SQ(1) User Commands SQ(1) NAME sq pki vouch add - Certify a User ID for a Certificate SYNOPSIS sq pki vouch add [OPTIONS] DESCRIPTION Certify a User ID for a Certificate. Using a certification a keyholder may vouch for the fact that another certificate legitimately belongs to a user id. In the context of emails this means that the same entity controls the key and the email address. These kind of certifications form the basis for the Web of Trust. This command emits the certificate with the new certification. The updated certificate has to be distributed, preferably by sending it to the certificate holder for approval. See also `sq key approvals`. By default a certification expires after 10 years. Using the `--expiration` argument specific validity periods may be defined. It allows for providing a point in time for validity to end or a validity duration. `sq pki vouch add` respects the reference time set by the top-level `--time` argument. It sets the certification's creation time to the reference time. OPTIONS Subcommand options --add-email=EMAIL Use a user ID with the specified email address The user ID consists of just the email address. The email address does not have to appear in a self-signed user ID. --add-userid=USERID Use the specified user ID The specified user ID does not need to be self signed. Because using a user ID that is not self-signed is often a mistake, you need to use this option to explicitly opt in. --all Use all self-signed user IDs --allow-non-canonical-userids Don't reject new user IDs that are not in canonical form Canonical user IDs are of the form `Name (Comment) `. --amount=AMOUNT Set the amount of trust Values between 1 and 120 are meaningful. 120 means fully trusted. Values less than 120 indicate the degree of trust. 60 is usually used for partially trusted. [default: full] --cert=FINGERPRINT|KEYID Use certificates with the specified fingerprint or key ID --cert-file=PATH Read certificates from PATH --certifier=FINGERPRINT|KEYID Create the certification using the key with the specified fingerprint or key ID --certifier-email=EMAIL Create the certification using the key where a user ID includes the specified email address --certifier-file=PATH Create the certification using the key read from PATH --certifier-self Create the certification using your default certification key This uses the certificates set in the configuration file under `pki.vouch.certifier-self` as certification key. Currently, there is no default certification key. --certifier-userid=USERID Create the certification using the key with the specified user ID --email=EMAIL Use a user ID consisting of just the email address, if the email address occurs in a self-signed user ID --expiration=EXPIRATION Sets the expiration time EXPIRATION is either an ISO 8601 formatted date with an optional time or a custom duration. A duration takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively. Alternatively, the keyword `never` does not set an expiration time. The default can be changed in the configuration file using the setting `pki.vouch.expiration`. [default: 10y] --local Make the certification a local certification Normally, local certifications are not exported. --non-revocable Mark the certification as being non-revocable That is, you cannot later revoke this certification. This should normally only be used with an expiration. --output=FILE Write to FILE or stdout if omitted --signature-notation NAME VALUE Add a notation to the signature A user-defined notation's name must be of the form `name@a.domain.you.control.org`. If the notation's name starts with a `!`, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable. --userid=USERID Use the specified self-signed user ID The specified user ID must be self signed. --userid-by-email=EMAIL Use the self-signed user ID with the specified email address Global options See sq(1) for a description of the global options. EXAMPLES Alice certifies that Bob controls 3F68CB84CE537C9A and bob@example.org. sq pki vouch add \ --certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \ --cert=511257EBBF077B7AEDAE5D093F68CB84CE537C9A \ --email=bob@example.org Alice certifies that Bob controls 3F68CB84CE537C9A and bob@bobs.lair.net, which is not a self-signed user ID. sq pki vouch add \ --certifier=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \ --cert=511257EBBF077B7AEDAE5D093F68CB84CE537C9A \ --add-email=bob@bobs.lair.net SEE ALSO sq(1), sq-pki(1), sq-pki-vouch(1). For the full documentation see . VERSION 1.2.0 (sequoia-openpgp 1.22.0) Sequoia PGP 1.2.0 SQ(1)