Provided by: sq_0.40.0-1_amd64

NAME

       sq key userid revoke - Revoke a user ID

SYNOPSIS

       sq key userid revoke [OPTIONS]

DESCRIPTION

       Revoke a user ID.

       Creates a revocation certificate for a user ID.

       If  `--revoker`  or  `--revoker-file`  is  provided,  then  that key is used to create the
       revocation certificate.  If that key is different  from  the  certificate  that  is  being
       revoked,  this  results  in a third-party revocation.  This is normally only useful if the
       owner of the certificate designated the key to be a designated revoker.

       To revoke a user ID, the certificate must be valid  under  the  current  policy.   If  the
       certificate   is  not  valid  under  the  current  policy,  consider  revoking  the  whole
       certificate, or  fixing  it  using  `sq  cert  lint`  after  verifying  the  certificate's
       integrity.  If the certificate is valid under the current policy, but the user ID you want
       to revoke isn't, you can still revoke the user ID using `--userid-or-add`.

       `sq key userid revoke` respects the reference time set by the top-level `--time` argument.
       When  set,  it  uses  the specified time instead of the current time when determining what
       keys are valid, and it sets the revocation certificate's creation time  to  the  reference
       time instead of the current time.

OPTIONS

   Subcommand options
       --allow-non-canonical-userids
              Don't reject new user IDs that are not in canonical form.

              Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

       --cert=FINGERPRINT|KEYID
              Revoke the user ID from the key with the specified fingerprint or key ID

       --cert-email=EMAIL
              Revoke  the  user  ID  from  the  key  where a user ID includes the specified email
              address

       --cert-file=PATH
              Revoke the user ID from the key read from PATH

       --cert-userid=USERID
              Revoke the user ID from the key with the specified user ID

       --email=EMAIL
              Use the self-signed user ID with the specified email address

       --email-or-add=EMAIL
              Use a user ID with the specified email address.

              This first searches for a matching self-signed user ID.  If there is no self-signed
              user  ID with the specified email address, it uses a new user ID with the specified
              email address, and no display name.

       --message=MESSAGE
              A short, explanatory text.

              The text is shown to a viewer of the revocation certificate, and explains  why  the
              certificate has been revoked.  For instance, if Alice has left the organization, it
              might say who to contact instead.

       --name=DISPLAY_NAME
              Use the self-signed user ID with the specified display name

       --name-or-add=DISPLAY_NAME
              Use a user ID with the specified display name.

              This first searches for a matching self-signed user ID.  If there is no self-signed
              user  ID  with the specified name, it uses a new user ID with the specified display
              name, and no email address.

       --output=FILE
              Write to the specified FILE.

              If not specified, and the certificate was read from the certificate store,  imports
              the  modified  certificate  into  the  cert  store.   If  not  specified,  and  the
              certificate was read from a file, writes the modified certificate to stdout.

       --reason=REASON
              The reason for the revocation.

              If the reason happened in the past, you should  specify  that  using  the  `--time`
              argument.   This  allows  OpenPGP  implementations  to more accurately reason about
              artifacts whose validity depends on the validity of the user ID.

              [possible values: retired, unspecified]

       --revoker=FINGERPRINT|KEYID
              Use key with  the  specified  fingerprint  or  key  ID  to  create  the  revocation
              certificate.

              Sign  the  revocation  certificate  using  the  specified  key.   By  default,  the
              certificate being revoked is used.  Using this option, it is possible to  create  a
              third-party revocation.

       --revoker-email=EMAIL
              Use  key  where  a  user  ID  includes  the  specified  email address to create the
              revocation certificate.

              Sign  the  revocation  certificate  using  the  specified  key.   By  default,  the
              certificate  being  revoked is used.  Using this option, it is possible to create a
              third-party revocation.

       --revoker-file=PATH
              Read key from PATH to create the revocation certificate.

              Sign  the  revocation  certificate  using  the  specified  key.   By  default,  the
              certificate  being  revoked is used.  Using this option, it is possible to create a
              third-party revocation.

       --revoker-userid=USERID
              Use key with the specified user ID to create the revocation certificate.

              Sign  the  revocation  certificate  using  the  specified  key.   By  default,  the
              certificate  being  revoked is used.  Using this option, it is possible to create a
              third-party revocation.

       --signature-notation NAME VALUE
              Add a notation to the certification.

              A user-defined notation's name must be of the form `name@a.domain.you.control.org`.
              If  the  notation's  name  starts  with a `!`, then the notation is marked as being
              critical.  If a consumer of a signature doesn't  understand  a  critical  notation,
              then it will ignore the signature.  The notation is marked as being human readable.

       --userid=USERID
              Use the specified self-signed user ID.

              The specified user ID must be self signed.

       --userid-or-add=USERID
              Use the specified user ID.

              The specified user ID does not need to be self signed.

              Because using a user ID that is not self-signed is often a mistake, you need to use
              this option to explicitly opt in.  That said, certifying a  user  ID  that  is  not
              self-signed  is useful.  For instance, you can associate an alternate email address
              with a certificate, or you can add a petname, i.e., a memorable, personal name like
              "mom".

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Retire a user ID on Alice's key.

              sq key userid revoke --cert \
                     EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --userid \
                     "Alice <alice@example.org>" --reason retired --message \
                     "No longer at example.org."
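
       The following is an added example, not part of the sq manual or the Sequoia
       project's code. It plans a batch of third-party user ID revocations that are
       back-dated with the top-level `--time` argument, and only prints the commands
       for review. The roster, the revoker fingerprint (assumed to be a designated
       revoker for the listed certificates), the output file names and the
       `YYYY-MM-DD` value passed to `--time` are assumptions.

```shell
#!/bin/sh
# Added example: plan (print, never run) third-party user ID revocations.
# Every fingerprint, name, date and address below is constructed sample data.

# Placeholder fingerprint of the organization's designated revoker key.
REVOKER_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed roster: certificate fingerprint|user ID|departure date|contact
sample_roster() {
    cat <<'EOF'
EB28F26E2739A4870ECC47726F0073F60FD0CBF0|Alice <alice@example.org>|2024-03-31|hr@example.org
1111111111222222222233333333334444444444|Bob O'Neil <bob@example.org>|2024-04-15|ops@example.org
bad-fingerprint|Mallory <mallory@example.org>|2024-04-15|ops@example.org
EOF
}

# Single-quote a value so the printed command can be pasted into a shell.
shquote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# Local policy (assumption): full 40- or 64-digit fingerprints only, no key IDs.
is_fpr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$'
}

is_date() { printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}$'; }

# Read roster rows on stdin; print one command per valid row, report the rest.
plan_revocations() {
    while IFS='|' read -r fpr uid left contact; do
        if ! is_fpr "$fpr" || ! is_date "$left" || [ -z "$uid" ]; then
            echo "skipped malformed row: $fpr" >&2
            continue
        fi
        # --time back-dates the revocation to the departure date;
        # --output keeps the result in a file for review instead of importing it.
        printf 'sq --time %s key userid revoke --cert %s --userid %s' \
            "$left" "$fpr" "$(shquote "$uid")"
        printf ' --revoker %s --reason retired --message %s --output %s\n' \
            "$REVOKER_FPR" "$(shquote "Left on $left; contact $contact.")" \
            "$(shquote "revoked-$fpr.pgp")"
    done
}

sample_roster | plan_revocations
```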

SEE ALSO

       sq(1), sq-key(1), sq-key-userid(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       0.40.0 (sequoia-openpgp 1.21.2)