Provided by: sq_1.2.0-1_amd64 bug

NAME
       sq cert - Manage certificates


SYNOPSIS
       sq cert import [OPTIONS] FILE
       sq cert export [OPTIONS]
       sq cert list [OPTIONS] FINGERPRINT|KEYID|PATTERN
       sq cert lint [OPTIONS]


DESCRIPTION
       Manage certificates.

       We use the term "certificate", or "cert" for short, to refer to OpenPGP keys that do not contain secrets.
       This subcommand provides primitives to generate and otherwise manipulate certs.

       Conversely,  we  use  the  term "key" to refer to OpenPGP keys that do contain secrets.  See `sq key` for
       operations on keys.


SUBCOMMANDS
   sq cert import
       Import certificates into the local certificate store.

   sq cert export
       Export certificates from the local certificate store.

       If multiple predicates are specified a certificate is returned if at least one of them matches.

       This does not check the authenticity of the certificates in anyway. Before  using  the  certificates,  be
       sure to validate and authenticate them.

       When  matching  on  subkeys  or User IDs, the component must have a valid self signature according to the
       policy.

       Fails if search criteria are specified and none of them matches any certificates.  Note:  this  means  if
       the certificate store is empty and no search criteria are specified, then this will return success.

   sq cert list
       List certificates and user IDs.

       List  certificates  and  user  IDs that match a query, are usable, and can be authenticated.  By default,
       bindings (certificate and user ID pairs) must be fully authenticated.  If  no  certificates  or  bindings
       match a query, then the command returns a non-zero exit code.

       If  no  queries are provided, then all bindings that are usable, and can be authenticated are listed.  If
       there are no such bindings, the command still succeeds.

       By default, unusable certificates, i.e., those that are not valid according to the policy,  are  revoked,
       or  are  not  live, are skipped.  Likewise, user ID self signatures and certifications that are not valid
       according to the policy, and user IDs that are revoked are skipped.

   sq cert lint
       Check certificates for issues.

       `sq cert lint` checks the supplied certificates for the following SHA-1-related issues:

         - Whether a certificate revocation uses SHA-1.

         - Whether the current self signature for a non-revoked User ID uses SHA-1.

         - Whether the current subkey binding signature for a non-revoked, live subkey uses SHA-1.

         - Whether a primary key binding signature ("backsig") for a non-revoked, live subkey uses SHA-1.

       Diagnostics are printed to stderr.  At the end, some statistics are shown.  This is useful when examining
       a keyring.  If `--fix` is specified and at least one issue could be fixed,  the  fixed  certificates  are
       printed to stdout.

       This  tool  does  not  currently support smart cards.  But, if only the subkeys are on a smart card, this
       tool may still be able to partially repair the certificate.  In particular, it will be able  to  fix  any
       issues  with User ID self signatures and subkey binding signatures for encryption-capable subkeys, but it
       will not be able to generate new primary key binding signatures for any signing-capable subkeys.


EXAMPLES
   sq cert import
       Import a certificate.

              sq cert import juliet.pgp

   sq cert export
       Export certificates with a User ID containing the email address.

              sq cert export --cert-email=alice@example.org

       Export certificates that contain a User ID with *either* (not both!)  email address.

              sq cert export --cert-email=alice@example.org \
                     --cert-email=bob@example.org

       Export all certificates.

              sq cert export --all

   sq cert list
       List all bindings  for  user  IDs  containing  an  email  address  from  example.org,  and  that  can  be
       authenticated.

              sq cert list @example.org

       List all authenticated bindings for User IDs containing a specific email address.

              sq cert list --cert-email=alice@example.org

       List all paths to certificates containing a specific email address.

              sq cert list --gossip --show-paths \
                     --cert-email=alice@example.org

   sq cert lint
        Gather statistics on the certificates in a keyring.

              sq cert lint --cert-file certs.pgp

       Fix a key with known problems.

              sq key export --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     | sq cert lint --fix --cert-file=- \
                     | sq cert import


SEE ALSO
       sq(1), sq-cert-import(1), sq-cert-export(1), sq-cert-list(1), sq-cert-lint(1).

       For the full documentation see <https://book.sequoia-pgp.org>.


VERSION
       1.2.0 (sequoia-openpgp 1.22.0)

Sequoia PGP                                           1.2.0                                                SQ(1)