NAME

       sq-network-search - Retrieve certificates using all supported network services

SYNOPSIS

       sq network search [OPTIONS] QUERY

DESCRIPTION

       Retrieve certificates using all supported network services.

       This  command  will  try to locate relevant certificates given a query, which may be a fingerprint, a key
       ID, an email address, or a https URL.  It may also discover and import certificate  related  to  the  one
       queried, such as alternative certs, expired certs, or revoked certs.

       Discovering  related  certs  is  useful:  alternative  certs  support  key rotations, expired certs allow
       verification of signatures made in the past, and discovering  revoked  certs  is  important  to  get  the
       revocation information.  The PKI mechanism will help to select the correct cert, see `sq pki`.

       By  default, any returned certificates are stored in the local certificate store.  This can be overridden
       by using `--output` option.

       When a certificate is retrieved from a verifying key server (currently, this is  limited  to  a  list  of
       known servers: `hkps://keys.openpgp.org`, `hkps://keys.mailvelope.com`, and `hkps://mail-api.proton.me`),
       WKD,  DANE,  or  via  https,  and  imported  into  the  local  certificate  store,  the User IDs are also
       certificated with a local server-specific key.   That  proxy  certificate  is  in  turn  certified  as  a
       minimally trusted CA (trust amount: 1 of 120) by the local trust root.  How much a proxy key server CA is
       trusted can be tuned using `sq pki link add` or `sq pki link retract` in the usual way.

OPTIONS

   Subcommand options
       --all  Fetch updates for all known certificates

       --iterations=N
              Iterate to find related updates and certs

              The    default    can    be    changed    in    the   configuration   file   using   the   setting
              `network.search.iterations`.

              [default: 3]

       --output=FILE
              Write to FILE (or stdout when omitted) instead of importing into the certificate store

       --server=URI
              Set a key server to use (can be given multiple times)

              The   default   can   be   changed   in    the    configuration    file    using    the    setting
              `network.keyserver.servers`.

              [default:    hkps://keys.openpgp.org,    hkps://mail-api.proton.me,    hkps://keys.mailvelope.com,
              hkps://keyserver.ubuntu.com, hkps://sks.pod01.fleetstreetops.com]

       --use-dane=ENABLE
              Use DANE to search for certs

              The default can be changed in the configuration file using the setting `network.search.use-dane`.

              [default: true]

              [possible values: true, false]

       --use-wkd=ENABLE
              Use WKD to search for certs

              The default can be changed in the configuration file using the setting `network.search.use-wkd`.

              [default: true]

              [possible values: true, false]

        QUERY Retrieve certificate(s) using QUERY

              This may be a fingerprint, a KeyID, an email address, or a https URL.

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Search for the Qubes master signing certificate.

              sq network search 427F11FD0FAA4B080123F01CDDFA1A3E36879494

       Search for certificates that have are associated with an email address.

              sq network search alice@example.org

SEE ALSO

       sq(1), sq-network(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION

       1.3.1

Sequoia PGP                                           1.3.1                                                SQ(1)