs to a user id. In the context of emails this means that the same entity controls the key and the email address. These kinds of certifications form the basis for the Web Of Trust. This command emits the certificate with the new certification. 
The updated certificate has to be distributed, preferably by sending it to the certificate holder for attestation. See also "sq key attest\-certification". .TP \fBpacket\fR Low\-level packet manipulation An OpenPGP data stream consists of packets. These tools allow working with packet streams. They are mostly of interest to developers, but "sq packet dump" may be helpful to a wider audience both to provide valuable information in bug reports to OpenPGP\-related software, and as a learning tool. .TP \fBautocrypt\fR Communicates certificates using Autocrypt Autocrypt is a standard for mail user agents to provide convenient end\-to\-end encryption of emails. This subcommand provides a limited way to produce and consume headers that are used by Autocrypt to communicate certificates between clients. See https://autocrypt.org/ .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-armor.1010064400017500001750000000031021402044017700156440ustar 00000000000000.TH SQ-ARMOR "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-armor \- Converts binary to ASCII To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII\-encoded representation. The converse operation is "sq dearmor". 
.SH SYNOPSIS \fBsq armor\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-label\fR LABEL Selects the kind of armor header [default: auto] [possible values: auto, message, cert, key, sig, file] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Convert a binary certificate to ASCII \fB$ sq armor binary\-juliet.pgp\fR .TP # Convert a binary message to ASCII \fB$ sq armor binary\-message.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-certify.1010064400017500001750000000072211402044017700161770ustar 00000000000000.TH SQ-CERTIFY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-certify \- Certifies a User ID for a Certificate Using a certification a keyholder may vouch for the fact that another certificate legitimately belongs to a user id. In the context of emails this means that the same entity controls the key and the email address. These kind of certifications form the basis for the Web Of Trust. This command emits the certificate with the new certification. The updated certificate has to be distributed, preferably by sending it to the certificate holder for attestation. See also "sq key attest\-certification". .SH SYNOPSIS \fBsq certify\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-l\fR, \fB\-\-local\fR Makes the certification a local certification. Normally, local certifications are not exported. 
.TP \fB\-\-non\-revocable\fR Marks the certification as being non\-revocable. That is, you cannot later revoke this certification. This should normally only be used with an expiration. .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-d\fR, \fB\-\-depth\fR TRUST_DEPTH Sets the trust depth (sometimes referred to as the trust level). 0 means a normal certification of . 1 means CERTIFICATE is also a trusted introducer, 2 means CERTIFICATE is a meta\-trusted introducer, etc. The default is 0. .TP \fB\-a\fR, \fB\-\-amount\fR TRUST_AMOUNT Sets the amount of trust. Values between 1 and 120 are meaningful. 120 means fully trusted. Values less than 120 indicate the degree of trust. 60 is usually used for partially trusted. The default is 120. .TP \fB\-r\fR, \fB\-\-regex\fR REGEX Adds a regular expression to constrain what a trusted introducer can certify. The regular expression must match the certified User ID in all intermediate introducers, and the certified certificate. Multiple regular expressions may be specified. In that case, at least one must match. .TP \fB\-\-notation\fR NAME Adds a notation to the certification. A user\-defined notation's name must be of the form "name@a.domain.you.control.org". If the notation's name starts with a !, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable. .TP \fB\-\-expires\fR TIME Makes the certification expire at TIME (as ISO 8601). Use "never" to create certifications that do not expire. .TP \fB\-\-expires\-in\fR DURATION Makes the certification expire after DURATION. Either "N[ymwd]", for N years, months, weeks, or days, or "never". [default: 5y] .SH ARGS .TP CERTIFIER\-KEY Creates the certificate using CERTIFIER\-KEY. .TP CERTIFICATE Certifies CERTIFICATE. .TP USERID Certifies USERID for CERTIFICATE. 
.SH EXAMPLES .TP # Juliet certifies that Romeo controls romeo.pgp and romeo@example.org \fB$ sq certify juliet.pgp romeo.pgp ""\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-dearmor.1010064400017500001750000000027321402044017700161650ustar 00000000000000.TH SQ-DEARMOR "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-dearmor \- Converts ASCII to binary To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII\-encoded OpenPGP data to its binary representation. The converse operation is "sq armor". .SH SYNOPSIS \fBsq dearmor\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Convert an ASCII certificate to binary \fB$ sq dearmor ascii\-juliet.pgp\fR .TP # Convert an ASCII message to binary \fB$ sq dearmor ascii\-message.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-decrypt.1010064400017500001750000000051701402044017700162050ustar 00000000000000.TH SQ-DECRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-decrypt \- Decrypts a message Decrypts a message using either supplied keys, or by prompting for a password. If message tampering is detected, an error is returned. See below for details. If certificates are supplied using the "\-\-signer\-cert" option, any signatures that are found are checked using these certificates. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the signature verification fails, or if message tampering is detected, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq encrypt". .SH SYNOPSIS \fBsq decrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-dump\-session\-key\fR Prints the session key to stderr .TP \fB\-\-dump\fR Prints a packet dump to stderr .TP \fB\-x\fR, \fB\-\-hex\fR Prints a hexdump (implies \-\-dump) .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-n\fR, \fB\-\-signatures\fR N Sets the threshold of valid signatures to N. The message will only be considered verified if this threshold is reached. 
[default: 1 if at least one signer cert file is given, 0 otherwise] .TP \fB\-\-signer\-cert\fR CERT Verifies signatures with CERT .TP \fB\-\-recipient\-key\fR KEY Decrypts with KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Decrypt a file using a secret key \fB$ sq decrypt \-\-recipient\-key juliet.pgp ciphertext.pgp\fR .TP # Decrypt a file verifying signatures \fB$ sq decrypt \-\-recipient\-key juliet.pgp \-\-signer\-cert romeo.pgp ciphertext.pgp\fR .TP # Decrypt a file using a password \fB$ sq decrypt ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-encrypt.1010064400017500001750000000047631402044017700162260ustar 00000000000000.TH SQ-ENCRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-encrypt \- Encrypts a message Encrypts a message for any number of recipients and with any number of passwords, optionally signing the message in the process. The converse operation is "sq decrypt". .SH SYNOPSIS \fBsq encrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-s\fR, \fB\-\-symmetric\fR Adds a password to encrypt with. The message can be decrypted with either one of the recipient's keys, or any password. 
.TP \fB\-\-use\-expired\-subkey\fR If a certificate has only expired encryption\-capable subkeys, falls back to using the one that expired last .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-recipient\-cert\fR CERT\-RING Encrypts for all recipients in CERT\-RING .TP \fB\-\-signer\-key\fR KEY Signs the message with KEY .TP \fB\-\-mode\fR MODE Selects what kind of keys are considered for encryption. Transport select subkeys marked as suitable for transport encryption, rest selects those for encrypting data at rest, and all selects all encryption\-capable subkeys. [default: all] [possible values: transport, rest, all] .TP \fB\-\-compression\fR KIND Selects compression scheme to use [default: pad] [possible values: none, pad, zip, zlib, bzip2] .TP \fB\-t\fR, \fB\-\-time\fR TIME Chooses keys valid at the specified time and sets the signature's creation time .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Encrypt a file using a certificate \fB$ sq encrypt \-\-recipient\-cert romeo.pgp message.txt\fR .TP # Encrypt a file creating a signature in the process \fB$ sq encrypt \-\-recipient\-cert romeo.pgp \-\-signer\-key juliet.pgp message.txt\fR .TP # Encrypt a file using a password \fB$ sq encrypt \-\-symmetric message.txt\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-inspect.1010064400017500001750000000026351402044017700162030ustar 00000000000000.TH SQ-INSPECT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-inspect \- Inspects data, like file(1) It is often difficult to tell from cursory inspection using cat(1) or file(1) what kind of OpenPGP one is looking at. This subcommand inspects the data and provides a meaningful human\-readable description of it. .SH SYNOPSIS \fBsq inspect\fR [FLAGS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-certifications\fR Prints third\-party certifications .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Inspects a certificate \fB$ sq inspect juliet.pgp\fR .TP # Inspects a certificate ring \fB$ sq inspect certs.pgp\fR .TP # Inspects a message \fB$ sq inspect message.pgp\fR .TP # Inspects a detached signature \fB$ sq inspect message.sig\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-key-adopt.1010064400017500001750000000040341402044017700164260ustar 00000000000000.TH SQ-KEY-ADOPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-adopt \- Binds keys from one certificate to another This command allows one to transfer primary keys and subkeys into an existing certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate. You want to keep the authentication subkey because it allows access to SSH servers and updating their configuration is not feasible. 
.SH SYNOPSIS \fBsq key adopt\fR [FLAGS] [OPTIONS] [TARGET\-KEY] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-allow\-broken\-crypto\fR Allows adopting keys from certificates using broken cryptography .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-r\fR, \fB\-\-keyring\fR KEY\-RING Supplies keys for use in \-\-key. .TP \fB\-k\fR, \fB\-\-key\fR KEY Adds the key or subkey KEY to the TARGET\-KEY .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP TARGET\-KEY Adds keys to TARGET\-KEY .SH EXAMPLES .TP # Adopt a subkey into the new cert \fB$ sq key adopt \-\-keyring juliet\-old.pgp \-\-key 0123456789ABCDEF \-\- juliet\-new.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-key-attest-certifications.1010064400017500001750000000041761402044017700216360ustar 00000000000000.TH SQ-KEY-ATTEST-CERTIFICATIONS "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-attest\-certifications \- Attests to third\-party certifications allowing for their distribution To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third\-party certifications on certificates. 
To make the key holder the sovereign over what information is distributed with the certificate, the key holder needs to explicitly attest to third\-party certifications. After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a keyserver. .SH SYNOPSIS \fBsq key attest\-certifications\fR [FLAGS] [OPTIONS] [KEY] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-none\fR Removes all prior attestations .TP \fB\-\-all\fR Attests to all certifications [default] .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP KEY Changes attestations on KEY .SH EXAMPLES .TP # Attest to all certifications present on the key \fB$ sq key attest\-certifications juliet.pgp\fR .TP # Retract prior attestations on the key \fB$ sq key attest\-certifications \-\-none juliet.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-key-extract-cert.1010064400017500001750000000034321402044017700177250ustar 00000000000000.TH SQ-KEY-EXTRACT-CERT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-extract\-cert \- Converts a key to a cert After generating a key, use this command to get the certificate corresponding to the key. 
The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. .SH SYNOPSIS \fBsq key extract\-cert\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # First, this generates a key \fB$ sq key generate \-\-userid "" \-\-export juliet.key.pgp\fR .TP # Then, this extracts the certificate for distribution \fB$ sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-key-generate.1010064400017500001750000000066011402044017700171130ustar 00000000000000.TH SQ-KEY-GENERATE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-generate \- Generates a new key Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users. When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place. 
After generating a key, use "sq key extract\-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. .SH SYNOPSIS \fBsq key generate\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-with\-password\fR Protects the key with a password .TP \fB\-\-can\-sign\fR Adds a signing\-capable subkey (default) .TP \fB\-\-cannot\-sign\fR Adds no signing\-capable subkey .TP \fB\-\-cannot\-encrypt\fR Adds no encryption\-capable subkey .SH OPTIONS .TP \fB\-u\fR, \fB\-\-userid\fR EMAIL Adds a userid to the key .TP \fB\-c\fR, \fB\-\-cipher\-suite\fR CIPHER\-SUITE Selects the cryptographic algorithms for the key [default: cv25519] [possible values: rsa3k, rsa4k, cv25519] .TP \fB\-\-expires\fR TIME Makes the key expire at TIME (as ISO 8601). Use "never" to create keys that do not expire. .TP \fB\-\-expires\-in\fR DURATION Makes the key expire after DURATION. Either "N[ymwd]", for N years, months, weeks, or days, or "never". .TP \fB\-\-can\-encrypt\fR PURPOSE Adds an encryption\-capable subkey. Encryption\-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both. [default: universal] [possible values: transport, storage, universal] .TP \fB\-e\fR, \fB\-\-export\fR OUTFILE Writes the key to OUTFILE .TP \fB\-\-rev\-cert\fR FILE or \- Writes the revocation certificate to FILE. mandatory if OUTFILE is "\-". 
[default: .rev] .SH EXAMPLES .TP # First, this generates a key \fB$ sq key generate \-\-userid "" \-\-export juliet.key.pgp\fR .TP # Then, this extracts the certificate for distribution \fB$ sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp\fR .TP # Generates a key protecting it with a password \fB$ sq key generate \-\-userid "" \-\-with\-password\fR .TP # Generates a key with multiple userids \fB$ sq key generate \-\-userid "" \-\-userid "Juliet Capulet"\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-key.1010064400017500001750000000064551402044017700153320ustar 00000000000000.TH SQ-KEY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key \- Manages keys We use the term "key" to refer to OpenPGP keys that do contain secrets. This subcommand provides primitives to generate and otherwise manipulate keys. Conversely, we use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. See "sq keyring" for operations on certificates. .SH SYNOPSIS \fBsq key\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBgenerate\fR Generates a new key Generating a key is the prerequisite to receiving encrypted messages and creating signatures. 
There are a few parameters to this process, but we provide reasonable defaults for most users. When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place. After generating a key, use "sq key extract\-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. .TP \fBextract\-cert\fR Converts a key to a cert After generating a key, use this command to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. .TP \fBadopt\fR Binds keys from one certificate to another This command allows one to transfer primary keys and subkeys into an existing certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate. You want to keep the authentication subkey because it allows access to SSH servers and updating their configuration is not feasible. .TP \fBattest\-certifications\fR Attests to third\-party certifications allowing for their distribution To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third\-party certifications on certificates. To make the key holder the sovereign over what information is distributed with the certificate, the key holder needs to explicitly attest to third\-party certifications. After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a keyserver. .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-keyring-filter.1010064400017500001750000000060201402044017700174610ustar 00000000000000.TH SQ-KEYRING-FILTER "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-filter \- Joins keys into a keyring applying a filter This can be used to filter keys based on given predicates, e.g. whether they have a user id containing an email address with a certain domain. Additionally, the keys can be pruned to only include components matching the predicates. If no filters are supplied, everything matches. If multiple predicates are given, they are or'ed, i.e. a key matches if any of the predicates match. To require all predicates to match, chain multiple invocations of this command. See EXAMPLES for inspiration. .SH SYNOPSIS \fBsq keyring filter\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-P\fR, \fB\-\-prune\-certs\fR Removes certificate components not matching the filter .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-to\-cert\fR Converts any keys in the input to certificates. Converting a key to a certificate removes secret key material from the key thereby turning it into a certificate. 
.SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-name\fR NAME Matches on NAME .TP \fB\-\-email\fR ADDRESS Matches on email ADDRESS .TP \fB\-\-domain\fR FQDN Matches on email domain FQDN .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Converts a key to a cert (i.e., removes any secret key material) \fB$ sq keyring filter \-\-to\-cert cat juliet.pgp\fR .TP # Gets the keys with a user id on example.org \fB$ sq keyring filter \-\-domain example.org keys.pgp\fR .TP # Gets the keys with a user id on example.org or example.net \fB$ sq keyring filter \-\-domain example.org \-\-domain example.net keys.pgp\fR .TP # Gets the keys with a user id with the name Juliet \fB$ sq keyring filter \-\-name Juliet keys.pgp\fR .TP # Gets the keys with a user id with the name Juliet on example.org \fB$ sq keyring filter \-\-domain example.org keys.pgp | \ sq keyring filter \-\-name Juliet\fR .TP # Gets the keys with a user id on example.org, pruning other userids \fB$ sq keyring filter \-\-domain example.org \-\-prune\-certs certs.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-keyring-join.1010064400017500001750000000030641402044017700171400ustar 00000000000000.TH SQ-KEYRING-JOIN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-join \- Joins keys or keyrings into a single keyring Unlike "sq keyring merge", multiple versions of the same key are not merged together. The converse operation is "sq keyring split". .SH SYNOPSIS \fBsq keyring join\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Don't ASCII\-armor the keyring .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Sets the output file to use .SH ARGS .TP FILE Sets the input files to use .SH EXAMPLES .TP # Collect certs for an email conversation \fB$ sq keyring join juliet.pgp romeo.pgp alice.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-keyring-list.1010064400017500001750000000026701402044017700171560ustar 00000000000000.TH SQ-KEYRING-LIST "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-list \- Lists keys in a keyring Prints the fingerprint as well as one userid for every certificate encountered in the keyring. 
.SH SYNOPSIS \fBsq keyring list\fR [FLAGS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # List all certs \fB$ sq keyring list certs.pgp\fR .TP # List all certs with a userid on example.org \fB$ sq keyring filter \-\-domain example.org certs.pgp | sq keyring list\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-keyring-merge.1010064400017500001750000000031611402044017700172760ustar 00000000000000.TH SQ-KEYRING-MERGE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-merge \- Merges keys or keyrings into a single keyring Unlike "sq keyring join", the certificates are buffered and multiple versions of the same certificate are merged together. Where data is replaced (e.g., secret key material), data from the later certificate is preferred. .SH SYNOPSIS \fBsq keyring merge\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE .SH EXAMPLES .TP # Merge certificate updates \fB$ sq keyring merge certs.pgp romeo\-updates.pgp\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-keyring-split.1010064400017500001750000000033041402044017700173310ustar 00000000000000.TH SQ-KEYRING-SPLIT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-split \- Splits a keyring into individual keys Splitting up a keyring into individual keys helps with curating a keyring. The converse operation is "sq keyring join". .SH SYNOPSIS \fBsq keyring split\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-p\fR, \fB\-\-prefix\fR FILE Writes to files with prefix FILE [defaults to the input filename with a dash, or "output" if keyring is read from stdin] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split all certs \fB$ sq keyring split certs.pgp\fR .TP # Split all certs, merging them first to avoid duplicates \fB$ sq keyring merge certs.pgp | sq keyring split\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-keyring.1010064400017500001750000000055571402044017700162140ustar 00000000000000.TH SQ-KEYRING "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring \- Manages collections of keys or certs Collections of keys or certificates (also known as "keyrings" when they contain secret key material, and "certrings" when they don't) are any number of concatenated certificates. This subcommand provides tools to list, split, join, merge, and filter keyrings. Note: In the documentation of this subcommand, we sometimes use the terms keys and certs interchangeably. .SH SYNOPSIS \fBsq keyring\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBfilter\fR Joins keys into a keyring applying a filter This can be used to filter keys based on given predicates, e.g. whether they have a user id containing an email address with a certain domain. Additionally, the keys can be pruned to only include components matching the predicates. If no filters are supplied, everything matches. If multiple predicates are given, they are or'ed, i.e. a key matches if any of the predicates match. To require all predicates to match, chain multiple invocations of this command. See EXAMPLES for inspiration. 
.TP \fBjoin\fR Joins keys or keyrings into a single keyring Unlike "sq keyring merge", multiple versions of the same key are not merged together. The converse operation is "sq keyring split". .TP \fBmerge\fR Merges keys or keyrings into a single keyring Unlike "sq keyring join", the certificates are buffered and multiple versions of the same certificate are merged together. Where data is replaced (e.g., secret key material), data from the later certificate is preferred. .TP \fBlist\fR Lists keys in a keyring Prints the fingerprint as well as one userid for every certificate encountered in the keyring. .TP \fBsplit\fR Splits a keyring into individual keys Splitting up a keyring into individual keys helps with curating a keyring. The converse operation is "sq keyring join". .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-keyserver-get.1010064400017500001750000000025301402044017700173240ustar 00000000000000.TH SQ-KEYSERVER-GET "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyserver\-get \- Retrieves a key .SH SYNOPSIS \fBsq keyserver get\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP QUERY Retrieve certificate(s) using QUERY. 
This may be a fingerprint, a KeyID, or an email address. .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-keyserver-send.1010064400017500001750000000022201402044017700174720ustar 00000000000000.TH SQ-KEYSERVER-SEND "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyserver\-send \- Sends a key .SH SYNOPSIS \fBsq keyserver send\fR [FLAGS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-keyserver.1010064400017500001750000000027431402044017700165550ustar 00000000000000.TH SQ-KEYSERVER "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyserver \- Interacts with keyservers .SH SYNOPSIS \fBsq keyserver\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-p\fR, \fB\-\-policy\fR NETWORK\-POLICY Sets the network policy to use [default: encrypted] [possible values: offline, anonymized, encrypted, insecure] .TP \fB\-s\fR, \fB\-\-server\fR URI Sets the keyserver to use .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBget\fR Retrieves a key .TP \fBsend\fR Sends a key .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-packet-decrypt.1010064400017500001750000000031441402044017700174510ustar 00000000000000.TH SQ-PACKET-DECRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-decrypt \- Unwraps an encryption container Decrypts a message, dumping the content of the encryption container without further processing. The result is a valid OpenPGP message that can, among other things, be inspected using "sq packet dump". 
.SH SYNOPSIS \fBsq packet decrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-dump\-session\-key\fR Prints the session key to stderr. The session key alone is sufficient to decrypt the message, so handle this output as carefully as the plaintext. .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-recipient\-key\fR KEY Decrypts the message with KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Unwraps the encryption revealing the signed message \fB$ sq packet decrypt \-\-recipient\-key juliet.pgp ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-packet-dump.1010064400017500001750000000037331402044017700167500ustar 00000000000000.TH SQ-PACKET-DUMP "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-dump \- Lists packets Creates a human\-readable description of the packet sequence. Additionally, it can print cryptographic artifacts, and print the raw octet stream similar to hexdump(1), annotating specifically which bytes are parsed into OpenPGP values. To inspect encrypted messages, either supply the session key, or see "sq decrypt \-\-dump" or "sq packet decrypt". 
.SH SYNOPSIS \fBsq packet dump\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-mpis\fR Prints cryptographic artifacts .TP \fB\-x\fR, \fB\-\-hex\fR Prints a hexdump .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-session\-key\fR SESSION\-KEY Decrypts an encrypted message using SESSION\-KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Prints the packets of a certificate \fB$ sq packet dump juliet.pgp\fR .TP # Prints cryptographic artifacts of a certificate \fB$ sq packet dump \-\-mpis juliet.pgp\fR .TP # Prints a hexdump of a certificate \fB$ sq packet dump \-\-hex juliet.pgp\fR .TP # Prints the packets of an encrypted message \fB$ sq packet dump \-\-session\-key AAAABBBBCCCC... ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-packet-join.1010064400017500001750000000032101402044017700167300ustar 00000000000000.TH SQ-PACKET-JOIN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-join \- Joins packets split across files Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet split". 
.SH SYNOPSIS \fBsq packet join\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-label\fR LABEL Selects the kind of armor header [default: auto] [possible values: auto, message, cert, key, sig, file] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split a certificate into individual packets \fB$ sq packet split juliet.pgp\fR .TP # Then join only a subset of these packets \fB$ sq packet join juliet.pgp\-[0\-3]*\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-packet-split.1010064400017500001750000000026471402044017700171410ustar 00000000000000.TH SQ-PACKET-SPLIT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-split \- Splits a message into packets Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet join". 
.SH SYNOPSIS \fBsq packet split\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-p\fR, \fB\-\-prefix\fR PREFIX Writes to files with PREFIX [defaults to FILE with a dash, or "output" if read from stdin] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split a certificate into individual packets \fB$ sq packet split juliet.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-packet.1010064400017500001750000000046231402044017700160040ustar 00000000000000.TH SQ-PACKET "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet \- Low\-level packet manipulation An OpenPGP data stream consists of packets. These tools allow working with packet streams. They are mostly of interest to developers, but "sq packet dump" may be helpful to a wider audience both to provide valuable information in bug reports to OpenPGP\-related software, and as a learning tool. .SH SYNOPSIS \fBsq packet\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBdump\fR Lists packets Creates a human\-readable description of the packet sequence. Additionally, it can print cryptographic artifacts, and print the raw octet stream similar to hexdump(1), annotating specifically which bytes are parsed into OpenPGP values. 
To inspect encrypted messages, either supply the session key, or see "sq decrypt \-\-dump" or "sq packet decrypt". .TP \fBdecrypt\fR Unwraps an encryption container Decrypts a message, dumping the content of the encryption container without further processing. The result is a valid OpenPGP message that can, among other things, be inspected using "sq packet dump". .TP \fBsplit\fR Splits a message into packets Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet join". .TP \fBjoin\fR Joins packets split across files Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet split". .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-sign.1010064400017500001750000000044051402044017700154730ustar 00000000000000.TH SQ-SIGN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-sign \- Signs messages or data files Creates signed messages or detached signatures. Detached signatures are often used to sign software packages. The converse operation is "sq verify". 
.SH SYNOPSIS \fBsq sign\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-detached\fR Creates a detached signature .TP \fB\-\-cleartext\-signature\fR Creates a cleartext signature .TP \fB\-a\fR, \fB\-\-append\fR Appends a signature to existing signature .TP \fB\-n\fR, \fB\-\-notarize\fR Signs a message and all existing signatures .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-merge\fR SIGNED\-MESSAGE Merges signatures from the input and SIGNED\-MESSAGE .TP \fB\-\-signer\-key\fR KEY Signs using KEY .TP \fB\-t\fR, \fB\-\-time\fR TIME Chooses keys valid at the specified time and sets the signature's creation time .TP \fB\-\-notation\fR NAME Adds a notation to the certification. A user\-defined notation's name must be of the form "name@a.domain.you.control.org". If the notation's name starts with a !, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable. .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Create a signed message \fB$ sq sign \-\-signer\-key juliet.pgp message.txt\fR .TP # Create a detached signature \fB$ sq sign \-\-detached \-\-signer\-key juliet.pgp message.txt\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-verify.1010064400017500001750000000044731402044017700160440ustar 00000000000000.TH SQ-VERIFY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-verify \- Verifies signed messages or detached signatures When verifying signed messages, the message is written to stdout or the file given to \-\-output. When a detached message is verified, no output is produced. Detached signatures are often used to sign software packages. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq sign". .SH SYNOPSIS \fBsq verify\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-detached\fR SIG Verifies a detached signature .TP \fB\-n\fR, \fB\-\-signatures\fR N Sets the threshold of valid signatures to N. If this threshold is not reached, the message will not be considered verified. [default: 1] .TP \fB\-\-signer\-cert\fR CERT Verifies signatures with CERT .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Verify a signed message \fB$ sq verify \-\-signer\-cert juliet.pgp signed\-message.pgp\fR .TP # Verify a detached message \fB$ sq verify \-\-signer\-cert juliet.pgp \-\-detached message.sig message.txt\fR .SH SEE ALSO If you are looking for a standalone program to verify detached signatures, consider using sequoia\-sqv. For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-wkd-generate.1010064400017500001750000000025061402044017700171100ustar 00000000000000.TH SQ-WKD-GENERATE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-wkd\-generate \- Generates a Web Key Directory for the given domain and keys. If the WKD exists, new keys will be inserted and existing ones will be updated. .SH SYNOPSIS \fBsq wkd generate\fR [FLAGS] [CERT\-RING] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-d\fR, \fB\-\-direct\-method\fR Uses the direct method [default: advanced method] .SH ARGS .TP WEB\-ROOT Writes the WKD to WEB\-ROOT. Transfer this directory to the webserver. .TP FQDN Generates a WKD for FQDN .TP CERT\-RING Adds certificates from CERT\-RING to the WKD .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1), sq\-wkd\-generate(1), sq\-wkd\-get(1), sq\-wkd\-url(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-wkd-get.1010064400017500001750000000017611402044017700160770ustar 00000000000000.TH SQ-WKD-GET "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-wkd\-get \- Queries for certs using Web Key Directory .SH SYNOPSIS \fBsq wkd get\fR [FLAGS]
.SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH ARGS .TP ADDRESS Queries a cert for ADDRESS .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1), sq\-wkd\-generate(1), sq\-wkd\-get(1), sq\-wkd\-url(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-wkd-url.1010064400017500001750000000017031402044017700161160ustar 00000000000000.TH SQ-WKD-URL "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-wkd\-url \- Prints the Web Key Directory URL of an email address. .SH SYNOPSIS \fBsq wkd url\fR [FLAGS]
.SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH ARGS .TP ADDRESS Queries for ADDRESS .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1), sq\-wkd\-generate(1), sq\-wkd\-get(1), sq\-wkd\-url(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq-wkd.1010064400017500001750000000027051402044017700153210ustar 00000000000000.TH SQ-WKD "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-wkd \- Interacts with Web Key Directories .SH SYNOPSIS \fBsq wkd\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-p\fR, \fB\-\-policy\fR NETWORK\-POLICY Sets the network policy to use [default: encrypted] [possible values: offline, anonymized, encrypted, insecure] .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBurl\fR Prints the Web Key Directory URL of an email address. .TP \fBget\fR Queries for certs using Web Key Directory .TP \fBgenerate\fR Generates a Web Key Directory for the given domain and keys. If the WKD exists, the new keys will be inserted and it is updated and existing ones will be updated. .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1), sq\-wkd\-generate(1), sq\-wkd\-get(1), sq\-wkd\-url(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net/sq.1010064400017500001750000000150701402044017700145350ustar 00000000000000.TH SQ "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq \- A command\-line frontend for Sequoia, an implementation of OpenPGP Functionality is grouped and available using subcommands. Currently, this interface is completely stateless. Therefore, you need to supply all configuration and certificates explicitly on each invocation. OpenPGP data can be provided in binary or ASCII armored form. This will be handled automatically. Emitted OpenPGP data is ASCII armored by default. We use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. Conversely, we use the term "key" to refer to OpenPGP keys that do contain secrets. .SH SYNOPSIS \fBsq\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-V\fR, \fB\-\-version\fR Prints version information .TP \fB\-f\fR, \fB\-\-force\fR Overwrites existing files .SH OPTIONS .TP \fB\-\-known\-notation\fR NOTATION Adds NOTATION to the list of known notations. This is used when validating signatures. Signatures that have unknown notations with the critical bit set are considered invalid. .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBdecrypt\fR Decrypts a message Decrypts a message using either supplied keys, or by prompting for a password. If message tampering is detected, an error is returned. See below for details. If certificates are supplied using the "\-\-signer\-cert" option, any signatures that are found are checked using these certificates. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. 
If the signature verification fails, or if message tampering is detected, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq encrypt". .TP \fBencrypt\fR Encrypts a message Encrypts a message for any number of recipients and with any number of passwords, optionally signing the message in the process. The converse operation is "sq decrypt". .TP \fBsign\fR Signs messages or data files Creates signed messages or detached signatures. Detached signatures are often used to sign software packages. The converse operation is "sq verify". .TP \fBverify\fR Verifies signed messages or detached signatures When verifying signed messages, the message is written to stdout or the file given to \-\-output. When a detached message is verified, no output is produced. Detached signatures are often used to sign software packages. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq sign". .TP \fBarmor\fR Converts binary to ASCII To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII\-encoded representation. The converse operation is "sq dearmor". 
.TP \fBdearmor\fR Converts ASCII to binary To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII\-encoded OpenPGP data to its binary representation. The converse operation is "sq armor". .TP \fBinspect\fR Inspects data, like file(1) It is often difficult to tell from cursory inspection using cat(1) or file(1) what kind of OpenPGP one is looking at. This subcommand inspects the data and provides a meaningful human\-readable description of it. .TP \fBkey\fR Manages keys We use the term "key" to refer to OpenPGP keys that do contain secrets. This subcommand provides primitives to generate and otherwise manipulate keys. Conversely, we use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. See "sq keyring" for operations on certificates. .TP \fBkeyring\fR Manages collections of keys or certs Collections of keys or certificates (also known as "keyrings" when they contain secret key material, and "certrings" when they don't) are any number of concatenated certificates. This subcommand provides tools to list, split, join, merge, and filter keyrings. Note: In the documentation of this subcommand, we sometimes use the terms keys and certs interchangeably. .TP \fBcertify\fR Certifies a User ID for a Certificate Using a certification, a keyholder may vouch for the fact that another certificate legitimately belongs to a user id. In the context of emails this means that the same entity controls the key and the email address. These kinds of certifications form the basis for the Web Of Trust. This command emits the certificate with the new certification. The updated certificate has to be distributed, preferably by sending it to the certificate holder for attestation. See also "sq key attest\-certification". 
.TP \fBpacket\fR Low\-level packet manipulation An OpenPGP data stream consists of packets. These tools allow working with packet streams. They are mostly of interest to developers, but "sq packet dump" may be helpful to a wider audience both to provide valuable information in bug reports to OpenPGP\-related software, and as a learning tool. .TP \fBkeyserver\fR Interacts with keyservers .TP \fBwkd\fR Interacts with Web Key Directories .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-armor.1010064400017500001750000000031241402044017700177000ustar 00000000000000.TH SQ-ARMOR "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-armor \- Converts binary to ASCII To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII\-encoded representation. The converse operation is "sq dearmor". .SH SYNOPSIS \fBsq armor\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-label\fR LABEL Selects the kind of armor header [default: auto] [possible values: auto, message, cert, key, sig, file] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Convert a binary certificate to ASCII \fB$ sq armor binary\-juliet.pgp\fR .TP # Convert a binary message to ASCII \fB$ sq armor binary\-message.pgp\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-autocrypt-decode.1010064400017500001750000000026251402044017700220400ustar 00000000000000.TH SQ-AUTOCRYPT-DECODE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-autocrypt\-decode \- Reads Autocrypt\-encoded certificates Given an autocrypt header (or a key\-gossip header), this command extracts the certificate encoded within it. The converse operation is "sq autocrypt encode\-sender". .SH SYNOPSIS \fBsq autocrypt decode\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Extract all certificates from a mail \fB$ sq autocrypt decode autocrypt.eml\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-autocrypt\-decode(1), sq\-autocrypt\-encode\-sender(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-autocrypt-encode-sender.1010064400017500001750000000040251402044017700233240ustar 00000000000000.TH SQ-AUTOCRYPT-ENCODE-SENDER "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-autocrypt\-encode\-sender \- Encodes a certificate into an Autocrypt header A certificate can be encoded and included in a header of an email message. This command encodes the certificate, adds the sender's email address (which must match the one used in the "From" header), and the sender's "prefer\-encrypt" state (see the Autocrypt spec for more information). The converse operation is "sq autocrypt decode". .SH SYNOPSIS \fBsq autocrypt encode\-sender\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-email\fR ADDRESS Sets the address [default: primary userid] .TP \fB\-\-prefer\-encrypt\fR prefer\-encrypt Sets the prefer\-encrypt attribute [default: nopreference] [possible values: nopreference, mutual] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Encodes a certificate \fB$ sq autocrypt encode\-sender juliet.pgp\fR .TP # Encodes a certificate with an explicit sender address \fB$ sq autocrypt encode\-sender \-\-email juliet@example.org juliet.pgp\fR .TP # Encodes a certificate while indicating the willingness to encrypt \fB$ sq autocrypt encode\-sender \-\-prefer\-encrypt mutual juliet.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-autocrypt\-decode(1), sq\-autocrypt\-encode\-sender(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-autocrypt.1010064400017500001750000000036251402044017700206200ustar 00000000000000.TH SQ-AUTOCRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-autocrypt \- Communicates certificates using Autocrypt Autocrypt is a standard for mail user agents to provide convenient end\-to\-end encryption of emails. This subcommand provides a limited way to produce and consume headers that are used by Autocrypt to communicate certificates between clients. See https://autocrypt.org/ .SH SYNOPSIS \fBsq autocrypt\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBdecode\fR Reads Autocrypt\-encoded certificates Given an autocrypt header (or an key\-gossip header), this command extracts the certificate encoded within it. The converse operation is "sq autocrypt encode\-sender". .TP \fBencode\-sender\fR Encodes a certificate into an Autocrypt header A certificate can be encoded and included in a header of an email message. This command encodes the certificate, adds the senders email address (which must match the one used in the "From" header), and the senders "prefer\-encrypt" state (see the Autocrypt spec for more information). The converse operation is "sq autocrypt decode". .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-autocrypt\-decode(1), sq\-autocrypt\-encode\-sender(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-certify.1010064400017500001750000000072431402044017700202330ustar 00000000000000.TH SQ-CERTIFY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-certify \- Certifies a User ID for a Certificate Using a certification a keyholder may vouch for the fact that another certificate legitimately belongs to a user id. In the context of emails this means that the same entity controls the key and the email address. These kind of certifications form the basis for the Web Of Trust. This command emits the certificate with the new certification. The updated certificate has to be distributed, preferably by sending it to the certificate holder for attestation. See also "sq key attest\-certification". .SH SYNOPSIS \fBsq certify\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-l\fR, \fB\-\-local\fR Makes the certification a local certification. Normally, local certifications are not exported. .TP \fB\-\-non\-revocable\fR Marks the certification as being non\-revocable. That is, you cannot later revoke this certification. This should normally only be used with an expiration. .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-d\fR, \fB\-\-depth\fR TRUST_DEPTH Sets the trust depth (sometimes referred to as the trust level). 0 means a normal certification of . 1 means CERTIFICATE is also a trusted introducer, 2 means CERTIFICATE is a meta\-trusted introducer, etc. The default is 0. .TP \fB\-a\fR, \fB\-\-amount\fR TRUST_AMOUNT Sets the amount of trust. Values between 1 and 120 are meaningful. 120 means fully trusted. Values less than 120 indicate the degree of trust. 60 is usually used for partially trusted. The default is 120. 
.TP \fB\-r\fR, \fB\-\-regex\fR REGEX Adds a regular expression to constrain what a trusted introducer can certify. The regular expression must match the certified User ID in all intermediate introducers, and the certified certificate. Multiple regular expressions may be specified. In that case, at least one must match. .TP \fB\-\-notation\fR NAME Adds a notation to the certification. A user\-defined notation's name must be of the form "name@a.domain.you.control.org". If the notation's name starts with a !, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable. .TP \fB\-\-expires\fR TIME Makes the certification expire at TIME (as ISO 8601). Use "never" to create certifications that do not expire. .TP \fB\-\-expires\-in\fR DURATION Makes the certification expire after DURATION. Either "N[ymwd]", for N years, months, weeks, or days, or "never". [default: 5y] .SH ARGS .TP CERTIFIER\-KEY Creates the certificate using CERTIFIER\-KEY. .TP CERTIFICATE Certifies CERTIFICATE. .TP USERID Certifies USERID for CERTIFICATE. .SH EXAMPLES .TP # Juliet certifies that Romeo controls romeo.pgp and romeo@example.org \fB$ sq certify juliet.pgp romeo.pgp ""\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-dearmor.1010064400017500001750000000027541402044017700202210ustar 00000000000000.TH SQ-DEARMOR "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-dearmor \- Converts ASCII to binary To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII\-encoded OpenPGP data to its binary representation. The converse operation is "sq armor". .SH SYNOPSIS \fBsq dearmor\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Convert a ASCII certificate to binary \fB$ sq dearmor ascii\-juliet.pgp\fR .TP # Convert a ASCII message to binary \fB$ sq dearmor ascii\-message.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-decrypt.1010064400017500001750000000052121402044017700202320ustar 00000000000000.TH SQ-DECRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-decrypt \- Decrypts a message Decrypts a message using either supplied keys, or by prompting for a password. If message tampering is detected, an error is returned. See below for details. 
If certificates are supplied using the "\-\-signer\-cert" option, any signatures that are found are checked using these certificates. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the signature verification fails, or if message tampering is detected, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. Because a message larger than 25 MiB may already have been partly written when the failure is detected, check the exit status before using any output. The converse operation is "sq encrypt". .SH SYNOPSIS \fBsq decrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-dump\-session\-key\fR Prints the session key to stderr. The session key is sufficient to decrypt the message, so treat this output as a secret and keep it out of shared logs. .TP \fB\-\-dump\fR Prints a packet dump to stderr .TP \fB\-x\fR, \fB\-\-hex\fR Prints a hexdump (implies \-\-dump) .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-n\fR, \fB\-\-signatures\fR N Sets the threshold of valid signatures to N. The message will only be considered verified if this threshold is reached. When no signer cert is given the threshold defaults to 0, so a successful decryption then does not show that any signature was verified. [default: 1 if at least one signer cert file is given, 0 otherwise] .TP \fB\-\-signer\-cert\fR CERT Verifies signatures with CERT .TP \fB\-\-recipient\-key\fR KEY Decrypts with KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Decrypt a file using a secret key \fB$ sq decrypt \-\-recipient\-key juliet.pgp ciphertext.pgp\fR .TP # Decrypt a file verifying signatures \fB$ sq decrypt \-\-recipient\-key juliet.pgp \-\-signer\-cert romeo.pgp ciphertext.pgp\fR .TP # Decrypt a file using a password \fB$ sq decrypt ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-encrypt.1010064400017500001750000000050051402044017700202440ustar 00000000000000.TH SQ-ENCRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-encrypt \- Encrypts a message Encrypts a message for any number of recipients and with any number of passwords, optionally signing the message in the process. The converse operation is "sq decrypt". .SH SYNOPSIS \fBsq encrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-s\fR, \fB\-\-symmetric\fR Adds a password to encrypt with. The message can be decrypted with either one of the recipient's keys, or any password. .TP \fB\-\-use\-expired\-subkey\fR If a certificate has only expired encryption\-capable subkeys, falls back to using the one that expired last .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-recipient\-cert\fR CERT\-RING Encrypts for all recipients in CERT\-RING .TP \fB\-\-signer\-key\fR KEY Signs the message with KEY .TP \fB\-\-mode\fR MODE Selects what kind of keys are considered for encryption. Transport select subkeys marked as suitable for transport encryption, rest selects those for encrypting data at rest, and all selects all encryption\-capable subkeys. 
[default: all] [possible values: transport, rest, all] .TP \fB\-\-compression\fR KIND Selects compression scheme to use [default: pad] [possible values: none, pad, zip, zlib, bzip2] .TP \fB\-t\fR, \fB\-\-time\fR TIME Chooses keys valid at the specified time and sets the signature's creation time .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Encrypt a file using a certificate \fB$ sq encrypt \-\-recipient\-cert romeo.pgp message.txt\fR .TP # Encrypt a file creating a signature in the process \fB$ sq encrypt \-\-recipient\-cert romeo.pgp \-\-signer\-key juliet.pgp message.txt\fR .TP # Encrypt a file using a password \fB$ sq encrypt \-\-symmetric message.txt\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-inspect.1010064400017500001750000000026571402044017700202370ustar 00000000000000.TH SQ-INSPECT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-inspect \- Inspects data, like file(1) It is often difficult to tell from cursory inspection using cat(1) or file(1) what kind of OpenPGP one is looking at. This subcommand inspects the data and provides a meaningful human\-readable description of it. 
.SH SYNOPSIS \fBsq inspect\fR [FLAGS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-certifications\fR Prints third\-party certifications .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Inspects a certificate \fB$ sq inspect juliet.pgp\fR .TP # Inspects a certificate ring \fB$ sq inspect certs.pgp\fR .TP # Inspects a message \fB$ sq inspect message.pgp\fR .TP # Inspects a detached signature \fB$ sq inspect message.sig\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-key-adopt.1010064400017500001750000000040561402044017700204620ustar 00000000000000.TH SQ-KEY-ADOPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-adopt \- Binds keys from one certificate to another This command allows one to transfer primary keys and subkeys into an existing certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate. You want to keep the authentication subkey because it allows access to SSH servers and updating their configuration is not feasible. .SH SYNOPSIS \fBsq key adopt\fR [FLAGS] [OPTIONS] [TARGET\-KEY] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-allow\-broken\-crypto\fR Allows adopting keys from certificates using broken cryptography .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-r\fR, \fB\-\-keyring\fR KEY\-RING Supplies keys for use in \-\-key. 
.TP \fB\-k\fR, \fB\-\-key\fR KEY Adds the key or subkey KEY to the TARGET\-KEY .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP TARGET\-KEY Adds keys to TARGET\-KEY .SH EXAMPLES .TP # Adopt a subkey into the new cert \fB$ sq key adopt \-\-keyring juliet\-old.pgp \-\-key 0123456789ABCDEF \-\- juliet\-new.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-key-attest-certifications.1010064400017500001750000000042201402044017700236540ustar 00000000000000.TH SQ-KEY-ATTEST-CERTIFICATIONS "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-attest\-certifications \- Attests to third\-party certifications allowing for their distribution To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third\-party certifications on certificates. To make the key holder the sovereign over what information is distributed with the certificate, the key holder needs to explicitly attest to third\-party certifications. After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a keyserver. 
.SH SYNOPSIS \fBsq key attest\-certifications\fR [FLAGS] [OPTIONS] [KEY] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-none\fR Removes all prior attestations .TP \fB\-\-all\fR Attests to all certifications [default] .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP KEY Changes attestations on KEY .SH EXAMPLES .TP # Attest to all certifications present on the key \fB$ sq key attest\-certifications juliet.pgp\fR .TP # Retract prior attestations on the key \fB$ sq key attest\-certifications \-\-none juliet.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-key-extract-cert.1010064400017500001750000000034541402044017700217610ustar 00000000000000.TH SQ-KEY-EXTRACT-CERT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-extract\-cert \- Converts a key to a cert After generating a key, use this command to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. 
.SH SYNOPSIS \fBsq key extract\-cert\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # First, this generates a key \fB$ sq key generate \-\-userid "" \-\-export juliet.key.pgp\fR .TP # Then, this extracts the certificate for distribution \fB$ sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-key-generate.1010064400017500001750000000066231402044017700211470ustar 00000000000000.TH SQ-KEY-GENERATE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key\-generate \- Generates a new key Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users. When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place. After generating a key, use "sq key extract\-cert" to get the certificate corresponding to the key. 
The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. .SH SYNOPSIS \fBsq key generate\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-with\-password\fR Protects the key with a password .TP \fB\-\-can\-sign\fR Adds a signing\-capable subkey (default) .TP \fB\-\-cannot\-sign\fR Adds no signing\-capable subkey .TP \fB\-\-cannot\-encrypt\fR Adds no encryption\-capable subkey .SH OPTIONS .TP \fB\-u\fR, \fB\-\-userid\fR EMAIL Adds a userid to the key .TP \fB\-c\fR, \fB\-\-cipher\-suite\fR CIPHER\-SUITE Selects the cryptographic algorithms for the key [default: cv25519] [possible values: rsa3k, rsa4k, cv25519] .TP \fB\-\-expires\fR TIME Makes the key expire at TIME (as ISO 8601). Use "never" to create keys that do not expire. .TP \fB\-\-expires\-in\fR DURATION Makes the key expire after DURATION. Either "N[ymwd]", for N years, months, weeks, or days, or "never". .TP \fB\-\-can\-encrypt\fR PURPOSE Adds an encryption\-capable subkey. Encryption\-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both. [default: universal] [possible values: transport, storage, universal] .TP \fB\-e\fR, \fB\-\-export\fR OUTFILE Writes the key to OUTFILE .TP \fB\-\-rev\-cert\fR FILE or \- Writes the revocation certificate to FILE. mandatory if OUTFILE is "\-". [default: .rev] .SH EXAMPLES .TP # First, this generates a key \fB$ sq key generate \-\-userid "" \-\-export juliet.key.pgp\fR .TP # Then, this extracts the certificate for distribution \fB$ sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp\fR .TP # Generates a key protecting it with a password \fB$ sq key generate \-\-userid "" \-\-with\-password\fR .TP # Generates a key with multiple userids \fB$ sq key generate \-\-userid "" \-\-userid "Juliet Capulet"\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-key.1010064400017500001750000000064771402044017700173660ustar 00000000000000.TH SQ-KEY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-key \- Manages keys We use the term "key" to refer to OpenPGP keys that do contain secrets. This subcommand provides primitives to generate and otherwise manipulate keys. Conversely, we use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. See "sq keyring" for operations on certificates. .SH SYNOPSIS \fBsq key\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBgenerate\fR Generates a new key Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users. When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place. After generating a key, use "sq key extract\-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. 
by uploading it to a keyserver. .TP \fBextract\-cert\fR Converts a key to a cert After generating a key, use this command to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver. .TP \fBadopt\fR Binds keys from one certificate to another This command allows one to transfer primary keys and subkeys into an existing certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate. You want to keep the authentication subkey because it allows access to SSH servers and updating their configuration is not feasible. .TP \fBattest\-certifications\fR Attests to third\-party certifications allowing for their distribution To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third\-party certifications on certificates. To make the key holder the sovereign over what information is distributed with the certificate, the key holder needs to explicitly attest to third\-party certifications. After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a keyserver. .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-keyring-filter.1010064400017500001750000000060421402044017700215150ustar 00000000000000.TH SQ-KEYRING-FILTER "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-filter \- Joins keys into a keyring applying a filter This can be used to filter keys based on given predicates, e.g. whether they have a user id containing an email address with a certain domain. Additionally, the keys can be pruned to only include components matching the predicates. If no filters are supplied, everything matches. If multiple predicates are given, they are or'ed, i.e. a key matches if any of the predicates match. To require all predicates to match, chain multiple invocations of this command. See EXAMPLES for inspiration. .SH SYNOPSIS \fBsq keyring filter\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-P\fR, \fB\-\-prune\-certs\fR Removes certificate components not matching the filter .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-to\-cert\fR Converts any keys in the input to certificates. Converting a key to a certificate removes secret key material from the key thereby turning it into a certificate. 
.SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-name\fR NAME Matches on NAME .TP \fB\-\-email\fR ADDRESS Matches on email ADDRESS .TP \fB\-\-domain\fR FQDN Matches on email domain FQDN .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Converts a key to a cert (i.e., remove any secret key material) \fB$ sq keyring filter \-\-to\-cert cat juliet.pgp\fR .TP # Gets the keys with a user id on example.org \fB$ sq keyring filter \-\-domain example.org keys.pgp\fR .TP # Gets the keys with a user id on example.org or example.net \fB$ sq keyring filter \-\-domain example.org \-\-domain example.net keys.pgp\fR .TP # Gets the keys with a user id with the name Juliet \fB$ sq keyring filter \-\-name Juliet keys.pgp\fR .TP # Gets the keys with a user id with the name Juliet on example.org \fB$ sq keyring filter \-\-domain example.org keys.pgp | \ keyring filter \-\-name Juliet\fR .TP # Gets the keys with a user id on example.org, pruning other userids \fB$ sq keyring filter \-\-domain example.org \-\-prune\-certs certs.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-keyring-join.1010064400017500001750000000031061402044017700211650ustar 00000000000000.TH SQ-KEYRING-JOIN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-join \- Joins keys or keyrings into a single keyring Unlike "sq keyring merge", multiple versions of the same key are not merged together. The converse operation is "sq keyring split". .SH SYNOPSIS \fBsq keyring join\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Don't ASCII\-armor the keyring .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Sets the output file to use .SH ARGS .TP FILE Sets the input files to use .SH EXAMPLES .TP # Collect certs for an email conversation \fB$ sq keyring join juliet.pgp romeo.pgp alice.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-keyring-list.1010064400017500001750000000027121402044017700212030ustar 00000000000000.TH SQ-KEYRING-LIST "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-list \- Lists keys in a keyring Prints the fingerprint as well as one userid for every certificate encountered in the keyring. 
.SH SYNOPSIS \fBsq keyring list\fR [FLAGS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # List all certs \fB$ sq keyring list certs.pgp\fR .TP # List all certs with a userid on example.org \fB$ sq keyring filter \-\-domain example.org certs.pgp | sq keyring list\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-keyring-merge.1010064400017500001750000000032031402044017700213230ustar 00000000000000.TH SQ-KEYRING-MERGE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-merge \- Merges keys or keyrings into a single keyring Unlike "sq keyring join", the certificates are buffered and multiple versions of the same certificate are merged together. Where data is replaced (e.g., secret key material), data from the later certificate is preferred. .SH SYNOPSIS \fBsq keyring merge\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP FILE Reads from FILE .SH EXAMPLES .TP # Merge certificate updates \fB$ sq keyring merge certs.pgp romeo\-updates.pgp\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-keyring-split.1010064400017500001750000000033261402044017700213650ustar 00000000000000.TH SQ-KEYRING-SPLIT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring\-split \- Splits a keyring into individual keys Splitting up a keyring into individual keys helps with curating a keyring. The converse operation is "sq keyring join". .SH SYNOPSIS \fBsq keyring split\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-p\fR, \fB\-\-prefix\fR FILE Writes to files with prefix FILE [defaults to the input filename with a dash, or "output" if keyring is read from stdin] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split all certs \fB$ sq keyring split certs.pgp\fR .TP # Split all certs, merging them first to avoid duplicates \fB$ sq keyring merge certs.pgp | sq keyring split\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-keyring.1010064400017500001750000000056011402044017700202320ustar 00000000000000.TH SQ-KEYRING "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyring \- Manages collections of keys or certs Collections of keys or certificates (also known as "keyrings" when they contain secret key material, and "certrings" when they don't) are any number of concatenated certificates. This subcommand provides tools to list, split, join, merge, and filter keyrings. Note: In the documentation of this subcommand, we sometimes use the terms keys and certs interchangeably. .SH SYNOPSIS \fBsq keyring\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBfilter\fR Joins keys into a keyring applying a filter This can be used to filter keys based on given predicates, e.g. whether they have a user id containing an email address with a certain domain. Additionally, the keys can be pruned to only include components matching the predicates. If no filters are supplied, everything matches. If multiple predicates are given, they are or'ed, i.e. a key matches if any of the predicates match. To require all predicates to match, chain multiple invocations of this command. See EXAMPLES for inspiration. 
.TP \fBjoin\fR Joins keys or keyrings into a single keyring Unlike "sq keyring merge", multiple versions of the same key are not merged together. The converse operation is "sq keyring split". .TP \fBmerge\fR Merges keys or keyrings into a single keyring Unlike "sq keyring join", the certificates are buffered and multiple versions of the same certificate are merged together. Where data is replaced (e.g., secret key material), data from the later certificate is preferred. .TP \fBlist\fR Lists keys in a keyring Prints the fingerprint as well as one userid for every certificate encountered in the keyring. .TP \fBsplit\fR Splits a keyring into individual keys Splitting up a keyring into individual keys helps with curating a keyring. The converse operation is "sq keyring join". .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-keyserver-get.1010064400017500001750000000025521402044017700213600ustar 00000000000000.TH SQ-KEYSERVER-GET "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyserver\-get \- Retrieves a key .SH SYNOPSIS \fBsq keyserver get\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .SH ARGS .TP QUERY Retrieve certificate(s) using QUERY. This may be a fingerprint, a KeyID, or an email address. .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-keyserver-send.1010064400017500001750000000022421402044017700215260ustar 00000000000000.TH SQ-KEYSERVER-SEND "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyserver\-send \- Sends a key .SH SYNOPSIS \fBsq keyserver send\fR [FLAGS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-keyserver.1010064400017500001750000000027651402044017700206110ustar 00000000000000.TH SQ-KEYSERVER "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-keyserver \- Interacts with keyservers .SH SYNOPSIS \fBsq keyserver\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-p\fR, \fB\-\-policy\fR NETWORK\-POLICY Sets the network policy to use [default: encrypted] [possible values: offline, anonymized, encrypted, insecure] .TP \fB\-s\fR, \fB\-\-server\fR URI Sets the keyserver to use .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBget\fR Retrieves a key .TP \fBsend\fR Sends a key .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-keyserver(1), sq\-keyserver\-get(1), sq\-keyserver\-send(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-packet-decrypt.1010064400017500001750000000031661402044017700215050ustar 00000000000000.TH SQ-PACKET-DECRYPT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-decrypt \- Unwraps an encryption container Decrypts a message, dumping the content of the encryption container without further processing. The result is a valid OpenPGP message that can, among other things, be inspected using "sq packet dump". .SH SYNOPSIS \fBsq packet decrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-dump\-session\-key\fR Prints the session key to stderr .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-recipient\-key\fR KEY Decrypts the message with KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Unwraps the encryption revealing the signed message \fB$ sq packet decrypt \-\-recipient\-key juliet.pgp ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-packet-dump.1010064400017500001750000000037551402044017700210040ustar 00000000000000.TH SQ-PACKET-DUMP "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-dump \- Lists packets Creates a human\-readable description of the packet sequence. 
Additionally, it can print cryptographic artifacts, and print the raw octet stream similar to hexdump(1), annotating specifically which bytes are parsed into OpenPGP values. To inspect encrypted messages, either supply the session key, or see "sq decrypt \-\-dump" or "sq packet decrypt". .SH SYNOPSIS \fBsq packet dump\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-\-mpis\fR Prints cryptographic artifacts .TP \fB\-x\fR, \fB\-\-hex\fR Prints a hexdump .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-session\-key\fR SESSION\-KEY Decrypts an encrypted message using SESSION\-KEY .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Prints the packets of a certificate \fB$ sq packet dump juliet.pgp\fR .TP # Prints cryptographic artifacts of a certificate \fB$ sq packet dump \-\-mpis juliet.pgp\fR .TP # Prints a hexdump of a certificate \fB$ sq packet dump \-\-hex juliet.pgp\fR .TP # Prints the packets of an encrypted message \fB$ sq packet dump \-\-session\-key AAAABBBBCCCC... ciphertext.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-packet-join.1010064400017500001750000000032321402044017700207640ustar 00000000000000.TH SQ-PACKET-JOIN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-join \- Joins packets split across files Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet split". .SH SYNOPSIS \fBsq packet join\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-label\fR LABEL Selects the kind of armor header [default: auto] [possible values: auto, message, cert, key, sig, file] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split a certificate into individual packets \fB$ sq packet split juliet.pgp\fR .TP # Then join only a subset of these packets \fB$ sq packet join juliet.pgp\-[0\-3]*\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-packet-split.1010064400017500001750000000026711402044017700211660ustar 00000000000000.TH SQ-PACKET-SPLIT "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet\-split \- Splits a message into packets Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet join". .SH SYNOPSIS \fBsq packet split\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-p\fR, \fB\-\-prefix\fR PREFIX Writes to files with PREFIX [defaults to FILE with a dash, or "output" if read from stdin] .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Split a certificate into individual packets \fB$ sq packet split juliet.pgp\fR .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-packet.1010064400017500001750000000046451402044017700200400ustar 00000000000000.TH SQ-PACKET "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-packet \- Low\-level packet manipulation An OpenPGP data stream consists of packets. These tools allow working with packet streams. They are mostly of interest to developers, but "sq packet dump" may be helpful to a wider audience both to provide valuable information in bug reports to OpenPGP\-related software, and as a learning tool. 
.SH SYNOPSIS \fBsq packet\fR [FLAGS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBdump\fR Lists packets Creates a human\-readable description of the packet sequence. Additionally, it can print cryptographic artifacts, and print the raw octet stream similar to hexdump(1), annotating specifically which bytes are parsed into OpenPGP values. To inspect encrypted messages, either supply the session key, or see "sq decrypt \-\-dump" or "sq packet decrypt". .TP \fBdecrypt\fR Unwraps an encryption container Decrypts a message, dumping the content of the encryption container without further processing. The result is a valid OpenPGP message that can, among other things, be inspected using "sq packet dump". .TP \fBsplit\fR Splits a message into packets Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet join". .TP \fBjoin\fR Joins packets split across files Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data. The converse operation is "sq packet split". .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-packet\-decrypt(1), sq\-packet\-dump(1), sq\-packet\-join(1), sq\-packet\-split(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-sign.1010064400017500001750000000044271402044017700175270ustar 00000000000000.TH SQ-SIGN "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-sign \- Signs messages or data files Creates signed messages or detached signatures. Detached signatures are often used to sign software packages. The converse operation is "sq verify". .SH SYNOPSIS \fBsq sign\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .TP \fB\-\-detached\fR Creates a detached signature .TP \fB\-\-cleartext\-signature\fR Creates a cleartext signature .TP \fB\-a\fR, \fB\-\-append\fR Appends a signature to existing signature .TP \fB\-n\fR, \fB\-\-notarize\fR Signs a message and all existing signatures .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-merge\fR SIGNED\-MESSAGE Merges signatures from the input and SIGNED\-MESSAGE .TP \fB\-\-signer\-key\fR KEY Signs using KEY .TP \fB\-t\fR, \fB\-\-time\fR TIME Chooses keys valid at the specified time and sets the signature's creation time .TP \fB\-\-notation\fR NAME Adds a notation to the certification. A user\-defined notation's name must be of the form "name@a.domain.you.control.org". If the notation's name starts with a !, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable. .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Create a signed message \fB$ sq sign \-\-signer\-key juliet.pgp message.txt\fR .TP # Create a detached signature \fB$ sq sign \-\-detached \-\-signer\-key juliet.pgp message.txt\fR .SH SEE ALSO For the full documentation see . 
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-verify.1010064400017500001750000000045151402044017700200710ustar 00000000000000.TH SQ-VERIFY "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-verify \- Verifies signed messages or detached signatures When verifying signed messages, the message is written to stdout or the file given to \-\-output. When a detached message is verified, no output is produced. Detached signatures are often used to sign software packages. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq sign". .SH SYNOPSIS \fBsq verify\fR [FLAGS] [OPTIONS] [\-\-] [FILE] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-o\fR, \fB\-\-output\fR FILE Writes to FILE or stdout if omitted .TP \fB\-\-detached\fR SIG Verifies a detached signature .TP \fB\-n\fR, \fB\-\-signatures\fR N Sets the threshold of valid signatures to N. If this threshold is not reached, the message will not be considered verified. 
[default: 1] .TP \fB\-\-signer\-cert\fR CERT Verifies signatures with CERT .SH ARGS .TP FILE Reads from FILE or stdin if omitted .SH EXAMPLES .TP # Verify a signed message \fB$ sq verify \-\-signer\-cert juliet.pgp signed\-message.pgp\fR .TP # Verify a detached message \fB$ sq verify \-\-signer\-cert juliet.pgp \-\-detached message.sig message.txt\fR .SH SEE ALSO If you are looking for a standalone program to verify detached signatures, consider using sequoia\-sqv. For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-wkd-generate.1010064400017500001750000000025301402044017700211350ustar 00000000000000.TH SQ-WKD-GENERATE "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-wkd\-generate \- Generates a Web Key Directory for the given domain and keys. If the WKD exists, the new keys will be inserted and existing ones will be updated. .SH SYNOPSIS \fBsq wkd generate\fR [FLAGS] [CERT\-RING] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-d\fR, \fB\-\-direct\-method\fR Uses the direct method [default: advanced method] .SH ARGS .TP WEB\-ROOT Writes the WKD to WEB\-ROOT. Transfer this directory to the webserver. .TP FQDN Generates a WKD for FQDN .TP CERT\-RING Adds certificates from CERT\-RING to the WKD .SH SEE ALSO For the full documentation see .
.ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1), sq\-wkd\-generate(1), sq\-wkd\-get(1), sq\-wkd\-url(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-wkd-get.1010064400017500001750000000020031402044017700201150ustar 00000000000000.TH SQ-WKD-GET "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-wkd\-get \- Queries for certs using Web Key Directory .SH SYNOPSIS \fBsq wkd get\fR [FLAGS]
.SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-B\fR, \fB\-\-binary\fR Emits binary data .SH ARGS .TP ADDRESS Queries a cert for ADDRESS .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1), sq\-wkd\-generate(1), sq\-wkd\-get(1), sq\-wkd\-url(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-wkd-url.1010064400017500001750000000017251402044017700201520ustar 00000000000000.TH SQ-WKD-URL "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-wkd\-url \- Prints the Web Key Directory URL of an email address. .SH SYNOPSIS \fBsq wkd url\fR [FLAGS]
.SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH ARGS .TP ADDRESS Queries for ADDRESS .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1), sq\-wkd\-generate(1), sq\-wkd\-get(1), sq\-wkd\-url(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq-wkd.1010064400017500001750000000027271402044017700173550ustar 00000000000000.TH SQ-WKD "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq\-wkd \- Interacts with Web Key Directories .SH SYNOPSIS \fBsq wkd\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .SH OPTIONS .TP \fB\-p\fR, \fB\-\-policy\fR NETWORK\-POLICY Sets the network policy to use [default: encrypted] [possible values: offline, anonymized, encrypted, insecure] .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBurl\fR Prints the Web Key Directory URL of an email address. .TP \fBget\fR Queries for certs using Web Key Directory .TP \fBgenerate\fR Generates a Web Key Directory for the given domain and keys. If the WKD exists, the new keys will be inserted and existing ones will be updated. .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1), sq\-wkd\-generate(1), sq\-wkd\-get(1), sq\-wkd\-url(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H.
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/man-sq-net-autocrypt/sq.1010064400017500001750000000156331402044017700165720ustar 00000000000000.TH SQ "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5 .SH NAME sq \- A command\-line frontend for Sequoia, an implementation of OpenPGP Functionality is grouped and available using subcommands. Currently, this interface is completely stateless. Therefore, you need to supply all configuration and certificates explicitly on each invocation. OpenPGP data can be provided in binary or ASCII armored form. This will be handled automatically. Emitted OpenPGP data is ASCII armored by default. We use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. Conversely, we use the term "key" to refer to OpenPGP keys that do contain secrets. .SH SYNOPSIS \fBsq\fR [FLAGS] [OPTIONS] .SH FLAGS .TP \fB\-h\fR, \fB\-\-help\fR Prints help information .TP \fB\-V\fR, \fB\-\-version\fR Prints version information .TP \fB\-f\fR, \fB\-\-force\fR Overwrites existing files .SH OPTIONS .TP \fB\-\-known\-notation\fR NOTATION Adds NOTATION to the list of known notations. This is used when validating signatures. Signatures that have unknown notations with the critical bit set are considered invalid. .SH SUBCOMMANDS .TP \fBhelp\fR Prints this message or the help of the given subcommand(s) .TP \fBdecrypt\fR Decrypts a message Decrypts a message using either supplied keys, or by prompting for a password. If message tampering is detected, an error is returned. See below for details. If certificates are supplied using the "\-\-signer\-cert" option, any signatures that are found are checked using these certificates. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. 
If the signature verification fails, or if message tampering is detected, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq encrypt". .TP \fBencrypt\fR Encrypts a message Encrypts a message for any number of recipients and with any number of passwords, optionally signing the message in the process. The converse operation is "sq decrypt". .TP \fBsign\fR Signs messages or data files Creates signed messages or detached signatures. Detached signatures are often used to sign software packages. The converse operation is "sq verify". .TP \fBverify\fR Verifies signed messages or detached signatures When verifying signed messages, the message is written to stdout or the file given to \-\-output. When a detached message is verified, no output is produced. Detached signatures are often used to sign software packages. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "\-\-signatures" parameter. If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated. The converse operation is "sq sign". .TP \fBarmor\fR Converts binary to ASCII To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII\-encoded representation. The converse operation is "sq dearmor". 
.TP \fBdearmor\fR Converts ASCII to binary To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII\-encoded OpenPGP data to its binary representation. The converse operation is "sq armor". .TP \fBinspect\fR Inspects data, like file(1) It is often difficult to tell from cursory inspection using cat(1) or file(1) what kind of OpenPGP one is looking at. This subcommand inspects the data and provides a meaningful human\-readable description of it. .TP \fBkey\fR Manages keys We use the term "key" to refer to OpenPGP keys that do contain secrets. This subcommand provides primitives to generate and otherwise manipulate keys. Conversely, we use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. See "sq keyring" for operations on certificates. .TP \fBkeyring\fR Manages collections of keys or certs Collections of keys or certificates (also known as "keyrings" when they contain secret key material, and "certrings" when they don't) are any number of concatenated certificates. This subcommand provides tools to list, split, join, merge, and filter keyrings. Note: In the documentation of this subcommand, we sometimes use the terms keys and certs interchangeably. .TP \fBcertify\fR Certifies a User ID for a Certificate Using a certification, a keyholder may vouch for the fact that another certificate legitimately belongs to a user id. In the context of emails this means that the same entity controls the key and the email address. These kinds of certifications form the basis for the Web Of Trust. This command emits the certificate with the new certification. The updated certificate has to be distributed, preferably by sending it to the certificate holder for attestation. See also "sq key attest\-certification".
.TP \fBpacket\fR Low\-level packet manipulation An OpenPGP data stream consists of packets. These tools allow working with packet streams. They are mostly of interest to developers, but "sq packet dump" may be helpful to a wider audience both to provide valuable information in bug reports to OpenPGP\-related software, and as a learning tool. .TP \fBkeyserver\fR Interacts with keyservers .TP \fBwkd\fR Interacts with Web Key Directories .TP \fBautocrypt\fR Communicates certificates using Autocrypt Autocrypt is a standard for mail user agents to provide convenient end\-to\-end encryption of emails. This subcommand provides a limited way to produce and consume headers that are used by Autocrypt to communicate certificates between clients. See https://autocrypt.org/ .SH SEE ALSO For the full documentation see . .ad l .nh sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-keyserver(1), sq\-packet(1), sq\-sign(1), sq\-verify(1), sq\-wkd(1) .SH AUTHORS .P .RS 2 .nf Azul Igor Matuszewski Justus Winter Kai Michaelis Neal H. 
Walfield Nora Widdecke Wiktor Kwapisiewicz sequoia-sq-0.25.0/src/commands/autocrypt.rs010064400017500001750000000036601402044017700170420ustar 00000000000000use sequoia_openpgp as openpgp; use openpgp::{ Cert, Result, armor, parse::Parse, serialize::Serialize, }; use sequoia_autocrypt as autocrypt; use crate::{ Config, open_or_stdin, }; pub fn dispatch(config: Config, m: &clap::ArgMatches) -> Result<()> { match m.subcommand() { ("decode", Some(m)) => { let input = open_or_stdin(m.value_of("input"))?; let mut output = config.create_or_stdout_pgp(m.value_of("output"), m.is_present("binary"), armor::Kind::PublicKey)?; let ac = autocrypt::AutocryptHeaders::from_reader(input)?; for h in &ac.headers { if let Some(ref cert) = h.key { cert.serialize(&mut output)?; } } output.finalize()?; }, ("encode-sender", Some(m)) => { let input = open_or_stdin(m.value_of("input"))?; let mut output = config.create_or_stdout_safe(m.value_of("output"))?; let cert = Cert::from_reader(input)?; let addr = m.value_of("address").map(|a| a.to_string()) .or_else(|| { cert.with_policy(&config.policy, None) .and_then(|vcert| vcert.primary_userid()).ok() .map(|ca| ca.userid().to_string()) }); let ac = autocrypt::AutocryptHeader::new_sender( &config.policy, &cert, &addr.ok_or(anyhow::anyhow!( "No well-formed primary userid found, use \ --address to specify one"))?, m.value_of("prefer-encrypt").expect("has default"))?; write!(&mut output, "Autocrypt: ")?; ac.serialize(&mut output)?; }, _ => unreachable!(), } Ok(()) } sequoia-sq-0.25.0/src/commands/certify.rs010064400017500001750000000123641402044017700164560ustar 00000000000000use std::time::{SystemTime, Duration}; use sequoia_openpgp as openpgp; use openpgp::Result; use openpgp::cert::prelude::*; use openpgp::packet::prelude::*; use openpgp::packet::signature::subpacket::NotationDataFlags; use openpgp::parse::Parse; use openpgp::serialize::Serialize; use openpgp::types::SignatureType; use crate::Config; use crate::parse_duration; use 
crate::SECONDS_IN_YEAR; pub fn certify(config: Config, m: &clap::ArgMatches) -> Result<()> { let certifier = m.value_of("certifier").unwrap(); let cert = m.value_of("certificate").unwrap(); let userid = m.value_of("userid").unwrap(); let certifier = Cert::from_file(certifier)?; let cert = Cert::from_file(cert)?; let vc = cert.with_policy(&config.policy, None)?; let trust_depth: u8 = m.value_of("depth") .map(|s| s.parse()).unwrap_or(Ok(0))?; let trust_amount: u8 = m.value_of("amount") .map(|s| s.parse()).unwrap_or(Ok(120))?; let regex = m.values_of("regex").map(|v| v.collect::>()) .unwrap_or(vec![]); if trust_depth == 0 && regex.len() > 0 { return Err( anyhow::format_err!("A regex only makes sense \ if the trust depth is greater than 0")); } let local = m.is_present("local"); let non_revocable = m.is_present("non-revocable"); let expires = m.value_of("expires"); let expires_in = m.value_of("expires-in"); // Find the matching User ID. let mut u = None; for ua in vc.userids() { if let Ok(a_userid) = std::str::from_utf8(ua.userid().value()) { if a_userid == userid { u = Some(ua.userid()); break; } } } let userid = if let Some(userid) = u { userid } else { eprintln!("User ID: '{}' not found.\nValid User IDs:", userid); let mut have_valid = false; for ua in vc.userids() { if let Ok(u) = std::str::from_utf8(ua.userid().value()) { have_valid = true; eprintln!(" - {}", u); } } if ! have_valid { eprintln!(" - Certificate has no valid User IDs."); } return Err(anyhow::format_err!("No matching User ID found")); }; // Create the certification. 
let mut builder = SignatureBuilder::new(SignatureType::GenericCertification); if trust_depth != 0 || trust_amount != 120 { builder = builder.set_trust_signature(trust_depth, trust_amount)?; } for regex in regex { builder = builder.add_regular_expression(regex)?; } if local { builder = builder.set_exportable_certification(false)?; } if non_revocable { builder = builder.set_revocable(false)?; } match (expires, expires_in) { (None, None) => // Default expiration. builder = builder.set_signature_validity_period( Duration::new(5 * SECONDS_IN_YEAR, 0))?, (Some(t), None) if t == "never" => // The default is no expiration; there is nothing to do. (), (Some(t), None) => { let now = builder.signature_creation_time() .unwrap_or_else(std::time::SystemTime::now); let expiration = SystemTime::from( crate::parse_iso8601(t, chrono::NaiveTime::from_hms(0, 0, 0))?); let validity = expiration.duration_since(now)?; builder = builder.set_signature_creation_time(now)? .set_signature_validity_period(validity)?; }, (None, Some(d)) if d == "never" => // The default is no expiration; there is nothing to do. (), (None, Some(d)) => { let d = parse_duration(d)?; builder = builder.set_signature_validity_period(d)?; }, (Some(_), Some(_)) => unreachable!("conflicting args"), } // Each --notation takes two values. The iterator returns them // one at a time, however. if let Some(mut n) = m.values_of("notation") { while let Some(name) = n.next() { let value = n.next().unwrap(); let (critical, name) = if name.len() > 0 && Some('!') == name.chars().next() { (true, &name[1..]) } else { (false, name) }; builder = builder.add_notation( name, value, NotationDataFlags::empty().set_human_readable(), critical)?; } } // Sign it. 
let mut signer = certifier.primary_key().key().clone() .parts_into_secret()?.into_keypair()?; let certification = builder .sign_userid_binding( &mut signer, cert.primary_key().component(), userid)?; let cert = cert.insert_packets(certification.clone())?; assert!(cert.clone().into_packets().any(|p| { match p { Packet::Signature(sig) => sig == certification, _ => false, } })); // And export it. let mut message = config.create_or_stdout_pgp( m.value_of("output"), m.is_present("binary"), sequoia_openpgp::armor::Kind::PublicKey)?; cert.serialize(&mut message)?; message.finalize()?; Ok(()) } sequoia-sq-0.25.0/src/commands/decrypt.rs010064400017500001750000000305601402044017700164610ustar 00000000000000use anyhow::Context as _; use std::collections::HashMap; use std::io; use rpassword; use sequoia_openpgp as openpgp; use crate::openpgp::types::SymmetricAlgorithm; use crate::openpgp::fmt::hex; use crate::openpgp::crypto::{self, SessionKey}; use crate::openpgp::{Fingerprint, Cert, KeyID, Result}; use crate::openpgp::packet; use crate::openpgp::packet::prelude::*; use crate::openpgp::parse::{ Parse, PacketParser, PacketParserResult, }; use crate::openpgp::parse::stream::{ VerificationHelper, DecryptionHelper, DecryptorBuilder, MessageStructure, }; use crate::{ Config, commands::{ dump::PacketDumper, VHelper, }, }; struct Helper<'a> { vhelper: VHelper<'a>, secret_keys: HashMap>, key_identities: HashMap, key_hints: HashMap, dump_session_key: bool, dumper: Option, } impl<'a> Helper<'a> { fn new(config: &Config<'a>, signatures: usize, certs: Vec, secrets: Vec, dump_session_key: bool, dump: bool) -> Self { let mut keys = HashMap::new(); let mut identities: HashMap = HashMap::new(); let mut hints: HashMap = HashMap::new(); for tsk in secrets { let hint = match tsk.with_policy(&config.policy, None) .and_then(|valid_cert| valid_cert.primary_userid()).ok() { Some(uid) => format!("{} ({})", uid.userid(), KeyID::from(tsk.fingerprint())), None => format!("{}", 
KeyID::from(tsk.fingerprint())), }; for ka in tsk.keys() // XXX: Should use the message's creation time that we do not know. .with_policy(&config.policy, None) .for_transport_encryption().for_storage_encryption() .secret() { let id: KeyID = ka.key().fingerprint().into(); keys.insert(id.clone(), ka.key().clone().into()); identities.insert(id.clone(), tsk.fingerprint()); hints.insert(id, hint.clone()); } } Helper { vhelper: VHelper::new(config, signatures, certs), secret_keys: keys, key_identities: identities, key_hints: hints, dump_session_key: dump_session_key, dumper: if dump { let width = term_size::dimensions_stdout().map(|(w, _)| w) .unwrap_or(80); Some(PacketDumper::new(width, false)) } else { None }, } } /// Tries to decrypt the given PKESK packet with `keypair` and try /// to decrypt the packet parser using `decrypt`. fn try_decrypt(&self, pkesk: &PKESK, sym_algo: Option, keypair: &mut dyn crypto::Decryptor, decrypt: &mut D) -> Option> where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool { let keyid = keypair.public().fingerprint().into(); match pkesk.decrypt(keypair, sym_algo) .and_then(|(algo, sk)| { if decrypt(algo, &sk) { Some(sk) } else { None } }) { Some(sk) => { if self.dump_session_key { eprintln!("Session key: {}", hex::encode(&sk)); } Some(self.key_identities.get(&keyid).map(|fp| fp.clone())) }, None => None, } } } impl<'a> VerificationHelper for Helper<'a> { fn inspect(&mut self, pp: &PacketParser) -> Result<()> { if let Some(dumper) = self.dumper.as_mut() { dumper.packet(&mut io::stderr(), pp.recursion_depth() as usize, pp.header().clone(), pp.packet.clone(), pp.map().map(|m| m.clone()), None)?; } Ok(()) } fn get_certs(&mut self, ids: &[openpgp::KeyHandle]) -> Result> { self.vhelper.get_certs(ids) } fn check(&mut self, structure: MessageStructure) -> Result<()> { self.vhelper.check(structure) } } impl<'a> DecryptionHelper for Helper<'a> { fn decrypt(&mut self, pkesks: &[PKESK], skesks: &[SKESK], sym_algo: Option, mut decrypt: D) -> 
openpgp::Result> where D: FnMut(SymmetricAlgorithm, &SessionKey) -> bool { // First, we try those keys that we can use without prompting // for a password. for pkesk in pkesks { let keyid = pkesk.recipient(); if let Some(key) = self.secret_keys.get(&keyid) { if ! key.secret().is_encrypted() { if let Some(fp) = key.clone().into_keypair().ok() .and_then(|mut k| self.try_decrypt(pkesk, sym_algo, &mut k, &mut decrypt)) { return Ok(fp); } } } } // Second, we try those keys that are encrypted. for pkesk in pkesks { // Don't ask the user to decrypt a key if we don't support // the algorithm. if ! pkesk.pk_algo().is_supported() { continue; } let keyid = pkesk.recipient(); if let Some(key) = self.secret_keys.get_mut(&keyid) { let mut keypair = loop { if ! key.secret().is_encrypted() { break key.clone().into_keypair().unwrap(); } let p = rpassword::read_password_from_tty(Some( &format!( "Enter password to decrypt key {}: ", self.key_hints.get(&keyid).unwrap())))?.into(); let algo = key.pk_algo(); if let Some(()) = key.secret_mut().decrypt_in_place(algo, &p).ok() { break key.clone().into_keypair().unwrap() } else { eprintln!("Bad password."); } }; if let Some(fp) = self.try_decrypt(pkesk, sym_algo, &mut keypair, &mut decrypt) { return Ok(fp); } } } // Third, we try to decrypt PKESK packets with wildcard // recipients using those keys that we can use without // prompting for a password. for pkesk in pkesks.iter().filter(|p| p.recipient().is_wildcard()) { for key in self.secret_keys.values() { if ! key.secret().is_encrypted() { if let Some(fp) = key.clone().into_keypair().ok() .and_then(|mut k| self.try_decrypt(pkesk, sym_algo, &mut k, &mut decrypt)) { return Ok(fp); } } } } // Fourth, we try to decrypt PKESK packets with wildcard // recipients using those keys that are encrypted. for pkesk in pkesks.iter().filter(|p| p.recipient().is_wildcard()) { // Don't ask the user to decrypt a key if we don't support // the algorithm. if ! 
pkesk.pk_algo().is_supported() { continue; } // To appease the borrow checker, iterate over the // hashmap, awkwardly. for keyid in self.secret_keys.keys().cloned().collect::>() { let mut keypair = loop { let key = self.secret_keys.get_mut(&keyid).unwrap(); // Yuck if ! key.secret().is_encrypted() { break key.clone().into_keypair().unwrap(); } let p = rpassword::read_password_from_tty(Some( &format!( "Enter password to decrypt key {}: ", self.key_hints.get(&keyid).unwrap())))?.into(); let algo = key.pk_algo(); if let Some(()) = key.secret_mut().decrypt_in_place(algo, &p).ok() { break key.clone().into_keypair().unwrap() } else { eprintln!("Bad password."); } }; if let Some(fp) = self.try_decrypt(pkesk, sym_algo, &mut keypair, &mut decrypt) { return Ok(fp); } } } if skesks.is_empty() { return Err(anyhow::anyhow!("No key to decrypt message")); } // Finally, try to decrypt using the SKESKs. loop { let password = rpassword::read_password_from_tty(Some( "Enter password to decrypt message: "))?.into(); for skesk in skesks { if let Some(sk) = skesk.decrypt(&password).ok() .and_then(|(algo, sk)| { if decrypt(algo, &sk) { Some(sk) } else { None }}) { if self.dump_session_key { eprintln!("Session key: {}", hex::encode(&sk)); } return Ok(None); } } eprintln!("Bad password."); } } } pub fn decrypt(config: Config, input: &mut (dyn io::Read + Sync + Send), output: &mut dyn io::Write, signatures: usize, certs: Vec, secrets: Vec, dump_session_key: bool, dump: bool, hex: bool) -> Result<()> { let helper = Helper::new(&config, signatures, certs, secrets, dump_session_key, dump || hex); let mut decryptor = DecryptorBuilder::from_reader(input)? 
.mapping(hex) .with_policy(&config.policy, None, helper) .context("Decryption failed")?; io::copy(&mut decryptor, output).context("Decryption failed")?; let helper = decryptor.into_helper(); if let Some(dumper) = helper.dumper.as_ref() { dumper.flush(&mut io::stderr())?; } helper.vhelper.print_status(); return Ok(()); } pub fn decrypt_unwrap(config: Config, input: &mut (dyn io::Read + Sync + Send), output: &mut dyn io::Write, secrets: Vec, dump_session_key: bool) -> Result<()> { let mut helper = Helper::new(&config, 0, Vec::new(), secrets, dump_session_key, false); let mut ppr = PacketParser::from_reader(input)?; let mut pkesks: Vec = Vec::new(); let mut skesks: Vec = Vec::new(); while let PacketParserResult::Some(mut pp) = ppr { let sym_algo_hint = if let Packet::AED(ref aed) = pp.packet { Some(aed.symmetric_algo()) } else { None }; match pp.packet { Packet::SEIP(_) | Packet::AED(_) => { { let decrypt = |algo, secret: &SessionKey| { pp.decrypt(algo, secret).is_ok() }; helper.decrypt(&pkesks[..], &skesks[..], sym_algo_hint, decrypt)?; } if pp.encrypted() { return Err( openpgp::Error::MissingSessionKey( "No session key".into()).into()); } io::copy(&mut pp, output)?; return Ok(()); }, Packet::MDC(ref mdc) => if ! 
mdc.valid() { return Err(openpgp::Error::ManipulatedMessage.into()); }, _ => (), } let (p, ppr_tmp) = pp.recurse()?; match p { Packet::PKESK(pkesk) => pkesks.push(pkesk), Packet::SKESK(skesk) => skesks.push(skesk), _ => (), } ppr = ppr_tmp; } Ok(()) } sequoia-sq-0.25.0/src/commands/dump.rs010064400017500001750000001174151402044017700157610ustar 00000000000000use std::io::{self, Read}; use sequoia_openpgp as openpgp; use self::openpgp::types::{Duration, Timestamp, SymmetricAlgorithm}; use self::openpgp::fmt::hex; use self::openpgp::crypto::mpi; use self::openpgp::{Packet, Result}; use self::openpgp::packet::prelude::*; use self::openpgp::packet::header::CTB; use self::openpgp::packet::{Header, header::BodyLength, Signature}; use self::openpgp::packet::signature::subpacket::{Subpacket, SubpacketValue}; use self::openpgp::crypto::{SessionKey, S2K}; use self::openpgp::parse::{map::Map, Parse, PacketParserResult}; #[derive(Debug)] pub enum Kind { Message { encrypted: bool, }, Keyring, Cert, Unknown, } /// Converts sequoia_openpgp types for rendering. pub trait Convert { /// Performs the conversion. fn convert(self) -> T; } impl Convert for std::time::Duration { fn convert(self) -> chrono::Duration { chrono::Duration::seconds(self.as_secs() as i64) } } impl Convert for Duration { fn convert(self) -> chrono::Duration { chrono::Duration::seconds(self.as_secs() as i64) } } impl Convert> for std::time::SystemTime { fn convert(self) -> chrono::DateTime { chrono::DateTime::::from(self) } } impl Convert> for Timestamp { fn convert(self) -> chrono::DateTime { std::time::SystemTime::from(self).convert() } } pub fn dump(input: &mut (dyn io::Read + Sync + Send), output: &mut dyn io::Write, mpis: bool, hex: bool, sk: Option<&SessionKey>, width: W) -> Result where W: Into> { let mut ppr = self::openpgp::parse::PacketParserBuilder::from_reader(input)? 
.map(hex).build()?; let mut message_encrypted = false; let width = width.into().unwrap_or(80); let mut dumper = PacketDumper::new(width, mpis); while let PacketParserResult::Some(mut pp) = ppr { let additional_fields = match pp.packet { Packet::Literal(_) => { let mut prefix = vec![0; 40]; let n = pp.read(&mut prefix)?; Some(vec![ format!("Content: {:?}{}", String::from_utf8_lossy(&prefix[..n]), if n == prefix.len() { "..." } else { "" }), ]) }, Packet::SEIP(_) if sk.is_none() => { message_encrypted = true; Some(vec!["No session key supplied".into()]) } Packet::SEIP(_) if sk.is_some() => { message_encrypted = true; let sk = sk.as_ref().unwrap(); let mut decrypted_with = None; for algo in 1..20 { let algo = SymmetricAlgorithm::from(algo); if let Ok(size) = algo.key_size() { if size != sk.len() { continue; } } else { continue; } if let Ok(_) = pp.decrypt(algo, sk) { decrypted_with = Some(algo); break; } } let mut fields = Vec::new(); fields.push(format!("Session key: {}", hex::encode(sk))); if let Some(algo) = decrypted_with { fields.push(format!("Symmetric algo: {}", algo)); fields.push("Decryption successful".into()); } else { fields.push("Decryption failed".into()); } Some(fields) }, Packet::AED(_) if sk.is_none() => { message_encrypted = true; Some(vec!["No session key supplied".into()]) } Packet::AED(_) if sk.is_some() => { message_encrypted = true; let sk = sk.as_ref().unwrap(); let algo = if let Packet::AED(ref aed) = pp.packet { aed.symmetric_algo() } else { unreachable!() }; let _ = pp.decrypt(algo, sk); let mut fields = Vec::new(); fields.push(format!("Session key: {}", hex::encode(sk))); if pp.encrypted() { fields.push("Decryption failed".into()); } else { fields.push("Decryption successful".into()); } Some(fields) }, _ => None, }; let header = pp.header().clone(); let map = pp.take_map(); let recursion_depth = pp.recursion_depth(); let packet = pp.packet.clone(); dumper.packet(output, recursion_depth as usize, header, packet, map, additional_fields)?; let 
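(_, ppr_) = match pp.recurse() { Ok(v) => Ok(v), Err(e) => { let _ = dumper.flush(output); Err(e) }, }?; ppr = ppr_; } dumper.flush(output)?; if let PacketParserResult::EOF(eof) = ppr { if eof.is_message().is_ok() { Ok(Kind::Message { encrypted: message_encrypted, }) } else if eof.is_cert().is_ok() { Ok(Kind::Cert) } else if eof.is_keyring().is_ok() { Ok(Kind::Keyring) } else { Ok(Kind::Unknown) } } else { unreachable!() } }

/// One packet in the tree that `PacketDumper` assembles before printing.
struct Node {
    header: Header,
    packet: Packet,
    // Field map of the packet; when present it drives the hexdump that
    // follows the packet's fields.
    map: Option<Map>,
    // Extra lines printed after the packet's own fields.
    additional_fields: Option<Vec<String>>,
    // Packets nested directly below this one, in insertion order.
    children: Vec<Node>,
}

impl Node {
    /// Creates a node that has no children yet.
    fn new(header: Header, packet: Packet, map: Option<Map>,
           additional_fields: Option<Vec<String>>)
           -> Self {
        Node {
            header,
            packet,
            map,
            additional_fields,
            children: Vec::new(),
        }
    }

    /// Inserts `node` `depth` levels below `self`, descending into the
    /// most recently added child at every level.
    ///
    /// # Panics
    ///
    /// Panics if a level on the way down has no children, i.e. if
    /// `depth` is larger than the depth of the tree built so far.
    fn append(&mut self, depth: usize, node: Node) {
        if depth == 0 {
            self.children.push(node);
            return;
        }

        self.children.last_mut().unwrap().append(depth - 1, node);
    }
}

/// Collects packets into a tree and prints every finished top-level
/// tree.
pub struct PacketDumper {
    // Target output width; bounds the indentation used for hexdumps.
    width: usize,
    // When set, MPIs are dumped as well.  For packets that carry
    // unencrypted secret key material this writes the private
    // parameters to the output in hex.
    mpis: bool,
    // Top-level packet that is currently being assembled, if any.
    root: Option<Node>,
}

impl PacketDumper {
    /// Creates a dumper for the given output width.  `mpis` selects
    /// whether MPIs are printed.
    pub fn new(width: usize, mpis: bool) -> Self {
        PacketDumper {
            width,
            mpis,
            root: None,
        }
    }

    /// Adds one packet at nesting level `depth`.
    ///
    /// A packet at depth 0 starts a new tree: the tree collected so
    /// far, if any, is written to `output` first.  A packet at a
    /// greater depth is attached below the current tree and nothing is
    /// written.
    ///
    /// # Panics
    ///
    /// Panics if the very first packet has a non-zero depth, or if
    /// `depth` skips a level of the current tree.
    pub fn packet(&mut self, output: &mut dyn io::Write, depth: usize,
                  header: Header, p: Packet, map: Option<Map>,
                  additional_fields: Option<Vec<String>>)
                  -> Result<()> {
        let node = Node::new(header, p, map, additional_fields);

        if self.root.is_none() {
            assert_eq!(depth, 0);
            self.root = Some(node);
        } else if depth == 0 {
            // The previous top-level packet is complete: print it, then
            // start over with the new one.
            let finished = self.root.take().unwrap();
            self.dump_tree(output, "", &finished)?;
            self.root = Some(node);
        } else {
            self.root.as_mut().unwrap().append(depth - 1, node);
        }

        Ok(())
    }

    /// Writes the tree collected so far to `output`.
    ///
    /// The tree is kept, so a second call prints it again.
    pub fn flush(&self, output: &mut dyn io::Write) -> Result<()> {
        match self.root.as_ref() {
            Some(root) => self.dump_tree(output, "", root),
            None => Ok(()),
        }
    }

    fn dump_tree(&self, output: &mut dyn io::Write, indent: &str, node: &Node) -> Result<()> { let indent_node = format!("{}{} ", indent, if node.children.is_empty() { " " } else { "│" }); self.dump_packet(output, &indent_node, Some(&node.header), &node.packet,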
node.map.as_ref(), node.additional_fields.as_ref())?; if node.children.is_empty() { return Ok(()); } let last = node.children.len() - 1; for (i, child) in node.children.iter().enumerate() { let is_last = i == last; write!(output, "{}{}── ", indent, if is_last { "└" } else { "├" })?; let indent_child = format!("{}{} ", indent, if is_last { " " } else { "│" }); self.dump_tree(output, &indent_child, child)?; } Ok(()) } fn dump_packet(&self, output: &mut dyn io::Write, i: &str, header: Option<&Header>, p: &Packet, map: Option<&Map>, additional_fields: Option<&Vec>) -> Result<()> { use self::openpgp::Packet::*; if let Some(tag) = p.kind() { write!(output, "{}", tag)?; } else { write!(output, "Unknown or Unsupported Packet")?; } if let Some(h) = header { write!(output, ", {} CTB, {}{}", if let CTB::Old(_) = h.ctb() { "old" } else { "new" }, if let Some(map) = map { format!("{} header bytes + ", map.iter().take(2).map(|f| f.as_bytes().len()) .sum::()) } else { // XXX: Mapping is disabled. No can do for // now. Once we save the header in // packet::Common, we can use this instead of // relying on the map. 
"".into() }, match h.length() { BodyLength::Full(n) => format!("{} bytes", n), BodyLength::Partial(n) => format!("partial length, {} bytes in first chunk", n), BodyLength::Indeterminate => "indeterminate length".into(), })?; } writeln!(output)?; fn dump_key(pd: &PacketDumper, output: &mut dyn io::Write, i: &str, k: &Key) -> Result<()> where P: key::KeyParts, R: key::KeyRole, { writeln!(output, "{} Version: {}", i, k.version())?; writeln!(output, "{} Creation time: {}", i, k.creation_time().convert())?; writeln!(output, "{} Pk algo: {}", i, k.pk_algo())?; if let Some(bits) = k.mpis().bits() { writeln!(output, "{} Pk size: {} bits", i, bits)?; } writeln!(output, "{} Fingerprint: {}", i, k.fingerprint())?; writeln!(output, "{} KeyID: {}", i, k.keyid())?; if pd.mpis { writeln!(output, "{}", i)?; writeln!(output, "{} Public Key:", i)?; let ii = format!("{} ", i); match k.mpis() { mpi::PublicKey::RSA { e, n } => pd.dump_mpis(output, &ii, &[e.value(), n.value()], &["e", "n"])?, mpi::PublicKey::DSA { p, q, g, y } => pd.dump_mpis(output, &ii, &[p.value(), q.value(), g.value(), y.value()], &["p", "q", "g", "y"])?, mpi::PublicKey::ElGamal { p, g, y } => pd.dump_mpis(output, &ii, &[p.value(), g.value(), y.value()], &["p", "g", "y"])?, mpi::PublicKey::EdDSA { curve, q } => { writeln!(output, "{} Curve: {}", ii, curve)?; pd.dump_mpis(output, &ii, &[q.value()], &["q"])?; }, mpi::PublicKey::ECDSA { curve, q } => { writeln!(output, "{} Curve: {}", ii, curve)?; pd.dump_mpis(output, &ii, &[q.value()], &["q"])?; }, mpi::PublicKey::ECDH { curve, q, hash, sym } => { writeln!(output, "{} Curve: {}", ii, curve)?; writeln!(output, "{} Hash algo: {}", ii, hash)?; writeln!(output, "{} Symmetric algo: {}", ii, sym)?; pd.dump_mpis(output, &ii, &[q.value()], &["q"])?; }, mpi::PublicKey::Unknown { mpis, rest } => { let keys: Vec = (0..mpis.len()).map( |i| format!("mpi{}", i)).collect(); pd.dump_mpis( output, &ii, &mpis.iter().map(|m| { m.value().iter().as_slice() }).collect::>()[..], 
&keys.iter().map(|k| k.as_str()) .collect::>()[..], )?; pd.dump_mpis(output, &ii, &[&rest[..]], &["rest"])?; }, // crypto::mpi:Publickey is non-exhaustive _ => writeln!(output, "{} Unknown variant", ii)?, } } if let Some(secrets) = k.optional_secret() { writeln!(output, "{}", i)?; writeln!(output, "{} Secret Key:", i)?; let ii = format!("{} ", i); match secrets { SecretKeyMaterial::Unencrypted(ref u) => { writeln!(output, "{}", i)?; writeln!(output, "{} Unencrypted", ii)?; if pd.mpis { u.map(|mpis| -> Result<()> { match mpis { mpi::SecretKeyMaterial::RSA { d, p, q, u } => pd.dump_mpis(output, &ii, &[d.value(), p.value(), q.value(), u.value()], &["d", "p", "q", "u"])?, mpi::SecretKeyMaterial::DSA { x } => pd.dump_mpis(output, &ii, &[x.value()], &["x"])?, mpi::SecretKeyMaterial::ElGamal { x } => pd.dump_mpis(output, &ii, &[x.value()], &["x"])?, mpi::SecretKeyMaterial::EdDSA { scalar } => pd.dump_mpis(output, &ii, &[scalar.value()], &["scalar"])?, mpi::SecretKeyMaterial::ECDSA { scalar } => pd.dump_mpis(output, &ii, &[scalar.value()], &["scalar"])?, mpi::SecretKeyMaterial::ECDH { scalar } => pd.dump_mpis(output, &ii, &[scalar.value()], &["scalar"])?, mpi::SecretKeyMaterial::Unknown { mpis, rest } => { let keys: Vec = (0..mpis.len()).map( |i| format!("mpi{}", i)).collect(); pd.dump_mpis( output, &ii, &mpis.iter().map(|m| { m.value().iter().as_slice() }).collect::>()[..], &keys.iter().map(|k| k.as_str()) .collect::>()[..], )?; pd.dump_mpis(output, &ii, &[rest], &["rest"])?; }, // crypto::mpi::SecretKeyMaterial is non-exhaustive. _ => writeln!(output, "{} Unknown variant", ii)?, } Ok(()) })?; } } SecretKeyMaterial::Encrypted(ref e) => { writeln!(output, "{}", i)?; writeln!(output, "{} Encrypted", ii)?; write!(output, "{} S2K: ", ii)?; pd.dump_s2k(output, &ii, e.s2k())?; writeln!(output, "{} Sym. 
algo: {}", ii, e.algo())?; if pd.mpis { if let Ok(ciphertext) = e.ciphertext() { pd.dump_mpis(output, &ii, &[ciphertext], &["ciphertext"])?; } } }, } } Ok(()) } match p { Unknown(ref u) => { writeln!(output, "{} Tag: {}", i, u.tag())?; writeln!(output, "{} Error: {}", i, u.error())?; }, PublicKey(ref k) => dump_key(self, output, i, k)?, PublicSubkey(ref k) => dump_key(self, output, i, k)?, SecretKey(ref k) => dump_key(self, output, i, k)?, SecretSubkey(ref k) => dump_key(self, output, i, k)?, Signature(ref s) => { writeln!(output, "{} Version: {}", i, s.version())?; writeln!(output, "{} Type: {}", i, s.typ())?; writeln!(output, "{} Pk algo: {}", i, s.pk_algo())?; writeln!(output, "{} Hash algo: {}", i, s.hash_algo())?; if s.hashed_area().iter().count() > 0 { writeln!(output, "{} Hashed area:", i)?; for pkt in s.hashed_area().iter() { self.dump_subpacket(output, i, pkt, s)?; } } if s.unhashed_area().iter().count() > 0 { writeln!(output, "{} Unhashed area:", i)?; for pkt in s.unhashed_area().iter() { self.dump_subpacket(output, i, pkt, s)?; } } writeln!(output, "{} Digest prefix: {}", i, hex::encode(s.digest_prefix()))?; write!(output, "{} Level: {} ", i, s.level())?; match s.level() { 0 => writeln!(output, "(signature over data)")?, 1 => writeln!(output, "(notarization over signatures \ level 0 and data)")?, n => writeln!(output, "(notarization over signatures \ level <= {} and data)", n - 1)?, } if self.mpis { writeln!(output, "{}", i)?; writeln!(output, "{} Signature:", i)?; let ii = format!("{} ", i); match s.mpis() { mpi::Signature::RSA { s } => self.dump_mpis(output, &ii, &[s.value()], &["s"])?, mpi::Signature::DSA { r, s } => self.dump_mpis(output, &ii, &[r.value(), s.value()], &["r", "s"])?, mpi::Signature::ElGamal { r, s } => self.dump_mpis(output, &ii, &[r.value(), s.value()], &["r", "s"])?, mpi::Signature::EdDSA { r, s } => self.dump_mpis(output, &ii, &[r.value(), s.value()], &["r", "s"])?, mpi::Signature::ECDSA { r, s } => self.dump_mpis(output, &ii, 
&[r.value(), s.value()], &["r", "s"])?, mpi::Signature::Unknown { mpis, rest } => { let keys: Vec = (0..mpis.len()).map( |i| format!("mpi{}", i)).collect(); self.dump_mpis( output, &ii, &mpis.iter().map(|m| { m.value().iter().as_slice() }).collect::>()[..], &keys.iter().map(|k| k.as_str()) .collect::>()[..], )?; self.dump_mpis(output, &ii, &[&rest[..]], &["rest"])?; }, // crypto::mpi::Signature is non-exhaustive. _ => writeln!(output, "{} Unknown variant", ii)?, } } }, OnePassSig(ref o) => { writeln!(output, "{} Version: {}", i, o.version())?; writeln!(output, "{} Type: {}", i, o.typ())?; writeln!(output, "{} Pk algo: {}", i, o.pk_algo())?; writeln!(output, "{} Hash algo: {}", i, o.hash_algo())?; writeln!(output, "{} Issuer: {}", i, o.issuer())?; writeln!(output, "{} Last: {}", i, o.last())?; }, Trust(ref p) => { writeln!(output, "{} Value: {}", i, hex::encode(p.value()))?; }, UserID(ref u) => { writeln!(output, "{} Value: {}", i, String::from_utf8_lossy(u.value()))?; }, UserAttribute(ref u) => { use self::openpgp::packet::user_attribute::{Subpacket, Image}; for subpacket in u.subpackets() { match subpacket { Ok(Subpacket::Image(image)) => match image { Image::JPEG(data) => writeln!(output, "{} JPEG: {} bytes", i, data.len())?, Image::Private(n, data) => writeln!(output, "{} Private image({}): {} bytes", i, n, data.len())?, Image::Unknown(n, data) => writeln!(output, "{} Unknown image({}): {} bytes", i, n, data.len())?, }, Ok(Subpacket::Unknown(n, data)) => writeln!(output, "{} Unknown subpacket({}): {} bytes", i, n, data.len())?, Err(e) => writeln!(output, "{} Invalid subpacket encoding: {}", i, e)?, } } }, Marker(_) => { }, Literal(ref l) => { writeln!(output, "{} Format: {}", i, l.format())?; if let Some(filename) = l.filename() { writeln!(output, "{} Filename: {}", i, String::from_utf8_lossy(filename))?; } if let Some(timestamp) = l.date() { writeln!(output, "{} Timestamp: {}", i, timestamp.convert())?; } }, CompressedData(ref c) => { writeln!(output, "{} 
Algorithm: {}", i, c.algo())?; }, PKESK(ref p) => { writeln!(output, "{} Version: {}", i, p.version())?; writeln!(output, "{} Recipient: {}", i, p.recipient())?; writeln!(output, "{} Pk algo: {}", i, p.pk_algo())?; if self.mpis { writeln!(output, "{}", i)?; writeln!(output, "{} Encrypted session key:", i)?; let ii = format!("{} ", i); match p.esk() { mpi::Ciphertext::RSA { c } => self.dump_mpis(output, &ii, &[c.value()], &["c"])?, mpi::Ciphertext::ElGamal { e, c } => self.dump_mpis(output, &ii, &[e.value(), c.value()], &["e", "c"])?, mpi::Ciphertext::ECDH { e, key } => self.dump_mpis(output, &ii, &[e.value(), key], &["e", "key"])?, mpi::Ciphertext::Unknown { mpis, rest } => { let keys: Vec = (0..mpis.len()).map( |i| format!("mpi{}", i)).collect(); self.dump_mpis( output, &ii, &mpis.iter().map(|m| { m.value().iter().as_slice() }).collect::>()[..], &keys.iter().map(|k| k.as_str()) .collect::>()[..], )?; self.dump_mpis(output, &ii, &[rest], &["rest"])?; }, // crypto::mpi::Ciphertext is non-exhaustive. _ => writeln!(output, "{} Unknown variant", ii)?, } } }, SKESK(ref s) => { writeln!(output, "{} Version: {}", i, s.version())?; match s { self::openpgp::packet::SKESK::V4(ref s) => { writeln!(output, "{} Symmetric algo: {}", i, s.symmetric_algo())?; write!(output, "{} S2K: ", i)?; self.dump_s2k(output, i, s.s2k())?; if let Ok(Some(esk)) = s.esk() { writeln!(output, "{} ESK: {}", i, hex::encode(esk))?; } }, self::openpgp::packet::SKESK::V5(ref s) => { writeln!(output, "{} Symmetric algo: {}", i, s.symmetric_algo())?; writeln!(output, "{} AEAD: {}", i, s.aead_algo())?; write!(output, "{} S2K: ", i)?; self.dump_s2k(output, i, s.s2k())?; if let Ok(iv) = s.aead_iv() { writeln!(output, "{} IV: {}", i, hex::encode(iv))?; } if let Ok(Some(esk)) = s.esk() { writeln!(output, "{} ESK: {}", i, hex::encode(esk))?; } writeln!(output, "{} Digest: {}", i, hex::encode(s.aead_digest()))?; }, // SKESK is non-exhaustive. 
_ => writeln!(output, "{} Unknown variant", i)?, } }, SEIP(ref s) => { writeln!(output, "{} Version: {}", i, s.version())?; }, MDC(ref m) => { writeln!(output, "{} Digest: {}", i, hex::encode(m.digest()))?; writeln!(output, "{} Computed digest: {}", i, hex::encode(m.computed_digest()))?; }, AED(ref a) => { writeln!(output, "{} Version: {}", i, a.version())?; writeln!(output, "{} Symmetric algo: {}", i, a.symmetric_algo())?; writeln!(output, "{} AEAD: {}", i, a.aead())?; writeln!(output, "{} Chunk size: {}", i, a.chunk_size())?; writeln!(output, "{} IV: {}", i, hex::encode(a.iv()))?; }, // openpgp::Packet is non-exhaustive. _ => writeln!(output, "{} Unknown variant", i)?, } if let Some(fields) = additional_fields { for field in fields { writeln!(output, "{} {}", i, field)?; } } if let Some(map) = map { writeln!(output, "{}", i)?; let mut hd = hex::Dumper::new(output, self.indentation_for_hexdump( i, map.iter() .map(|f| if f.name() == "body" { 16 } else { f.name().len() }) .max() .expect("we always have one entry"))); for field in map.iter() { if field.name() == "body" { hd.write_ascii(field.as_bytes())?; } else { hd.write(field.as_bytes(), field.name())?; } } let output = hd.into_inner(); writeln!(output, "{}", i)?; } else { writeln!(output, "{}", i)?; } Ok(()) } fn dump_subpacket(&self, output: &mut dyn io::Write, i: &str, s: &Subpacket, sig: &Signature) -> Result<()> { use self::SubpacketValue::*; let hexdump_unknown = |output: &mut dyn io::Write, buf| -> Result<()> { let mut hd = hex::Dumper::new(output, self.indentation_for_hexdump( &format!("{} ", i), 0)); hd.write_labeled(buf, |_, _| None)?; Ok(()) }; match s.value() { Unknown { body, .. 
} => { writeln!(output, "{} {:?}{}:", i, s.tag(), if s.critical() { " (critical)" } else { "" })?; hexdump_unknown(output, body.as_slice())?; }, SignatureCreationTime(t) => write!(output, "{} Signature creation time: {}", i, (*t).convert())?, SignatureExpirationTime(t) => write!(output, "{} Signature expiration time: {} ({})", i, t.convert(), if let Some(creation) = sig.signature_creation_time() { (creation + t.clone().into()).convert().to_string() } else { " (no Signature Creation Time subpacket)".into() })?, ExportableCertification(e) => write!(output, "{} Exportable certification: {}", i, e)?, TrustSignature{level, trust} => write!(output, "{} Trust signature: level {} trust {}", i, level, trust)?, RegularExpression(ref r) => write!(output, "{} Regular expression: {}", i, String::from_utf8_lossy(r))?, Revocable(r) => write!(output, "{} Revocable: {}", i, r)?, KeyExpirationTime(t) => write!(output, "{} Key expiration time: {}", i, t.convert())?, PreferredSymmetricAlgorithms(ref c) => write!(output, "{} Symmetric algo preferences: {}", i, c.iter().map(|c| format!("{:?}", c)) .collect::>().join(", "))?, RevocationKey(rk) => { let (pk_algo, fp) = rk.revoker(); write!(output, "{} Revocation key: {}/{}", i, fp, pk_algo)?; if rk.sensitive() { write!(output, ", sensitive")?; } }, Issuer(ref is) => write!(output, "{} Issuer: {}", i, is)?, NotationData(n) => if n.flags().human_readable() { write!(output, "{} Notation: {}", i, n)?; if s.critical() { write!(output, " (critical)")?; } writeln!(output)?; } else { write!(output, "{} Notation: {}", i, n.name())?; let flags = format!("{:?}", n.flags()); if ! 
flags.is_empty() { write!(output, "{}", flags)?; } if s.critical() { write!(output, " (critical)")?; } writeln!(output)?; hexdump_unknown(output, n.value())?; }, PreferredHashAlgorithms(ref h) => write!(output, "{} Hash preferences: {}", i, h.iter().map(|h| format!("{:?}", h)) .collect::>().join(", "))?, PreferredCompressionAlgorithms(ref c) => write!(output, "{} Compression preferences: {}", i, c.iter().map(|c| format!("{:?}", c)) .collect::>().join(", "))?, KeyServerPreferences(ref p) => write!(output, "{} Keyserver preferences: {:?}", i, p)?, PreferredKeyServer(ref k) => write!(output, "{} Preferred keyserver: {}", i, String::from_utf8_lossy(k))?, PrimaryUserID(p) => write!(output, "{} Primary User ID: {}", i, p)?, PolicyURI(ref p) => write!(output, "{} Policy URI: {}", i, String::from_utf8_lossy(p))?, KeyFlags(ref k) => write!(output, "{} Key flags: {:?}", i, k)?, SignersUserID(ref u) => write!(output, "{} Signer's User ID: {}", i, String::from_utf8_lossy(u))?, ReasonForRevocation{code, ref reason} => { let reason = String::from_utf8_lossy(reason); write!(output, "{} Reason for revocation: {}{}{}", i, code, if reason.len() > 0 { ", " } else { "" }, reason)? } Features(ref f) => write!(output, "{} Features: {:?}", i, f)?, SignatureTarget{pk_algo, hash_algo, ref digest} => write!(output, "{} Signature target: {}, {}, {}", i, pk_algo, hash_algo, hex::encode(digest))?, EmbeddedSignature(_) => // Embedded signature is dumped below. write!(output, "{} Embedded signature: ", i)?, IssuerFingerprint(ref fp) => write!(output, "{} Issuer Fingerprint: {}", i, fp)?, PreferredAEADAlgorithms(ref c) => write!(output, "{} AEAD preferences: {}", i, c.iter().map(|c| format!("{:?}", c)) .collect::>().join(", "))?, IntendedRecipient(ref fp) => write!(output, "{} Intended Recipient: {}", i, fp)?, // SubpacketValue is non-exhaustive. _ => writeln!(output, "{} Unknown variant", i)?, } match s.value() { Unknown { .. } => (), NotationData { .. 
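} => (), EmbeddedSignature(ref sig) => { if s.critical() { write!(output, " (critical)")?; } writeln!(output)?; let indent = format!("{} ", i); write!(output, "{}", indent)?; self.dump_packet(output, &indent, None, &sig.clone().into(), None, None)?; }, _ => { if s.critical() { write!(output, " (critical)")?; } writeln!(output)?; } } Ok(()) }

    /// Prints a string-to-key specifier.
    ///
    /// The type name is written first, without a prefix, so the caller
    /// is expected to have written the label on the current line
    /// already.  Each parameter follows on its own line, prefixed with
    /// `i`.  Salts are printed in hex.
    fn dump_s2k(&self, output: &mut dyn io::Write, i: &str, s2k: &S2K)
                -> Result<()> {
        use self::S2K::*;

        // Presumably some of the variants matched below are marked
        // deprecated by the library; they still have to be printed.
        #[allow(deprecated)]
        match s2k {
            Simple { hash } => {
                writeln!(output, "Simple")?;
                writeln!(output, "{} Hash: {}", i, hash)?;
            },
            Salted { hash, ref salt } => {
                writeln!(output, "Salted")?;
                writeln!(output, "{} Hash: {}", i, hash)?;
                writeln!(output, "{} Salt: {}", i, hex::encode(salt))?;
            },
            Iterated { hash, ref salt, hash_bytes } => {
                writeln!(output, "Iterated")?;
                writeln!(output, "{} Hash: {}", i, hash)?;
                writeln!(output, "{} Salt: {}", i, hex::encode(salt))?;
                writeln!(output, "{} Hash bytes: {}", i, hash_bytes)?;
            },
            Private { tag, parameters } => {
                writeln!(output, "Private")?;
                writeln!(output, "{} Tag: {}", i, tag)?;
                if let Some(p) = parameters.as_ref() {
                    writeln!(output, "{} Parameters: {:?}", i, p)?;
                }
            },
            Unknown { tag, parameters } => {
                writeln!(output, "Unknown")?;
                writeln!(output, "{} Tag: {}", i, tag)?;
                if let Some(p) = parameters.as_ref() {
                    writeln!(output, "{} Parameters: {:?}", i, p)?;
                }
            },

            // S2K is non-exhaustive
            _ => writeln!(output, "{} Unknown variant", i)?,
        }

        Ok(())
    }

    /// Hexdumps a list of byte strings, each under its own label.
    ///
    /// `chunks[n]` is printed with the label `keys[n]`.  Every dump is
    /// preceded by a line holding only `i`, and all labels share one
    /// indentation derived from the longest label.
    ///
    /// The bytes are written to `output` as given.  Callers also pass
    /// secret key parameters through this function, so the output can
    /// contain private key material in the clear.
    ///
    /// # Panics
    ///
    /// Panics if `chunks` and `keys` differ in length.
    fn dump_mpis(&self, output: &mut dyn io::Write, i: &str,
                 chunks: &[&[u8]], keys: &[&str]) -> Result<()> {
        assert_eq!(chunks.len(), keys.len());
        if chunks.is_empty() {
            return Ok(());
        }

        // Not empty, so there is a maximum.
        let max_key_len = keys.iter().map(|k| k.len()).max().unwrap();

        for (&chunk, &key) in chunks.iter().zip(keys.iter()) {
            writeln!(output, "{}", i)?;
            // Render into a buffer first, then hand the finished dump
            // to `output` in one write.
            let mut hd = hex::Dumper::new(
                Vec::new(), self.indentation_for_hexdump(i, max_key_len));
            hd.write(chunk, key)?;
            output.write_all(&hd.into_inner())?;
        }

        Ok(())
    }

    /// Returns indentation for hex dumps.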
/// /// Returns a prefix of `i` so that a hexdump with labels no /// longer than `max_label_len` will fit into the target width. fn indentation_for_hexdump(&self, i: &str, max_label_len: usize) -> String { let amount = ::std::cmp::max( 0, ::std::cmp::min( self.width as isize - 63 // Length of address, hex digits, and whitespace. - max_label_len as isize, i.len() as isize), ) as usize; format!("{} ", &i.chars().take(amount).collect::()) } } sequoia-sq-0.25.0/src/commands/inspect.rs010064400017500001750000000346501402044017700164600ustar 00000000000000use std::convert::TryFrom; use std::io::{self, Read}; use clap; use sequoia_openpgp as openpgp; use crate::openpgp::{KeyHandle, Packet, Result}; use crate::openpgp::cert::prelude::*; use openpgp::packet::{ Signature, key::PublicParts, }; use crate::openpgp::parse::{Parse, PacketParserResult}; use crate::openpgp::policy::Policy; use crate::openpgp::packet::key::SecretKeyMaterial; use super::dump::Convert; pub fn inspect(m: &clap::ArgMatches, policy: &dyn Policy, output: &mut dyn io::Write) -> Result<()> { let print_certifications = m.is_present("certifications"); let input = m.value_of("input"); let input_name = input.unwrap_or("-"); write!(output, "{}: ", input_name)?; let mut type_called = false; // Did we print the type yet? let mut encrypted = false; // Is it an encrypted message? let mut packets = Vec::new(); // Accumulator for packets. let mut pkesks = Vec::new(); // Accumulator for PKESKs. let mut n_skesks = 0; // Number of SKESKs. let mut sigs = Vec::new(); // Accumulator for signatures. let mut literal_prefix = Vec::new(); let mut ppr = openpgp::parse::PacketParser::from_reader(crate::open_or_stdin(input)?)?; while let PacketParserResult::Some(mut pp) = ppr { match pp.packet { Packet::PublicKey(_) | Packet::SecretKey(_) => { if pp.possible_cert().is_err() && pp.possible_keyring().is_ok() { if ! 
type_called { writeln!(output, "OpenPGP Keyring.")?; writeln!(output)?; type_called = true; } let pp = openpgp::PacketPile::from( ::std::mem::replace(&mut packets, Vec::new())); let cert = openpgp::Cert::try_from(pp)?; inspect_cert(policy, output, &cert, print_certifications)?; } }, Packet::Literal(_) => { pp.by_ref().take(40).read_to_end(&mut literal_prefix)?; }, Packet::SEIP(_) | Packet::AED(_) => { encrypted = true; }, _ => (), } let possible_keyring = pp.possible_keyring().is_ok(); let (packet, ppr_) = pp.recurse()?; ppr = ppr_; match packet { Packet::PKESK(p) => pkesks.push(p), Packet::SKESK(_) => n_skesks += 1, Packet::Signature(s) => if possible_keyring { packets.push(Packet::Signature(s)) } else { sigs.push(s) }, _ => packets.push(packet), } } if let PacketParserResult::EOF(eof) = ppr { let is_message = eof.is_message(); let is_cert = eof.is_cert(); let is_keyring = eof.is_keyring(); if is_message.is_ok() { writeln!(output, "{}OpenPGP Message.", match (encrypted, ! sigs.is_empty()) { (false, false) => "", (false, true) => "Signed ", (true, false) => "Encrypted ", (true, true) => "Encrypted and signed ", })?; writeln!(output)?; if n_skesks > 0 { writeln!(output, " Passwords: {}", n_skesks)?; } for pkesk in pkesks.iter() { writeln!(output, " Recipient: {}", pkesk.recipient())?; } inspect_signatures(output, &sigs)?; if ! literal_prefix.is_empty() { writeln!(output, " Data: {:?}{}", String::from_utf8_lossy(&literal_prefix), if literal_prefix.len() == 40 { "..." } else { "" })?; } } else if is_cert.is_ok() || is_keyring.is_ok() { let pp = openpgp::PacketPile::from(packets); let cert = openpgp::Cert::try_from(pp)?; inspect_cert(policy, output, &cert, print_certifications)?; } else if packets.is_empty() && ! 
sigs.is_empty() { writeln!(output, "Detached signature{}.", if sigs.len() > 1 { "s" } else { "" })?; writeln!(output)?; inspect_signatures(output, &sigs)?; } else if packets.is_empty() { writeln!(output, "No OpenPGP data.")?; } else { writeln!(output, "Unknown sequence of OpenPGP packets.")?; writeln!(output, " Message: {}", is_message.unwrap_err())?; writeln!(output, " Cert: {}", is_cert.unwrap_err())?; writeln!(output, " Keyring: {}", is_keyring.unwrap_err())?; writeln!(output)?; writeln!(output, "Hint: Try 'sq packet dump {}'", input_name)?; } } else { unreachable!() } Ok(()) } fn inspect_cert(policy: &dyn Policy, output: &mut dyn io::Write, cert: &openpgp::Cert, print_certifications: bool) -> Result<()> { if cert.is_tsk() { writeln!(output, "Transferable Secret Key.")?; } else { writeln!(output, "OpenPGP Certificate.")?; } writeln!(output)?; writeln!(output, " Fingerprint: {}", cert.fingerprint())?; inspect_revocation(output, "", cert.revocation_status(policy, None))?; inspect_key(policy, output, "", cert.keys().nth(0).unwrap(), print_certifications)?; writeln!(output)?; for vka in cert.keys().subkeys().with_policy(policy, None) { writeln!(output, " Subkey: {}", vka.key().fingerprint())?; inspect_revocation(output, "", vka.revocation_status())?; inspect_key(policy, output, "", vka.into_key_amalgamation().into(), print_certifications)?; writeln!(output)?; } fn print_error_chain(output: &mut dyn io::Write, err: &anyhow::Error) -> Result<()> { writeln!(output, " Invalid: {}", err)?; for cause in err.chain().skip(1) { writeln!(output, " because: {}", cause)?; } Ok(()) } for uidb in cert.userids() { writeln!(output, " UserID: {}", uidb.userid())?; inspect_revocation(output, "", uidb.revocation_status(policy, None))?; match uidb.binding_signature(policy, None) { Ok(sig) => if let Err(e) = sig.signature_alive(None, std::time::Duration::new(0, 0)) { print_error_chain(output, &e)?; } Err(e) => print_error_chain(output, &e)?, } inspect_certifications(output, 
uidb.certifications(), print_certifications)?; writeln!(output)?; } for uab in cert.user_attributes() { writeln!(output, " User attribute: {:?}", uab.user_attribute())?; inspect_revocation(output, "", uab.revocation_status(policy, None))?; match uab.binding_signature(policy, None) { Ok(sig) => if let Err(e) = sig.signature_alive(None, std::time::Duration::new(0, 0)) { print_error_chain(output, &e)?; } Err(e) => print_error_chain(output, &e)?, } inspect_certifications(output, uab.certifications(), print_certifications)?; writeln!(output)?; } for ub in cert.unknowns() { writeln!(output, " Unknown component: {:?}", ub.unknown())?; match ub.binding_signature(policy, None) { Ok(sig) => if let Err(e) = sig.signature_alive(None, std::time::Duration::new(0, 0)) { print_error_chain(output, &e)?; } Err(e) => print_error_chain(output, &e)?, } inspect_certifications(output, ub.certifications(), print_certifications)?; writeln!(output)?; } for bad in cert.bad_signatures() { writeln!(output, " Bad Signature: {:?}", bad)?; } Ok(()) } fn inspect_key(policy: &dyn Policy, output: &mut dyn io::Write, indent: &str, ka: ErasedKeyAmalgamation, print_certifications: bool) -> Result<()> { let key = ka.key(); let bundle = ka.bundle(); let vka = match ka.with_policy(policy, None) { Ok(vka) => { if let Err(e) = vka.alive() { writeln!(output, "{} Invalid: {}", indent, e)?; } Some(vka) }, Err(e) => { writeln!(output, "{} Invalid: {}", indent, e)?; None }, }; writeln!(output, "{}Public-key algo: {}", indent, key.pk_algo())?; if let Some(bits) = key.mpis().bits() { writeln!(output, "{}Public-key size: {} bits", indent, bits)?; } if let Some(secret) = key.optional_secret() { writeln!(output, "{} Secret key: {}", indent, if let SecretKeyMaterial::Unencrypted(_) = secret { "Unencrypted" } else { "Encrypted" })?; } writeln!(output, "{} Creation time: {}", indent, key.creation_time().convert())?; if let Some(vka) = vka { if let Some(expires) = vka.key_validity_period() { let expiration_time = 
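key.creation_time() + expires; writeln!(output, "{}Expiration time: {} (creation time + {})", indent, expiration_time.convert(), expires.convert())?; } if let Some(flags) = vka.key_flags().and_then(inspect_key_flags) { writeln!(output, "{} Key flags: {}", indent, flags)?; } } inspect_certifications(output, bundle.certifications().iter(), print_certifications)?; Ok(()) }

/// Prints the revocation status of a certificate component.
///
/// `Revoked` and `CouldBe` produce a heading followed by one line per
/// revocation signature; `NotAsFarAsWeKnow` prints nothing.  Only the
/// first element of each signature's reason-for-revocation value is
/// shown, the second one is dropped.
fn inspect_revocation(output: &mut dyn io::Write,
                      indent: &str,
                      revoked: openpgp::types::RevocationStatus)
                      -> Result<()> {
    use crate::openpgp::types::RevocationStatus::*;

    /// Writes one line per signature with its revocation reason, or a
    /// placeholder if the signature does not carry one.
    fn print_reasons(output: &mut dyn io::Write, indent: &str,
                     sigs: &[&Signature])
                     -> Result<()> {
        for sig in sigs {
            match sig.reason_for_revocation() {
                Some((r, _)) =>
                    writeln!(output, "{} - {}", indent, r)?,
                None =>
                    writeln!(output, "{} - No reason specified", indent)?,
            }
        }
        Ok(())
    }

    match revoked {
        Revoked(sigs) => {
            writeln!(output, "{} Revoked:", indent)?;
            print_reasons(output, indent, &sigs)?;
        },
        CouldBe(sigs) => {
            writeln!(output, "{} Possibly revoked:", indent)?;
            print_reasons(output, indent, &sigs)?;
        },
        NotAsFarAsWeKnow => (),
    }

    Ok(())
}

/// Renders the capabilities set in `flags` as a comma-separated list.
///
/// Returns `None` when none of the flags checked here is set.
fn inspect_key_flags(flags: openpgp::types::KeyFlags) -> Option<String> {
    // The order of this table is the order of the names in the output.
    let named = [
        (flags.for_certification(), "certification"),
        (flags.for_signing(), "signing"),
        (flags.for_authentication(), "authentication"),
        (flags.for_transport_encryption(), "transport encryption"),
        (flags.for_storage_encryption(), "data-at-rest encryption"),
        (flags.is_group_key(), "group key"),
        (flags.is_split_key(), "split key"),
    ];

    let capabilities: Vec<&str> = named.iter()
        .filter(|entry| entry.0)
        .map(|entry| entry.1)
        .collect();

    if capabilities.is_empty() {
        None
    } else {
        Some(capabilities.join(", "))
    }
}

fn inspect_signatures(output: &mut dyn io::Write, sigs: &[openpgp::packet::Signature]) -> Result<()> { use crate::openpgp::types::SignatureType::*; for sig in sigs { match sig.typ() { Binary | Text => (), signature_type @ _ => writeln!(output, " Kind: 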
{}", signature_type)?, } let mut fps: Vec<_> = sig.issuer_fingerprints().collect(); fps.sort(); fps.dedup(); let fps: Vec = fps.into_iter().map(|fp| fp.into()).collect(); for fp in fps.iter() { writeln!(output, " Alleged signer: {}", fp)?; } let mut keyids: Vec<_> = sig.issuers().collect(); keyids.sort(); keyids.dedup(); for keyid in keyids { if ! fps.iter().any(|fp| fp.aliases(&keyid.into())) { writeln!(output, " Alleged signer: {}", keyid)?; } } } if ! sigs.is_empty() { writeln!(output, " Note: \ Signatures have NOT been verified!")?; } Ok(()) } fn inspect_certifications<'a, A>(output: &mut dyn io::Write, certs: A, print_certifications: bool) -> Result<()> where A: std::iter::Iterator { if print_certifications { let mut emit_warning = false; for sig in certs { emit_warning = true; let mut fps: Vec<_> = sig.issuer_fingerprints().collect(); fps.sort(); fps.dedup(); let fps: Vec = fps.into_iter().map(|fp| fp.into()).collect(); for fp in fps.iter() { writeln!(output, "Alleged certifier: {}", fp)?; } let mut keyids: Vec<_> = sig.issuers().collect(); keyids.sort(); keyids.dedup(); for keyid in keyids { if ! 
fps.iter().any(|fp| fp.aliases(&keyid.into())) { writeln!(output, "Alleged certifier: {}", keyid)?; } } } if emit_warning { writeln!(output, " Note: \ Certifications have NOT been verified!")?; } } else { let count = certs.count(); if count > 0 { writeln!(output, " Certifications: {}, \ use --certifications to list", count)?; } } Ok(()) } sequoia-sq-0.25.0/src/commands/key.rs010064400017500001750000000477231402044017700156100ustar 00000000000000use anyhow::Context as _; use clap::ArgMatches; use itertools::Itertools; use std::time::{SystemTime, Duration}; use crate::openpgp::KeyHandle; use crate::openpgp::Packet; use crate::openpgp::Result; use crate::openpgp::armor::{Writer, Kind}; use crate::openpgp::cert::prelude::*; use crate::openpgp::packet::prelude::*; use crate::openpgp::packet::signature::subpacket::SubpacketTag; use crate::openpgp::parse::Parse; use crate::openpgp::policy::Policy; use crate::openpgp::serialize::Serialize; use crate::openpgp::types::KeyFlags; use crate::openpgp::types::SignatureType; use crate::{ open_or_stdin, }; use crate::Config; use crate::SECONDS_IN_YEAR; use crate::parse_duration; use crate::decrypt_key; pub fn dispatch(config: Config, m: &clap::ArgMatches) -> Result<()> { match m.subcommand() { ("generate", Some(m)) => generate(config, m)?, ("extract-cert", Some(m)) => extract_cert(config, m)?, ("adopt", Some(m)) => adopt(config, m)?, ("attest-certifications", Some(m)) => attest_certifications(config, m)?, _ => unreachable!(), } Ok(()) } fn generate(config: Config, m: &ArgMatches) -> Result<()> { let mut builder = CertBuilder::new(); // User ID match m.values_of("userid") { Some(uids) => for uid in uids { builder = builder.add_userid(uid); }, None => { eprintln!("No user ID given, using direct key signature"); } } // Expiration. match (m.value_of("expires"), m.value_of("expires-in")) { (None, None) => // Default expiration. 
builder = builder.set_validity_period( Some(Duration::new(3 * SECONDS_IN_YEAR, 0))), (Some(t), None) if t == "never" => builder = builder.set_validity_period(None), (Some(t), None) => { let now = builder.creation_time() .unwrap_or_else(std::time::SystemTime::now); let expiration = SystemTime::from( crate::parse_iso8601(t, chrono::NaiveTime::from_hms(0, 0, 0))?); let validity = expiration.duration_since(now)?; builder = builder.set_creation_time(now) .set_validity_period(validity); }, (None, Some(d)) if d == "never" => builder = builder.set_validity_period(None), (None, Some(d)) => { let d = parse_duration(d)?; builder = builder.set_validity_period(Some(d)); }, (Some(_), Some(_)) => unreachable!("conflicting args"), } // Cipher Suite match m.value_of("cipher-suite") { Some("rsa3k") => { builder = builder.set_cipher_suite(CipherSuite::RSA3k); } Some("rsa4k") => { builder = builder.set_cipher_suite(CipherSuite::RSA4k); } Some("cv25519") => { builder = builder.set_cipher_suite(CipherSuite::Cv25519); } Some(ref cs) => { return Err(anyhow::anyhow!("Unknown cipher suite '{}'", cs)); } None => panic!("argument has a default value"), } // Signing Capability match (m.is_present("can-sign"), m.is_present("cannot-sign")) { (false, false) | (true, false) => { builder = builder.add_signing_subkey(); } (false, true) => { /* no signing subkey */ } (true, true) => { return Err( anyhow::anyhow!("Conflicting arguments --can-sign and --cannot-sign")); } } // Encryption Capability match (m.value_of("can-encrypt"), m.is_present("cannot-encrypt")) { (Some("universal"), false) | (None, false) => { builder = builder.add_subkey(KeyFlags::empty() .set_transport_encryption() .set_storage_encryption(), None, None); } (Some("storage"), false) => { builder = builder.add_storage_encryption_subkey(); } (Some("transport"), false) => { builder = builder.add_transport_encryption_subkey(); } (None, true) => { /* no encryption subkey */ } (Some(_), true) => { return Err( anyhow::anyhow!("Conflicting 
arguments --can-encrypt and \ --cannot-encrypt")); } (Some(ref cap), false) => { return Err( anyhow::anyhow!("Unknown encryption capability '{}'", cap)); } } if m.is_present("with-password") { let p0 = rpassword::read_password_from_tty(Some( "Enter password to protect the key: "))?.into(); let p1 = rpassword::read_password_from_tty(Some( "Repeat the password once more: "))?.into(); if p0 == p1 { builder = builder.set_password(Some(p0)); } else { return Err(anyhow::anyhow!("Passwords do not match.")); } } // Generate the key let (cert, rev) = builder.generate()?; // Export if m.is_present("export") { let (key_path, rev_path) = match (m.value_of("export"), m.value_of("rev-cert")) { (Some("-"), Some("-")) => ("-".to_string(), "-".to_string()), (Some("-"), Some(ref rp)) => ("-".to_string(), rp.to_string()), (Some("-"), None) => return Err( anyhow::anyhow!("Missing arguments: --rev-cert is mandatory \ if --export is '-'.")), (Some(ref kp), None) => (kp.to_string(), format!("{}.rev", kp)), (Some(ref kp), Some("-")) => (kp.to_string(), "-".to_string()), (Some(ref kp), Some(ref rp)) => (kp.to_string(), rp.to_string()), _ => return Err( anyhow::anyhow!("Conflicting arguments --rev-cert and \ --export")), }; let headers = cert.armor_headers(); // write out key { let headers: Vec<_> = headers.iter() .map(|value| ("Comment", value.as_str())) .collect(); let w = config.create_or_stdout_safe(Some(&key_path))?; let mut w = Writer::with_headers(w, Kind::SecretKey, headers)?; cert.as_tsk().serialize(&mut w)?; w.finalize()?; } // write out rev cert { let mut headers: Vec<_> = headers.iter() .map(|value| ("Comment", value.as_str())) .collect(); headers.insert(0, ("Comment", "Revocation certificate for")); let w = config.create_or_stdout_safe(Some(&rev_path))?; let mut w = Writer::with_headers(w, Kind::Signature, headers)?; Packet::Signature(rev).serialize(&mut w)?; w.finalize()?; } } else { return Err( anyhow::anyhow!("Saving generated key to the store isn't implemented \ yet.")); } 
Ok(()) } fn extract_cert(config: Config, m: &ArgMatches) -> Result<()> { let input = open_or_stdin(m.value_of("input"))?; let mut output = config.create_or_stdout_safe(m.value_of("output"))?; let cert = Cert::from_reader(input)?; if m.is_present("binary") { cert.serialize(&mut output)?; } else { cert.armored().serialize(&mut output)?; } Ok(()) } fn adopt(config: Config, m: &ArgMatches) -> Result<()> { let input = open_or_stdin(m.value_of("certificate"))?; let cert = Cert::from_reader(input)?; let mut wanted: Vec<(KeyHandle, Option<(Key, SignatureBuilder)>)> = vec![]; // Gather the Key IDs / Fingerprints and make sure they are valid. for id in m.values_of("key").unwrap_or_default() { let h = id.parse::()?; if h.is_invalid() { return Err(anyhow::anyhow!( "Invalid Fingerprint or KeyID ('{:?}')", id)); } wanted.push((h, None)); } let null_policy = &crate::openpgp::policy::NullPolicy::new(); let adoptee_policy: &dyn Policy = if m.values_of("allow-broken-crypto").is_some() { null_policy } else { &config.policy }; // Find the corresponding keys. for keyring in m.values_of("keyring").unwrap_or_default() { for cert in CertParser::from_file(keyring) .context(format!("Parsing: {}", keyring))? { let cert = cert.context(format!("Parsing {}", keyring))?; let vc = match cert.with_policy(adoptee_policy, None) { Ok(vc) => vc, Err(err) => { eprintln!("Ignoring {} from '{}': {}", cert.keyid().to_hex(), keyring, err); continue; } }; for key in vc.keys() { for (id, ref mut keyo) in wanted.iter_mut() { if id.aliases(key.key_handle()) { match keyo { Some((_, _)) => // We already saw this key. (), None => { let sig = key.binding_signature(); let builder: SignatureBuilder = match sig.typ() { SignatureType::SubkeyBinding => sig.clone().into(), SignatureType::DirectKey | SignatureType::PositiveCertification | SignatureType::CasualCertification | SignatureType::PersonaCertification | SignatureType::GenericCertification => { // Convert to a binding // signature. 
let kf = sig.key_flags() .context("Missing required \ subpacket, KeyFlags")?; SignatureBuilder::new( SignatureType::SubkeyBinding) .set_key_flags(kf)? }, _ => panic!("Unsupported binding \ signature: {:?}", sig), }; *keyo = Some( (key.key().clone().role_into_subordinate(), builder)); } } } } } } } // If we are missing any keys, stop now. let missing: Vec<&KeyHandle> = wanted .iter() .filter_map(|(id, keyo)| { match keyo { Some(_) => None, None => Some(id), } }) .collect(); if missing.len() > 0 { return Err(anyhow::anyhow!( "Keys not found: {}", missing.iter().map(|&h| h.to_hex()).join(", "))); } let passwords = &mut Vec::new(); // Get a signer. let pk = cert.primary_key().key(); let mut pk_signer = decrypt_key( pk.clone().parts_into_secret()?, passwords)? .into_keypair()?; // Add the keys and signatues to cert. let mut packets: Vec = vec![]; for (_, ka) in wanted.into_iter() { let (key, builder) = ka.expect("Checked for missing keys above."); let mut builder = builder; // If there is a valid backsig, recreate it. let need_backsig = builder.key_flags() .map(|kf| kf.for_signing() || kf.for_certification()) .expect("Missing keyflags"); if need_backsig { // Derive a signer. let mut subkey_signer = decrypt_key( key.clone().parts_into_secret()?, passwords)? .into_keypair()?; let backsig = builder.embedded_signatures() .filter(|backsig| { (*backsig).clone().verify_primary_key_binding( &cert.primary_key(), &key).is_ok() }) .nth(0) .map(|sig| SignatureBuilder::from(sig.clone())) .unwrap_or_else(|| { SignatureBuilder::new(SignatureType::PrimaryKeyBinding) }) .sign_primary_key_binding(&mut subkey_signer, pk, &key)?; builder = builder.set_embedded_signature(backsig)?; } else { builder = builder.modify_hashed_area(|mut a| { a.remove_all(SubpacketTag::EmbeddedSignature); Ok(a) })?; } let mut sig = builder.sign_subkey_binding(&mut pk_signer, pk, &key)?; // Verify it. 
assert!(sig.verify_subkey_binding(pk_signer.public(), pk, &key) .is_ok()); packets.push(key.into()); packets.push(sig.into()); } let cert = cert.clone().insert_packets(packets.clone())?; let mut sink = config.create_or_stdout_safe(m.value_of("output"))?; if m.is_present("binary") { cert.as_tsk().serialize(&mut sink)?; } else { cert.as_tsk().armored().serialize(&mut sink)?; } let vc = cert.with_policy(&config.policy, None).expect("still valid"); for pair in packets[..].chunks(2) { let newkey: &Key = match pair[0] { Packet::PublicKey(ref k) => k.into(), Packet::PublicSubkey(ref k) => k.into(), Packet::SecretKey(ref k) => k.into(), Packet::SecretSubkey(ref k) => k.into(), ref p => panic!("Expected a key, got: {:?}", p), }; let newsig: &Signature = match pair[1] { Packet::Signature(ref s) => s, ref p => panic!("Expected a sig, got: {:?}", p), }; let mut found = false; for key in vc.keys() { if key.fingerprint() == newkey.fingerprint() { for sig in key.self_signatures() { if sig == newsig { found = true; break; } } } } assert!(found, "Subkey: {:?}\nSignature: {:?}", newkey, newsig); } Ok(()) } fn attest_certifications(config: Config, m: &ArgMatches) -> Result<()> { // XXX: This function has to do some steps manually, because // Sequoia does not expose this functionality because it has not // been standardized yet. use sequoia_openpgp::{ crypto::hash::{Hash, Digest}, packet::signature::subpacket::*, types::HashAlgorithm, }; #[allow(non_upper_case_globals)] const SignatureType__AttestedKey: SignatureType = SignatureType::Unknown(0x16); #[allow(non_upper_case_globals)] const SubpacketTag__AttestedCertifications: SubpacketTag = SubpacketTag::Unknown(37); // Attest to all certifications? let all = ! m.is_present("none"); // All is the default. // Some configuration. let hash_algo = HashAlgorithm::default(); let digest_size = hash_algo.context()?.digest_size(); let reserve_area_space = 256; // For the other subpackets. 
let digests_per_sig = ((1usize << 16) - reserve_area_space) / digest_size; let input = open_or_stdin(m.value_of("key"))?; let key = Cert::from_reader(input)?; // First, remove all attestations. let key = Cert::from_packets( key.into_packets().filter(|p| match p { Packet::Signature(s) if s.typ() == SignatureType__AttestedKey => false, _ => true, }))?; // Get a signer. let mut passwords = Vec::new(); let pk = key.primary_key().key(); let mut pk_signer = decrypt_key( pk.clone().parts_into_secret()?, &mut passwords)? .into_keypair()?; // Now, create new attestation signatures. let mut attestation_signatures = Vec::new(); for uid in key.userids() { let mut attestations = Vec::new(); if all { for certification in uid.certifications() { let mut h = hash_algo.context()?; certification.hash_for_confirmation(&mut h); attestations.push(h.into_digest()?); } } // Hashes SHOULD be sorted. attestations.sort(); // All attestation signatures we generate for this component // should have the same creation time. Fix it now. let t = std::time::SystemTime::now(); // Hash the components like in a binding signature. let mut hash = hash_algo.context()?; key.primary_key().hash(&mut hash); uid.hash(&mut hash); for digests in attestations.chunks(digests_per_sig) { let mut body = Vec::with_capacity(digest_size * digests.len()); digests.iter().for_each(|d| body.extend(d)); attestation_signatures.push( SignatureBuilder::new(SignatureType__AttestedKey) .set_signature_creation_time(t)? .modify_hashed_area(|mut a| { a.add(Subpacket::new( SubpacketValue::Unknown { tag: SubpacketTag__AttestedCertifications, body, }, true)?)?; Ok(a) })? .sign_hash(&mut pk_signer, hash.clone())?); } } for ua in key.user_attributes() { let mut attestations = Vec::new(); if all { for certification in ua.certifications() { let mut h = hash_algo.context()?; certification.hash_for_confirmation(&mut h); attestations.push(h.into_digest()?); } } // Hashes SHOULD be sorted. 
attestations.sort(); // All attestation signatures we generate for this component // should have the same creation time. Fix it now. let t = std::time::SystemTime::now(); // Hash the components like in a binding signature. let mut hash = hash_algo.context()?; key.primary_key().hash(&mut hash); ua.hash(&mut hash); for digests in attestations.chunks(digests_per_sig) { let mut body = Vec::with_capacity(digest_size * digests.len()); digests.iter().for_each(|d| body.extend(d)); attestation_signatures.push( SignatureBuilder::new(SignatureType__AttestedKey) .set_signature_creation_time(t)? .modify_hashed_area(|mut a| { a.add(Subpacket::new( SubpacketValue::Unknown { tag: SubpacketTag__AttestedCertifications, body, }, true)?)?; Ok(a) })? .sign_hash(&mut pk_signer, hash.clone())?); } } // Finally, add the new signatures. let key = key.insert_packets(attestation_signatures)?; let mut sink = config.create_or_stdout_safe(m.value_of("output"))?; if m.is_present("binary") { key.as_tsk().serialize(&mut sink)?; } else { key.as_tsk().armored().serialize(&mut sink)?; } Ok(()) } sequoia-sq-0.25.0/src/commands/keyring.rs010064400017500001750000000272501402044017700164610ustar 00000000000000use std::{ collections::HashMap, collections::hash_map::Entry, fs::File, io, path::PathBuf, }; use anyhow::Context; use sequoia_openpgp as openpgp; use openpgp::{ Result, armor, cert::{ Cert, CertParser, }, Fingerprint, packet::{ UserID, UserAttribute, Key, }, parse::Parse, serialize::Serialize, }; use crate::{ Config, open_or_stdin, }; pub fn dispatch(config: Config, m: &clap::ArgMatches) -> Result<()> { match m.subcommand() { ("filter", Some(m)) => { let any_uid_predicates = m.is_present("name") || m.is_present("email") || m.is_present("domain"); let uid_predicate = |uid: &UserID| { let mut keep = false; if let Some(names) = m.values_of("name") { for name in names { keep |= uid .name().unwrap_or(None) .map(|n| n == name) .unwrap_or(false); } } if let Some(emails) = m.values_of("email") { for email 
in emails { keep |= uid .email().unwrap_or(None) .map(|n| n == email) .unwrap_or(false); } } if let Some(domains) = m.values_of("domain") { for domain in domains { keep |= uid .email().unwrap_or(None) .map(|n| n.ends_with(&format!("@{}", domain))) .unwrap_or(false); } } keep }; let any_ua_predicates = false; let ua_predicate = |_ua: &UserAttribute| false; let any_key_predicates = false; let key_predicate = |_key: &Key<_, _>| false; let filter_fn = |c: Cert| -> Option { if ! (c.userids().any(|c| uid_predicate(&c)) || c.user_attributes().any(|c| ua_predicate(&c)) || c.keys().subkeys().any(|c| key_predicate(&c))) { // If there are no filters, pass it through. Some(c) } else if m.is_present("prune-certs") { let c = c .retain_userids(|c| { ! any_uid_predicates || uid_predicate(&c) }) .retain_user_attributes(|c| { ! any_ua_predicates || ua_predicate(&c) }) .retain_subkeys(|c| { ! any_key_predicates || key_predicate(&c) }); if c.userids().count() == 0 && c.user_attributes().count() == 0 && c.keys().subkeys().count() == 0 { // We stripped all components, omit this cert. None } else { Some(c) } } else { Some(c) } }; let to_certificate = m.is_present("to-certificate"); // XXX: Armor type selection is a bit problematic. If any // of the certificates contain a secret key, it would be // better to use Kind::SecretKey here. However, this // requires buffering all certs, which has its own // problems. let mut output = config.create_or_stdout_pgp(m.value_of("output"), m.is_present("binary"), armor::Kind::PublicKey)?; filter(m.values_of("input"), &mut output, filter_fn, to_certificate)?; output.finalize() }, ("join", Some(m)) => { // XXX: Armor type selection is a bit problematic. If any // of the certificates contain a secret key, it would be // better to use Kind::SecretKey here. However, this // requires buffering all certs, which has its own // problems. 
let mut output = config.create_or_stdout_pgp(m.value_of("output"), m.is_present("binary"), armor::Kind::PublicKey)?; filter(m.values_of("input"), &mut output, |c| Some(c), false)?; output.finalize() }, ("merge", Some(m)) => { let mut output = config.create_or_stdout_pgp(m.value_of("output"), m.is_present("binary"), armor::Kind::PublicKey)?; merge(m.values_of("input"), &mut output)?; output.finalize() }, ("list", Some(m)) => { let mut input = open_or_stdin(m.value_of("input"))?; list(&mut input) }, ("split", Some(m)) => { let mut input = open_or_stdin(m.value_of("input"))?; let prefix = // The prefix is either specified explicitly... m.value_of("prefix").map(|p| p.to_owned()) .unwrap_or( // ... or we derive it from the input file... m.value_of("input").and_then(|i| { let p = PathBuf::from(i); // (but only use the filename) p.file_name().map(|f| String::from(f.to_string_lossy())) }) // ... or we use a generic prefix... .unwrap_or(String::from("output")) // ... finally, add a hyphen to the derived prefix. + "-"); split(&mut input, &prefix, m.is_present("binary")) }, _ => unreachable!(), } } /// Joins certificates and keyrings into a keyring, applying a filter. fn filter(inputs: Option, output: &mut dyn io::Write, mut filter: F, to_certificate: bool) -> Result<()> where F: FnMut(Cert) -> Option, { if let Some(inputs) = inputs { for name in inputs { for cert in CertParser::from_file(name)? { let cert = cert.context( format!("Malformed certificate in keyring {:?}", name))?; if let Some(cert) = filter(cert) { if to_certificate { cert.serialize(output)?; } else { cert.as_tsk().serialize(output)?; } } } } } else { for cert in CertParser::from_reader(io::stdin())? { let cert = cert.context("Malformed certificate in keyring")?; if let Some(cert) = filter(cert) { if to_certificate { cert.serialize(output)?; } else { cert.as_tsk().serialize(output)?; } } } } Ok(()) } /// Lists certs in a keyring. 
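fn list(input: &mut (dyn io::Read + Sync + Send)) -> Result<()> {
    // Prints one line per certificate: its position in the keyring, its
    // fingerprint in upper-case hex and, when one can be extracted, the
    // email address of the first user ID.
    for (i, cert) in CertParser::from_reader(input)?.enumerate() {
        let cert = cert.context("Malformed certificate in keyring")?;
        print!("{}. {:X}", i, cert.fingerprint());

        // Try to be more helpful by including the first userid in the
        // listing.
        // NOTE(review): the user ID is read straight from the parsed
        // certificate; no policy or self-signature check happens here, so
        // the address is a hint for the reader, not a verified identity.
        if let Some(email) = cert.userids().next()
            .and_then(|uid| uid.email().unwrap_or(None))
        {
            print!(" {}", email);
        }
        println!();
    }
    Ok(())
}

/// Splits a keyring into individual certs.
///
/// Each certificate is written to its own file named
/// `<prefix><index>-<FINGERPRINT>`, with a sanitized form of the first
/// user ID's email address appended when one is available.  `binary`
/// selects raw output; otherwise the output is ASCII-armored.
fn split(input: &mut (dyn io::Read + Sync + Send), prefix: &str, binary: bool)
         -> Result<()> {
    for (i, cert) in CertParser::from_reader(input)?.enumerate() {
        let cert = cert.context("Malformed certificate in keyring")?;
        let filename = format!(
            "{}{}-{:X}",
            prefix,
            i,
            cert.fingerprint());

        // Try to be more helpful by including the first userid in the
        // filename.
        let fragment = cert.userids().next()
            .and_then(|uid| uid.email().unwrap_or(None))
            .and_then(to_filename_fragment);

        // NOTE(review): `File::create` truncates an existing file of the
        // same name and sets no explicit permissions.  The data written
        // below comes from `as_tsk()`, which includes secret key material
        // when the certificate carries any -- presumably the process umask
        // alone decides who can read the result; confirm that is intended.
        let mut sink = match fragment {
            Some(f) => {
                let filename_email = format!("{}-{}", filename, f);
                match File::create(filename_email) {
                    Ok(s) => s,
                    // Degrade gracefully in case our sanitization
                    // produced an invalid filename on this system.
                    Err(_) => File::create(&filename)
                        .context(format!("Writing cert to {:?} failed",
                                         filename))?,
                }
            },
            None => File::create(&filename)
                .context(format!("Writing cert to {:?} failed", filename))?,
        };

        if binary {
            cert.as_tsk().serialize(&mut sink)?;
        } else {
            use sequoia_openpgp::serialize::stream::{Message, Armorer};

            let message = Message::new(sink);
            let mut message = Armorer::new(message)
                // XXX: should detect kind, see above
                .kind(sequoia_openpgp::armor::Kind::PublicKey)
                .build()?;
            cert.as_tsk().serialize(&mut message)?;
            message.finalize()?;
        }
    }
    Ok(())
}

/// Merge multiple keyrings.
///
/// Certificates are read from the files named in `inputs`, or from stdin
/// when `inputs` is `None`.  Certificates sharing a fingerprint are merged
/// with `merge_public_and_secret`, and every resulting certificate is
/// written to `output` via `as_tsk()`.
fn merge(inputs: Option<clap::Values>, output: &mut dyn io::Write)
         -> Result<()>
{
    // The value is an `Option` only so that an existing entry can be moved
    // out, merged and put back; it is `Some` whenever the map is at rest.
    let mut certs: HashMap<Fingerprint, Option<Cert>> = HashMap::new();

    // Folds one certificate into the map, merging it with any certificate
    // already stored under the same fingerprint.
    let mut absorb = |cert: Cert| {
        match certs.entry(cert.fingerprint()) {
            e @ Entry::Vacant(_) => {
                e.or_insert(Some(cert));
            }
            Entry::Occupied(mut e) => {
                let slot = e.get_mut();
                let curr = slot.take().unwrap();
                // Both certificates were filed under the same fingerprint.
                *slot = Some(curr.merge_public_and_secret(cert)
                             .expect("Same certificate"));
            }
        }
    };

    if let Some(inputs) = inputs {
        for name in inputs {
            for cert in CertParser::from_file(name)? {
                absorb(cert.context(
                    format!("Malformed certificate in keyring {:?}", name))?);
            }
        }
    } else {
        for cert in CertParser::from_reader(io::stdin())? {
            absorb(cert.context("Malformed certificate in keyring")?);
        }
    }

    // The map's iteration order decides the order of the certificates in
    // the output; a `HashMap` gives no ordering guarantee.
    for (_, cert) in certs.iter_mut() {
        cert.take().unwrap().as_tsk().serialize(output)?;
    }
    Ok(())
}

/// Sanitizes a string to a safe filename fragment.
///
/// Keeps ASCII characters only and drops path separators (`/`, `\`), `:`,
/// whitespace and control characters.  Returns `None` when nothing is left.
fn to_filename_fragment<S: AsRef<str>>(s: S) -> Option<String> {
    let r: String = s.as_ref().chars()
        .filter(|&c| match c {
            '/' | ':' | '\\' => false,
            c if c.is_ascii_whitespace() => false,
            // The input is taken from a certificate's user ID.  Control
            // characters (ESC, BEL, DEL, ...) have no place in a file name
            // that will later be shown in a terminal or file listing.
            c if c.is_ascii_control() => false,
            c => c.is_ascii(),
        })
        .collect();

    if r.is_empty() {
        None
    } else {
        Some(r)
    }
}
sequoia-sq-0.25.0/src/commands/merge_signatures.rs010064400017500001750000000115401402044017700203470ustar 00000000000000
use anyhow::Context as _;
use std::io;

extern crate sequoia_openpgp as openpgp;
use crate::openpgp::packet::Literal;
use crate::openpgp::packet::Tag;
use crate::openpgp::parse::{PacketParser, PacketParserResult, Parse};
use crate::openpgp::serialize::stream::{LiteralWriter, Message};
use crate::openpgp::serialize::Serialize;
use crate::openpgp::{Packet, Result};

/// Combines two signed messages over the same data into one message.
///
/// Both inputs are parsed as: a run of one-pass-signature packets, a
/// literal data packet, a run of signature packets.  The output holds the
/// one-pass-signature packets of both inputs, the literal data once, and
/// the signature packets of both inputs.  Fails if the two literal packets
/// differ once date and filename are cleared.
pub fn merge_signatures(
    input1: &mut (dyn io::Read + Send + Sync),
    input2: &mut (dyn io::Read + Send + Sync),
    mut sink: Message,
) -> Result<()> {
    let parser1 =
        PacketParser::from_reader(input1).context("Failed to build parser")?;
    let parser2 =
        PacketParser::from_reader(input2).context("Failed to build parser")?;

    let (ops1, post_ops_parser1) = read_while_by_tag(parser1, Tag::OnePassSig)?;
    let (ops2, post_ops_parser2) = read_while_by_tag(parser2, Tag::OnePassSig)?;

    // The packets from the first input are followed by those of the second
    // input, so none of them is the last one-pass-signature packet any more.
    let ops1 = ops1
        .into_iter()
        .map(ops_with_last_false)
        .collect::<Result<Vec<Packet>>>()?;

    write_packets(ops1, &mut sink)?;
    write_packets(ops2, &mut sink)?;

    let (sink_new, post_literal_parser1, post_literal_parser2) =
        compare_and_write_literal(sink, post_ops_parser1, post_ops_parser2)?;
    sink = sink_new;

    let (sigs2, _) = read_while_by_tag(post_literal_parser2, Tag::Signature)?;
    let (sigs1, _) = read_while_by_tag(post_literal_parser1, Tag::Signature)?;

    // Signature packets go out in the opposite order of their
    // one-pass-signature packets: ops1, ops2, data, sigs2, sigs1.
    write_packets(sigs2, &mut sink)?;
    write_packets(sigs1, &mut sink)?;

    sink.finalize().context("Failed to write data")?;
    Ok(())
}

/// Returns the given one-pass-signature packet with its `last` flag
/// cleared; any other packet kind is an error.
fn ops_with_last_false(p: Packet) -> Result<Packet> {
    match p {
        Packet::OnePassSig(mut ops) => {
            ops.set_last(false);
            Ok(Packet::OnePassSig(ops))
        }
        _ => Err(anyhow::anyhow!("Not a OnePassSig packet")),
    }
}

/// Serializes every packet in `packets` to `sink`, in order.
fn write_packets(packets: Vec<Packet>, mut sink: &mut Message) -> Result<()> {
    for packet in packets {
        packet.serialize(&mut sink)?;
    }
    Ok(())
}

/// Copies the literal data of the second input to `sink` and checks that
/// the first input carries the same literal packet.
///
/// Returns the sink and both parsers, each advanced past its literal
/// packet.  The data has already been written to `sink` when a mismatch is
/// reported.
fn compare_and_write_literal<'a, 'b, 'c>(
    sink: Message<'a>,
    ppr1: PacketParserResult<'b>,
    ppr2: PacketParserResult<'c>,
) -> Result<(Message<'a>, PacketParserResult<'b>, PacketParserResult<'c>)> {
    // We want to compare the bodies of the literal packets, by comparing their digests.
    // Digests are only known after reading the packets, so:
    // First, move both parsers past the literal packet, copy out the body of one of them.
    // Second, compare the packets which now include the correct hashes,
    // normalize to ignore metadata.
    let (lp1, ppr1) = read_while_by_tag(ppr1, Tag::Literal)?;
    // The vector is empty when the first input does not continue with a
    // literal packet (or simply ends).  The inputs are caller-supplied
    // files, so report that as an error instead of panicking.
    let lp1 = lp1
        .into_iter()
        .next()
        .ok_or_else(|| anyhow::anyhow!("Not a literal packet"))?;
    let (sink, lp2, ppr2) = write_literal_(sink, ppr2)?;

    let lp1 = normalize_literal(lp1)?;
    let lp2 = normalize_literal(lp2)?;

    // NOTE(review): these two lines print the packets' debug form to
    // stderr on every run; they look like leftover diagnostics -- confirm
    // whether they are meant to ship.
    eprintln!("lp1: {:?}", lp1);
    eprintln!("lp2: {:?}", lp2);

    if lp1 == lp2 {
        Ok((sink, ppr1, ppr2))
    } else {
        Err(anyhow::anyhow!("Literal Packets differ, aborting!"))
    }
}

// Clear date and filename.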
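fn normalize_literal(p: Packet) -> Result<Literal> {
    // Strips the metadata that must not influence the comparison of two
    // literal packets; any other packet kind is rejected.
    match p {
        Packet::Literal(mut l) => {
            l.set_date(None)?;
            l.set_filename(&[])?;
            Ok(l)
        }
        _ => Err(anyhow::anyhow!("Not a literal packet")),
    }
}

/// Copies the literal data at the parser's current position to `sink`.
///
/// If the current packet is a literal packet, its body is streamed into a
/// fresh literal writer on top of `sink`; for any other packet nothing is
/// written.  In both cases the parser is advanced by one packet.
///
/// Returns the sink, the packet the parser was positioned at, and the
/// parser state after it.  Fails with "Unexpected end of file" when there
/// is no packet left.
fn write_literal_<'a, 'b>(
    mut sink: Message<'a>,
    ppr: PacketParserResult<'b>,
) -> Result<(Message<'a>, Packet, PacketParserResult<'b>)> {
    let mut pp = match ppr {
        PacketParserResult::Some(pp) => pp,
        _ => return Err(anyhow::anyhow!("Unexpected end of file")),
    };

    // Assemble a new Literal packet.
    // Cannot use packet.serialize because that does not include the body.
    if let Packet::Literal(l) = pp.packet.clone() {
        // Create a literal writer to wrap the data in a literal
        // message packet.
        let mut literal = LiteralWriter::new(sink)
            .format(l.format())
            .build()
            .context("Failed to create literal writer")?;

        // Do not add any metadata as it is unprotected anyway.
        // Just copy all the data.
        io::copy(&mut pp, &mut literal).context("Failed to copy data")?;

        // Pop the literal writer.
        sink = literal
            .finalize_one()
            .context("Failed to write literal packet")?
            .unwrap();
    }

    let (packet, rest) = pp.recurse()?;
    Ok((sink, packet, rest))
}

/// Collects consecutive packets whose tag equals `tag`.
///
/// Stops at the first packet with a different tag, or at the end of the
/// input, and returns the collected packets together with the parser state
/// at that point.  The result is empty when the very first packet does not
/// match.
fn read_while_by_tag(
    mut ppr: PacketParserResult,
    tag: Tag,
) -> Result<(Vec<Packet>, PacketParserResult)> {
    let mut collected = Vec::new();

    loop {
        match ppr {
            PacketParserResult::Some(pp) if pp.header().ctb().tag() == tag => {
                // Start parsing the next packet, recursing.
                let (packet, next_ppr) = pp.recurse()?;
                collected.push(packet);
                ppr = next_ppr;
            }
            // Either a packet with a different tag or the end of input.
            other => return Ok((collected, other)),
        }
    }
}
sequoia-sq-0.25.0/src/commands/mod.rs010064400017500001750000000434501402044017700155700ustar 00000000000000
use anyhow::Context as _;
use std::cmp::Ordering;
use std::collections::{HashMap, HashSet};
use std::fs::File;
use std::io::{self, Write};
use std::time::SystemTime;
use rpassword;

use sequoia_openpgp as openpgp;
use crate::openpgp::{
    armor,
};
use crate::openpgp::types::{
    CompressionAlgorithm,
};
use crate::openpgp::cert::prelude::*;
use crate::openpgp::crypto;
use crate::openpgp::{Cert, KeyID, Result};
use crate::openpgp::packet::prelude::*;
use crate::openpgp::parse::{
    Parse,
    PacketParserResult,
};
use crate::openpgp::parse::stream::*;
use crate::openpgp::serialize::stream::{
    Message, Signer, LiteralWriter, Encryptor, Recipient,
    Compressor,
    padding::Padder,
};
use crate::openpgp::policy::Policy;

use crate::{
    Config,
    parse_armor_kind,
};

#[cfg(feature = "autocrypt")]
pub mod autocrypt;
pub mod decrypt;
pub use self::decrypt::decrypt;
pub mod sign;
pub use self::sign::sign;
pub mod dump;
pub use self::dump::dump;
mod inspect;
pub use self::inspect::inspect;
pub mod key;
pub mod merge_signatures;
pub use self::merge_signatures::merge_signatures;
pub mod keyring;
#[cfg(feature = "net")]
pub mod net;
pub mod certify;

/// Returns suitable signing keys from a given list of Certs.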
fn get_signing_keys(certs: &[openpgp::Cert], p: &dyn Policy, timestamp: Option) -> Result> { let mut keys = Vec::new(); 'next_cert: for tsk in certs { for key in tsk.keys().with_policy(p, timestamp).alive().revoked(false) .for_signing() .supported() .map(|ka| ka.key()) { if let Some(secret) = key.optional_secret() { let unencrypted = match secret { SecretKeyMaterial::Encrypted(ref e) => { let password = rpassword::read_password_from_tty(Some( &format!("Please enter password to decrypt {}/{}: ", tsk, key))).unwrap(); e.decrypt(key.pk_algo(), &password.into()) .expect("decryption failed") }, SecretKeyMaterial::Unencrypted(ref u) => u.clone(), }; keys.push(crypto::KeyPair::new(key.clone(), unencrypted) .unwrap()); break 'next_cert; } } return Err(anyhow::anyhow!( format!("Found no suitable signing key on {}", tsk))); } Ok(keys) } pub fn encrypt<'a>(policy: &'a dyn Policy, input: &mut dyn io::Read, message: Message<'a>, npasswords: usize, recipients: &'a [openpgp::Cert], signers: Vec, mode: openpgp::types::KeyFlags, compression: &str, time: Option, use_expired_subkey: bool, ) -> Result<()> { let mut passwords: Vec = Vec::with_capacity(npasswords); for n in 0..npasswords { let nprompt = format!("Enter password {}: ", n + 1); passwords.push(rpassword::read_password_from_tty(Some( if npasswords > 1 { &nprompt } else { "Enter password: " }))?.into()); } if recipients.len() + passwords.len() == 0 { return Err(anyhow::anyhow!( "Neither recipient nor password given")); } let mut signers = get_signing_keys(&signers, policy, time)?; // Build a vector of recipients to hand to Encryptor. 
let mut recipient_subkeys: Vec = Vec::new(); for cert in recipients.iter() { let mut count = 0; for key in cert.keys().with_policy(policy, None).alive().revoked(false) .key_flags(&mode).supported().map(|ka| ka.key()) { recipient_subkeys.push(key.into()); count += 1; } if count == 0 { let mut expired_keys = Vec::new(); for ka in cert.keys().with_policy(policy, None).revoked(false) .key_flags(&mode).supported() { let key = ka.key(); expired_keys.push( (ka.binding_signature().key_expiration_time(key) .expect("Key must have an expiration time"), key)); } expired_keys.sort_by_key(|(expiration_time, _)| *expiration_time); if let Some((expiration_time, key)) = expired_keys.last() { if use_expired_subkey { recipient_subkeys.push((*key).into()); } else { use chrono::{DateTime, offset::Utc}; return Err(anyhow::anyhow!( "The last suitable encryption key of cert {} expired \ on {}\n\ Hint: Use --use-expired-subkey to use it anyway.", cert, DateTime::::from(*expiration_time))); } } else { return Err(anyhow::anyhow!( "Cert {} has no suitable encryption key", cert)); } } } // We want to encrypt a literal data packet. let encryptor = Encryptor::for_recipients(message, recipient_subkeys) .add_passwords(passwords); let mut sink = encryptor.build() .context("Failed to create encryptor")?; match compression { "none" => (), "pad" => sink = Padder::new(sink).build()?, "zip" => sink = Compressor::new(sink).algo(CompressionAlgorithm::Zip).build()?, "zlib" => sink = Compressor::new(sink).algo(CompressionAlgorithm::Zlib).build()?, "bzip2" => sink = Compressor::new(sink).algo(CompressionAlgorithm::BZip2).build()?, _ => unreachable!("all possible choices are handled") } // Optionally sign message. if ! 
signers.is_empty() { let mut signer = Signer::new(sink, signers.pop().unwrap()); for s in signers { signer = signer.add_signer(s); if let Some(time) = time { signer = signer.creation_time(time); } } for r in recipients.iter() { signer = signer.add_intended_recipient(r); } sink = signer.build()?; } let mut literal_writer = LiteralWriter::new(sink).build() .context("Failed to create literal writer")?; // Finally, copy stdin to our writer stack to encrypt the data. io::copy(input, &mut literal_writer) .context("Failed to encrypt")?; literal_writer.finalize() .context("Failed to encrypt")?; Ok(()) } struct VHelper<'a> { #[allow(dead_code)] config: Config<'a>, signatures: usize, certs: Option>, labels: HashMap, trusted: HashSet, good_signatures: usize, good_checksums: usize, unknown_checksums: usize, bad_signatures: usize, bad_checksums: usize, broken_signatures: usize, } impl<'a> VHelper<'a> { fn new(config: &Config<'a>, signatures: usize, certs: Vec) -> Self { VHelper { config: config.clone(), signatures: signatures, certs: Some(certs), labels: HashMap::new(), trusted: HashSet::new(), good_signatures: 0, good_checksums: 0, unknown_checksums: 0, bad_signatures: 0, bad_checksums: 0, broken_signatures: 0, } } fn print_status(&self) { fn p(dirty: &mut bool, what: &str, quantity: usize) { if quantity > 0 { eprint!("{}{} {}{}", if *dirty { ", " } else { "" }, quantity, what, if quantity == 1 { "" } else { "s" }); *dirty = true; } } let mut dirty = false; p(&mut dirty, "good signature", self.good_signatures); p(&mut dirty, "good checksum", self.good_checksums); p(&mut dirty, "unknown checksum", self.unknown_checksums); p(&mut dirty, "bad signature", self.bad_signatures); p(&mut dirty, "bad checksum", self.bad_checksums); p(&mut dirty, "broken signatures", self.broken_signatures); if dirty { eprintln!("."); } } fn print_sigs(&mut self, results: &[VerificationResult]) { use crate::print_error_chain; use self::VerificationError::*; for result in results { let (issuer, level) = 
match result { Ok(GoodChecksum { sig, ka, .. }) => (ka.key().keyid(), sig.level()), Err(MalformedSignature { error, .. }) => { eprintln!("Malformed signature:"); print_error_chain(error); self.broken_signatures += 1; continue; }, Err(MissingKey { sig, .. }) => { let issuer = sig.get_issuers().get(0) .expect("missing key checksum has an issuer") .to_string(); let what = match sig.level() { 0 => "checksum".into(), n => format!("level {} notarizing checksum", n), }; eprintln!("No key to check {} from {}", what, issuer); self.unknown_checksums += 1; continue; }, Err(UnboundKey { cert, error, .. }) => { eprintln!("Signing key on {} is not bound:", cert.fingerprint()); print_error_chain(error); self.bad_checksums += 1; continue; }, Err(BadKey { ka, error, .. }) => { eprintln!("Signing key on {} is bad:", ka.cert().fingerprint()); print_error_chain(error); self.bad_checksums += 1; continue; }, Err(BadSignature { sig, ka, error }) => { let issuer = ka.fingerprint().to_string(); let what = match sig.level() { 0 => "checksum".into(), n => format!("level {} notarizing checksum", n), }; eprintln!("Error verifying {} from {}:", what, issuer); print_error_chain(error); self.bad_checksums += 1; continue; } }; let trusted = self.trusted.contains(&issuer); let what = match (level == 0, trusted) { (true, true) => "signature".into(), (false, true) => format!("level {} notarization", level), (true, false) => "checksum".into(), (false, false) => format!("level {} notarizing checksum", level), }; let issuer_str = issuer.to_string(); let label = self.labels.get(&issuer).unwrap_or(&issuer_str); eprintln!("Good {} from {}", what, label); if trusted { self.good_signatures += 1; } else { self.good_checksums += 1; } } } } impl<'a> VerificationHelper for VHelper<'a> { fn get_certs(&mut self, _ids: &[openpgp::KeyHandle]) -> Result> { let certs = self.certs.take().unwrap(); // Get all keys. 
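let seen: HashSet<_> = certs.iter()
            .flat_map(|cert| {
                cert.keys().map(|ka| ka.key().fingerprint().into())
            }).collect();

        // Explicitly provided keys are trusted. This covers every key of
        // every supplied certificate, as enumerated by `cert.keys()`.
        self.trusted = seen.clone();

        Ok(certs)
    }

    /// Reports each layer of the message on stderr and decides the
    /// verdict.
    ///
    /// Succeeds when at least `self.signatures` good signatures from
    /// trusted keys were seen and `bad_signatures + bad_checksums` is
    /// zero. The `broken_signatures` and `unknown_checksums` counters are
    /// not part of the condition.
    ///
    /// NOTE(review): with `signatures == 0` the first clause always
    /// holds, so a message without any trusted signature passes as long
    /// as nothing was counted as bad -- confirm the caller's threshold.
    fn check(&mut self, structure: MessageStructure) -> Result<()> {
        for layer in structure {
            match layer {
                MessageLayer::Compression { algo } =>
                    eprintln!("Compressed using {}", algo),
                MessageLayer::Encryption { sym_algo, aead_algo } =>
                    if let Some(aead_algo) = aead_algo {
                        eprintln!("Encrypted and protected using {}/{}",
                                  sym_algo, aead_algo);
                    } else {
                        eprintln!("Encrypted using {}", sym_algo);
                    },
                MessageLayer::SignatureGroup { ref results } =>
                    self.print_sigs(results),
            }
        }

        if self.good_signatures >= self.signatures
            && self.bad_signatures + self.bad_checksums == 0 {
            Ok(())
        } else {
            self.print_status();
            Err(anyhow::anyhow!("Verification failed"))
        }
    }
}

/// Verifies `input` against `certs`, requiring `signatures` good
/// signatures from them.
///
/// With `detached` set, `input` is the signed data and `detached` the
/// signature; nothing is written to `output`. Otherwise `input` is a
/// signed message and its content is copied to `output`.
///
/// NOTE(review): the type argument of `certs` was lost in extraction and
/// is restored from its use in `VHelper` -- confirm against upstream.
///
/// NOTE(review): in the inline case the content is copied while the
/// message is being processed. Whether bytes can reach `output` before
/// the verdict depends on the verifier's buffering, which is not visible
/// here; callers should treat `output` as unverified unless this
/// function returns `Ok`.
pub fn verify(config: Config,
              input: &mut (dyn io::Read + Sync + Send),
              detached: Option<&mut (dyn io::Read + Sync + Send)>,
              output: &mut dyn io::Write,
              signatures: usize, certs: Vec<openpgp::Cert>)
              -> Result<()> {
    let helper = VHelper::new(&config, signatures, certs);
    let helper = if let Some(dsig) = detached {
        let mut v = DetachedVerifierBuilder::from_reader(dsig)?
            .with_policy(&config.policy, None, helper)?;
        v.verify_reader(input)?;
        v.into_helper()
    } else {
        let mut v = VerifierBuilder::from_reader(input)?
            .with_policy(&config.policy, None, helper)?;
        io::copy(&mut v, output)?;
        v.into_helper()
    };

    helper.print_status();
    Ok(())
}

/// Writes every packet of `input`, nested ones included, to its own
/// file whose name starts with `prefix`.
pub fn split(input: &mut (dyn io::Read + Sync + Send), prefix: &str)
             -> Result<()> {
    // We (ab)use the mapping feature to create byte-accurate dumps of
    // nested packets.
    let mut ppr =
        openpgp::parse::PacketParserBuilder::from_reader(input)?
        .map(true).build()?;

    // This encodes our position in the tree.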
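let mut pos = vec![0];

    while let PacketParserResult::Some(pp) = ppr {
        if let Some(ref map) = pp.map() {
            // <prefix><pos joined by "-">--[Unknown-]<tag>
            let filename = format!(
                "{}{}--{}{:?}", prefix,
                pos.iter().map(|n| format!("{}", n))
                    .collect::<Vec<_>>().join("-"),
                pp.packet.kind().map(|_| "").unwrap_or("Unknown-"),
                pp.packet.tag());
            // NOTE(review): `File::create` truncates an existing file.
            // The other commands on this page write through
            // `config.create_or_stdout_*`; confirm whether split is meant
            // to bypass the overwrite protection behind `--force`.
            let mut sink = File::create(filename)
                .context("Failed to create output file")?;

            // Write all the bytes.
            for field in map.iter() {
                sink.write_all(field.as_bytes())?;
            }
        }

        let old_depth = Some(pp.recursion_depth());
        ppr = pp.recurse()?.1;
        let new_depth = ppr.as_ref().map(|pp| pp.recursion_depth()).ok();

        // Update pos.
        match old_depth.cmp(&new_depth) {
            Ordering::Less => pos.push(0),
            Ordering::Equal => *pos.last_mut().unwrap() += 1,
            Ordering::Greater => {
                pos.pop();
            },
        }
    }
    Ok(())
}

/// Joins the given files.
///
/// All top-level packets of the inputs (or of stdin) are copied
/// byte-for-byte into one output. The armor kind comes from the "kind"
/// argument, or is detected from the first packet when none is given.
pub fn join(config: Config, m: &clap::ArgMatches) -> Result<()> {
    // Either we know what kind of armor we want to produce, or we
    // need to detect it using the first packet we see.
    let kind = parse_armor_kind(m.value_of("kind"));
    let output = m.value_of("output");
    let mut sink = if m.is_present("binary") {
        // No need for any auto-detection.
        Some(config.create_or_stdout_pgp(output,
                                         true, // Binary.
                                         armor::Kind::File)?)
    } else if let Some(kind) = kind {
        Some(config.create_or_stdout_pgp(output,
                                         false, // Armored.
                                         kind)?)
    } else {
        None // Defer.
    };

    /// Writes a bit-accurate copy of all top-level packets in PPR to
    /// OUTPUT.
    //
    // NOTE(review): the type argument of `sink` was lost in extraction;
    // `Message` is inferred from the value stored in it below -- confirm
    // against the upstream file.
    fn copy(config: &Config,
            mut ppr: PacketParserResult,
            output: Option<&str>,
            sink: &mut Option<Message>)
            -> Result<()> {
        while let PacketParserResult::Some(pp) = ppr {
            if sink.is_none() {
                // Autodetect using the first packet.
                let kind = match pp.packet {
                    Packet::Signature(_) => armor::Kind::Signature,
                    Packet::SecretKey(_) => armor::Kind::SecretKey,
                    Packet::PublicKey(_) => armor::Kind::PublicKey,
                    Packet::PKESK(_) | Packet::SKESK(_) =>
                        armor::Kind::Message,
                    _ => armor::Kind::File,
                };

                *sink = Some(config.create_or_stdout_pgp(output,
                                                           false, // Armored.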
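kind)?);
            }

            // We (ab)use the mapping feature to create byte-accurate
            // copies.
            for field in pp.map().expect("must be mapped").iter() {
                sink.as_mut().expect("initialized at this point")
                    .write_all(field.as_bytes())?;
            }

            ppr = pp.next()?.1;
        }
        Ok(())
    }

    if let Some(inputs) = m.values_of("input") {
        for name in inputs {
            let ppr =
                openpgp::parse::PacketParserBuilder::from_file(name)?
                .map(true).build()?;
            copy(&config, ppr, output, &mut sink)?;
        }
    } else {
        let ppr =
            openpgp::parse::PacketParserBuilder::from_reader(io::stdin())?
            .map(true).build()?;
        copy(&config, ppr, output, &mut sink)?;
    }

    // With a deferred armor kind the sink is only created by the first
    // packet. Inputs without any packet leave it unset; report that as
    // an error instead of panicking on `unwrap`.
    sink.ok_or_else(|| anyhow::anyhow!("No packets found in the input"))?
        .finalize()?;
    Ok(())
}
sequoia-sq-0.25.0/src/commands/net.rs010064400017500001750000000135411402044017700155750ustar 00000000000000//! Network services.

use anyhow::Context;

use sequoia_openpgp as openpgp;
use openpgp::{
    Result,
    KeyHandle,
    KeyID,
    Fingerprint,
    cert::{
        Cert,
        CertParser,
    },
    packet::{
        UserID,
    },
    parse::Parse,
    serialize::Serialize,
};
use sequoia_net as net;
use net::{
    KeyServer,
    wkd,
};

use crate::{
    Config,
    open_or_stdin,
    serialize_keyring,
};

/// Maps the "policy" argument to a `net::Policy`.
///
/// Panics if the argument is absent or is not one of the four names
/// below; the code expects the argument parser to supply a default and
/// to restrict the values.
fn parse_network_policy(m: &clap::ArgMatches) -> net::Policy {
    match m.value_of("policy").expect("has default value") {
        "offline" => net::Policy::Offline,
        "anonymized" => net::Policy::Anonymized,
        "encrypted" => net::Policy::Encrypted,
        "insecure" => net::Policy::Insecure,
        _ => unreachable!(),
    }
}

/// Runs the "get" and "send" keyserver subcommands against the server
/// named by the "server" argument, or keys.openpgp.org when none is
/// given.
///
/// NOTE(review): the type arguments of `handle` and of the two `parse`
/// calls were lost in extraction; they are restored from the patterns
/// matched right below and from this file's imports.
pub fn dispatch_keyserver(config: Config, m: &clap::ArgMatches) -> Result<()> {
    let network_policy = parse_network_policy(m);
    let mut ks = if let Some(uri) = m.value_of("server") {
        KeyServer::new(network_policy, &uri)
    } else {
        KeyServer::keys_openpgp_org(network_policy)
    }.context("Malformed keyserver URI")?;

    let mut rt = tokio::runtime::Builder::new()
        .basic_scheduler()
        .enable_io()
        .enable_time()
        .build()?;

    match m.subcommand() {
        ("get",  Some(m)) => {
            let query = m.value_of("query").unwrap();

            let handle: Option<KeyHandle> = {
                let q_fp = query.parse::<Fingerprint>();
                let q_id = query.parse::<KeyID>();
                if let Ok(Fingerprint::V4(_)) = q_fp {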
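q_fp.ok().map(Into::into)
                } else if let Ok(KeyID::V4(_)) = q_id {
                    // Build the handle from the key ID this branch just
                    // matched. The original converted `q_fp` here, so a
                    // key-ID query never produced a key-ID handle.
                    q_id.ok().map(Into::into)
                } else {
                    None
                }
            };

            if let Some(handle) = handle {
                let cert = rt.block_on(ks.get(handle))
                    .context("Failed to retrieve cert")?;

                let mut output =
                    config.create_or_stdout_safe(m.value_of("output"))?;
                if ! m.is_present("binary") {
                    cert.armored().serialize(&mut output)
                } else {
                    cert.serialize(&mut output)
                }.context("Failed to serialize cert")?;
            } else if let Ok(Some(addr)) = UserID::from(query).email() {
                // Not a fingerprint or key ID: fall back to a search by
                // email address.
                let certs = rt.block_on(ks.search(addr))
                    .context("Failed to retrieve certs")?;

                let mut output =
                    config.create_or_stdout_safe(m.value_of("output"))?;
                serialize_keyring(&mut output, &certs,
                                  m.is_present("binary"))?;
            } else {
                Err(anyhow::anyhow!(
                    "Query must be a fingerprint, a keyid, \
                     or an email address: {:?}", query))?;
            }
        },
        ("send",  Some(m)) => {
            let mut input = open_or_stdin(m.value_of("input"))?;
            let cert = Cert::from_reader(&mut input).
                context("Malformed key")?;

            rt.block_on(ks.send(&cert))
                .context("Failed to send key to server")?;
        },
        _ => unreachable!(),
    }

    Ok(())
}

/// Runs the "url", "get" and "generate" Web Key Directory subcommands.
pub fn dispatch_wkd(config: Config, m: &clap::ArgMatches) -> Result<()> {
    let network_policy = parse_network_policy(m);

    let mut rt = tokio::runtime::Builder::new()
        .basic_scheduler()
        .enable_io()
        .enable_time()
        .build()?;

    match m.subcommand() {
        ("url",  Some(m)) => {
            let email_address = m.value_of("input").unwrap();
            let wkd_url = wkd::Url::from(email_address)?;
            // XXX: Add other subcomand to specify whether it should be
            // created with the advanced or the direct method.
            let url = wkd_url.to_url(None)?;
            println!("{}", url);
        },
        ("get",  Some(m)) => {
            // Check that the policy allows https.
            network_policy.assert(net::Policy::Encrypted)?;

            let email_address = m.value_of("input").unwrap();
            // XXX: EmailAddress could be created here to
            // check it's a valid email address, print the error to
            // stderr and exit.
            // Because it might be created a WkdServer struct, not
            // doing it for now.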
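let certs = rt.block_on(wkd::get(&email_address))?;
            // ```text
            //     The HTTP GET method MUST return the binary representation of the
            //     OpenPGP key for the given mail address.
            // [draft-koch]: https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-07
            // ```
            // But to keep the parallelism with `store export` and `keyserver get`,
            // The output is armored if not `--binary` option is given.
            let mut output =
                config.create_or_stdout_safe(m.value_of("output"))?;
            serialize_keyring(&mut output, &certs,
                              m.is_present("binary"))?;
        },
        ("generate", Some(m)) => {
            let domain = m.value_of("domain").unwrap();
            let f = open_or_stdin(m.value_of("input"))?;
            let base_path =
                m.value_of("base_directory").expect("required");
            let variant = if m.is_present("direct_method") {
                wkd::Variant::Direct
            } else {
                wkd::Variant::Advanced
            };
            let parser = CertParser::from_reader(f)?;
            // Certificates that fail to parse are still skipped, but no
            // longer silently: the operator should know when a key from
            // the input did not make it into the directory.
            let certs: Vec<Cert> = parser.filter_map(|cert| match cert {
                Ok(cert) => Some(cert),
                Err(err) => {
                    eprintln!("Skipping malformed certificate: {}", err);
                    None
                },
            }).collect();
            for cert in certs {
                wkd::insert(&base_path, domain, variant, &cert)
                    .context(format!("Failed to generate the WKD in \
                                      {}.", base_path))?;
            }
        },
        _ => unreachable!(),
    }

    Ok(())
}
sequoia-sq-0.25.0/src/commands/sign.rs010064400017500001750000000340101402044017700157410ustar 00000000000000use anyhow::Context as _;
use std::fs;
use std::io;
use std::path::PathBuf;
use std::time::SystemTime;
use tempfile::NamedTempFile;

use sequoia_openpgp as openpgp;
use crate::openpgp::armor;
use crate::openpgp::{Packet, Result};
use crate::openpgp::packet::prelude::*;
use crate::openpgp::packet::signature::subpacket::NotationData;
use crate::openpgp::parse::{
    Parse,
    PacketParserResult,
};
use crate::openpgp::serialize::Serialize;
use crate::openpgp::serialize::stream::{
    Message, Armorer, Signer, LiteralWriter,
};
use crate::openpgp::types::SignatureType;
use crate::{
    Config,
};

/// Signs `input`, dispatching to `sign_data` or `sign_message`.
///
/// `sign_message` is used only for a non-detached signature with
/// `append` or `notarize` set; every other combination goes through
/// `sign_data`.
///
/// NOTE(review): the type arguments of `secrets` and `time` were lost in
/// extraction. `SystemTime` is taken from this file's imports; the
/// element type of `secrets` is inferred -- confirm against upstream.
pub fn sign(config: Config,
            input: &mut (dyn io::Read + Sync + Send),
            output_path: Option<&str>,
            secrets: Vec<openpgp::Cert>, detached: bool, binary: bool,
            append: bool, notarize: bool, time: Option<SystemTime>,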
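notations: &[(bool, NotationData)])
            -> Result<()> {
    match (detached, append|notarize) {
        (_, false) | (true, true) =>
            sign_data(config, input, output_path, secrets, detached, binary,
                      append, time, notations),
        (false, true) =>
            sign_message(config, input, output_path, secrets, binary, notarize,
                         time, notations),
    }
}

/// Signs `input` as data: a detached signature, or a new signed message
/// wrapping the data in a literal packet.
///
/// With `detached && append` and an output path, the signatures already
/// in that file are read first and written ahead of the new one. The
/// result goes to a temporary file in the same directory, which is
/// renamed over the old file once signing has succeeded.
///
/// NOTE(review): several type arguments in this function were lost in
/// extraction (`secrets`, `time`, the tuple annotation). They are
/// restored from this file's imports and from the values assigned --
/// confirm against upstream.
fn sign_data(config: Config,
             input: &mut dyn io::Read, output_path: Option<&str>,
             secrets: Vec<openpgp::Cert>, detached: bool, binary: bool,
             append: bool, time: Option<SystemTime>,
             notations: &[(bool, NotationData)])
             -> Result<()> {
    let (mut output, prepend_sigs, tmp_path):
    (Box<dyn io::Write + Sync + Send>, Vec<Signature>, Option<PathBuf>) =
        if detached && append && output_path.is_some() {
            // First, read the existing signatures.
            let mut sigs = Vec::new();
            let mut ppr =
                openpgp::parse::PacketParser::from_file(output_path.unwrap())?;

            while let PacketParserResult::Some(pp) = ppr {
                let (packet, ppr_tmp) = pp.recurse()?;
                ppr = ppr_tmp;

                match packet {
                    Packet::Signature(sig) => sigs.push(sig),
                    // Anything but signature packets means the file is
                    // not a detached signature; refuse to extend it.
                    p => return Err(
                        anyhow::anyhow!(
                            format!("{} in detached signature", p.tag()))
                            .context("Invalid detached signature").into()),
                }
            }

            // Then, create a temporary file to write to.  If we are
            // successful with adding our signature(s), we rename the
            // file replacing the old one.
            let tmp_file = NamedTempFile::new_in(
                PathBuf::from(output_path.unwrap()).parent()
                    .unwrap_or(&PathBuf::from(".")))?;
            let tmp_path = tmp_file.path().into();
            (Box::new(tmp_file), sigs, Some(tmp_path))
        } else {
            (config.create_or_stdout_safe(output_path)?, Vec::new(), None)
        };

    let mut keypairs = super::get_signing_keys(&secrets, &config.policy, time)?;
    if keypairs.is_empty() {
        return Err(anyhow::anyhow!("No signing keys found"));
    }

    // Stream an OpenPGP message.
    // The sink may be a NamedTempFile.  Carefully keep a reference so
    // that we can rename it.
    let mut message = Message::new(&mut output);
    if ! binary {
        message = Armorer::new(message)
            .kind(if detached {
                armor::Kind::Signature
            } else {
                armor::Kind::Message
            })
            .build()?;
    }

    // When extending a detached signature, prepend any existing
    // signatures first.
    for sig in prepend_sigs.into_iter() {
        Packet::Signature(sig).serialize(&mut message)?;
    }

    let mut builder = SignatureBuilder::new(SignatureType::Binary);
    for (critical, n) in notations.iter() {
        builder = builder.add_notation(
            n.name(),
            n.value(),
            Some(n.flags().clone()),
            *critical)?;
    }

    let mut signer = Signer::with_template(
        message, keypairs.pop().unwrap(), builder);
    if let Some(time) = time {
        signer = signer.creation_time(time);
    }
    for s in keypairs {
        signer = signer.add_signer(s);
    }
    if detached {
        signer = signer.detached();
    }
    let signer = signer.build().context("Failed to create signer")?;

    let mut writer = if detached {
        // Detached signatures do not need a literal data packet, just
        // hash the data as is.
        signer
    } else {
        // We want to wrap the data in a literal data packet.
        LiteralWriter::new(signer).build()
            .context("Failed to create literal writer")?
    };

    // Finally, copy stdin to our writer stack to sign the data.
    io::copy(input, &mut writer)
        .context("Failed to sign")?;

    writer.finalize()
        .context("Failed to sign")?;

    if let Some(path) = tmp_path {
        // Atomically replace the old file.
        fs::rename(path,
                   output_path.expect("must be Some if tmp_path is Some"))?;
    }
    Ok(())
}

/// Opens the output as an OpenPGP message sink, lets `sign_message_`
/// write the signed message into it and finalizes it.
fn sign_message(config: Config,
                input: &mut (dyn io::Read + Sync + Send),
                output_path: Option<&str>,
                secrets: Vec<openpgp::Cert>, binary: bool, notarize: bool,
                time: Option<SystemTime>,
                notations: &[(bool, NotationData)])
                -> Result<()> {
    let mut output =
        config.create_or_stdout_pgp(output_path,
                                    binary,
                                    armor::Kind::Message)?;
    sign_message_(config, input, &mut output, secrets, notarize,
                  time, notations)?;
    output.finalize()?;
    Ok(())
}

/// Re-emits the OpenPGP message read from `input` with our signature
/// added: next to the existing ones, or around them when `notarize` is
/// set.
fn sign_message_(config: Config,
                 input: &mut (dyn io::Read + Sync + Send),
                 output: &mut (dyn io::Write + Sync + Send),
                 secrets: Vec<openpgp::Cert>, notarize: bool,
                 time: Option<SystemTime>,
                 notations: &[(bool, NotationData)])
                 -> Result<()> {
    let mut keypairs = super::get_signing_keys(&secrets, &config.policy, time)?;
    if keypairs.is_empty() {
        return Err(anyhow::anyhow!("No signing keys found"));
    }

    let mut sink = Message::new(output);

    // Create a parser for the message to be notarized.
    let mut ppr
        = openpgp::parse::PacketParser::from_reader(input)
        .context("Failed to build parser")?;

    // Once we see a signature, we can no longer strip compression.
    let mut seen_signature = false;
    #[derive(PartialEq, Eq, Debug)]
    enum State {
        InFirstSigGroup,
        AfterFirstSigGroup,
        Signing {
            // Counts how many signatures are being notarized.  If
            // this drops to zero, we pop the signer from the stack.
            signature_count: isize,
        },
        Done,
    };
    let mut state =
        if ! notarize {
            State::InFirstSigGroup
        } else {
            // Pretend we have passed the first signature group so
            // that we put our signature first.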
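State::AfterFirstSigGroup
        };

    while let PacketParserResult::Some(mut pp) = ppr {
        // Reject input that can no longer be a well-formed message
        // before acting on the current packet.
        if let Err(err) = pp.possible_message() {
            return Err(err.context("Malformed OpenPGP message").into());
        }

        match pp.packet {
            Packet::PKESK(_) | Packet::SKESK(_) =>
                return Err(anyhow::anyhow!(
                    "Signing encrypted data is not implemented")),

            Packet::Literal(_) =>
                if let State::InFirstSigGroup = state {
                    // Cope with messages that have no signatures, or
                    // with a ops packet without the last flag.
                    state = State::AfterFirstSigGroup;
                },

            // To implement this, we'd need to stream the
            // compressed data packet inclusive framing, but
            // currently the partial body filter transparently
            // removes the framing.
            //
            // If you do implement this, there is a half-disabled test
            // in tests/sq-sign.rs.
            Packet::CompressedData(_) if seen_signature =>
                return Err(anyhow::anyhow!(
                    "Signing a compress-then-sign message is not implemented")),

            _ => (),
        }

        match state {
            State::AfterFirstSigGroup => {
                // After the first signature group, we push the signer
                // onto the writer stack.
                let mut builder = SignatureBuilder::new(SignatureType::Binary);
                for (critical, n) in notations.iter() {
                    builder = builder.add_notation(
                        n.name(),
                        n.value(),
                        Some(n.flags().clone()),
                        *critical)?;
                }

                let mut signer = Signer::with_template(
                    sink, keypairs.pop().unwrap(), builder);
                if let Some(time) = time {
                    signer = signer.creation_time(time);
                }
                for s in keypairs.drain(..) {
                    signer = signer.add_signer(s);
                }
                sink = signer.build().context("Failed to create signer")?;
                state = State::Signing { signature_count: 0, };
            },

            State::Signing { signature_count } if signature_count == 0 => {
                // All signatures that are being notarized are
                // written, pop the signer from the writer stack.
                sink = sink.finalize_one()
                    .context("Failed to sign data")?
                    .unwrap();
                state = State::Done;
            },

            _ => (),
        }

        if let Packet::Literal(_) = pp.packet {
            let l = if let Packet::Literal(l) = pp.packet.clone() {
                l
            } else {
                unreachable!()
            };
            // Create a literal writer to wrap the data in a literal
            // message packet.
            let mut literal = LiteralWriter::new(sink).format(l.format());
            if let Some(f) = l.filename() {
                literal = literal.filename(f)?;
            }
            if let Some(d) = l.date() {
                literal = literal.date(d)?;
            }

            let mut literal = literal.build()
                .context("Failed to create literal writer")?;

            // Finally, just copy all the data.
            io::copy(&mut pp, &mut literal)
                .context("Failed to sign data")?;

            // Pop the literal writer.
            sink = literal.finalize_one()
                .context("Failed to sign data")?
                .unwrap();
        }

        let (packet, ppr_tmp) = if seen_signature {
            // Once we see a signature, we can no longer strip
            // compression.
            pp.next()
        } else {
            pp.recurse()
        }.context("Parsing failed")?;
        ppr = ppr_tmp;

        match packet {
            Packet::OnePassSig(mut ops) => {
                let was_last = ops.last();
                match state {
                    State::InFirstSigGroup => {
                        // We want to append our signature here, hence
                        // we set last to false.
                        ops.set_last(false);

                        if was_last {
                            // The signature group ends here.
                            state = State::AfterFirstSigGroup;
                        }
                    },

                    State::Signing { ref mut signature_count } =>
                        *signature_count += 1,
                    _ => (),
                }

                Packet::OnePassSig(ops).serialize(&mut sink)?;
                seen_signature = true;
            },

            Packet::Signature(sig) => {
                Packet::Signature(sig).serialize(&mut sink)
                    .context("Failed to serialize")?;
                if let State::Signing { ref mut signature_count } = state {
                    *signature_count -= 1;
                }
            },
            _ => (),
        }
    }

    if let PacketParserResult::EOF(eof) = ppr {
        if let Err(err) = eof.is_message() {
            return Err(err.context("Malformed OpenPGP message").into());
        }
    } else {
        unreachable!()
    }

    // NOTE(review): both the assertion and the catch-all arm abort the
    // process rather than return an error. They run only after the
    // `is_message` check above; whether that check rules out every input
    // that could reach them is not visible here -- confirm.
    match state {
        State::Signing { signature_count } => {
            assert_eq!(signature_count, 0);
            sink.finalize()
                .context("Failed to sign data")?;
        },
        State::Done => (),
        _ => panic!("Unexpected state: {:?}", state),
    }

    Ok(())
}

/// Writes `input` to `output` as a cleartext-signed message, using a
/// text signature template that carries the given notations.
///
/// NOTE(review): the type arguments of `secrets` and `time` were lost in
/// extraction. `SystemTime` is taken from this file's imports; the
/// element type of `secrets` is inferred -- confirm against upstream.
pub fn clearsign(config: Config,
                 mut input: impl io::Read + Sync + Send,
                 mut output: impl io::Write + Sync + Send,
                 secrets: Vec<openpgp::Cert>,
                 time: Option<SystemTime>,
                 notations: &[(bool, NotationData)])
                 -> Result<()>
{
    let mut keypairs = super::get_signing_keys(&secrets, &config.policy, time)?;
    if keypairs.is_empty() {
        return Err(anyhow::anyhow!("No signing keys found"));
    }

    // Prepare a signature template.
    let mut builder = SignatureBuilder::new(SignatureType::Text);
    for (critical, n) in notations.iter() {
        builder = builder.add_notation(
            n.name(),
            n.value(),
            Some(n.flags().clone()),
            *critical)?;
    }

    let message = Message::new(&mut output);
    let mut signer = Signer::with_template(
        message, keypairs.pop().unwrap(), builder)
        .cleartext();
    if let Some(time) = time {
        signer = signer.creation_time(time);
    }
    for s in keypairs {
        signer = signer.add_signer(s);
    }
    let mut message = signer.build().context("Failed to create signer")?;

    // Finally, copy stdin to our writer stack to sign the data.
    io::copy(&mut input, &mut message)
        .context("Failed to sign")?;

    message.finalize()
        .context("Failed to sign")?;

    Ok(())
}
sequoia-sq-0.25.0/src/sq-usage.rs010064400017500001750000001266171402044017700147440ustar 00000000000000//!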
A command-line frontend for Sequoia.
//!
//! # Usage
//!
//! ```text
//! A command-line frontend for Sequoia, an implementation of OpenPGP
//!
//! Functionality is grouped and available using subcommands.  Currently,
//! this interface is completely stateless.  Therefore, you need to supply
//! all configuration and certificates explicitly on each invocation.
//!
//! OpenPGP data can be provided in binary or ASCII armored form.  This
//! will be handled automatically.  Emitted OpenPGP data is ASCII armored
//! by default.
//!
//! We use the term "certificate", or cert for short, to refer to OpenPGP
//! keys that do not contain secrets.  Conversely, we use the term "key"
//! to refer to OpenPGP keys that do contain secrets.
//!
//! USAGE:
//!     sq [FLAGS] [OPTIONS] <SUBCOMMAND>
//!
//! FLAGS:
//!     -f, --force
//!             Overwrites existing files
//!
//!     -h, --help
//!             Prints help information
//!
//!     -V, --version
//!             Prints version information
//!
//!
//! OPTIONS:
//!         --known-notation <NOTATION>...
//!             Adds NOTATION to the list of known notations. This is used when
//!             validating signatures. Signatures that have unknown notations with
//!             the critical bit set are considered invalid.
//!
//! SUBCOMMANDS:
//!     encrypt      Encrypts a message
//!     decrypt      Decrypts a message
//!     sign         Signs messages or data files
//!     verify       Verifies signed messages or detached signatures
//!     key          Manages keys
//!     keyring      Manages collections of keys or certs
//!     certify      Certifies a User ID for a Certificate
//!     autocrypt    Communicates certificates using Autocrypt
//!     keyserver    Interacts with keyservers
//!     wkd          Interacts with Web Key Directories
//!     armor        Converts binary to ASCII
//!     dearmor      Converts ASCII to binary
//!     inspect      Inspects data, like file(1)
//!     packet       Low-level packet manipulation
//!     help         Prints this message or the help of the given subcommand(s)
//! ```
//!
//! ## Subcommand encrypt
//!
//! ```text
//! Encrypts a message
//!
//! Encrypts a message for any number of recipients and with any number of
//!
passwords, optionally signing the message in the process.
//!
//! The converse operation is "sq decrypt".
//!
//! USAGE:
//!     sq encrypt [FLAGS] [OPTIONS] [--] [FILE]
//!
//! FLAGS:
//!     -B, --binary
//!             Emits binary data
//!
//!     -h, --help
//!             Prints help information
//!
//!     -s, --symmetric
//!             Adds a password to encrypt with.  The message can be decrypted with
//!             either one of the recipient's keys, or any password.
//!         --use-expired-subkey
//!             If a certificate has only expired encryption-capable subkeys, falls
//!             back to using the one that expired last
//!
//! OPTIONS:
//!         --compression
//!             Selects compression scheme to use [default: pad]  [possible values:
//!             none, pad, zip, zlib, bzip2]
//!         --mode
//!             Selects what kind of keys are considered for encryption.  Transport
//!             select subkeys marked as suitable for transport encryption, rest
//!             selects those for encrypting data at rest, and all selects all
//!             encryption-capable subkeys. [default: all]  [possible values:
//!             transport, rest, all]
//!     -o, --output <FILE>
//!             Writes to FILE or stdout if omitted
//!
//!         --recipient-cert <CERT-RING>...
//!             Encrypts for all recipients in CERT-RING
//!
//!         --signer-key <KEY>...
//!             Signs the message with KEY
//!
//!     -t, --time