Provided by: sq_0.37.0-1_amd64 bug

NAME

       sq cert - Manage certificates

SYNOPSIS

       sq cert import [OPTIONS] FILE
       sq cert export [OPTIONS] QUERY
       sq cert lint [OPTIONS] FILE

DESCRIPTION

       Manage certificates.

       We use the term "certificate", or "cert" for short, to refer to OpenPGP keys that do not contain secrets.
       This subcommand provides primitives to generate and otherwise manipulate certs.

       Conversely,  we  use  the  term "key" to refer to OpenPGP keys that do contain secrets.  See `sq key` for
       operations on keys.

SUBCOMMANDS

   sq cert import
       Import certificates into the local certificate store.

   sq cert export
       Export certificates from the local certificate store.

       If multiple predicates are specified a certificate is returned if at least one of them matches.

       This does not check the authenticity of the certificates in anyway.  Before using  the  certificates,  be
       sure to validate and authenticate them.

       When  matching  on  subkeys  or User IDs, the component must have a valid self signature according to the
       policy.  This is not the case when matching the certificate's key handle using `--cert` or when exporting
       all certificates.

       Fails if search criteria are specified and none of them matches any certificates.  Note:  this  means  if
       the certificate store is empty and no search criteria are specified, then this will return success.

   sq cert lint
       Check certificates for issues.

       `sq cert lint` checks the supplied certificates for the following SHA-1-related issues:

         - Whether a certificate revocation uses SHA-1.

         - Whether the current self signature for a non-revoked User ID uses
           SHA-1.

         - Whether the current subkey binding signature for a non-revoked,
           live subkey uses SHA-1.

         - Whether a primary key binding signature ("backsig") for a
           non-revoked, live subkey uses SHA-1.

       Diagnostics are printed to stderr.  At the end, some statistics are shown.  This is useful when examining
       a  keyring.   If  `--fix`  is specified and at least one issue could be fixed, the fixed certificates are
       printed to stdout.

       This tool does not currently support smart cards.  But, if only the subkeys are on  a  smart  card,  this
       tool  may  still  be able to partially repair the certificate.  In particular, it will be able to fix any
       issues with User ID self signatures and subkey binding signatures for encryption-capable subkeys, but  it
       will not be able to generate new primary key binding signatures for any signing-capable subkeys.

EXAMPLES

   sq cert import
       Import a certificate.

              sq cert import juliet.pgp

   sq cert export
       Export all certificates.

              sq cert export --all

       Export certificates with a matching User ID packet.  The binding signatures are checked, but the User IDs
       are not authenticated. Note: this check is case sensitive.

              sq cert export --userid "Alice <alice@example.org>"

       Export  certificates with a User ID containing the email address. The binding signatures are checked, but
       the User IDs are not authenticated.  Note: this check is case insensitive.

              sq cert export --email alice@example.org

       Export certificates where the certificate (i.e., the primary key) has the specified Key ID.

              sq cert export --cert 6F0073F60FD0CBF0

       Export certificates where the primary key or a subkey matches the specified Key ID.

              sq cert export --key 24F3955B0B8DECC8

       Export certificates that contain a User ID with *either* (not both!)  email address.  Note: this check is
       case insensitive.

              sq cert export --email alice@example.org --email \
                     bob@example.org

   sq cert lint
       To gather statistics, simply run:

              sq cert lint keyring.pgp

       To fix a key:

              gpg --export-secret-keys FPR \
                     | sq cert lint --fix -p passw0rd -p password123 \
                     | gpg --import

       To get a list of keys with issues:

              sq cert lint --list-keys keyring.pgp \
                     | while read FPR; do something; done

SEE ALSO

       sq(1), sq-cert-import(1), sq-cert-export(1), sq-cert-lint(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       0.34.0 (sequoia-openpgp 1.19.0)

Sequoia PGP                                          0.34.0                                                SQ(1)