Support of basic command-line usage (CLI)

[ronaldtse]

Description

"must have full support" for @flowher:

For rnp:

-s, --sign make a signature
--verify verify a signature
-e, --encrypt encrypt data
-d, --decrypt decrypt data (default)
-c, --symmetric encryption only with symmetric cipher

Maybe in a separate CLI rnpk or rekey using librekey:

-k, --list-keys list keys
--generate-key generate a new key pair
--delete-keys remove keys from the public keyring
--delete-secret-keys remove keys from the secret keyring
--full-generate-key full featured key pair generation
--export export keys
--import import/merge keys

Steps to Reproduce

N/A.

Expected Behavior

All of the listed commands are working.

Actual Behavior

N/A.

[ronaldtse]

Feel free to add/modify the above list (with discussions).

[ni4]

@ronaldtse I agree on the list of high-level commands. However thinking now about required arguments for each of them, like hash algorithms, symmetric algorithms, key protection (S2K iterations/sym arg) and so on.

[ronaldtse]

Agree with @ni4's comment on elaborating out the details of CLI arguments. The other use case that was mentioned (I think @flowher and @ni4 ), but we didn't elaborate, is using rnp to simply encrypt a file using a passphrase. We should do it here.

[ni4]

For now I see the following commands and/or parameters. Some of the are not implemented, some of them may be renamed or not required right now. It is just to have the whole list. Discussion/comments are appreciated.

For rnp:

Following commands and configuration parameters should be supported:

-s, --sign sign a file or stdin. May be stacked with -e (to produce signed and encrypted data).
    [--signer] : signing key id or user id, may be multiple for multiple signing keys
    [--hash] : hash algorithm where it is applicable (mostly for RSA)
    [--duration] : signature validity duration, as 120d, 1y etc
    [--creationtime] : signature validity start
    [-z 0..9] : compression level for the stored data (not applicable for detached)
    [--zlib, --bzip, --zip] : compression algorithm selection
    [-a, --armour] : armored output
    [--detached] : produce detached signature
    [--cleartext] : treat input as the text and produce cleartext signature
    [--filename] : set the signed data filename to the specified value (for stdin signing or if out file name must be different from source)
    [--output] : output file name
    [--password] : password for the secret key
    [--pass-fd] : file descriptor for password input

--verify verify file’s/stdin’s signature. Also can be used to verify detached signature
--verify-cat verify signature and display output/save it to the file
    [--output] : output file name

-e, --encrypt encrypt data
    [--recipient] : recipient(s) key id or user id
    [--encalg] : encryption algorithm, i.e. ‘aes-256’ and so on
    [-z 0..9] : compression level for the stored data
    [--zlib, --bzip, --zip] : compression algorithm selection
    [-a, --armour] : armored output
    [--filename] : set the encrypted data filename to the specified value (for stdin signing or if out file name must be different from source)
    [--output] : output file name    

-d, --decrypt decrypt data (default)
-c, --symmetric encryption with password. May be stacked with -e. All parameters from -e, except --userid, apply.
    [--password] : password for symmetric encryption
    [--pass-fd] : file descriptor for password input

-j [--json] : batch/json input mode : input to the CLI is in JSON format where all commands and parameters are specified

For rnpkeys:

-k, --list-keys list keys

--generate-key generate a new key pair
    [--rsa, --dsa, --ecdsa, --eddsa] : choose key algorithm accordingly
    [--bits, --numbits] : number of key bits where applicable (RSA/DSA)
    [--curve] : curve for ECDSA
    [--password] : password for key encryption
    [--pass-fd] : file descriptor for password input
    [--hash] : hash algorithm for s2k
    [--iterations] : number of iterations for s2k
    [--subkey-bits] : number of bits in subkey
    [--userid] : user id of key owner
    [--expires] : key expiration time

--delete-keys remove keys with specified id/user id from the public keyring

--delete-secret-keys remove keys with specified id/user id from the secret keyring

--generate-interactive full featured (interactive) key pair generation

--export export keys

--import import/merge keys

--add-user-id add user id to the key

--add-subkey add subway to the key

--change-password change password of the key and/or s2k parameters

--sign-key sign public key with other key

--trust-key change public key trust parameters

-j [--json] : batch/json input mode : input to the CLI is in JSON format where all commands and parameters are specified

[dewyatt]

(Nitpick - I think we should stop using the terms birthtime and duration, and eventually purge them from the code. Instead, we should use what the RFC uses: creation time and expiration time.)

[ni4]

Completely agree on this. Created #329.

[ronaldtse]

• Since we have -z we should also allow selecting compression algorithms, such as bzip.
• Since we allow changing hashalg and encalg we should allow choice of asymmetric algorithm. (-e)

[ni4]

@ronaldtse Asymmetric algorithm is picked according to the key used, or what do you mean? Agree, adding compression algorithm selection to the comment.

[ronaldtse]

Ah you're right. I got confused with the userid argument 😉 . Maybe it should really have separate user-id and key-id arguments.

[ni4]

We can separate it so user-id will be used only in key context - generation, addition of user id. And for signing/encryption we may use signer and recipient. This would also help to distinguish keys when data is signed-and-encrypted. What do you think?

[ronaldtse]

I agree, the signer and recipient distinction is more clear for users, especially if they are combined with the key identification.

[ronaldtse]

The compression selection is also mentioned in #359 .

[ronaldtse]

@dewyatt @catap do the above command line options look good to you?

[dewyatt]

They look great to me.

[ronaldtse]

Thanks @dewyatt 👍

[catap]

Same for me!

[ronaldtse]

@ni4 could you help update the full list of commands according to https://github.com/riboseinc/rnp/issues/514 ? Then we can start implementing them. Thanks!