Provided by: sq_1.2.0-1_amd64

NAME

       sq key subkey revoke - Revoke a subkey

SYNOPSIS

       sq key subkey revoke [OPTIONS]

DESCRIPTION

       Revoke a subkey.

       Creates a revocation certificate for a subkey.

       If  `--revoker`  or  `--revoker-file`  is  provided,  then  that  key  is  used  to create the revocation
       certificate.  If that key is different from the certificate that is being  revoked,  this  results  in  a
       third-party revocation.  This is normally only useful if the owner of the certificate has designated
       that key as a designated revoker.

       `sq key subkey revoke` respects the reference time set by the top-level `--time` argument.  When set,  it
       uses the specified time instead of the current time when determining what keys are valid, and it sets the
       revocation certificate's creation time to the reference time instead of the current time.

OPTIONS

   Subcommand options
       --cert=FINGERPRINT|KEYID
              Revoke the specified subkeys on the key with the specified fingerprint or key ID

       --cert-email=EMAIL
              Revoke the specified subkeys on the key where a user ID includes the specified email address

       --cert-file=PATH
              Revoke the specified subkeys on the key read from PATH

       --cert-userid=USERID
              Revoke the specified subkeys on the key with the specified user ID

       --key=FINGERPRINT|KEYID
              Revoke the specified subkey

       --message=MESSAGE
              A short, explanatory text

              The  text is shown to a viewer of the revocation certificate, and explains why the subkey has been
              revoked.  For instance, if Alice has  created  a  new  key,  she  would  generate  a  `superseded`
              revocation  certificate for her old key, and might include the message "I've created a new subkey,
              please refresh the certificate."

       --output=FILE
              Write to the specified FILE

              If not specified, and the certificate was read from the certificate store,  imports  the  modified
              certificate  into  the  cert  store.   If not specified, and the certificate was read from a file,
              writes the modified certificate to stdout.

       --reason=REASON
              The reason for the revocation

              If the reason happened in the past, you should specify that using  the  `--time`  argument.   This
              allows OpenPGP implementations to more accurately reason about artifacts whose validity depends on
              the validity of the user ID.

              [possible values: compromised, superseded, retired, unspecified]

       --revoker=FINGERPRINT|KEYID
              Use key with the specified fingerprint or key ID to create the revocation certificate

              Sign  the  revocation  certificate  using  the  specified  key.  By default, the certificate being
              revoked is used.  Using this option, it is possible to create a third-party revocation.

       --revoker-email=EMAIL
              Use key where a user ID includes the specified email address to create the revocation certificate

              Sign the revocation certificate using the  specified  key.   By  default,  the  certificate  being
              revoked is used.  Using this option, it is possible to create a third-party revocation.

       --revoker-file=PATH
              Read key from PATH to create the revocation certificate

              Sign  the  revocation  certificate  using  the  specified  key.  By default, the certificate being
              revoked is used.  Using this option, it is possible to create a third-party revocation.

       --revoker-userid=USERID
              Use key with the specified user ID to create the revocation certificate

              Sign the revocation certificate using the  specified  key.   By  default,  the  certificate  being
              revoked is used.  Using this option, it is possible to create a third-party revocation.

       --signature-notation NAME VALUE
              Add a notation to the signature

              A  user-defined  notation's  name  must  be  of  the  form `name@a.domain.you.control.org`. If the
              notation's name starts with a `!`, then the notation is marked as being critical.  If  a  consumer
              of  a  signature  doesn't  understand a critical notation, then it will ignore the signature.  The
              notation is marked as being human readable.

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Revoke Alice's signing subkey.

              sq key subkey revoke \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --key=42020B87D51877E5AF8D272124F3955B0B8DECC8 \
                     --reason retired \
                     --message "Subkey rotation."

       Revoke Alice's signing and encryption subkeys.

              sq key subkey revoke \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --key=42020B87D51877E5AF8D272124F3955B0B8DECC8 \
                     --key=74DCDEAF17D9B995679EB52BA6E65EA2C8497728 \
                     --reason retired \
                     --message "Subkey rotation."
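
       A guarded wrapper for revoking a compromised subkey with a backdated reference time, combining
       `--time`, `--reason`, `--cert-file` and `--output` as described above.  This is an added example,
       not part of sq or its documentation; `revoke_subkey`, `DRY_RUN`, the file names and the date are
       hypothetical, and the fingerprint and reference-time checks are assumed local policy.

```shell
#!/bin/sh
# Added example, not part of sq. revoke_subkey, DRY_RUN and the file names
# used with it are hypothetical.
revoke_subkey() {
    cert_file=$1 subkey=$2 reason=$3 message=$4 out=$5 when=${6:-}

    # Local policy (assumption): demand a full 40-hex-digit fingerprint, as
    # in the EXAMPLES, so a short key ID or typo cannot pick the wrong subkey.
    case $subkey in
        ''|*[!0-9A-Fa-f]*) echo "bad fingerprint: $subkey" >&2; return 2 ;;
    esac
    if [ "${#subkey}" -ne 40 ]; then
        echo "bad fingerprint length: $subkey" >&2; return 2
    fi

    # --reason accepts exactly these four values.
    case $reason in
        compromised|superseded|retired|unspecified) ;;
        *) echo "bad reason: $reason" >&2; return 2 ;;
    esac

    # Local policy (assumption): a compromise started at some point in the
    # past, so require the reference time that --reason recommends.
    if [ "$reason" = compromised ] && [ -z "$when" ]; then
        echo "reason 'compromised' needs a reference time" >&2; return 2
    fi

    # Read the certificate from a file and write the result to a file, so
    # the revocation can be inspected before it is imported or published.
    set -- key subkey revoke "--cert-file=$cert_file" "--key=$subkey" \
        --reason "$reason" --message "$message" "--output=$out"
    # --time is a top-level argument; the timestamp format is assumed to be
    # one that sq(1) accepts (for example an ISO 8601 date).
    if [ -n "$when" ]; then set -- "--time=$when" "$@"; fi

    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' sq "$@"    # dry run: one argument per line
    else
        sq "$@"
    fi
}

# Constructed sample call (dry run by default):
# revoke_subkey alice.pgp 42020B87D51877E5AF8D272124F3955B0B8DECC8 \
#     compromised "Laptop stolen." alice-revoked.pgp 2024-05-01
```

       With `DRY_RUN=0` the function runs `sq` instead of printing the argument list.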

SEE ALSO

       sq(1), sq-key(1), sq-key-subkey(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       1.2.0 (sequoia-openpgp 1.22.0)

Sequoia PGP                                           1.2.0                                                SQ(1)