Age | Commit message | Author |
|
- See #462.
|
- See #462.
|
- If looking up a binding signature fails, don't merely return None,
but an Err(_) that explains the lookup failure. For example, a
binding signature may be present, but it may not meet the policy.
- Fixes #460.
|
- Previously, we transformed data and detached signatures into
signed messages on the fly, then used the streaming Verifier to
verify the message. However, this introduces a nontrivial
overhead, even if unnecessary copies are carefully avoided.
- Instead, specialize the streaming Decryptor to handle detached
signatures. Use crypto::hash_buffered_reader to compute the
hashes over the data, then attach the computed signatures to the
signature packets, and use Decryptor's verification machinery.
- While this is arguably less elegant, it is much simpler, and a lot
faster. Notably, if we operate on files and can mmap them into
memory, we can compute the hash in one call to the compression
function. Verification of detached signatures is an important use
case, so this speedup outweighs the loss of elegance.
- Fixes #457.
|
This option marks the given notation name as good and known. This
affects the verification procedure, as unknown critical notations would
otherwise cause signature verification to fail.
Fixes #77.
|
- Use the anyhow crate instead of failure to implement the dynamic
side of our error handling. anyhow::Error derefs to dyn
std::error::Error, allowing better interoperability with other
stdlib-based error handling libraries.
- Fixes #444.
|
- In caa8e0df, we relaxed the dependency on colored as a way to more
flexibly constrain the MSRV. But colored was a transitive
dependency in the first place, and we wouldn't have required any
specific version of it if it wasn't present. We can let the
intermediate dependencies be responsible for the preferred minimum
version, rather than explicitly declaring it ourselves.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
- Change `KeyIter::subkeys` to return a `SubordinateKeyAmalgamation`
instead of a `KeyBundle`.
- Remove `KeyIter::skip_primary`. It does the same thing as
`KeyIter::subkeys`, but `KeyIter::subkeys` has a more accurate
type.
|
- A `ComponentAmalgamation` derefs to a `ComponentBundle`. Don't
use `ComponentAmalgamation::bundle` if it is unnecessary and
doesn't improve legibility.
|
- Introduce three KeyAmalgamation variants:
`PrimaryKeyAmalgamation`, `SubordinateKeyAmalgamation`, and
`ErasedKeyAmalgamation`.
- Unlike a `Key` or a `KeyBundle` with an `UnspecifiedRole`, an
`ErasedKeyAmalgamation` remembers its role. This means that an
`ErasedKeyAmalgamation` can implement the correct semantics even
though the role marker has been erased (hence the name).
- Have `Cert::keys` return `ErasedKeyAmalgamation`s. Recall:
`Cert::keys` can't return a more specific type, because it returns
an iterator that can contain both primary and subordinate keys.
- We use a concrete type instead of a trait object so that when
the user converts a `KeyAmalgamation` to a
`ValidKeyAmalgamation` (via `with_policy`), the
`ValidKeyAmalgamation` retains the type information about the
`KeyAmalgamation`'s role.
- Preserving this type information increases type safety for users
of this API.
|
- Add `openpgp/src/cert/prelude.rs` to import most types and traits
related to certificates.
- Use it instead of using the types and traits individually.
|
- SerializeInto::serialized_len() provides the same.
|
- Add the `bundle()` method to the Amalgamation trait instead of
implementing it on each struct.
|
- Split the ValidAmalgamation trait into two traits, Amalgamation
and ValidAmalgamation, so that the functionality made available by
the Amalgamation trait can be provided by a ComponentAmalgamation,
which doesn't have a policy.
|
- The Amalgamation trait only applies to ValidComponents. Rename it
accordingly.
|
- In eaaaf33dc15df65a7d34b9f436080e49f30f9715, colored was fixed to
1.9.1 "to keep our MSRV stable" presumably because 1.9.2 bumped
the version of rustc required. However, older versions of colored
still work to build. This was tested on Debian, which today has
1.6.1. It's possible that even earlier versions of colored work
as well, but this is all I've tested.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
- Split VerificationResult into Result<GoodChecksum,
VerificationError>.
- Fixes #416.
|
- We use marker traits to track with the type system if a Key has
secret key material attached. Previously, it was possible to
subvert that by taking the secret key material using
Key4::set_secret, creating a Key4<SecretParts, ..> without any
secrets.
- Related, the accessor functions returned an
Option<SecretKeyMaterial> even for Key4<SecretParts, ..>.
- Replace set_secret by add_secret and take_secret that also change
the Key's type accordingly. Make the accessors infallible if we
know we have a secret key, rename Key4<P, R>::secret to
Key4<P, R>::optional_secret to make the distinction clear.
- Fixes #435.
|
- Add a parameter to CipherSuite::add_subkey, which, if not None,
overrides the default cipher suite for that subkey.
- This makes it easier to create a key with, say, an ECC primary and
an RSA subkey.
|
- This seems very surprising.
|
- The certificate builder is a mid-level interface, and should
therefore use the more user-friendly way of specifying
expiration. Furthermore, with this interface we will be able to
support setting a new expiration in cases where the keys have
different creation times.
- See #429.
|
- The former is a misnomer inherited from the RFC: It is a
duration, not a point in time. 'Validity period' makes that
clear, and also emphasizes that the key or signature is valid
during that period.
- See #429.
|
- See #431.
|
- Move the autocrypt-related functionality to a new crate.
- Fixes #424.
|
- Fixes #427.
|
- Likewise KeyBinding, UserIDBinding, UserAttributeBinding,
UnknownBinding, etc.
- Reason: a self-signature on a component is a binding, but
revocations and TPSes are not bindings.
- Consistently call collections of components and associated
signatures bundles now. Likewise for fields, methods.
- Fixes #425.
|
- Change all functions that need to evaluate the validity of a
signature (either directly or indirectly) to take a policy object.
- Use the policy object to allow the user to place additional
constraints on a signature's validity.
- This addresses the first half of #274 (it introduces the policy
object, but does not yet implement any policy).
|
- Right now, 'sq inspect' skips keys that are not valid. This does
not display keys from the future, or keys with expired
self-signatures.
|