.TH SQ 1 0.38.0 "Sequoia PGP" "User Commands" .SH NAME sq cert lint \- Check certificates for issues .SH SYNOPSIS .br \fBsq cert lint\fR [\fIOPTIONS\fR] .SH DESCRIPTION Check certificates for issues. .PP `sq cert lint` checks the supplied certificates for the following SHA\-1\-related issues: .PP \- Whether a certificate revocation uses SHA\-1. .PP \- Whether the current self signature for a non\-revoked User ID uses SHA\-1. .PP \- Whether the current subkey binding signature for a non\-revoked, live subkey uses SHA\-1. .PP \- Whether a primary key binding signature ("backsig") for a non\-revoked, live subkey uses SHA\-1. .PP Diagnostics are printed to stderr. At the end, some statistics are shown. This is useful when examining a keyring. If `\-\-fix` is specified and at least one issue could be fixed, the fixed certificates are printed to stdout. .PP This tool does not currently support smart cards. But, if only the subkeys are on a smart card, this tool may still be able to partially repair the certificate. In particular, it will be able to fix any issues with User ID self signatures and subkey binding signatures for encryption\-capable subkeys, but it will not be able to generate new primary key binding signatures for any signing\-capable subkeys. .PP .SH OPTIONS .SS "Subcommand options" .TP \fB\-\-binary\fR Emit binary data .TP \fB\-\-cert\fR=\fIFINGERPRINT|KEYID\fR Lint the specified certificate .TP \fB\-\-cert\-file\fR=\fICERT_FILE\fR Lint the certificates in the specified file .TP \fB\-\-export\-secret\-keys\fR When fixing a certificate, the fixed certificate is exported without any secret key material. Using this switch causes any secret key material to also be exported .TP \fB\-\-fix\fR Attempts to fix certificates, when possible .TP \fB\-\-list\-keys\fR If set, outputs a list of fingerprints, one per line, of certificates that have issues. This output is intended for use by scripts. .IP This option implies `\-\-quiet`. If you also specify `\-\-fix`, errors will still be printed to stderr, and fixed certificates will still be emitted to stdout. .TP \fB\-\-output\fR=\fIFILE\fR Write to the specified FILE. If not specified, and the certificate was read from the certificate store, imports the modified certificate into the cert store. If not specified, and the certificate was read from a file, writes the modified certificate to stdout. .TP \fB\-\-quiet\fR Quiet; does not output any diagnostics .SS "Global options" See \fBsq\fR(1) for a description of the global options. .SH "EXIT STATUS" If `\-\-fix` is not specified: 2 if any issues were found, 1 if not issues were found, but there were errors reading the input, 0 if there were no issues. .PP If `\-\-fix` is specified: 3 if any issues could not be fixed, 1 if not issues were found, but there were errors reading the input, 0 if all issues were fixed or there were no issues. .PP .SH EXAMPLES .PP .PP To gather statistics, simply run: .PP .nf .RS sq cert lint keyring.pgp .RE .PP .fi .PP To fix a key: .PP .nf .RS gpg \-\-export\-secret\-keys FPR \\ .RE .RS .RS | sq cert lint \-\-fix \-p passw0rd \-p password123 \\ .RE .RE .RS .RS | gpg \-\-import .RE .RE .PP .fi .PP To get a list of keys with issues: .PP .nf .RS sq cert lint \-\-list\-keys keyring.pgp \\ .RE .RS .RS | while read FPR; do something; done .RE .RE .fi .SH "SEE ALSO" .nh \fBsq\fR(1), \fBsq\-cert\fR(1). .hy .PP For the full documentation see . .SH VERSION 0.38.0 (sequoia\-openpgp 1.21.2)