CHANGELOG.md

@@ -1,134 +1,3 @@
-# Keyfork v0.2.4
-
-This release includes a lot of "maintenance" changes, without any changes in
-end-user functionality.
-
-### Changes in keyfork:
-
-The most significant change in this release is the reorganization of some of
-the subcommands, where they would be better as enum-traits, such as `keyfork
-derive` and `keyfork wizard`.
-
-```
-b254ba7 cleanup post-merge
-58d3c34 Merge branch 'main' into ryansquared/staging-since-latest
-35f57fc Merge branch 'ryansquared/keyfork-mnemonic-refactors'
-a2eb5fd bump dependencies with listed vulnerabilities (not affected)
-5219c5a keyfork: enum-trait-ify choose-your-own commands
-b26f296 keyfork-derive-path-data: move all pathcrafting here
-35ab5e6 keyfork-mnemonic-util => keyfork-mnemonic
-f5627e5 keyfork-mnemonic-util: impl try_from_slice and from_array
-02e5b54 keyfork-mnemonic-util::generate_seed: return const size array
-```
-
-### Changes in keyfork-derive-openpgp:
-
-```
-b254ba7 cleanup post-merge
-35f57fc Merge branch 'ryansquared/keyfork-mnemonic-refactors'
-a2eb5fd bump dependencies with listed vulnerabilities (not affected)
-b26f296 keyfork-derive-path-data: move all pathcrafting here
-```
-
-### Changes in keyfork-derive-path-data:
-
-This change now centralizes all special Keyfork paths. This means crates should
-no longer be required to implement their own path parsing logic.
-
-```
-b26f296 keyfork-derive-path-data: move all pathcrafting here
-```
-
-### Changes in keyfork-derive-util:
-
-```
-35ab5e6 keyfork-mnemonic-util => keyfork-mnemonic
-```
-
-### Changes in keyfork-mnemonic:
-
-`keyfork-mnemonic-util` has finally been renamed to `keyfork-mnemonic`. The
-method names `as_bytes() => as_slice()`, `to_bytes() => to_vec()`, and
-`into_bytes() => into_vec()`, and the function names
-`from_bytes() => try_from_slice()` and
-`from_nonstandard_bytes() => from_array()`, have been implemented to more
-closely represent the native types they are representing. Additionally,
-`Mnemonic::generate_seed()` has been modified to return a constant size array;
-this is a breaking change, but should have minimal impact.
-
-```
-35ab5e6 keyfork-mnemonic-util => keyfork-mnemonic
-3ee81b6 keyfork-mnemonic-util: impl as_slice to_vec into_vec
-f5627e5 keyfork-mnemonic-util: impl try_from_slice and from_array
-02e5b54 keyfork-mnemonic-util::generate_seed: return const size array
-```
-
-### Changes in keyfork-prompt:
-
-```
-35ab5e6 keyfork-mnemonic-util => keyfork-mnemonic
-```
-
-### Changes in keyfork-shard:
-
-```
-58d3c34 Merge branch 'main' into ryansquared/staging-since-latest
-35ab5e6 keyfork-mnemonic-util => keyfork-mnemonic
-f5627e5 keyfork-mnemonic-util: impl try_from_slice and from_array
-```
-
-### Changes in keyforkd:
-
-```
-35ab5e6 keyfork-mnemonic-util => keyfork-mnemonic
-02e5b54 keyfork-mnemonic-util::generate_seed: return const size array
-536e6da keyforkd{,-client}: lots of documentationings
-```
-
-### Changes in keyforkd-client:
-
-```
-536e6da keyforkd{,-client}: lots of documentationings
-```
-
-# Keyfork v0.2.3
-
-This release includes a bugfix for the wizard where the wizard was too strict
-about when keys were "alive".
-
-### Changes in keyfork:
-
-```
-dd4354f keyfork: bump keyfork-shard
-```
-
-### Changes in keyfork-shard:
-
-```
-ba64db8 update Cargo.toml and Cargo.lock
-fa84a2a keyfork-shard: Be less strict about keys
-```
-
-# Keyfork v0.2.2
-
-This release adds a new wizard, intended to be used at DEFCON 32.
-
-### Changes in keyfork:
-
-```
-8d40d26 keyfork: add `bottoms-up` wizard
-```
-
-### Changes in keyfork-derive-openpgp:
-
-This change also includes a minor change, allowing the derivation path for
-`keyfork-derive-openpg` to derive further than two paths, which was useful in
-the testing of the wizard.
-
-```
-8d40d26 keyfork: add `bottoms-up` wizard
-```
-
 # Keyfork v0.2.1
 
 This release contains an emergency bugfix for Keyfork Shard, which previously

Cargo.toml

@@ -25,57 +25,6 @@ members = [
     "crates/util/smex",
 ]
 
-[workspace.dependencies]
-
-# Keyfork dependencies
-keyforkd = { version = "0.1.1", path = "crates/daemon/keyforkd", registry = "distrust", default-features = false }
-keyforkd-client = { version = "0.2.0", path = "crates/daemon/keyforkd-client", registry = "distrust", default-features = false }
-keyforkd-models = { version = "0.2.0", path = "crates/daemon/keyforkd-models", registry = "distrust", default-features = false }
-keyfork-derive-key = { version = "0.1.1", path = "crates/derive/keyfork-derive-key", registry = "distrust", default-features = false }
-keyfork-derive-openpgp = { version = "0.1.2", path = "crates/derive/keyfork-derive-openpgp", registry = "distrust", default-features = false }
-keyfork-derive-path-data = { version = "0.1.1", path = "crates/derive/keyfork-derive-path-data", registry = "distrust", default-features = false }
-keyfork-derive-util = { version = "0.2.0", path = "crates/derive/keyfork-derive-util", registry = "distrust", default-features = false }
-keyfork-shard = { version = "0.2.2", path = "crates/keyfork-shard", registry = "distrust", default-features = false }
-keyfork-qrcode = { version = "0.1.1", path = "crates/qrcode/keyfork-qrcode", registry = "distrust", default-features = false }
-keyfork-zbar = { version = "0.1.0", path = "crates/qrcode/keyfork-zbar", registry = "distrust", default-features = false }
-keyfork-zbar-sys = { version = "0.1.0", path = "crates/qrcode/keyfork-zbar-sys", registry = "distrust", default-features = false }
-keyfork-bin = { version = "0.1.0", path = "crates/util/keyfork-bin", registry = "distrust", default-features = false }
-keyfork-bug = { version = "0.1.0", path = "crates/util/keyfork-bug", registry = "distrust", default-features = false }
-keyfork-crossterm = { version = "0.27.1", path = "crates/util/keyfork-crossterm", registry = "distrust", default-features = false }
-keyfork-entropy = { version = "0.1.1", path = "crates/util/keyfork-entropy", registry = "distrust", default-features = false }
-keyfork-frame = { version = "0.1.0", path = "crates/util/keyfork-frame", registry = "distrust", default-features = false }
-keyfork-mnemonic = { version = "0.4.0", path = "crates/util/keyfork-mnemonic", registry = "distrust", default-features = false }
-keyfork-prompt = { version = "0.1.1", path = "crates/util/keyfork-prompt", registry = "distrust", default-features = false }
-keyfork-slip10-test-data = { version = "0.1.0", path = "crates/util/keyfork-slip10-test-data", registry = "distrust", default-features = false }
-smex = { version = "0.1.0", path = "crates/util/smex", registry = "distrust", default-features = false }
-
-# External dependencies
-
-# Cryptography
-ed25519-dalek = "2.1.1"
-hmac = "0.12.1"
-k256 = { version = "0.13.3", default-features = false, features = ["std"] }
-sha2 = "0.10.8"
-
-# OpenPGP
-card-backend-pcsc = "0.5.0"
-openpgp-card = { version = "0.4.1" }
-openpgp-card-sequoia = { version = "0.2.0", default-features = false }
-sequoia-openpgp = { version = "1.21.2", default-features = false, features = ["compression"] }
-
-# Serialization
-bincode = "1.3.3"
-serde = { version= "1.0.195", features = ["derive"] }
-serde_json = "1.0.111"
-
-# Misc.
-anyhow = "1.0.79"
-hex-literal = "0.4.1"
-image = { version = "0.25.2", default-features = false }
-thiserror = "1.0.56"
-tokio = "1.35.1"
-v4l = "0.14.0"
-
 [profile.dev.package.keyfork-qrcode]
 opt-level = 3
 debug = true

bacon.toml

@@ -1,92 +0,0 @@
-# This is a configuration file for the bacon tool
-#
-# Bacon repository: https://github.com/Canop/bacon
-# Complete help on configuration: https://dystroy.org/bacon/config/
-# You can also check bacon's own bacon.toml file
-#  as an example: https://github.com/Canop/bacon/blob/main/bacon.toml
-
-default_job = "check"
-
-[jobs.check]
-command = ["cargo", "check", "--color", "always"]
-need_stdout = false
-
-[jobs.check-all]
-command = ["cargo", "check", "--all-targets", "--color", "always"]
-need_stdout = false
-
-[jobs.clippy]
-command = [
-    "cargo", "clippy",
-    "--all-targets",
-    "--color", "always",
-]
-need_stdout = false
-
-[jobs.clippy-unwrap]
-command = [
-    "cargo", "clippy",
-    "--lib",
-    "--color", "always",
-    "--",
-    "-W",
-    "clippy::unwrap_used",
-    "-W",
-    "clippy::expect_used",
-]
-need_stdout = false
-
-# This job lets you run
-# - all tests: bacon test
-# - a specific test: bacon test -- config::test_default_files
-# - the tests of a package: bacon test -- -- -p config
-[jobs.test]
-command = [
-    "cargo", "test", "--color", "always",
-    "--", "--color", "always", # see https://github.com/Canop/bacon/issues/124
-]
-need_stdout = true
-
-[jobs.doc]
-command = ["cargo", "doc", "--color", "always", "--no-deps"]
-need_stdout = false
-
-# If the doc compiles, then it opens in your browser and bacon switches
-# to the previous job
-[jobs.doc-open]
-command = ["cargo", "doc", "--color", "always", "--no-deps", "--open"]
-need_stdout = false
-on_success = "back" # so that we don't open the browser at each change
-
-# You can run your application and have the result displayed in bacon,
-# *if* it makes sense for this crate.
-# Don't forget the `--color always` part or the errors won't be
-# properly parsed.
-# If your program never stops (eg a server), you may set `background`
-# to false to have the cargo run output immediately displayed instead
-# of waiting for program's end.
-[jobs.run]
-command = [
-    "cargo", "run",
-    "--color", "always",
-    # put launch parameters for your program behind a `--` separator
-]
-need_stdout = true
-allow_warnings = true
-background = true
-
-# This parameterized job runs the example of your choice, as soon
-# as the code compiles.
-# Call it as
-#    bacon ex -- my-example
-[jobs.ex]
-command = ["cargo", "run", "--color", "always", "--example"]
-need_stdout = true
-allow_warnings = true
-
-# You may define here keybindings that would be specific to
-# a project, for example a shortcut to launch a specific job.
-# Shortcuts to internal functions (scrolling, toggling, etc.)
-# should go in your personal global prefs.toml file instead.
-[keybindings]
-# alt-m = "job:my-job"

crates/daemon/keyforkd-client/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keyforkd-client"
-version = "0.2.1"
+version = "0.2.0"
 edition = "2021"
 license = "MIT"
 
@@ -12,14 +12,14 @@ ed25519 = ["keyfork-derive-util/ed25519", "ed25519-dalek"]
 secp256k1 = ["keyfork-derive-util/secp256k1", "k256"]
 
 [dependencies]
-keyfork-derive-util = { workspace = true, default-features = false }
-keyfork-frame = { workspace = true }
-keyforkd-models = { workspace = true }
-bincode = { workspace = true }
-thiserror = { workspace = true }
-k256 = { workspace = true, default-features = false, features = ["std"], optional = true }
-ed25519-dalek = { workspace = true, optional = true }
+keyfork-derive-util = { version = "0.2.0", path = "../../derive/keyfork-derive-util", default-features = false, registry = "distrust" }
+keyfork-frame = { version = "0.1.0", path = "../../util/keyfork-frame", registry = "distrust" }
+keyforkd-models = { version = "0.2.0", path = "../keyforkd-models", registry = "distrust" }
+bincode = "1.3.3"
+thiserror = "1.0.49"
+k256 = { version = "0.13.3", optional = true }
+ed25519-dalek = { version = "2.1.1", optional = true }
 
 [dev-dependencies]
-keyfork-slip10-test-data = { workspace = true }
-keyforkd = { workspace = true }
+keyfork-slip10-test-data = { path = "../../util/keyfork-slip10-test-data", registry = "distrust" }
+keyforkd = { path = "../keyforkd", registry = "distrust" }

crates/daemon/keyforkd-client/src/tests.rs

@@ -11,7 +11,7 @@ fn secp256k1_test_suite() {
 
     let tests = test_data()
         .unwrap()
-        .remove("secp256k1")
+        .remove(&"secp256k1".to_string())
         .unwrap();
 
     for seed_test in tests {
@@ -70,7 +70,7 @@ fn secp256k1_test_suite() {
 fn ed25519_test_suite() {
     use ed25519_dalek::SigningKey;
 
-    let tests = test_data().unwrap().remove("ed25519").unwrap();
+    let tests = test_data().unwrap().remove(&"ed25519".to_string()).unwrap();
 
     for seed_test in tests {
         let seed = seed_test.seed;

crates/daemon/keyforkd-models/Cargo.toml

@@ -7,6 +7,6 @@ license = "MIT"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-keyfork-derive-util = { workspace = true, default-features = false }
-serde = { workspace = true }
-thiserror = { workspace = true }
+keyfork-derive-util = { version = "0.2.0", path = "../../derive/keyfork-derive-util", default-features = false, registry = "distrust" }
+serde = { version = "1.0.190", features = ["derive"] }
+thiserror = "1.0.50"

crates/daemon/keyforkd/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keyforkd"
-version = "0.1.2"
+version = "0.1.1"
 edition = "2021"
 license = "AGPL-3.0-only"
 
@@ -12,28 +12,28 @@ tracing = ["tower/tracing", "tokio/tracing", "dep:tracing", "dep:tracing-subscri
 multithread = ["tokio/rt-multi-thread"]
 
 [dependencies]
-keyfork-bug = { workspace = true }
-keyfork-derive-util = { workspace = true }
-keyfork-frame = { workspace = true, features = ["async"] }
-keyfork-mnemonic = { workspace = true }
-keyfork-derive-path-data = { workspace = true }
-keyforkd-models = { workspace = true }
+keyfork-bug = { version = "0.1.0", path = "../../util/keyfork-bug", registry = "distrust" }
+keyfork-derive-util = { version = "0.2.0", path = "../../derive/keyfork-derive-util", registry = "distrust" }
+keyfork-frame = { version = "0.1.0", path = "../../util/keyfork-frame", features = ["async"], registry = "distrust" }
+keyfork-mnemonic = { version = "0.3.0", path = "../../util/keyfork-mnemonic", registry = "distrust" }
+keyfork-derive-path-data = { version = "0.1.0", path = "../../derive/keyfork-derive-path-data", registry = "distrust" }
+keyforkd-models = { version = "0.2.0", path = "../keyforkd-models", registry = "distrust" }
 
 # Not personally audited
-bincode = { workspace = true }
+bincode = "1.3.3"
 
 # Ecosystem trust, not personally audited
-tokio = { workspace = true, features = ["io-util", "macros", "rt", "io-std", "net", "fs", "signal"] }
+tokio = { version = "1.32.0", features = ["io-util", "macros", "rt", "io-std", "net", "fs", "signal"] }
 tracing = { version = "0.1.37", optional = true }
 tracing-error = { version = "0.2.0", optional = true }
 tracing-subscriber = { version = "0.3.17", optional = true, features = ["env-filter"] }
 tower = { version = "0.4.13", features = ["tokio", "util"] }
 
 # Personally audited
-thiserror = { workspace = true }
-serde = { workspace = true }
+thiserror = "1.0.47"
+serde = { version = "1.0.186", features = ["derive"] }
 tempfile = { version = "3.10.0", default-features = false }
 
 [dev-dependencies]
-hex-literal = { workspace = true }
-keyfork-slip10-test-data = { workspace = true }
+hex-literal = "0.4.1"
+keyfork-slip10-test-data = { path = "../../util/keyfork-slip10-test-data", registry = "distrust" }

crates/daemon/keyforkd/src/main.rs

@@ -1,4 +1,4 @@
-//! Launch the Keyfork Server from using a mnemonic passed through standard input.
+//!
 
 use keyfork_mnemonic::Mnemonic;
 

crates/daemon/keyforkd/src/service.rs

@@ -113,7 +113,7 @@ mod tests {
     async fn properly_derives_secp256k1() {
         let tests = test_data()
             .unwrap()
-            .remove("secp256k1")
+            .remove(&"secp256k1".to_string())
             .unwrap();
 
         for per_seed in tests {
@@ -146,7 +146,7 @@ mod tests {
 
     #[tokio::test]
     async fn properly_derives_ed25519() {
-        let tests = test_data().unwrap().remove("ed25519").unwrap();
+        let tests = test_data().unwrap().remove(&"ed25519".to_string()).unwrap();
 
         for per_seed in tests {
             let seed = &per_seed.seed;

crates/derive/keyfork-derive-age/Cargo.toml

@@ -1,16 +0,0 @@
-[package]
-name = "keyfork-derive-age"
-version = "0.1.0"
-edition = "2021"
-license = "AGPL-3.0-only"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[dependencies]
-keyfork-derive-util = { workspace = true, default-features = false, features = ["ed25519"] }
-keyforkd-client = { workspace = true }
-smex = { workspace = true }
-thiserror = "1.0.48"
-bech32 = "0.11.0"
-keyfork-derive-path-data = { workspace = true }
-ed25519-dalek = "2.1.1"

crates/derive/keyfork-derive-age/src/main.rs

@@ -1,69 +0,0 @@
-use std::{env, process::ExitCode, str::FromStr};
-
-use keyfork_derive_path_data::paths;
-use keyfork_derive_util::{DerivationPath, ExtendedPrivateKey, PathError};
-use keyforkd_client::Client;
-
-use ed25519_dalek::SigningKey;
-
-type XPrv = ExtendedPrivateKey<SigningKey>;
-
-/// Any error that can occur while deriving a key.
-#[derive(Debug, thiserror::Error)]
-pub enum Error {
-    /// The given path could not be parsed.
-    #[error("Could not parse the given path: {0}")]
-    PathFormat(#[from] PathError),
-
-    /// The request to derive data failed.
-    #[error("Unable to perform key derivation request: {0}")]
-    KeyforkdClient(#[from] keyforkd_client::Error),
-}
-
-#[allow(missing_docs)]
-pub type Result<T, E = Error> = std::result::Result<T, E>;
-
-fn validate(path: &str) -> Result<DerivationPath> {
-    let index = paths::AGE.inner().first().unwrap();
-
-    let path = DerivationPath::from_str(path)?;
-    assert!(
-        path.len() >= 2,
-        "Expected path of at least m/{index}/account_id'"
-    );
-
-    let given_index = path.iter().next().expect("checked .len() above");
-    assert_eq!(
-        index, given_index,
-        "Expected derivation path starting with m/{index}, got: {given_index}",
-    );
-
-    Ok(path)
-}
-
-fn run() -> Result<(), Box<dyn std::error::Error>> {
-    let mut args = env::args();
-    let program_name = args.next().expect("program name");
-    let args = args.collect::<Vec<_>>();
-    let path = match args.as_slice() {
-        [path] => validate(path)?,
-        _ => panic!("Usage: {program_name} path"),
-    };
-
-    let mut client = Client::discover_socket()?;
-    // TODO: should this key be clamped to Curve25519 specs?
-    let xprv: XPrv = client.request_xprv(&path)?;
-    let hrp = bech32::Hrp::parse("AGE-SECRET-KEY-")?;
-    let age_key = bech32::encode::<bech32::Bech32>(hrp, &xprv.private_key().to_bytes())?;
-    println!("{}", age_key.to_uppercase());
-    Ok(())
-}
-
-fn main() -> ExitCode {
-    if let Err(e) = run() {
-        eprintln!("Error: {e}");
-        ExitCode::FAILURE
-    } else {
-        ExitCode::SUCCESS
-    }
-}

crates/derive/keyfork-derive-key/Cargo.toml

@@ -7,7 +7,7 @@ license = "AGPL-3.0-only"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-keyfork-derive-util = { workspace = true }
-keyforkd-client = { workspace = true }
-smex = { workspace = true }
-thiserror = { workspace = true }
+keyfork-derive-util = { version = "0.2.0", path = "../keyfork-derive-util", registry = "distrust" }
+keyforkd-client = { version = "0.2.0", path = "../../daemon/keyforkd-client", registry = "distrust" }
+smex = { version = "0.1.0", path = "../../util/smex", registry = "distrust" }
+thiserror = "1.0.48"

crates/derive/keyfork-derive-key/src/main.rs

@@ -1,4 +1,4 @@
-//! Query the Keyfork Server to generate a hex-encoded key for a given algorithm.
+//!
 
 use std::{env, process::ExitCode, str::FromStr};
 

crates/derive/keyfork-derive-openpgp/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keyfork-derive-openpgp"
-version = "0.1.3"
+version = "0.1.2"
 edition = "2021"
 license = "AGPL-3.0-only"
 
@@ -10,10 +10,10 @@ default = ["bin"]
 bin = ["sequoia-openpgp/crypto-nettle"]
 
 [dependencies]
-keyfork-derive-util = { workspace = true, default-features = false, features = ["ed25519"] }
-keyforkd-client = { workspace = true, default-features = false, features = ["ed25519"] }
-ed25519-dalek = { workspace = true }
-sequoia-openpgp = { workspace = true }
-anyhow = { workspace = true }
-thiserror = { workspace = true }
-keyfork-derive-path-data = { workspace = true }
+keyfork-derive-util = { version = "0.2.0", path = "../keyfork-derive-util", default-features = false, features = ["ed25519"], registry = "distrust" }
+keyforkd-client = { version = "0.2.0", path = "../../daemon/keyforkd-client", default-features = false, features = ["ed25519"], registry = "distrust" }
+ed25519-dalek = "2.0.0"
+sequoia-openpgp = { version = "1.17.0", default-features = false }
+anyhow = "1.0.75"
+thiserror = "1.0.49"
+keyfork-derive-path-data = { version = "0.1.1", path = "../keyfork-derive-path-data" }

crates/derive/keyfork-derive-openpgp/src/lib.rs

@@ -19,14 +19,8 @@ use sequoia_openpgp::{
     Cert, Packet,
 };
 
-// TODO: this key type is actually _not_ the extended private key, so it should be renamed
-// something like Prv or PrvKey.
-
-/// The private key type used with OpenPGP.
 pub type XPrvKey = SigningKey;
-
-/// The extended private key type used with OpenPGP.
-pub type XPrv = ExtendedPrivateKey<XPrvKey>;
+pub type XPrv = ExtendedPrivateKey<SigningKey>;
 
 /// An error occurred while creating an OpenPGP key.
 #[derive(Debug, thiserror::Error)]

crates/derive/keyfork-derive-openpgp/src/main.rs

@@ -1,8 +1,8 @@
-//! Query the Keyfork Servre to derive an OpenPGP Secret Key.
+//!
 
 use std::{env, process::ExitCode, str::FromStr};
 
-use keyfork_derive_util::DerivationPath;
+use keyfork_derive_util::{DerivationIndex, DerivationPath};
 use keyfork_derive_path_data::paths;
 use keyforkd_client::Client;
 

crates/derive/keyfork-derive-path-data/Cargo.toml

@@ -1,11 +1,11 @@
 [package]
 name = "keyfork-derive-path-data"
-version = "0.1.2"
+version = "0.1.1"
 edition = "2021"
 license = "MIT"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-keyfork-derive-util = { workspace = true, default-features = false }
+keyfork-derive-util = { version = "0.2.0", path = "../keyfork-derive-util", default-features = false, registry = "distrust" }
 once_cell = "1.19.0"

crates/derive/keyfork-derive-path-data/src/lib.rs

@@ -6,7 +6,6 @@ use once_cell::sync::Lazy;
 
 use keyfork_derive_util::{DerivationIndex, DerivationPath};
 
-/// All common paths for key derivation.
 pub mod paths {
     use super::*;
 

crates/derive/keyfork-derive-util/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keyfork-derive-util"
-version = "0.2.1"
+version = "0.2.0"
 edition = "2021"
 license = "MIT"
 
@@ -12,25 +12,25 @@ secp256k1 = ["k256"]
 ed25519 = ["ed25519-dalek"]
 
 [dependencies]
-keyfork-mnemonic = { workspace = true }
-keyfork-bug = { workspace = true }
+keyfork-mnemonic = { version = "0.3.0", path = "../../util/keyfork-mnemonic", registry = "distrust" }
+keyfork-bug = { version = "0.1.0", path = "../../util/keyfork-bug", registry = "distrust" }
 
 # Included in Rust
 digest = "0.10.7"
-sha2 = { workspace = true }
+sha2 = "0.10.7"
 
 # Rust-Crypto ecosystem, not personally audited
 ripemd = "0.1.3"
-hmac = { workspace = true, features = ["std"] }
+hmac = { version = "0.12.1", features = ["std"] }
 
 # Personally audited
-serde = { workspace = true }
-thiserror = { workspace = true }
+serde = { version = "1.0.186", features = ["derive"] }
+thiserror = "1.0.47"
 
 # Optional, not personally audited
-k256 = { workspace = true, default-features = false, features = ["std", "arithmetic"], optional = true }
-ed25519-dalek = { workspace = true, optional = true }
+k256 = { version = "0.13.1", default-features = false, features = ["std", "arithmetic"], optional = true }
+ed25519-dalek = { version = "2.0.0", optional = true }
 
 [dev-dependencies]
-hex-literal = { workspace = true }
-keyfork-slip10-test-data = { workspace = true }
+hex-literal = "0.4.1"
+keyfork-slip10-test-data = { version = "0.1.0", path = "../../util/keyfork-slip10-test-data", registry = "distrust" }

crates/derive/keyfork-derive-util/src/extended_key/mod.rs

@@ -41,9 +41,9 @@
 //! }
 //! ```
 
-#[allow(missing_docs)]
+///
 pub mod private_key;
-#[allow(missing_docs)]
+///
 pub mod public_key;
 
 pub use {private_key::ExtendedPrivateKey, public_key::ExtendedPublicKey};

crates/derive/keyfork-derive-util/src/tests.rs

@@ -15,7 +15,7 @@ fn secp256k1() {
 
     let tests = test_data()
         .unwrap()
-        .remove("secp256k1")
+        .remove(&"secp256k1".to_string())
         .unwrap();
 
     for per_seed in tests {
@@ -62,7 +62,7 @@ fn secp256k1() {
 fn ed25519() {
     use ed25519_dalek::SigningKey;
 
-    let tests = test_data().unwrap().remove("ed25519").unwrap();
+    let tests = test_data().unwrap().remove(&"ed25519".to_string()).unwrap();
 
     for per_seed in tests {
         let seed = &per_seed.seed;

crates/keyfork-shard/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keyfork-shard"
-version = "0.2.3"
+version = "0.2.1"
 edition = "2021"
 license = "AGPL-3.0-only"
 
@@ -14,27 +14,27 @@ openpgp-card = ["openpgp-card-sequoia", "card-backend-pcsc", "card-backend", "de
 qrcode = ["keyfork-qrcode"]
 
 [dependencies]
-keyfork-bug = { workspace = true }
-keyfork-prompt = { workspace = true, default-features = false, features = ["mnemonic"] }
-keyfork-qrcode = { workspace = true, optional = true, default-features = false }
-smex = { workspace = true }
+keyfork-bug = { version = "0.1.0", path = "../util/keyfork-bug", registry = "distrust" }
+keyfork-prompt = { version = "0.1.1", path = "../util/keyfork-prompt", default-features = false, features = ["mnemonic"], registry = "distrust" }
+keyfork-qrcode = { version = "0.1.1", path = "../qrcode/keyfork-qrcode", optional = true, default-features = false, registry = "distrust" }
+smex = { version = "0.1.0", path = "../util/smex", registry = "distrust" }
 
 sharks = "0.5.0"
-thiserror = { workspace = true }
+thiserror = "1.0.50"
 
 # Remote operator mode
-keyfork-mnemonic = { workspace = true }
+keyfork-mnemonic = { version = "0.3.0", path = "../util/keyfork-mnemonic", registry = "distrust" }
 x25519-dalek = { version = "2.0.0", features = ["getrandom"] }
 aes-gcm = { version = "0.10.3", features = ["std"] }
 hkdf = { version = "0.12.4", features = ["std"] }
-sha2 = { workspace = true }
+sha2 = "0.10.8"
 
 # OpenPGP
-keyfork-derive-openpgp = { workspace = true, default-features = false }
-anyhow = { workspace = true, optional = true }
+keyfork-derive-openpgp = { version = "0.1.0", path = "../derive/keyfork-derive-openpgp", default-features = false, registry = "distrust" }
+anyhow = { version = "1.0.79", optional = true }
 card-backend = { version = "0.2.0", optional = true }
-card-backend-pcsc = { workspace = true, optional = true }
-openpgp-card-sequoia = { workspace = true, optional = true }
-openpgp-card = { workspace = true, optional = true }
-sequoia-openpgp = { workspace = true, optional = true }
+card-backend-pcsc = { version = "0.5.0", optional = true }
+openpgp-card-sequoia = { version = "0.2.0", optional = true, default-features = false }
+openpgp-card = { version = "0.4.0", optional = true }
+sequoia-openpgp = { version = "1.17.0", optional = true, default-features = false }
 base64 = "0.22.0"

crates/keyfork-shard/src/bin/keyfork-shard-combine-openpgp.rs

@@ -1,4 +1,4 @@
-//! Combine OpenPGP shards and output the hex-encoded secret.
+//!
 
 use std::{
     env,

crates/keyfork-shard/src/bin/keyfork-shard-decrypt-openpgp.rs

@@ -1,4 +1,4 @@
-//! Decrypt a single OpenPGP shard and encapsulate it for remote transport.
+//!
 
 use std::{
     env,

crates/keyfork-shard/src/bin/keyfork-shard-remote.rs

@@ -1,4 +1,4 @@
-//! Combine OpenPGP shards using remote transport and output the hex-encoded secret.
+//!
 
 use std::{
     env,

crates/keyfork-shard/src/bin/keyfork-shard-split-openpgp.rs

@@ -1,4 +1,4 @@
-//! Split a hex-encoded secret into OpenPGP shards
+//!
 
 use std::{env, path::PathBuf, process::ExitCode, str::FromStr};
 

crates/keyfork-shard/src/openpgp.rs

@@ -25,7 +25,7 @@ use openpgp::{
         stream::{DecryptionHelper, DecryptorBuilder, VerificationHelper},
         Parse,
     },
-    policy::{NullPolicy, StandardPolicy, Policy},
+    policy::{NullPolicy, Policy, StandardPolicy},
     serialize::{
         stream::{ArbitraryWriter, Encryptor2, LiteralWriter, Message, Recipient, Signer},
         Marshal,
@@ -77,10 +77,6 @@ pub enum Error {
     /// An IO error occurred.
     #[error("IO error: {0}")]
     Io(#[source] std::io::Error),
-
-    /// No valid keys were found for the given recipient.
-    #[error("No valid keys were found for the recipient {0}")]
-    NoValidKeys(KeyID),
 }
 
 #[allow(missing_docs)]
@@ -185,7 +181,7 @@ impl EncryptedMessage {
     }
 }
 
-/// Encoding and decoding shards using OpenPGP.
+///
 pub struct OpenPGP<P: PromptHandler> {
     p: PhantomData<P>,
 }
@@ -243,13 +239,6 @@ impl<P: PromptHandler> OpenPGP<P> {
                 certs.insert(certfp, cert);
             }
         }
-        for cert in certs.values() {
-            let policy = StandardPolicy::new();
-            let valid_cert = cert.with_policy(&policy, None).map_err(Error::Sequoia)?;
-            if get_encryption_keys(&valid_cert).next().is_none() {
-                return Err(Error::NoValidKeys(valid_cert.keyid()))
-            }
-        }
         Ok(certs.into_values().collect())
     }
 }
@@ -588,8 +577,7 @@ fn get_encryption_keys<'a>(
     openpgp::packet::key::UnspecifiedRole,
 > {
     cert.keys()
-        // NOTE: this causes complications on Airgap systems
-        // .alive()
+        .alive()
         .revoked(false)
         .supported()
         .for_storage_encryption()

crates/keyfork/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keyfork"
-version = "0.2.4"
+version = "0.2.2"
 edition = "2021"
 license = "AGPL-3.0-only"
 
@@ -23,25 +23,25 @@ sequoia-crypto-backend-openssl = ["sequoia-openpgp/crypto-openssl"]
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-keyfork-bin = { workspace = true }
-keyforkd = { workspace = true, features = ["tracing"] }
-keyforkd-client = { workspace = true, default-features = false, features = ["ed25519"] }
-keyfork-derive-util = { workspace = true, default-features = true }
-keyfork-derive-openpgp = { workspace = true }
-keyfork-derive-path-data = { workspace = true }
-keyfork-entropy = { workspace = true }
-keyfork-mnemonic = { workspace = true }
-keyfork-prompt = { workspace = true }
-keyfork-qrcode = { workspace = true, default-features = false }
-keyfork-shard = { workspace = true, default-features = false, features = ["openpgp", "openpgp-card", "qrcode"] }
-smex = { workspace = true }
+keyfork-bin = { version = "0.1.0", path = "../util/keyfork-bin", registry = "distrust" }
+keyforkd = { version = "0.1.0", path = "../daemon/keyforkd", features = ["tracing"], registry = "distrust" }
+keyforkd-client = { version = "0.2.0", path = "../daemon/keyforkd-client", default-features = false, features = ["ed25519"], registry = "distrust" }
+keyfork-derive-openpgp = { version = "0.1.1", path = "../derive/keyfork-derive-openpgp", registry = "distrust" }
+keyfork-derive-util = { version = "0.2.0", path = "../derive/keyfork-derive-util", default-features = false, features = ["ed25519"], registry = "distrust" }
+keyfork-entropy = { version = "0.1.0", path = "../util/keyfork-entropy", registry = "distrust" }
+keyfork-mnemonic = { version = "0.3.0", path = "../util/keyfork-mnemonic", registry = "distrust" }
+keyfork-prompt = { version = "0.1.0", path = "../util/keyfork-prompt", registry = "distrust" }
+keyfork-qrcode = { version = "0.1.0", path = "../qrcode/keyfork-qrcode", default-features = false, registry = "distrust" }
+keyfork-shard = { version = "0.2.0", path = "../keyfork-shard", default-features = false, features = ["openpgp", "openpgp-card", "qrcode"], registry = "distrust" }
+smex = { version = "0.1.0", path = "../util/smex", registry = "distrust" }
 
 clap = { version = "4.4.2", features = ["derive", "env", "wrap_help"] }
-thiserror = { workspace = true }
-serde = { workspace = true }
-tokio = { workspace = true, features = ["rt-multi-thread"] }
-card-backend-pcsc = { workspace = true }
-openpgp-card-sequoia = { workspace = true }
-openpgp-card = { workspace = true }
+thiserror = "1.0.48"
+serde = { version = "1.0.192", features = ["derive"] }
+tokio = { version = "1.35.1", default-features = false, features = ["rt-multi-thread"] }
+card-backend-pcsc = "0.5.0"
+openpgp-card-sequoia = { version = "0.2.0", default-features = false }
+openpgp-card = "0.4.1"
 clap_complete = { version = "4.4.6", optional = true }
-sequoia-openpgp = { workspace = true }
+sequoia-openpgp = { version = "1.17.0", default-features = false, features = ["compression"] }
+keyfork-derive-path-data = { version = "0.1.1", path = "../derive/keyfork-derive-path-data" }

crates/keyfork/src/cli/derive.rs

@@ -10,7 +10,7 @@ use keyfork_derive_openpgp::{
     },
     XPrvKey,
 };
-use keyfork_derive_util::DerivationIndex;
+use keyfork_derive_util::{DerivationIndex, DerivationPath};
 use keyfork_derive_path_data::paths;
 use keyforkd_client::Client;
 

crates/keyfork/src/cli/wizard.rs

@@ -17,7 +17,7 @@ use keyfork_derive_openpgp::{
     XPrv,
 };
 use keyfork_derive_path_data::paths;
-use keyfork_derive_util::DerivationIndex;
+use keyfork_derive_util::{DerivationIndex, DerivationPath};
 use keyfork_mnemonic::Mnemonic;
 use keyfork_prompt::{
     default_terminal,

crates/qrcode/keyfork-qrcode/Cargo.toml

@@ -14,9 +14,9 @@ decode-backend-rqrr = ["dep:rqrr"]
 decode-backend-zbar = ["dep:keyfork-zbar"]
 
 [dependencies]
-keyfork-bug = { workspace = true }
-keyfork-zbar = { workspace = true, optional = true }
-image = { workspace = true, default-features = false, features = ["jpeg"] }
-rqrr = { version = "0.7.0", optional = true }
-thiserror = { workspace = true }
-v4l = { workspace = true }
+keyfork-bug = { version = "0.1.0", path = "../../util/keyfork-bug", registry = "distrust" }
+keyfork-zbar = { version = "0.1.0", path = "../keyfork-zbar", optional = true, registry = "distrust" }
+image = { version = "0.24.7", default-features = false, features = ["jpeg"] }
+rqrr = { version = "0.6.0", optional = true }
+thiserror = "1.0.56"
+v4l = "0.14.0"

crates/qrcode/keyfork-qrcode/src/bin/keyfork-qrcode-scan.rs

@@ -1,4 +1,4 @@
-#![allow(missing_docs)]
+//!
 
 use std::time::Duration;
 

crates/qrcode/keyfork-qrcode/src/lib.rs

@@ -2,7 +2,7 @@
 
 use keyfork_bug as bug;
 
-use image::ImageReader;
+use image::io::Reader as ImageReader;
 use std::{
     io::{Cursor, Write},
     time::{Duration, Instant},
@@ -103,11 +103,6 @@ pub fn qrencode(
 const VIDEO_FORMAT_READ_ERROR: &str = "Failed to read video device format";
 
 /// Continuously scan the `index`-th camera for a QR code.
-///
-/// # Errors
-///
-/// The function may return an error if the hardware is unable to scan video or if an image could
-/// not be decoded.
 #[cfg(feature = "decode-backend-rqrr")]
 pub fn scan_camera(timeout: Duration, index: usize) -> Result<Option<String>, QRCodeScanError> {
     let device = Device::new(index)?;
@@ -138,11 +133,6 @@ pub fn scan_camera(timeout: Duration, index: usize) -> Result<Option<String>, QR
 }
 
 /// Continuously scan the `index`-th camera for a QR code.
-///
-/// # Errors
-///
-/// The function may return an error if the hardware is unable to scan video or if an image could
-/// not be decoded.
 #[cfg(feature = "decode-backend-zbar")]
 pub fn scan_camera(timeout: Duration, index: usize) -> Result<Option<String>, QRCodeScanError> {
     let device = Device::new(index)?;

crates/qrcode/keyfork-zbar/Cargo.toml

@@ -13,9 +13,9 @@ bin = ["image"]
 image = ["dep:image"]
 
 [dependencies]
-keyfork-zbar-sys = { workspace = true }
-image = { workspace = true, default-features = false, optional = true }
-thiserror = { workspace = true }
+keyfork-zbar-sys = { version = "0.1.0", path = "../keyfork-zbar-sys", registry = "distrust" }
+image = { version = "0.24.7", default-features = false, optional = true }
+thiserror = "1.0.56"
 
 [dev-dependencies]
-v4l = { workspace = true }
+v4l = "0.14.0"

crates/qrcode/keyfork-zbar/examples/v4l-scan.rs

@@ -33,7 +33,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
                 .decode()?,
         );
 
-        if let Some(symbol) = scanner.scan_image(&image).first() {
+        if let Some(symbol) = scanner.scan_image(&image).get(0) {
             println!("{}", String::from_utf8_lossy(symbol.data()));
             return Ok(());
         }

crates/qrcode/keyfork-zbar/src/symbol.rs

@@ -1,4 +1,4 @@
-//! A Symbol represents some form of encoded data.
+//!
 
 use super::sys;
 

crates/util/keyfork-bin/Cargo.toml

@@ -9,4 +9,4 @@ license = "MIT"
 [dependencies]
 
 [dev-dependencies]
-anyhow = { workspace = true }
+anyhow = "1.0.79"

crates/util/keyfork-crossterm/Cargo.toml

@@ -55,16 +55,16 @@ crossterm_winapi = { version = "0.9.1", optional = true }
 libc = "0.2"
 signal-hook = { version = "0.3.17", optional = true }
 filedescriptor = { version = "0.8", optional = true }
-mio = { version = "1.0", features = ["os-poll"], optional = true }
-signal-hook-mio = { version = "0.2.3", features = ["support-v1_0"], optional = true }
+mio = { version = "0.8", features = ["os-poll"], optional = true }
+signal-hook-mio = { version = "0.2.3", features = ["support-v0_8"], optional = true }
 
 # Dev dependencies (examples, ...)
 [dev-dependencies]
-tokio = { workspace = true, features = ["full"] }
+tokio = { version = "1.25", features = ["full"] }
 futures = "0.3"
 futures-timer = "3.0"
 async-std = "1.12"
-serde_json = { workspace = true }
+serde_json = "1.0"
 serial_test = "2.0.0"
 
 # Examples

crates/util/keyfork-crossterm/examples/is_tty.rs

@@ -1,4 +1,4 @@
-#![allow(missing_docs)]
+//!
 
 use keyfork_crossterm::{
     execute,

crates/util/keyfork-crossterm/src/event/source/unix/mio.rs

@@ -1,7 +1,7 @@
 use std::{collections::VecDeque, io, time::Duration};
 
 use mio::{unix::SourceFd, Events, Interest, Poll, Token};
-use signal_hook_mio::v1_0::Signals;
+use signal_hook_mio::v0_8::Signals;
 
 #[cfg(feature = "event-stream")]
 use crate::event::sys::Waker;

crates/util/keyfork-entropy/Cargo.toml

@@ -11,5 +11,5 @@ default = ["bin"]
 bin = ["smex"]
 
 [dependencies]
-keyfork-bug = { workspace = true }
-smex = { workspace = true, optional = true }
+keyfork-bug = { version = "0.1.0", path = "../keyfork-bug", registry = "distrust" }
+smex = { version = "0.1.0", path = "../smex", optional = true, registry = "distrust" }

crates/util/keyfork-entropy/src/main.rs

@@ -1,4 +1,4 @@
-//! Generate entropy of a given size, encoded as hex.
+//!
 
 fn main() -> Result<(), Box<dyn std::error::Error>> {
     let bit_size: usize = std::env::args()

crates/util/keyfork-frame/Cargo.toml

@@ -12,13 +12,13 @@ async = ["dep:tokio"]
 
 [dependencies]
 # Included in Rust
-sha2 = { workspace = true }
+sha2 = "0.10.7"
 
 # Personally audited
-thiserror = { workspace = true }
+thiserror = "1.0.47"
 
 # Optional, not personally audited
-tokio = { workspace = true, optional = true, features = ["io-util"] }
+tokio = { version = "1.32.0", optional = true, features = ["io-util"] }
 
 [dev-dependencies]
 insta = "1.31.0"

crates/util/keyfork-mnemonic/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keyfork-mnemonic"
-version = "0.4.0"
+version = "0.3.0"
 description = "Utilities to generate and manage seeds based on BIP-0039 mnemonics."
 repository = "https://git.distrust.co/public/keyfork"
 edition = "2021"
@@ -11,14 +11,14 @@ default = ["bin"]
 bin = ["smex"]
 
 [dependencies]
-smex = { workspace = true, optional = true }
-keyfork-bug = { workspace = true }
+smex = { version = "0.1.0", path = "../smex", optional = true, registry = "distrust" }
+keyfork-bug = { version = "0.1.0", path = "../keyfork-bug", registry = "distrust" }
 
-sha2 = { workspace = true }
-hmac = { workspace = true }
+sha2 = "0.10.7"
+hmac = "0.12.1"
 pbkdf2 = "0.12.2"
 
 [dev-dependencies]
 bip39 = "2.0.0"
 hex = "0.4.3"
-serde_json = { workspace = true }
+serde_json = "1.0.105"

crates/util/keyfork-mnemonic/src/bin/keyfork-mnemonic-from-seed.rs

@@ -1,4 +1,4 @@
-//! Generate a mnemonic from hex-encoded input.
+//!
 
 use keyfork_mnemonic::Mnemonic;
 

crates/util/keyfork-prompt/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keyfork-prompt"
-version = "0.1.2"
+version = "0.1.1"
 description = "Prompt management utilities for Keyfork"
 repository = "https://git.distrust.co/public/keyfork"
 edition = "2021"
@@ -13,7 +13,7 @@ default = ["mnemonic"]
 mnemonic = ["keyfork-mnemonic"]
 
 [dependencies]
-keyfork-bug = { workspace = true }
-keyfork-crossterm = { workspace = true, default-features = false, features = ["use-dev-tty", "events", "bracketed-paste"] }
-keyfork-mnemonic = { workspace = true, optional = true }
-thiserror = { workspace = true }
+keyfork-bug = { version = "0.1.0", path = "../keyfork-bug", registry = "distrust" }
+keyfork-crossterm = { version = "0.27.1", path = "../keyfork-crossterm", default-features = false, features = ["use-dev-tty", "events", "bracketed-paste"], registry = "distrust" }
+keyfork-mnemonic = { version = "0.3.0", path = "../keyfork-mnemonic", optional = true, registry = "distrust" }
+thiserror = "1.0.51"

crates/util/keyfork-prompt/examples/test-basic-prompt.rs

@@ -1,4 +1,4 @@
-#![allow(missing_docs)]
+//!
 
 use std::io::{stdin, stdout};
 

crates/util/keyfork-prompt/src/terminal.rs

@@ -1,9 +1,3 @@
-//! A terminal prompt handler.
-//!
-//! This prompt handler uses a raw terminal device to read inputs and uses ANSI escape codes to
-//! provide formatting for prompts. Because of these reasons, it is not intended to be
-//! machine-readable.
-
 use std::{
     borrow::Borrow,
     io::{stderr, stdin, BufRead, BufReader, Read, Stderr, Stdin, Write},

crates/util/keyfork-slip10-test-data/Cargo.toml

@@ -5,4 +5,4 @@ edition = "2021"
 license = "MIT"
 
 [dependencies]
-smex = { workspace = true }
+smex = { version = "0.1.0", path = "../smex", registry = "distrust" }

deny.toml

@@ -11,9 +11,6 @@
 
 # Root options
 
-# The graph table configures how the dependency graph is constructed and thus
-# which crates the checks are performed against
-[graph]
 # If 1 or more target triples (and optionally, target_features) are specified,
 # only the specified targets will be checked when running `cargo deny check`.
 # This means, if a particular package is only ever used as a target specific
@@ -25,7 +22,7 @@
 targets = [
     # The triple can be any string, but only the target triples built in to
     # rustc (as of 1.40) can be checked against actual config expressions
-    #"x86_64-unknown-linux-musl",
+    #{ triple = "x86_64-unknown-linux-musl" },
     # You can also specify which target_features you promise are enabled for a
     # particular target. target_features are currently not validated against
     # the actual valid features supported by the target architecture.
@@ -49,9 +46,6 @@ no-default-features = false
 # If set, these feature will be enabled when collecting metadata. If `--features`
 # is specified on the cmd line they will take precedence over this option.
 #features = []
-
-# The output table provides options for how/if diagnostics are outputted
-[output]
 # When outputting inclusion graphs in diagnostics that include features, this
 # option can be used to specify the depth at which feature edges will be added.
 # This option is included since the graphs can be quite large and the addition
@@ -63,20 +57,38 @@ feature-depth = 1
 # More documentation for the advisories section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
 [advisories]
-# The path where the advisory databases are cloned/fetched into
-#db-path = "$CARGO_HOME/advisory-dbs"
+# The path where the advisory database is cloned/fetched into
+db-path = "~/.cargo/advisory-db"
 # The url(s) of the advisory databases to use
-#db-urls = ["https://github.com/rustsec/advisory-db"]
+db-urls = ["https://github.com/rustsec/advisory-db"]
+# The lint level for security vulnerabilities
+vulnerability = "deny"
+# The lint level for unmaintained crates
+unmaintained = "warn"
+# The lint level for crates that have been yanked from their source registry
+yanked = "warn"
+# The lint level for crates with security notices. Note that as of
+# 2019-12-17 there are no security notice advisories in
+# https://github.com/rustsec/advisory-db
+notice = "warn"
 # A list of advisory IDs to ignore. Note that ignored advisories will still
 # output a note when they are encountered.
 ignore = [
     #"RUSTSEC-0000-0000",
-    #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
-    #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
-    #{ crate = "a-crate-that-is-yanked@0.1.1", reason = "you can specify why you are ignoring the yanked crate" },
-
-    { id = "RUSTSEC-2023-0071", reason = "Not applicable, vulnerable path is not used" },
+    # Not applicable, RSA is not used for crypto operations in the dep it's
+    # used for, openpgp-card
+    "RUSTSEC-2023-0071",
 ]
+# Threshold for security vulnerabilities, any vulnerability with a CVSS score
+# lower than the range specified will be ignored. Note that ignored advisories
+# will still output a note when they are encountered.
+# * None - CVSS Score 0.0
+# * Low - CVSS Score 0.1 - 3.9
+# * Medium - CVSS Score 4.0 - 6.9
+# * High - CVSS Score 7.0 - 8.9
+# * Critical - CVSS Score 9.0 - 10.0
+#severity-threshold =
+
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
 # Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support.
@@ -87,6 +99,8 @@ ignore = [
 # More documentation for the licenses section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
 [licenses]
+# The lint level for crates which do not have a detectable license
+unlicensed = "deny"
 # List of explicitly allowed licenses
 # See https://spdx.org/licenses/ for list of possible licenses
 # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
@@ -100,8 +114,30 @@ allow = [
     "LGPL-2.0",
     "LGPL-3.0",
     "Unicode-3.0",
+    #"Apache-2.0 WITH LLVM-exception",
 ]
-
+# List of explicitly disallowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
+deny = [
+    #"Nokia",
+]
+# Lint level for licenses considered copyleft
+copyleft = "warn"
+# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
+# * both - The license will be approved if it is both OSI-approved *AND* FSF
+# * either - The license will be approved if it is either OSI-approved *OR* FSF
+# * osi - The license will be approved if it is OSI approved
+# * fsf - The license will be approved if it is FSF Free
+# * osi-only - The license will be approved if it is OSI-approved *AND NOT* FSF
+# * fsf-only - The license will be approved if it is FSF *AND NOT* OSI-approved
+# * neither - This predicate is ignored and the default lint level is used
+allow-osi-fsf-free = "neither"
+# Lint level used when no other predicates are matched
+# 1. License isn't in the allow or deny lists
+# 2. License isn't copyleft
+# 3. License isn't OSI/FSF, or allow-osi-fsf-free = "neither"
+default = "deny"
 # The confidence threshold for detecting a license from license text.
 # The higher the value, the more closely the license text must be to the
 # canonical license text of a valid SPDX license file.
@@ -112,7 +148,7 @@ confidence-threshold = 0.8
 exceptions = [
     # Each entry is the crate and version constraint, and its specific allow
     # list
-    #{ allow = ["Zlib"], crate = "adler32" },
+    #{ allow = ["Zlib"], name = "adler32", version = "*" },
     { allow = ["BSL-1.0"], name = "xxhash-rust", version = "*" },
 ]
 
@@ -120,8 +156,10 @@ exceptions = [
 # adding a clarification entry for it allows you to manually specify the
 # licensing information
 #[[licenses.clarify]]
-# The package spec the clarification applies to
-#crate = "ring"
+# The name of the crate the clarification applies to
+#name = "ring"
+# The optional version constraint for the crate
+#version = "*"
 # The SPDX expression for the license requirements of the crate
 #expression = "MIT AND ISC AND OpenSSL"
 # One or more files in the crate's source used as the "source of truth" for
@@ -130,8 +168,8 @@ exceptions = [
 # and the crate will be checked normally, which may produce warnings or errors
 # depending on the rest of your configuration
 #license-files = [
-# Each entry is a crate relative path, and the (opaque) hash of its contents
-#{ path = "LICENSE", hash = 0xbd0eed23 }
+    # Each entry is a crate relative path, and the (opaque) hash of its contents
+    #{ path = "LICENSE", hash = 0xbd0eed23 }
 #]
 
 [licenses.private]
@@ -171,24 +209,25 @@ workspace-default-features = "allow"
 external-default-features = "allow"
 # List of crates that are allowed. Use with care!
 allow = [
-    #"ansi_term@0.11.0",
-    #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is allowed" },
+    #{ name = "ansi_term", version = "=0.11.0" },
 ]
 # List of crates to deny
 deny = [
-    #"ansi_term@0.11.0",
-    #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is banned" },
+    # Each entry the name of a crate and a version range. If version is
+    # not specified, all versions will be matched.
+    #{ name = "ansi_term", version = "=0.11.0" },
+    #
     # Wrapper crates can optionally be specified to allow the crate when it
     # is a direct dependency of the otherwise banned crate
-    #{ crate = "ansi_term@0.11.0", wrappers = ["this-crate-directly-depends-on-ansi_term"] },
-    { name = "serde", version = ">1.0.171, <1.0.184", reason = "ships with prebuilt binaries" }
+    #{ name = "ansi_term", version = "=0.11.0", wrappers = [] },
+    { name = "serde", version = ">1.0.171, <1.0.184" }
 ]
 
 # List of features to allow/deny
 # Each entry the name of a crate and a version range. If version is
 # not specified, all versions will be matched.
 #[[bans.features]]
-#crate = "reqwest"
+#name = "reqwest"
 # Features to not allow
 #deny = ["json"]
 # Features to allow
@@ -209,18 +248,14 @@ deny = [
 
 # Certain crates/versions that will be skipped when doing duplicate detection.
 skip = [
-    #"ansi_term@0.11.0",
-    #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason why it can't be updated/removed" },
+    #{ name = "ansi_term", version = "=0.11.0" },
 ]
 # Similarly to `skip` allows you to skip certain crates during duplicate
 # detection. Unlike skip, it also includes the entire tree of transitive
 # dependencies starting at the specified crate, up to a certain depth, which is
 # by default infinite.
 skip-tree = [
-    { name = "windows-sys" },
-    { name = "windows-targets" },
-    #"ansi_term@0.11.0", # will be skipped along with _all_ of its direct and transitive dependencies
-    #{ crate = "ansi_term@0.11.0", depth = 20 },
+    #{ name = "ansi_term", version = "=0.11.0", depth = 20 },
 ]
 
 # This section is considered when running `cargo deny check sources`.

scripts/make-changelog-blurb.sh

@@ -3,13 +3,12 @@ set -o pipefail
 
 LAST_REF="$1"
 CURRENT_REF="${2:-HEAD}"
-IGNORE="${3:-ABCDEFG}"
 
 cargo metadata --format-version=1 | \
   jq -r '.packages[] | select(.source == null) | .name + " " + .manifest_path' | \
   while read crate manifest_path; do
     crate_path="$(dirname $manifest_path)"
-    git_log="$(git log --format='%h %s' "$LAST_REF".."$CURRENT_REF" "$crate_path" | { grep -v "$IGNORE" || true; })"
+    git_log="$(git log --format='%h %s' "$LAST_REF"..HEAD "$crate_path")"
     if test ! -z "$git_log"; then
       echo "### Changes in $crate:"
       echo ""

scripts/sign-new-versions.sh

@@ -10,7 +10,7 @@ cargo metadata --format-version=1 | jq -r '.packages[] | select(.source == null)
 
 while read crate manifest_path version <&3; do
   crate_path="$(dirname $manifest_path)"
-  git_log="$(git log --format='%h %s' "$LAST_REF".."$CURRENT_REF" "$crate_path")"
+  git_log="$(git log --format='%h %s' "$LAST_REF"..HEAD "$crate_path")"
   git_tag="$(git tag --list "$crate-v${version}")"
   if test ! -z "$git_log" -a -z "$git_tag"; then
     {