Provided by: sq_0.40.0-1_amd64 
NAME
sq cert - Manage certificates
SYNOPSIS
sq cert import [OPTIONS] FILE
sq cert export [OPTIONS]
sq cert list [OPTIONS] PATTERN
sq cert lint [OPTIONS]
DESCRIPTION
Manage certificates.
We use the term "certificate", or "cert" for short, to refer to OpenPGP keys that do not
contain secrets. This subcommand provides primitives to generate and otherwise manipulate
certs.
Conversely, we use the term "key" to refer to OpenPGP keys that do contain secrets. See
`sq key` for operations on keys.
SUBCOMMANDS
sq cert import
Import certificates into the local certificate store.
sq cert export
Export certificates from the local certificate store.
If multiple predicates are specified a certificate is returned if at least one of them
matches.
This does not check the authenticity of the certificates in anyway. Before using the
certificates, be sure to validate and authenticate them.
When matching on subkeys or User IDs, the component must have a valid self signature
according to the policy.
Fails if search criteria are specified and none of them matches any certificates. Note:
this means if the certificate store is empty and no search criteria are specified, then
this will return success.
sq cert list
List all authenticated bindings (User ID and certificate pairs).
Only bindings that meet the specified trust amount (by default bindings that are fully
authenticated, i.e., have a trust amount of 120), are shown.
Even if no bindings are shown, the exit status is 0.
If `--email` is provided, then a pattern matches if it is a case insensitive substring of
the email address as-is or the normalized email address. Note: unlike the email address,
the pattern is not normalized. In particular, puny code normalization is not done on the
pattern.
sq cert lint
Check certificates for issues.
`sq cert lint` checks the supplied certificates for the following SHA-1-related issues:
- Whether a certificate revocation uses SHA-1.
- Whether the current self signature for a non-revoked User ID uses SHA-1.
- Whether the current subkey binding signature for a non-revoked, live subkey uses
SHA-1.
- Whether a primary key binding signature ("backsig") for a non-revoked, live subkey
uses SHA-1.
Diagnostics are printed to stderr. At the end, some statistics are shown. This is useful
when examining a keyring. If `--fix` is specified and at least one issue could be fixed,
the fixed certificates are printed to stdout.
This tool does not currently support smart cards. But, if only the subkeys are on a smart
card, this tool may still be able to partially repair the certificate. In particular, it
will be able to fix any issues with User ID self signatures and subkey binding signatures
for encryption-capable subkeys, but it will not be able to generate new primary key
binding signatures for any signing-capable subkeys.
EXAMPLES
sq cert import
Import a certificate.
sq cert import juliet.pgp
sq cert export
Export certificates with a User ID containing the email address.
sq cert export --cert-email=alice@example.org
Export certificates that contain a User ID with *either* (not both!) email address.
sq cert export --cert-email=alice@example.org \
--cert-email=bob@example.org
Export all certificates.
sq cert export --all
sq cert list
List all bindings for user IDs containing an email address from example.org, and that can
be authenticated.
sq cert list @example.org
sq cert lint
Gather statistics on the certificates in a keyring.
sq cert lint --cert-file certs.pgp
Fix a key with known problems.
sq key export --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
| sq cert lint --fix --cert-file=- \
| sq cert import
SEE ALSO
sq(1), sq-cert-import(1), sq-cert-export(1), sq-cert-list(1), sq-cert-lint(1).
For the full documentation see <https://book.sequoia-pgp.org>.
VERSION
0.40.0 (sequoia-openpgp 1.21.2)