SQ(1) User Commands SQ(1)

sq - A command-line frontend for Sequoia, an implementation of OpenPGP

sq [GLOBAL OPTIONS] armor [OPTIONS] FILE
sq [GLOBAL OPTIONS] autocrypt decode [OPTIONS] FILE
sq [GLOBAL OPTIONS] autocrypt encode-sender [OPTIONS] FILE
sq [GLOBAL OPTIONS] certify [OPTIONS] CERTIFIER-KEY CERTIFICATE USERID
sq [GLOBAL OPTIONS] dane get [OPTIONS] ADDRESS
sq [GLOBAL OPTIONS] dearmor [OPTIONS] FILE
sq [GLOBAL OPTIONS] decrypt [OPTIONS] FILE
sq [GLOBAL OPTIONS] encrypt [OPTIONS] FILE
sq [GLOBAL OPTIONS] export [OPTIONS]
sq [GLOBAL OPTIONS] import FILE
sq [GLOBAL OPTIONS] inspect [OPTIONS] FILE
sq [GLOBAL OPTIONS] key generate [OPTIONS]
sq [GLOBAL OPTIONS] key password [OPTIONS] FILE
sq [GLOBAL OPTIONS] key revoke [OPTIONS] REASON MESSAGE
sq [GLOBAL OPTIONS] key userid add [OPTIONS] FILE
sq [GLOBAL OPTIONS] key userid revoke [OPTIONS] USERID REASON MESSAGE
sq [GLOBAL OPTIONS] key userid strip [OPTIONS] FILE
sq [GLOBAL OPTIONS] key subkey add [OPTIONS] FILE
sq [GLOBAL OPTIONS] key subkey revoke [OPTIONS] SUBKEY REASON MESSAGE
sq [GLOBAL OPTIONS] key extract-cert [OPTIONS] FILE
sq [GLOBAL OPTIONS] key attest-certifications [OPTIONS] KEY
sq [GLOBAL OPTIONS] key adopt [OPTIONS] TARGET-KEY
sq [GLOBAL OPTIONS] keyring list [OPTIONS] FILE
sq [GLOBAL OPTIONS] keyring split [OPTIONS] FILE
sq [GLOBAL OPTIONS] keyring join [OPTIONS] FILE
sq [GLOBAL OPTIONS] keyring merge [OPTIONS] FILE
sq [GLOBAL OPTIONS] keyring filter [OPTIONS] FILE
sq [GLOBAL OPTIONS] keyring lint [OPTIONS] FILE
sq [GLOBAL OPTIONS] keyserver get [OPTIONS] QUERY
sq [GLOBAL OPTIONS] keyserver send FILE
sq [GLOBAL OPTIONS] link add [OPTIONS] FINGERPRINT|KEYID USERID|EMAIL
sq [GLOBAL OPTIONS] link retract [OPTIONS] FINGERPRINT|KEYID USERID|EMAIL
sq [GLOBAL OPTIONS] link list [OPTIONS]
sq [GLOBAL OPTIONS] output-versions [OPTIONS]
sq [GLOBAL OPTIONS] packet dump [OPTIONS] FILE
sq [GLOBAL OPTIONS] packet decrypt [OPTIONS] FILE
sq [GLOBAL OPTIONS] packet split [OPTIONS] FILE
sq [GLOBAL OPTIONS] packet join [OPTIONS] FILE
sq [GLOBAL OPTIONS] sign [OPTIONS] FILE
sq [GLOBAL OPTIONS] verify [OPTIONS] FILE
sq [GLOBAL OPTIONS] wkd generate [OPTIONS] WEB-ROOT FQDN CERT-RING
sq [GLOBAL OPTIONS] wkd get [OPTIONS] ADDRESS
sq [GLOBAL OPTIONS] wkd direct-url ADDRESS
sq [GLOBAL OPTIONS] wkd url ADDRESS
sq [GLOBAL OPTIONS] wot authenticate [OPTIONS] FINGERPRINT|KEYID USERID
sq [GLOBAL OPTIONS] wot lookup [OPTIONS] USERID
sq [GLOBAL OPTIONS] wot identify FINGERPRINT|KEYID
sq [GLOBAL OPTIONS] wot list [OPTIONS] PATTERN
sq [GLOBAL OPTIONS] wot path [OPTIONS] FINGERPRINT|KEYID USERID

A command-line frontend for Sequoia, an implementation of OpenPGP.

Functionality is grouped and available using subcommands. This interface is not completely stateless. In particular, the user's default certificate store is used. This can be disabled using "--no-cert-store".

OpenPGP data can be provided in binary or ASCII armored form. This will be handled automatically. Emitted OpenPGP data is ASCII armored by default.

We use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. Conversely, we use the term "key" to refer to OpenPGP keys that do contain secrets.

--cert-store PATH               Specifies the location of the certificate store
-f, --force                     Overwrites existing files
--keyring PATH                  Specifies the location of a keyring to use
--known-notation NOTATION       Adds NOTATION to the list of known notations
--no-cert-store                 Disables the use of a certificate store
--output-format FORMAT          Produces output in FORMAT, if possible
--output-version VERSION        Produces output variant VERSION
--pep-cert-store PATH           Specifies the location of a pEp certificate store
--time TIME                     Sets the reference time as an ISO 8601 formatted timestamp
--trust-root FINGERPRINT|KEYID  Considers the specified certificate to be a trust root

sq armor

Converts binary to ASCII.

To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII-encoded representation.

The converse operation is "sq dearmor".

sq autocrypt decode

Reads Autocrypt-encoded certificates.

Given an Autocrypt header (or a key-gossip header), this command extracts the certificate encoded within it.

The converse operation is "sq autocrypt encode-sender".

sq autocrypt encode-sender

Encodes a certificate into an Autocrypt header.

A certificate can be encoded and included in a header of an email message. This command encodes the certificate, adds the sender's email address (which must match the one used in the "From" header), and the sender's "prefer-encrypt" state (see the Autocrypt spec for more information).

The converse operation is "sq autocrypt decode".
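The following is an added example and not part of sq or Sequoia: a small Python encoder and decoder for the Autocrypt header format that "sq autocrypt encode-sender" and "sq autocrypt decode" produce and consume. It shows the attribute layout (addr, optional prefer-encrypt, base64 keydata), the rule that unknown attributes are fatal unless their name starts with an underscore, the From-address check, and extraction of both the sender header and Autocrypt-Gossip headers from a message. The keydata bytes and the message are constructed placeholders; a real header carries a binary OpenPGP certificate, which sq would go on to parse.

```python
import base64
import email
import email.utils
import re

# Attributes defined by Autocrypt Level 1. Any other attribute whose name does
# not start with "_" is critical and renders the whole header invalid.
KNOWN_ATTRIBUTES = {"addr", "prefer-encrypt", "keydata"}

# Constructed placeholder for the binary (unarmored) certificate that goes into
# keydata. It is NOT a real OpenPGP key.
SAMPLE_KEYDATA = bytes(range(0xC6, 0xFF)) + b"\x00\x01\x02\x03"


def encode_sender(addr, keydata, prefer_encrypt=None):
    """Build the value of an Autocrypt header for the given sender address."""
    if "@" not in addr or any(ch in addr for ch in ";= \t"):
        raise ValueError(f"not a usable addr: {addr!r}")
    parts = [f"addr={addr}"]
    if prefer_encrypt is not None:
        if prefer_encrypt != "mutual":
            raise ValueError("prefer-encrypt only defines the value 'mutual'")
        parts.append("prefer-encrypt=mutual")
    parts.append("keydata=" + base64.b64encode(keydata).decode("ascii"))
    return "; ".join(parts)


def decode(header_value, from_addr=None):
    """Parse an Autocrypt header value into a dict, or raise ValueError.

    from_addr, when given, is the address from the message's From header; the
    header is only valid if addr matches it (compared case-insensitively here).
    """
    attrs = {}
    for item in header_value.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute {item.strip()!r}")
        name, value = name.strip(), value.strip()
        if name.startswith("_"):
            continue  # non-critical attribute: ignored
        if name not in KNOWN_ATTRIBUTES:
            raise ValueError(f"unknown critical attribute {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = value
    missing = {"addr", "keydata"} - attrs.keys()
    if missing:
        raise ValueError(f"missing required attribute(s): {sorted(missing)}")
    if from_addr is not None and attrs["addr"].lower() != from_addr.lower():
        raise ValueError("addr does not match the From address")
    prefer = attrs.get("prefer-encrypt")
    if prefer is not None and prefer != "mutual":
        raise ValueError(f"invalid prefer-encrypt value {prefer!r}")
    # keydata may be folded over several lines; drop all whitespace first.
    try:
        keydata = base64.b64decode(re.sub(r"\s+", "", attrs["keydata"]), validate=True)
    except ValueError as exc:
        raise ValueError("keydata is not valid base64") from exc
    return {"addr": attrs["addr"], "prefer_encrypt": prefer, "keydata": keydata}


def is_valid(header_value, from_addr=None):
    """True if decode() accepts the header."""
    try:
        decode(header_value, from_addr)
        return True
    except ValueError:
        return False


def decode_message(raw_message):
    """Extract the sender's Autocrypt header and all Autocrypt-Gossip headers
    from a raw RFC 5322 message (an .eml file in practice)."""
    msg = email.message_from_string(raw_message)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    result = {"sender": None, "gossip": []}
    sender_headers = msg.get_all("Autocrypt", [])
    if len(sender_headers) == 1:  # several Autocrypt headers: treat as none
        result["sender"] = decode(sender_headers[0], from_addr=from_addr)
    for value in msg.get_all("Autocrypt-Gossip", []):
        result["gossip"].append(decode(value))
    return result


# Constructed sample message with one sender header and one gossip header.
SAMPLE_MESSAGE = (
    "From: Juliet <juliet@example.org>\r\n"
    "To: romeo@example.org\r\n"
    "Autocrypt: " + encode_sender("juliet@example.org", SAMPLE_KEYDATA, "mutual") + "\r\n"
    "Autocrypt-Gossip: addr=romeo@example.org; _verified=no; keydata="
    + base64.b64encode(b"gossip-key").decode("ascii") + "\r\n"
    "Subject: test\r\n\r\nbody\r\n"
)
```

The underscore rule matters in practice: a sender can add private, non-critical attributes without breaking older clients, while a typo in a critical attribute name invalidates the header rather than being silently ignored.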

sq certify

Certifies a User ID for a Certificate.

Using a certification a keyholder may vouch for the fact that another certificate legitimately belongs to a User ID. In the context of emails this means that the same entity controls the key and the email address. These kinds of certifications form the basis for the Web of Trust.

This command emits the certificate with the new certification. The updated certificate has to be distributed, preferably by sending it to the certificate holder for attestation. See also "sq key attest-certifications".

By default a certification expires after 5 years. Using the "--expiry=EXPIRY" argument specific validity periods may be defined. It allows for providing a point in time for validity to end or a validity duration.

"sq certify" respects the reference time set by the top-level "--time" argument. It sets the certification's creation time to the reference time.

sq dane get

Looks up certificates using DANE.

By default, any returned certificates are stored in the local certificate store. This can be overridden by using "--output" option.

When a certificate is downloaded using DANE, and imported into the local certificate store, any User IDs with the email address that was looked up are certified with a local DANE-specific key. That proxy certificate is in turn certified as a minimally trusted CA (trust amount: 1 of 120) by the local trust root. How much the DANE proxy CA is trusted can be tuned using "sq link add" or "sq link retract" in the usual way.

sq dearmor

Converts ASCII to binary.

To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor. sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII-encoded OpenPGP data to its binary representation.

The converse operation is "sq armor".

sq decrypt

Decrypts a message.

Decrypts a message using either supplied keys, or by prompting for a password. If message tampering is detected, an error is returned. See below for details.

If certificates are supplied using the "--signer-cert" option, any signatures that are found are checked using these certificates. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "--signatures" parameter.

If the signature verification fails, or if message tampering is detected, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated.

The converse operation is "sq encrypt".

sq encrypt

Encrypts a message.

Encrypts a message for any number of recipients and with any number of passwords, optionally signing the message in the process.

The converse operation is "sq decrypt".

"sq encrypt" respects the reference time set by the top-level "--time" argument. It uses the reference time when selecting encryption keys, and it sets the signature's creation time to the reference time.

sq export

Exports certificates from the local certificate store.

If multiple predicates are specified a certificate is returned if at least one of them matches.

This does not check the authenticity of the certificates in any way. Before using the certificates, be sure to validate and authenticate them.

When matching on subkeys or User IDs, the component must have a valid self signature according to the policy. This is not the case when matching the certificate's key handle using `--cert` or when exporting all certificates.

Fails if search criteria are specified and none of them matches any certificates. Note: this means if the certificate store is empty and no search criteria are specified, then this will return success.

sq import

Imports certificates into the local certificate store.

sq inspect

Inspects data, like file(1).

It is often difficult to tell from cursory inspection using cat(1) or file(1) what kind of OpenPGP data one is looking at. This subcommand inspects the data and provides a meaningful human-readable description of it.

"sq inspect" respects the reference time set by the top-level "--time" argument. It uses the reference time when determining what binding signatures are active.

sq key adopt

Binds keys from one certificate to another.

This command allows one to transfer primary keys and subkeys into an existing certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate. You want to keep the authentication subkey because it allows access to SSH servers and updating their configuration is not feasible.

sq key attest-certifications

Attests to third-party certifications allowing for their distribution.

To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third-party certifications on certificates. To make the key holder sovereign over what information is distributed with the certificate, the key holder needs to explicitly attest to third-party certifications.

After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a keyserver.

sq key extract-cert

Converts a key to a cert.

After generating a key, use this command to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver.

sq key generate

Generates a new key.

Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users.

When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place.

After generating a key, use "sq key extract-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver.

By default a key expires after 3 years. Using the "--expiry=EXPIRY" argument specific validity periods may be defined. It allows for providing a point in time for validity to end or a validity duration.

"sq key generate" respects the reference time set by the top-level "--time" argument. It sets the creation time of the key, any subkeys, and the binding signatures to the reference time.

sq key password

Changes password protecting secrets.

Secret key material in keys can be protected by a password. This subcommand changes or clears this encryption password.

To emit the key with unencrypted secrets, either use `--clear` or supply a zero-length password when prompted for the new password.

sq key revoke

Revokes a certificate.

Creates a revocation certificate for the certificate.

If "--revocation-file" is provided, then that key is used to create the signature. If that key is different from the certificate being revoked, this creates a third-party revocation. This is normally only useful if the owner of the certificate designated the key to be a designated revoker.

If "--revocation-file" is not provided, then the certificate must include a certification-capable key.

"sq key revoke" respects the reference time set by the top-level "--time" argument. When set, it uses the specified time instead of the current time, when determining what keys are valid, and it sets the revocation certificate's creation time to the reference time instead of the current time.

sq key subkey add

Adds a newly generated Subkey.

A subkey has one or more flags. "--can-sign" sets the signing flag, and means that the key may be used for signing. "--can-authenticate" sets the authentication flag, and means that the key may be used for authentication (e.g., as an SSH key). These two flags may be combined.

"--can-encrypt=storage" sets the storage encryption flag, and means that the key may be used for storage encryption. "--can-encrypt=transport" sets the transport encryption flag, and means that the key may be used for transport encryption. "--can-encrypt=universal" sets both the storage and the transport encryption flag, and means that the key may be used for both storage and transport encryption. Only one of the encryption flags may be used and it can not be combined with the signing or authentication flag.

At least one flag must be chosen.

Furthermore the subkey may use one of several available cipher suites, that can be selected using "--cipher-suite".

By default a new subkey never expires. However, its validity period is limited by that of the primary key it is added for. Using the "--expiry=EXPIRY" argument specific validity periods may be defined. It allows for providing a point in time for validity to end or a validity duration.

"sq key subkey add" respects the reference time set by the top-level "--time" argument. It sets the creation time of the subkey to the specified time.

sq key subkey revoke

Revokes a subkey.

Creates a revocation certificate for a subkey.

If "--revocation-file" is provided, then that key is used to create the signature. If that key is different from the certificate being revoked, this creates a third-party revocation. This is normally only useful if the owner of the certificate designated the key to be a designated revoker.

If "--revocation-file" is not provided, then the certificate must include a certification-capable key.

"sq key subkey revoke" respects the reference time set by the top-level "--time" argument. When set, it uses the specified time instead of the current time, when determining what keys are valid, and it sets the revocation certificate's creation time to the reference time instead of the current time.

sq key userid add

Adds a User ID.

A User ID can contain a name, like "Juliet" or an email address, like "<juliet@example.org>". Historically, a name and email address were often combined as a single User ID, like "Juliet <juliet@example.org>".

"sq key userid add" respects the reference time set by the top-level "--time" argument. It sets the creation time of the User ID's binding signature to the specified time.

sq key userid revoke

Revokes a User ID.

Creates a revocation certificate for a User ID.

If "--revocation-key" is provided, then that key is used to create the signature. If that key is different from the certificate being revoked, this creates a third-party revocation. This is normally only useful if the owner of the certificate designated the key to be a designated revoker.

If "--revocation-key" is not provided, then the certificate must include a certification-capable key.

"sq key userid revoke" respects the reference time set by the top-level "--time" argument. When set, it uses the specified time instead of the current time, when determining what keys are valid, and it sets the revocation certificate's creation time to the reference time instead of the current time.

sq key userid strip

Strips a User ID.

Note that this operation does not reliably remove User IDs from a certificate that has already been disseminated! (OpenPGP software typically appends new information it receives about a certificate to its local copy of that certificate. Systems that have obtained a copy of your certificate with the User ID that you are trying to strip will not drop that User ID from their copy.)

In most cases, you will want to use the 'sq key userid revoke' operation instead. That issues a revocation for a User ID, which can be used to mark the User ID as invalidated.

However, this operation can be useful in very specific cases, in particular: to remove a mistakenly added User ID before it has been uploaded to key servers or otherwise shared.

Stripping a User ID may change how a certificate is interpreted. This is because information about the certificate like algorithm preferences, the primary key's key flags, etc. is stored in the User ID's binding signature.

sq keyring filter

Joins keys into a keyring applying a filter.

This can be used to filter keys based on given predicates, e.g. whether they have a user id containing an email address with a certain domain. Additionally, the keys can be pruned to only include components matching the predicates.

If no filters are supplied, everything matches.

If multiple predicates are given, they are or'ed, i.e. a key matches if any of the predicates match. To require all predicates to match, chain multiple invocations of this command. See EXAMPLES for inspiration.

sq keyring join

Joins keys or keyrings into a single keyring.

Unlike "sq keyring merge", multiple versions of the same key are not merged together.

The converse operation is "sq keyring split".

sq keyring lint

`sq keyring lint` checks the supplied certificates for the following SHA-1-related issues:

- Whether a certificate revocation uses SHA-1.

- Whether the current self signature for a non-revoked User ID uses SHA-1.

- Whether the current subkey binding signature for a non-revoked, live subkey uses SHA-1.

- Whether a primary key binding signature ("backsig") for a non-revoked, live subkey uses SHA-1.

Diagnostics are printed to stderr. At the end, some statistics are shown. This is useful when examining a keyring. If `--fix` is specified and at least one issue could be fixed, the fixed certificates are printed to stdout.

This tool does not currently support smart cards. But, if only the subkeys are on a smart card, this tool may still be able to partially repair the certificate. In particular, it will be able to fix any issues with User ID self signatures and subkey binding signatures for encryption-capable subkeys, but it will not be able to generate new primary key binding signatures for any signing-capable subkeys.

EXIT STATUS:

If `--fix` is not specified:
2 if any issues were found,
1 if no issues were found, but there were errors reading the input,
0 if there were no issues.

If `--fix` is specified:
3 if any issues could not be fixed,
1 if no issues were found, but there were errors reading the input,
0 if all issues were fixed or there were no issues.

sq keyring list

Lists keys in a keyring.

Prints the fingerprint as well as the primary userid for every certificate encountered in the keyring.

sq keyring merge

Merges keys or keyrings into a single keyring.

Unlike "sq keyring join", the certificates are buffered and multiple versions of the same certificate are merged together. Where data is replaced (e.g., secret key material), data from the later certificate is preferred.

sq keyring split

Splits a keyring into individual keys.

Splitting up a keyring into individual keys helps with curating a keyring.

The converse operation is "sq keyring join".

sq keyserver get

Retrieves a certificate from a keyserver.

By default, any returned certificates are stored in the local certificate store. This can be overridden by using "--output" option.

When a certificate is downloaded from a verifying keyserver (currently, this is limited to a list of known servers: keys.openpgp.org, keys.mailvelope.com, and mail-api.proton.me), and imported into the local certificate store, the User IDs are also certified with a local server-specific key. That proxy certificate is in turn certified as a minimally trusted CA (trust amount: 1 of 120) by the local trust root. How much a proxy key server CA is trusted can be tuned using "sq link add" or "sq link retract" in the usual way.

sq keyserver send

Sends a key.

sq link add

Links a certificate and a User ID. This causes "sq" to consider the certificate and User ID binding to be authentic.

A certificate can also be accepted as a certification authority, which is also known as a trusted introducer, by using the "--ca" or "--depth" option.

A link can be retracted using "sq link retract".

This command is similar to "sq certify", but the certifications it makes are done using the certificate directory's trust root, not an arbitrary key. Further, the certifications are marked as non-exportable. The former makes it easier to manage certifications, especially when the user's certification key is offline. The latter improves the user's privacy, by reducing the chance that parts of the user's social graph are leaked when a certificate is shared.

By default a link never expires. Using the "--expiry=EXPIRY" argument specific validity periods may be defined. It allows for providing a point in time for validity to end or a validity duration.

"sq link" respects the reference time set by the top-level "--time" argument. It sets the link's creation time to the reference time.

sq link list

Lists links.

This command lists all bindings that are linked or whose link has been retracted.

sq link retract

Retracts links.

This command retracts links that were previously created using "sq link add". See that subcommand's documentation for more details. Note: this is called "retract" and not "remove", because the certifications are not removed. Instead a new certification is added, which says that the binding has not been authenticated.

"sq link retract" respects the reference time set by the top-level "--time" argument. This causes a link to be retracted as of a particular time instead of the current time.

sq output-versions

Lists supported output versions.

sq packet decrypt

Unwraps an encryption container.

Decrypts a message, dumping the content of the encryption container without further processing. The result is a valid OpenPGP message that can, among other things, be inspected using "sq packet dump".

sq packet dump

Lists packets.

Creates a human-readable description of the packet sequence. Additionally, it can print cryptographic artifacts, and print the raw octet stream similar to hexdump(1), annotating specifically which bytes are parsed into OpenPGP values.

To inspect encrypted messages, either supply the session key, or see "sq decrypt --dump" or "sq packet decrypt".

sq packet join

Joins packets split across files.

Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data.

The converse operation is "sq packet split".

sq packet split

Splits a message into packets.

Splitting a packet sequence into individual packets, then recombining them freely with "sq packet join" is a great way to experiment with OpenPGP data.

The converse operation is "sq packet join".

sq sign

Signs messages or data files.

Creates signed messages or detached signatures. Detached signatures are often used to sign software packages.

The converse operation is "sq verify".

"sq sign" respects the reference time set by the top-level "--time" argument. When set, it uses the specified time instead of the current time, when determining what keys are valid, and it sets the signature's creation time to the reference time instead of the current time.

sq verify

Verifies signed messages or detached signatures.

When verifying signed messages, the message is written to stdout or the file given to --output.

When a detached message is verified, no output is produced. Detached signatures are often used to sign software packages.

Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "--signatures" parameter. If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated.

A signature is considered to have been authenticated if the signer can be authenticated. If the signer is provided via "--signer-file", then the signer is considered authenticated. Otherwise, the signer is looked up and authenticated using the web of trust. If at least one User ID can be fully authenticated, then the signature is considered to have been authenticated. If the signature includes a Signer User ID subpacket, then only that User ID is considered. Note: the User ID need not be self signed.

The converse operation is "sq sign".

If you are looking for a standalone program to verify detached signatures, consider using sequoia-sqv.

"sq verify" respects the reference time set by the top-level "--time" argument. When set, it verifies the message as of the reference time instead of the current time.

sq wkd direct-url

Prints the direct Web Key Directory URL of an email address.

sq wkd generate

Generates a Web Key Directory for the given domain and keys.

If the WKD already exists, the new keys are inserted into it and existing ones are updated.

A WKD is per domain, and can be queried using the advanced or the direct method. The advanced method uses a URL with a subdomain 'openpgpkey'. As per the specification, the advanced method is to be preferred. The direct method may only be used if the subdomain doesn't exist. The advanced method allows web key directories for several domains on one web server.

The contents of the generated WKD must be copied to a web server so that they are accessible under https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/... for the advanced method, and https://example.com/.well-known/openpgpkey/hu/... for the direct method. sq does not copy files to the web server.

sq wkd get

Looks up certificates in a Web Key Directory.

By default, any returned certificates are stored in the local certificate store. This can be overridden by using "--output" option.

When a certificate is downloaded from a WKD, and imported into the local certificate store, any User IDs with the email address that was looked up are certified with a local WKD-specific key. That proxy certificate is in turn certified as a minimally trusted CA (trust amount: 1 of 120) by the local trust root. How much the WKD proxy CA is trusted can be tuned using "sq link add" or "sq link retract" in the usual way.

sq wkd url

Prints the advanced Web Key Directory URL of an email address.
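The following is an added example, not code from sq or Sequoia, showing how the URLs printed by "sq wkd url" and "sq wkd direct-url" are derived and where "sq wkd generate" must place a certificate under WEB-ROOT for those URLs to resolve. The local part of the address is lowercased, hashed with SHA-1 and z-base-32 encoded; the original local part is repeated in the `l=` query parameter. The address and web root below are constructed inputs.

```python
import hashlib
import posixpath
import urllib.parse

# z-base-32 alphabet used for the hu/ path component of a WKD URL.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bit
    first, the final group zero-padded on the right, no padding characters."""
    nbits = len(data) * 8
    n = int.from_bytes(data, "big")
    out = []
    for i in range((nbits + 4) // 5):
        shift = nbits - 5 * (i + 1)
        idx = (n >> shift) & 31 if shift >= 0 else (n << -shift) & 31
        out.append(ZBASE32[idx])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Hash of the local part: ASCII letters lowercased (the WKD draft restricts
    the case mapping to ASCII), SHA-1, z-base-32. 160 bits give exactly 32 chars."""
    mapped = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32_encode(hashlib.sha1(mapped.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct lookup URLs for an email address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    digest = wkd_hash(local)
    # The query carries the local part as given, percent-encoded, not lowercased.
    query = "?l=" + urllib.parse.quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{digest}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{digest}{query}",
    }


def wkd_file_path(web_root: str, domain: str, local_part: str, advanced: bool = True) -> str:
    """Path under web_root at which the certificate for local_part must be
    served so that the corresponding URL from wkd_urls() resolves. The advanced
    layout nests a per-domain directory; the direct layout does not."""
    domain = domain.lower()
    digest = wkd_hash(local_part)
    if advanced:
        rel = posixpath.join(".well-known", "openpgpkey", domain, "hu", digest)
    else:
        rel = posixpath.join(".well-known", "openpgpkey", "hu", digest)
    return posixpath.join(web_root, rel)


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name}: {url}")
    print(wkd_file_path("/var/www/html", "example.org", "Joe.Doe"))
```

Because only the hash appears in the path, a WKD does not enumerate addresses to a casual crawler, but anyone who can guess a local part can confirm it exists; the `l=` parameter exists so a server can serve the file without reversing the hash.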

sq wot authenticate

Authenticate a binding.

Authenticate a binding (a certificate and User ID) by looking for a path from the trust roots to the specified binding in the web of trust. Because certifications may express uncertainty (i.e., certifications may be marked as conveying only partial or marginal trust), multiple paths may be needed.

If a binding could be authenticated to the specified level (by default: fully authenticated, i.e., a trust amount of 120), then the exit status is 0. Otherwise the exit status is 1.

If any valid paths to the binding are found, they are printed on stdout whether they are sufficient to authenticate the binding or not.

sq wot identify

Identify a certificate.

Identify a certificate by finding authenticated bindings (User ID and certificate pairs).

If a binding could be authenticated to the specified level (by default: fully authenticated, i.e., a trust amount of 120), then the exit status is 0. Otherwise the exit status is 1.

If a binding could be partially authenticated (i.e., its trust amount is greater than 0), then the binding is displayed, even if the trust is below the specified threshold.

sq wot list

List all authenticated bindings (User ID and certificate pairs).

Only bindings that meet the specified trust amount (by default bindings that are fully authenticated, i.e., have a trust amount of 120), are shown.

Even if no bindings are shown, the exit status is 0.

If --email is provided, then a pattern matches if it is a case insensitive substring of the email address as-is or the normalized email address. Note: unlike the email address, the pattern is not normalized. In particular, punycode normalization is not done on the pattern.

sq wot lookup

Lookup the certificates associated with a User ID.

Identifies authenticated bindings (User ID and certificate pairs) where the User ID matches the specified User ID.

If a binding could be authenticated to the specified level (by default: fully authenticated, i.e., a trust amount of 120), then the exit status is 0. Otherwise the exit status is 1.

If a binding could be partially authenticated (i.e., its trust amount is greater than 0), then the binding is displayed, even if the trust is below the specified threshold.

sq wot path

Verify the specified path.

A path is a sequence of certificates starting at the root, and a User ID. This command checks that each path segment has a valid certification, which also satisfies any constraints (trust amount, trust depth, regular expressions).

If a valid path is not found, then this subcommand also lints the path. In particular, it reports if any certifications are insufficient, e.g., not enough trust depth, or invalid, e.g., because they use SHA-1, but the use of SHA-1 has been disabled.
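The following is an added example, not code from sq or sequoia-wot, that makes the rules in the "sq wot authenticate" and "sq wot path" descriptions concrete: a path conveys the minimum trust amount along its certifications, each certifier needs enough trust depth for the hops below it, a regular-expression constraint applies to every User ID further down the path, and a binding is fully authenticated when the amounts of valid paths reach 120. The certification graph is constructed; the labels stand in for fingerprints. It includes a proxy CA trusted at 1 of 120, as the page describes for certificates fetched via WKD, DANE or a verifying keyserver, to show why such a fetch alone never authenticates a binding. One simplification is assumed: amounts of different paths are simply added, which is only correct when the paths share no certification; sequoia-wot's real combination algorithm is not reproduced here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

FULLY_AUTHENTICATED = 120  # sq's default threshold


@dataclass(frozen=True)
class Certification:
    issuer: str                   # certifying certificate (label standing in for a fingerprint)
    target: str                   # certified certificate
    userid: str                   # the User ID being certified on `target`
    amount: int = 120             # trust amount, 0..120
    depth: int = 0                # trust depth: 0 = plain certification, n = may introduce n hops
    regex: Optional[str] = None   # constraint on User IDs certified further down the path


def path_amount(path: List[Certification]) -> int:
    """Trust amount one path conveys: 0 if any segment is invalid or
    insufficient, otherwise the minimum amount along the path."""
    for i, cert in enumerate(path):
        remaining = len(path) - 1 - i              # hops this certifier must vouch for
        if cert.depth < remaining:
            return 0                                # not enough trust depth
        if i + 1 < len(path) and path[i + 1].issuer != cert.target:
            return 0                                # segments do not chain
        if cert.regex is not None:
            for later in path[i + 1:]:              # constraint covers everything below
                if not re.search(cert.regex, later.userid):
                    return 0
    return min(cert.amount for cert in path)


def find_paths(certs, roots, target, userid, max_len=8):
    """All simple paths from any root to the (target, userid) binding."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    paths = []

    def walk(path, visited):
        last = path[-1]
        if last.target == target and last.userid == userid:
            paths.append(list(path))
            return
        if len(path) >= max_len:
            return
        for nxt in by_issuer.get(last.target, []):
            if nxt.target not in visited:
                path.append(nxt)
                walk(path, visited | {nxt.target})
                path.pop()

    for root in roots:
        for first in by_issuer.get(root, []):
            walk([first], {root, first.target})
    return paths


def authenticate(certs, roots, target, userid, threshold=FULLY_AUTHENTICATED):
    """Return (total amount capped at 120, authenticated?, valid paths).
    Assumes valid paths share no certification, so their amounts add up."""
    scored = [(path_amount(p), p) for p in find_paths(certs, roots, target, userid)]
    valid = [(a, p) for a, p in scored if a > 0]
    total = min(FULLY_AUTHENTICATED, sum(a for a, _ in valid))
    return total, total >= threshold, valid


# Constructed certification graph.
CERTS = [
    # the local trust root makes CA a one-hop introducer, restricted to example.org addresses
    Certification("ROOT", "CA", "CA <ca@example.org>", amount=120, depth=1, regex=r"@example\.org>$"),
    Certification("CA", "ALICE", "Alice <alice@example.org>"),
    Certification("CA", "BOB", "Bob <bob@example.com>"),          # outside CA's regex
    # a WKD proxy CA, trusted 1 of 120 as the page describes for `sq wkd get`
    Certification("ROOT", "WKD", "Local WKD proxy", amount=1, depth=1),
    Certification("WKD", "ALICE", "Alice <alice@example.org>"),
    Certification("WKD", "MALLORY", "Alice <alice@example.org>"),  # same User ID on another cert
    # a direct, partial certification with no introducer power
    Certification("ROOT", "CAROL", "Carol <carol@example.org>", amount=60),
    Certification("CAROL", "BOB", "Bob <bob@example.com>"),        # Carol has depth 0
]

if __name__ == "__main__":
    for fpr, uid in [("ALICE", "Alice <alice@example.org>"), ("MALLORY", "Alice <alice@example.org>"),
                     ("BOB", "Bob <bob@example.com>"), ("CAROL", "Carol <carol@example.org>")]:
        total, ok, paths = authenticate(CERTS, ["ROOT"], fpr, uid)
        state = "authenticated" if ok else "NOT authenticated"
        print(f"{uid} on {fpr}: {total}/120, {state}, {len(paths)} valid path(s)")
```

Run as shown, the Alice binding reaches 120 through CA (the WKD path adds only 1), the impersonating MALLORY certificate carrying the same User ID stops at 1, Bob gets nothing because CA's regex excludes example.com and Carol lacks trust depth, and Carol's own binding sits at 60, which "sq wot identify" would show as partially authenticated but not accept at the default threshold.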

sq armor

Convert a binary certificate to ASCII

sq armor binary-juliet.pgp

Convert a binary message to ASCII

sq armor binary-message.pgp

sq autocrypt decode

Extract all certificates from a mail

sq autocrypt decode autocrypt.eml

sq autocrypt encode-sender

Encodes a certificate

sq autocrypt encode-sender juliet.pgp

Encodes a certificate with an explicit sender address

sq autocrypt encode-sender --email juliet@example.org juliet.pgp

Encodes a certificate while indicating the willingness to encrypt

sq autocrypt encode-sender --prefer-encrypt mutual juliet.pgp

sq certify

Juliet certifies that Romeo controls romeo.pgp and romeo@example.org

sq certify juliet.pgp romeo.pgp "<romeo@example.org>"

Certify the User ID "Ada", and set the certification time to July 21, 2013 at midnight UTC:

sq certify --time 20130721 neal.pgp ada.pgp Ada

sq dearmor

Convert an ASCII certificate to binary

sq dearmor ascii-juliet.pgp

Convert an ASCII message to binary

sq dearmor ascii-message.pgp

sq decrypt

Decrypt a file using a secret key

sq decrypt --recipient-file juliet.pgp ciphertext.pgp

Decrypt a file verifying signatures

sq decrypt --recipient-file juliet.pgp --signer-file romeo.pgp ciphertext.pgp

Decrypt a file using a password

sq decrypt ciphertext.pgp

sq encrypt

Encrypt a file using a certificate

sq encrypt --recipient-file romeo.pgp message.txt

Encrypt a file creating a signature in the process

sq encrypt --recipient-file romeo.pgp --signer-file juliet.pgp message.txt

Encrypt a file using a password

sq encrypt --symmetric message.txt

sq export

Exports all certificates.

sq export > all.pgp

Exports certificates with a matching User ID packet. The binding signatures are checked, but the User IDs are not authenticated. Note: this check is case sensitive.

sq export --userid 'Alice <alice@example.org>'

Exports certificates with a User ID containing the email address. The binding signatures are checked, but the User IDs are not authenticated. Note: this check is case insensitive.

sq export --email 'alice@example.org'

Exports certificates where the certificate (i.e., the primary key) has the specified Key ID.

sq export --cert 1234567812345678

Exports certificates where the primary key or a subkey matches the specified Key ID.

sq export --key 1234567812345678

Exports certificates that contain a User ID with *either* (not both!) email address. Note: this check is case insensitive.

sq export --email alice@example.org --email bob@example.org

sq import

Imports a certificate.

sq import < juliet.pgp

sq inspect

Inspects a certificate

sq inspect juliet.pgp

Inspects a certificate ring

sq inspect certs.pgp

Inspects a message

sq inspect message.pgp

Inspects a detached signature

sq inspect message.sig

Show the certificate as it looked on July 21, 2013

sq inspect --time 20130721 cert.pgp

sq key adopt

Adopt a subkey into the new cert

sq key adopt --keyring juliet-old.pgp --key 0123456789ABCDEF -- juliet-new.pgp

sq key attest-certifications

Attest to all certifications present on the key

sq key attest-certifications juliet.pgp

Retract prior attestations on the key

sq key attest-certifications --none juliet.pgp

sq key extract-cert

First, this generates a key

sq key generate --userid "<juliet@example.org>" --output juliet.key.pgp

Then, this extracts the certificate for distribution

sq key extract-cert --output juliet.cert.pgp juliet.key.pgp

sq key generate

First, this generates a key

sq key generate --userid "<juliet@example.org>" --output juliet.key.pgp

Then, this extracts the certificate for distribution

sq key extract-cert --output juliet.cert.pgp juliet.key.pgp

Generates a key protecting it with a password

sq key generate --userid "<juliet@example.org>" --with-password

Generates a key with multiple userids

sq key generate --userid "<juliet@example.org>" --userid "Juliet Capulet"

Generates a key whose creation time is June 9, 2011 at midnight UTC

sq key generate --time 20110609 --userid "Noam" --output noam.pgp

sq key password

First, generate a key

sq key generate --userid "<juliet@example.org>" --output juliet.key.pgp

Then, encrypt the secrets in the key with a password.

sq key password < juliet.key.pgp > juliet.encrypted_key.pgp

And remove the password again.

sq key password --clear < juliet.encrypted_key.pgp > juliet.decrypted_key.pgp

sq key subkey add

First, this generates a key

sq key generate --userid "alice <alice@example.org>" --output alice.key.pgp

Add a new Subkey for universal encryption which expires at the same time as the primary key

sq key subkey add --output alice-new.key.pgp --can-encrypt universal alice.key.pgp

Add a new Subkey for signing using the rsa3k cipher suite which expires in five days

sq key subkey add --output alice-new.key.pgp --can-sign --cipher-suite rsa3k --expiry 5d alice.key.pgp

sq key userid add

First, this generates a key

sq key generate --userid "<juliet@example.org>" --output juliet.key.pgp

Then, this adds a User ID

sq key userid add --userid "Juliet" juliet.key.pgp \
    --output juliet-new.key.pgp

This adds a User ID whose creation time is set to June 28, 2022 at midnight UTC:

sq key userid add --userid "Juliet" --creation-time 20220628 \
    juliet.key.pgp --output juliet-new.key.pgp

sq key userid strip

First, this generates a key

sq key generate --userid "<juliet@example.org>" --output juliet.key.pgp

Then, this strips a User ID

sq key userid strip --userid "<juliet@example.org>" \
    --output juliet-new.key.pgp juliet.key.pgp

sq keyring filter

Converts a key to a cert (i.e., remove any secret key material)

sq keyring filter --to-cert juliet.pgp

Gets the keys with a user id on example.org

sq keyring filter --domain example.org keys.pgp

Gets the keys with a user id on example.org or example.net

sq keyring filter --domain example.org --domain example.net keys.pgp

Gets the keys with a user id with the name Juliet

sq keyring filter --name Juliet keys.pgp

Gets the keys with a user id with the name Juliet on example.org

sq keyring filter --domain example.org keys.pgp | \
    sq keyring filter --name Juliet

Gets the keys with a user id on example.org, pruning other userids

sq keyring filter --domain example.org --prune-certs certs.pgp

sq keyring join

Collect certs for an email conversation

sq keyring join juliet.pgp romeo.pgp alice.pgp

sq keyring lint


# To gather statistics, simply run:
$ sq keyring lint keyring.pgp

# To fix a key:
$ gpg --export-secret-keys FPR | sq keyring lint --fix -p passw0rd -p password123 | gpg --import

# To get a list of keys with issues:
$ sq keyring lint --list-keys keyring.pgp | while read FPR; do something; done

sq keyring list

List all certs

sq keyring list certs.pgp

List all certs with a userid on example.org

sq keyring filter --domain example.org certs.pgp | sq keyring list

sq keyring merge

Merge certificate updates

sq keyring merge certs.pgp romeo-updates.pgp

sq keyring split

Split all certs

sq keyring split certs.pgp

Split all certs, merging them first to avoid duplicates

sq keyring merge certs.pgp | sq keyring split

sq link add

The user links 0123456789ABCDEF and the User ID "<romeo@example.org>".

sq link add 0123456789ABCDEF "<romeo@example.org>"

The user examines 0123456789ABCDEF and then accepts the certificate 0123456789ABCDEF with its current set of self-signed User IDs.

sq export --cert 0123456789ABCDEF | sq inspect

...

sq link add 0123456789ABCDEF

The user links the certificate and its current self-signed User IDs for a week.

sq link add --expires-in 1w 0123456789ABCDEF

The user accepts the certificate, and its current self-signed User IDs, as a certification authority. That is, the certificate is considered a trust root.

sq link add --ca '*' 0123456789ABCDEF

The user accepts the certificate and its current self-signed User IDs as a partially trusted certification authority.

sq link add --ca --amount 60 0123456789ABCDEF

The user retracts their acceptance of 0123456789ABCDEF and any associated User IDs. This effectively invalidates any links.

sq link retract 0123456789ABCDEF

sq packet decrypt

Unwraps the encryption, revealing the signed message

sq packet decrypt --recipient-file juliet.pgp ciphertext.pgp

sq packet dump

Prints the packets of a certificate

sq packet dump juliet.pgp

Prints cryptographic artifacts of a certificate

sq packet dump --mpis juliet.pgp

Prints a hexdump of a certificate

sq packet dump --hex juliet.pgp

Prints the packets of an encrypted message

sq packet dump --session-key AAAABBBBCCCC... ciphertext.pgp

sq packet join

Split a certificate into individual packets

sq packet split juliet.pgp

Then join only a subset of these packets

sq packet join juliet.pgp-[0-3]*

sq packet split

Split a certificate into individual packets

sq packet split juliet.pgp

sq sign

Create a signed message

sq sign --signer-file juliet.pgp message.txt

Create a detached signature

sq sign --detached --signer-file juliet.pgp message.txt

Create a signature with the specified creation time

sq sign --time 20020304 --detached --signer-file juliet.pgp message.txt

sq verify

Verify a signed message

sq verify --signer-file juliet.pgp signed-message.pgp

Verify a message with a detached signature

sq verify --signer-file juliet.pgp --detached message.sig message.txt

Verify a message as of June 9, 2011 at midnight UTC:

sq verify --time 20110609 msg.pgp

sq wkd generate

Generate a WKD in /tmp/wkdroot from certs.pgp for example.com.

sq wkd generate /tmp/wkdroot example.com certs.pgp

sq wot authenticate


# Authenticate a binding.
$ sq --keyring keyring.pgp \
    wot \
    --partial \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    authenticate \
    C7966E3E7CE67DBBECE5FC154E2AD944CFC78C86 \
    'Alice <alice@example.org>'

# The same as above, but this time generate output in DOT format
# and convert it to an SVG using Graphviz's DOT compiler.
$ sq --format dot \
    --keyring keyring.pgp \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot authenticate \
    --partial \
    C7966E3E7CE67DBBECE5FC154E2AD944CFC78C86 \
    'Alice <alice@example.org>' \
    | dot -Tsvg -o alice.svg

# Try and authenticate each binding where the User ID has the
# specified email address.
$ sq --keyring keyring.pgp \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot authenticate \
    C7966E3E7CE67DBBECE5FC154E2AD944CFC78C86 \
    --email 'alice@example.org'

# The same as above, but this time generate output in DOT format
# and convert it to an SVG using Graphviz's DOT compiler.
$ sq --format dot \
    --keyring keyring.pgp \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot authenticate \
    C7966E3E7CE67DBBECE5FC154E2AD944CFC78C86 \
    --email 'alice@example.org' \
    | dot -Tsvg -o alice.svg

sq wot identify


# Identify a certificate.
$ sq --keyring keyring.pgp \
    --partial \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot identify \
    C7B1406CD2F612E9CE2136156F2DA183236153AE

# The same as above, but output in DOT format and convert it to
# an SVG using Graphviz's DOT compiler.
$ sq --format dot \
    --keyring keyring.pgp \
    --partial \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot identify \
    C7B1406CD2F612E9CE2136156F2DA183236153AE \
    | dot -Tsvg -o C7B1406CD2F612E9CE2136156F2DA183236153AE.svg

sq wot list

List all bindings for example.org that are at least partially authenticated.

sq --keyring keyring.pgp \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot list \
    --partial \
    @example.org

The same as above, but output in DOT format and convert it to an SVG using Graphviz's DOT compiler.

sq --format dot \
    --keyring keyring.pgp \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot list \
    --partial \
    @example.org \
    | dot -Tsvg -o example_org.svg

sq wot lookup


# Lookup a certificate with the given User ID.
$ sq --keyring keyring.pgp \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot lookup \
    --partial \
    'Alice <alice@example.org>'

# The same as above, but output in DOT format and convert it to
# an SVG using Graphviz's DOT compiler.
$ sq --format dot \
    --keyring keyring.pgp \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot lookup \
    --partial \
    'Alice <alice@example.org>' \
    | dot -Tsvg -o alice.svg

# Lookup a certificate with the given email address.
$ sq --keyring keyring.pgp \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot lookup \
    --email 'alice@example.org'

# The same as above, but output in DOT format and convert it to
# an SVG using Graphviz's DOT compiler.
$ sq --format dot \
    --keyring keyring.pgp \
    --trust-root 8F17777118A33DDA9BA48E62AACB3243630052D9 \
    wot lookup \
    --email 'alice@example.org' \
    | dot -Tsvg -o alice.svg

sq wot path

Verify that Neal certified Justus's certificate for a particular User ID.

sq --keyring keyring.pgp \
    wot path \
    8F17777118A33DDA9BA48E62AACB3243630052D9 \
    CBCD8F030588653EEDD7E2659B7DD433F254904A \
    "Justus Winter <justus@sequoia-pgp.org>"

The same as above, but output in DOT format and convert it to an SVG using Graphviz's DOT compiler.

sq --format dot \
    --keyring keyring.pgp \
    wot path \
    8F17777118A33DDA9BA48E62AACB3243630052D9 \
    CBCD8F030588653EEDD7E2659B7DD433F254904A \
    "Justus Winter <justus@sequoia-pgp.org>" \
    | dot -Tsvg -o neal--justus.svg

sq-armor(1), sq-autocrypt-decode(1), sq-autocrypt-encode-sender(1), sq-certify(1), sq-dane-get(1), sq-dearmor(1), sq-decrypt(1), sq-encrypt(1), sq-export(1), sq-import(1), sq-inspect(1), sq-key-adopt(1), sq-key-attest-certifications(1), sq-key-extract-cert(1), sq-key-generate(1), sq-key-password(1), sq-key-revoke(1), sq-key-subkey-add(1), sq-key-subkey-revoke(1), sq-key-userid-add(1), sq-key-userid-revoke(1), sq-key-userid-strip(1), sq-keyring-filter(1), sq-keyring-join(1), sq-keyring-lint(1), sq-keyring-list(1), sq-keyring-merge(1), sq-keyring-split(1), sq-keyserver-get(1), sq-keyserver-send(1), sq-link-add(1), sq-link-list(1), sq-link-retract(1), sq-output-versions(1), sq-packet-decrypt(1), sq-packet-dump(1), sq-packet-join(1), sq-packet-split(1), sq-sign(1), sq-verify(1), sq-wkd-direct-url(1), sq-wkd-generate(1), sq-wkd-get(1), sq-wkd-url(1), sq-wot-authenticate(1), sq-wot-identify(1), sq-wot-list(1), sq-wot-lookup(1), sq-wot-path(1).

For the full documentation see https://docs.sequoia-pgp.org/sq/.

0.31.0 (sequoia-openpgp 1.16.0, using Nettle 3.9 (Cv448: true))

0.31.0 Sequoia-PGP