slipenkomk/sequoia-sq
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2c8ae1ef1b
sequoia-sq/man-sq/sq.1
Justus Winter b89c172c1d
Reincarnation commit. 
- This implementation has been moved from the Sequoia repository to
    its own repository.  To inspect the history, either look at the
    Sequoia repository, or graft it onto this repository like this:

      $ git remote add sequoia https://gitlab.com/sequoia-pgp/sequoia
      $ git fetch sequoia 82eb0d7b240d137141fc0aaaa3dff1685bb11864
      $ git replace --graft <THIS-COMMIT> 82eb0d7b240d137141fc0aaaa3dff1685bb11864
2023-02-21 12:43:43 +01:00

1183 lines
26 KiB
Groff
Raw Blame History

.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.TH SQ 1 0.28.0 Sequoia-PGP "User Commands"
.SH NAME
sq \- A command\-line frontend for Sequoia, an implementation of OpenPGP
.SH SYNOPSIS
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBarmor\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBautocrypt decode\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBautocrypt encode\-sender\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBcertify\fR [\fIOPTIONS\fR] \fICERTIFIER\-KEY\fR \fICERTIFICATE\fR \fIUSERID\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBdane get\fR [\fIOPTIONS\fR] \fIADDRESS\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBdearmor\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBdecrypt\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBencrypt\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBinspect\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkey generate\fR [\fIOPTIONS\fR]
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkey password\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkey userid add\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkey userid strip\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkey extract\-cert\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkey attest\-certifications\fR [\fIOPTIONS\fR] \fIKEY\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkey adopt\fR [\fIOPTIONS\fR] \fITARGET\-KEY\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkeyring list\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkeyring split\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkeyring join\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkeyring merge\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkeyring filter\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkeyserver get\fR [\fIOPTIONS\fR] \fIQUERY\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBkeyserver send\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBoutput\-versions\fR [\fIOPTIONS\fR]
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBpacket dump\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBpacket decrypt\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBpacket split\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBpacket join\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBrevoke certificate\fR [\fIOPTIONS\fR] \fIREASON\fR \fIMESSAGE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBrevoke subkey\fR [\fIOPTIONS\fR] \fISUBKEY\fR \fIREASON\fR \fIMESSAGE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBrevoke userid\fR [\fIOPTIONS\fR] \fIUSERID\fR \fIREASON\fR \fIMESSAGE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBsign\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBverify\fR [\fIOPTIONS\fR] \fIFILE\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBwkd generate\fR [\fIOPTIONS\fR] \fIWEB\-ROOT\fR \fIFQDN\fR \fICERT\-RING\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBwkd get\fR [\fIOPTIONS\fR] \fIADDRESS\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBwkd direct\-url\fR [\fIOPTIONS\fR] \fIADDRESS\fR
.br
\fBsq\fR [\fIGLOBAL OPTIONS\fR] \fBwkd url\fR [\fIOPTIONS\fR] \fIADDRESS\fR
.SH DESCRIPTION
A command\-line frontend for Sequoia, an implementation of OpenPGP.
.PP
Functionality is grouped and available using subcommands. Currently,
this interface is completely stateless. Therefore, you need to supply
all configuration and certificates explicitly on each invocation.
.PP
OpenPGP data can be provided in binary or ASCII armored form. This
will be handled automatically. Emitted OpenPGP data is ASCII armored
by default.
.PP
We use the term "certificate", or cert for short, to refer to OpenPGP
keys that do not contain secrets. Conversely, we use the term "key"
to refer to OpenPGP keys that do contain secrets.
.PP
.SH OPTIONS
.TP
\fB\-f\fR, \fB\-\-force\fR
Overwrites existing files
.TP
\fB\-\-help\fR
Print help information
.TP
\fB\-\-known\-notation\fR=\fINOTATION\fR
Adds NOTATION to the list of known notations
.TP
\fB\-\-output\-format\fR=\fIFORMAT\fR
Produces output in FORMAT, if possible
.TP
\fB\-\-output\-version\fR=\fIVERSION\fR
Produces output variant VERSION.
.TP
\fB\-\-version\fR
Print version information
.SH SUBCOMMANDS
.SS "sq armor"
Converts binary to ASCII.
.PP
To make encrypted data easier to handle and transport, OpenPGP data
can be transformed to an ASCII representation called ASCII Armor. sq
emits armored data by default, but this subcommand can be used to
convert existing OpenPGP data to its ASCII\-encoded representation.
.PP
The converse operation is "sq dearmor".
.PP
.SS "sq autocrypt decode"
Reads Autocrypt\-encoded certificates.
.PP
Given an autocrypt header (or an key\-gossip header), this command
extracts the certificate encoded within it.
.PP
The converse operation is "sq autocrypt encode\-sender".
.PP
.SS "sq autocrypt encode-sender"
Encodes a certificate into an Autocrypt header.
.PP
A certificate can be encoded and included in a header of an email
message. This command encodes the certificate, adds the senders email
address (which must match the one used in the "From" header), and the
senders "prefer\-encrypt" state (see the Autocrypt spec for more
information).
.PP
The converse operation is "sq autocrypt decode".
.PP
.SS "sq certify"
Certifies a User ID for a Certificate.
.PP
Using a certification a keyholder may vouch for the fact that another
certificate legitimately belongs to a user id. In the context of
emails this means that the same entity controls the key and the email
address. These kind of certifications form the basis for the Web Of
Trust.
.PP
This command emits the certificate with the new certification. The
updated certificate has to be distributed, preferably by sending it to
the certificate holder for attestation. See also "sq key
attest\-certification".
.PP
.SS "sq dane get"
Queries for certs using DANE.
.SS "sq dearmor"
Converts ASCII to binary.
.PP
To make encrypted data easier to handle and transport, OpenPGP data
can be transformed to an ASCII representation called ASCII Armor. sq
transparently handles armored data, but this subcommand can be used to
explicitly convert existing ASCII\-encoded OpenPGP data to its binary
representation.
.PP
The converse operation is "sq armor".
.PP
.SS "sq decrypt"
Decrypts a message.
.PP
Decrypts a message using either supplied keys, or by prompting for a
password. If message tampering is detected, an error is returned.
See below for details.
.PP
If certificates are supplied using the "\-\-signer\-cert" option, any
signatures that are found are checked using these certificates.
Verification is only successful if there is no bad signature, and the
number of successfully verified signatures reaches the threshold
configured with the "\-\-signatures" parameter.
.PP
If the signature verification fails, or if message tampering is
detected, the program terminates with an exit status indicating
failure. In addition to that, the last 25 MiB of the message are
withheld, i.e. if the message is smaller than 25 MiB, no output is
produced, and if it is larger, then the output will be truncated.
.PP
The converse operation is "sq encrypt".
.PP
.SS "sq encrypt"
Encrypts a message.
.PP
Encrypts a message for any number of recipients and with any number of
passwords, optionally signing the message in the process.
.PP
The converse operation is "sq decrypt".
.PP
.SS "sq inspect"
Inspects data, like file(1).
.PP
It is often difficult to tell from cursory inspection using cat(1) or
file(1) what kind of OpenPGP one is looking at. This subcommand
inspects the data and provides a meaningful human\-readable description
of it.
.PP
.SS "sq key adopt"
Binds keys from one certificate to another.
.PP
This command allows one to transfer primary keys and subkeys into an
existing certificate. Say you want to transition to a new
certificate, but have an authentication subkey on your current
certificate. You want to keep the authentication subkey because it
allows access to SSH servers and updating their configuration is not
feasible.
.PP
.SS "sq key attest-certifications"
Attests to third\-party certifications allowing for their distribution.
.PP
To prevent certificate flooding attacks, modern key servers prevent
uncontrolled distribution of third\-party certifications on
certificates. To make the key holder the sovereign over the
information over what information is distributed with the certificate,
the key holder needs to explicitly attest to third\-party
certifications.
.PP
After the attestation has been created, the certificate has to be
distributed, e.g. by uploading it to a keyserver.
.PP
.SS "sq key extract-cert"
Converts a key to a cert.
.PP
After generating a key, use this command to get the certificate
corresponding to the key. The key must be kept secure, while the
certificate should be handed out to correspondents, e.g. by uploading
it to a keyserver.
.PP
.SS "sq key generate"
Generates a new key.
.PP
Generating a key is the prerequisite to receiving encrypted messages
and creating signatures. There are a few parameters to this process,
but we provide reasonable defaults for most users.
.PP
When generating a key, we also generate a revocation certificate.
This can be used in case the key is superseded, lost, or compromised.
It is a good idea to keep a copy of this in a safe place.
.PP
After generating a key, use "sq key extract\-cert" to get the
certificate corresponding to the key. The key must be kept secure,
while the certificate should be handed out to correspondents, e.g. by
uploading it to a keyserver.
.PP
.SS "sq key password"
Changes password protecting secrets.
.PP
Secret key material in keys can be protected by a password. This
subcommand changes or clears this encryption password.
.PP
To emit the key with unencrypted secrets, either use `\-\-clear` or
supply a zero\-length password when prompted for the new password.
.PP
.SS "sq key userid add"
Adds a User ID.
.PP
A User ID can contain a name, like "Juliet" or an email address, like
"<juliet@example.org>". Historically, a name and email address were often
combined as a single User ID, like "Juliet <juliet@example.org>".
.PP
.SS "sq key userid strip"
Strips a User ID.
.PP
Note that this operation does not reliably remove User IDs from a
certificate that has already been disseminated! (OpenPGP software
typically appends new information it receives about a certificate
to its local copy of that certificate. Systems that have obtained
a copy of your certificate with the User ID that you are trying to
strip will not drop that User ID from their copy.)
.PP
In most cases, you will want to use the \*(Aqsq revoke userid\*(Aq operation
instead. That issues a revocation for a User ID, which can be used to mark
the User ID as invalidated.
.PP
However, this operation can be useful in very specific cases, in particular:
to remove a mistakenly added User ID before it has been uploaded to key
servers or otherwise shared.
.PP
Stripping a User ID may change how a certificate is interpreted. This
is because information about the certificate like algorithm preferences,
the primary key\*(Aqs key flags, etc. is stored in the User ID\*(Aqs binding
signature.
.PP
.SS "sq keyring filter"
Joins keys into a keyring applying a filter.
.PP
This can be used to filter keys based on given predicates,
e.g. whether they have a user id containing an email address with a
certain domain. Additionally, the keys can be pruned to only include
components matching the predicates.
.PP
If no filters are supplied, everything matches.
.PP
If multiple predicates are given, they are or\*(Aqed, i.e. a key matches
if any of the predicates match. To require all predicates to match,
chain multiple invocations of this command. See EXAMPLES for
inspiration.
.PP
.SS "sq keyring join"
Joins keys or keyrings into a single keyring.
.PP
Unlike "sq keyring merge", multiple versions of the same key are not
merged together.
.PP
The converse operation is "sq keyring split".
.PP
.SS "sq keyring list"
Lists keys in a keyring.
.PP
Prints the fingerprint as well as the primary userid for every
certificate encountered in the keyring.
.PP
.SS "sq keyring merge"
Merges keys or keyrings into a single keyring.
.PP
Unlike "sq keyring join", the certificates are buffered and multiple
versions of the same certificate are merged together. Where data is
replaced (e.g., secret key material), data from the later certificate
is preferred.
.PP
.SS "sq keyring split"
Splits a keyring into individual keys.
.PP
Splitting up a keyring into individual keys helps with curating a
keyring.
.PP
The converse operation is "sq keyring join".
.PP
.SS "sq keyserver get"
Retrieves a key.
.SS "sq keyserver send"
Sends a key.
.SS "sq output-versions"
List supported output versions.
.SS "sq packet decrypt"
Unwraps an encryption container.
.PP
Decrypts a message, dumping the content of the encryption container
without further processing. The result is a valid OpenPGP message
that can, among other things, be inspected using "sq packet dump".
.PP
.SS "sq packet dump"
Lists packets.
.PP
Creates a human\-readable description of the packet sequence.
Additionally, it can print cryptographic artifacts, and print the raw
octet stream similar to hexdump(1), annotating specifically which
bytes are parsed into OpenPGP values.
.PP
To inspect encrypted messages, either supply the session key, or see
"sq decrypt \-\-dump" or "sq packet decrypt".
.PP
.SS "sq packet join"
Joins packets split across files.
.PP
Splitting a packet sequence into individual packets, then recombining
them freely with "sq packet join" is a great way to experiment with
OpenPGP data.
.PP
The converse operation is "sq packet split".
.PP
.SS "sq packet split"
Splits a message into packets.
.PP
Splitting a packet sequence into individual packets, then recombining
them freely with "sq packet join" is a great way to experiment with
OpenPGP data.
.PP
The converse operation is "sq packet join".
.PP
.SS "sq revoke certificate"
Revokes a certificate.
.PP
Creates a revocation certificate for the certificate.
.PP
If "\-\-revocation\-file" is provided, then that key is used to create
the signature. If that key is different from the certificate being
revoked, this creates a third\-party revocation. This is normally only
useful if the owner of the certificate designated the key to be a
designated revoker.
.PP
If "\-\-revocation\-file" is not provided, then the certificate must
include a certification\-capable key.
.PP
.SS "sq revoke subkey"
Revokes a subkey.
.PP
Creates a revocation certificate for a subkey.
.PP
If "\-\-revocation\-file" is provided, then that key is used to create the signature. If that key is different from the certificate being revoked, this creates a third\-party revocation. This is normally only useful if the owner of the certificate designated the key to be a designated revoker.
.PP
If "\-\-revocation\-file" is not provided, then the certificate must include a certification\-capable key.
.SS "sq revoke userid"
Revokes a User ID.
.PP
Creates a revocation certificate for a User ID.
.PP
If "\-\-revocation\-key" is provided, then that key is used to create the signature. If that key is different from the certificate being revoked, this creates a third\-party revocation. This is normally only useful if the owner of the certificate designated the key to be a designated revoker.
.PP
If "\-\-revocation\-key" is not provided, then the certificate must include a certification\-capable key.
.SS "sq sign"
Signs messages or data files.
.PP
Creates signed messages or detached signatures. Detached signatures
are often used to sign software packages.
.PP
The converse operation is "sq verify".
.PP
.SS "sq verify"
Verifies signed messages or detached signatures.
.PP
When verifying signed messages, the message is written to stdout or
the file given to \-\-output.
.PP
When a detached message is verified, no output is produced. Detached
signatures are often used to sign software packages.
.PP
Verification is only successful if there is no bad signature, and the
number of successfully verified signatures reaches the threshold
configured with the "\-\-signatures" parameter. If the verification
fails, the program terminates with an exit status indicating failure.
In addition to that, the last 25 MiB of the message are withheld,
i.e. if the message is smaller than 25 MiB, no output is produced, and
if it is larger, then the output will be truncated.
.PP
The converse operation is "sq sign".
.PP
If you are looking for a standalone program to verify detached
signatures, consider using sequoia\-sqv.
.PP
.SS "sq wkd direct-url"
Prints the direct Web Key Directory URL of an email address.
.SS "sq wkd generate"
Generates a Web Key Directory for the given domain and keys.
.PP
If the WKD exists, the new keys will be inserted and it is updated and existing ones will be updated.
.PP
A WKD is per domain, and can be queried using the advanced or the direct method. The advanced method uses a URL with a subdomain \*(Aqopenpgpkey\*(Aq. As per the specification, the advanced method is to be preferred. The direct method may only be used if the subdomain doesn\*(Aqt exist. The advanced method allows web key directories for several domains on one web server.
.PP
The contents of the generated WKD must be copied to a web server so that they are accessible under https://openpgpkey.example.com/.well\-known/openpgp/... for the advanced version, and https://example.com/.well\-known/openpgp/... for the direct version. sq does not copy files to the web server.
.PP
.SS "sq wkd get"
Queries for certs using Web Key Directory.
.SS "sq wkd url"
Prints the advanced Web Key Directory URL of an email address.
.SH EXAMPLES
.SS "sq armor"
.PP
.PP
Convert a binary certificate to ASCII
.PP
.nf
.RS
sq armor binary\-juliet.pgp
.RE
.fi
.PP
.PP
Convert a binary message to ASCII
.PP
.nf
.RS
sq armor binary\-message.pgp
.RE
.fi
.PP
.SS "sq autocrypt decode"
.PP
.PP
Extract all certificates from a mail
.PP
.nf
.RS
sq autocrypt decode autocrypt.eml
.RE
.fi
.PP
.SS "sq autocrypt encode-sender"
.PP
.PP
Encodes a certificate
.PP
.nf
.RS
sq autocrypt encode\-sender juliet.pgp
.RE
.fi
.PP
.PP
Encodes a certificate with an explicit sender address
.PP
.nf
.RS
sq autocrypt encode\-sender \-\-email juliet@example.org juliet.pgp
.RE
.fi
.PP
.PP
Encodes a certificate while indicating the willingness to encrypt
.PP
.nf
.RS
sq autocrypt encode\-sender \-\-prefer\-encrypt mutual juliet.pgp
.RE
.fi
.PP
.SS "sq certify"
.PP
.PP
Juliet certifies that Romeo controls romeo.pgp and romeo@example.org
.PP
.nf
.RS
sq certify juliet.pgp romeo.pgp "<romeo@example.org>"
.RE
.fi
.PP
.SS "sq dearmor"
.PP
.PP
Convert a ASCII certificate to binary
.PP
.nf
.RS
sq dearmor ascii\-juliet.pgp
.RE
.fi
.PP
.PP
Convert a ASCII message to binary
.PP
.nf
.RS
sq dearmor ascii\-message.pgp
.RE
.fi
.PP
.SS "sq decrypt"
.PP
.PP
Decrypt a file using a secret key
.PP
.nf
.RS
sq decrypt \-\-recipient\-file juliet.pgp ciphertext.pgp
.RE
.fi
.PP
.PP
Decrypt a file verifying signatures
.PP
.nf
.RS
sq decrypt \-\-recipient\-file juliet.pgp \-\-signer\-file romeo.pgp ciphertext.pgp
.RE
.fi
.PP
.PP
Decrypt a file using a password
.PP
.nf
.RS
sq decrypt ciphertext.pgp
.RE
.fi
.PP
.SS "sq encrypt"
.PP
.PP
Encrypt a file using a certificate
.PP
.nf
.RS
sq encrypt \-\-recipient\-file romeo.pgp message.txt
.RE
.fi
.PP
.PP
Encrypt a file creating a signature in the process
.PP
.nf
.RS
sq encrypt \-\-recipient\-file romeo.pgp \-\-signer\-file juliet.pgp message.txt
.RE
.fi
.PP
.PP
Encrypt a file using a password
.PP
.nf
.RS
sq encrypt \-\-symmetric message.txt
.RE
.fi
.PP
.SS "sq inspect"
.PP
.PP
Inspects a certificate
.PP
.nf
.RS
sq inspect juliet.pgp
.RE
.fi
.PP
.PP
Inspects a certificate ring
.PP
.nf
.RS
sq inspect certs.pgp
.RE
.fi
.PP
.PP
Inspects a message
.PP
.nf
.RS
sq inspect message.pgp
.RE
.fi
.PP
.PP
Inspects a detached signature
.PP
.nf
.RS
sq inspect message.sig
.RE
.fi
.PP
.SS "sq key adopt"
.PP
.PP
Adopt an subkey into the new cert
.PP
.nf
.RS
sq key adopt \-\-keyring juliet\-old.pgp \-\-key 0123456789ABCDEF \-\- juliet\-new.pgp
.RE
.fi
.PP
.SS "sq key attest-certifications"
.PP
.PP
Attest to all certifications present on the key
.PP
.nf
.RS
sq key attest\-certifications juliet.pgp
.RE
.fi
.PP
.PP
Retract prior attestations on the key
.PP
.nf
.RS
sq key attest\-certifications \-\-none juliet.pgp
.RE
.fi
.PP
.SS "sq key extract-cert"
.PP
.PP
First, this generates a key
.PP
.nf
.RS
sq key generate \-\-userid "<juliet@example.org>" \-\-export juliet.key.pgp
.RE
.fi
.PP
.PP
Then, this extracts the certificate for distribution
.PP
.nf
.RS
sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp
.RE
.fi
.PP
.SS "sq key generate"
.PP
.PP
First, this generates a key
.PP
.nf
.RS
sq key generate \-\-userid "<juliet@example.org>" \-\-export juliet.key.pgp
.RE
.fi
.PP
.PP
Then, this extracts the certificate for distribution
.PP
.nf
.RS
sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp
.RE
.fi
.PP
.PP
Generates a key protecting it with a password
.PP
.nf
.RS
sq key generate \-\-userid "<juliet@example.org>" \-\-with\-password
.RE
.fi
.PP
.PP
Generates a key with multiple userids
.PP
.nf
.RS
sq key generate \-\-userid "<juliet@example.org>" \-\-userid "Juliet Capulet"
.RE
.fi
.PP
.SS "sq key password"
.PP
.PP
First, generate a key
.PP
.nf
.RS
sq key generate \-\-userid "<juliet@example.org>" \-\-export juliet.key.pgp
.RE
.fi
.PP
.PP
Then, encrypt the secrets in the key with a password.
.PP
.nf
.RS
sq key password < juliet.key.pgp > juliet.encrypted_key.pgp
.RE
.fi
.PP
.PP
And remove the password again.
.PP
.nf
.RS
sq key password \-\-clear < juliet.encrypted_key.pgp > juliet.decrypted_key.pgp
.RE
.fi
.PP
.SS "sq key userid add"
.PP
.PP
First, this generates a key
.PP
.nf
.RS
sq key generate \-\-userid "<juliet@example.org>" \-\-export juliet.key.pgp
.RE
.fi
.PP
.PP
Then, this adds a User ID
.PP
.nf
.RS
sq key userid add \-\-userid "Juliet" juliet.key.pgp \\
.RE
.fi
.PP
\-\-output juliet\-new.key.pgp
.PP
.SS "sq key userid strip"
.PP
.PP
First, this generates a key
.PP
.nf
.RS
sq key generate \-\-userid "<juliet@example.org>" \-\-export juliet.key.pgp
.RE
.fi
.PP
.PP
Then, this strips a User ID
.PP
.nf
.RS
sq key userid strip \-\-userid "<juliet@example.org>" \\
.RE
.fi
.PP
\-\-output juliet\-new.key.pgp juliet.key.pgp
.PP
.SS "sq keyring filter"
.PP
.PP
Converts a key to a cert (i.e., remove any secret key material)
.PP
.nf
.RS
sq keyring filter \-\-to\-cert cat juliet.pgp
.RE
.fi
.PP
.PP
Gets the keys with a user id on example.org
.PP
.nf
.RS
sq keyring filter \-\-domain example.org keys.pgp
.RE
.fi
.PP
.PP
Gets the keys with a user id on example.org or example.net
.PP
.nf
.RS
sq keyring filter \-\-domain example.org \-\-domain example.net keys.pgp
.RE
.fi
.PP
.PP
Gets the keys with a user id with the name Juliet
.PP
.nf
.RS
sq keyring filter \-\-name Juliet keys.pgp
.RE
.fi
.PP
.PP
Gets the keys with a user id with the name Juliet on example.org
.PP
.nf
.RS
sq keyring filter \-\-domain example.org keys.pgp | \\
.RE
.fi
.PP
sq keyring filter \-\-name Juliet
.PP
.PP
Gets the keys with a user id on example.org, pruning other userids
.PP
.nf
.RS
sq keyring filter \-\-domain example.org \-\-prune\-certs certs.pgp
.RE
.fi
.PP
.SS "sq keyring join"
.PP
.PP
Collect certs for an email conversation
.PP
.nf
.RS
sq keyring join juliet.pgp romeo.pgp alice.pgp
.RE
.fi
.PP
.SS "sq keyring list"
.PP
.PP
List all certs
.PP
.nf
.RS
sq keyring list certs.pgp
.RE
.fi
.PP
.PP
List all certs with a userid on example.org
.PP
.nf
.RS
sq keyring filter \-\-domain example.org certs.pgp | sq keyring list
.RE
.fi
.PP
.SS "sq keyring merge"
.PP
.PP
Merge certificate updates
.PP
.nf
.RS
sq keyring merge certs.pgp romeo\-updates.pgp
.RE
.fi
.PP
.SS "sq keyring split"
.PP
.PP
Split all certs
.PP
.nf
.RS
sq keyring split certs.pgp
.RE
.fi
.PP
.PP
Split all certs, merging them first to avoid duplicates
.PP
.nf
.RS
sq keyring merge certs.pgp | sq keyring split
.RE
.fi
.PP
.SS "sq packet decrypt"
.PP
.PP
Unwraps the encryption revealing the signed message
.PP
.nf
.RS
sq packet decrypt \-\-recipient\-file juliet.pgp ciphertext.pgp
.RE
.fi
.PP
.SS "sq packet dump"
.PP
.PP
Prints the packets of a certificate
.PP
.nf
.RS
sq packet dump juliet.pgp
.RE
.fi
.PP
.PP
Prints cryptographic artifacts of a certificate
.PP
.nf
.RS
sq packet dump \-\-mpis juliet.pgp
.RE
.fi
.PP
.PP
Prints a hexdump of a certificate
.PP
.nf
.RS
sq packet dump \-\-hex juliet.pgp
.RE
.fi
.PP
.PP
Prints the packets of an encrypted message
.PP
.nf
.RS
sq packet dump \-\-session\-key AAAABBBBCCCC... ciphertext.pgp
.RE
.fi
.PP
.SS "sq packet join"
.PP
.PP
Split a certificate into individual packets
.PP
.nf
.RS
sq packet split juliet.pgp
.RE
.fi
.PP
.PP
Then join only a subset of these packets
.PP
.nf
.RS
sq packet join juliet.pgp\-[0\-3]*
.RE
.fi
.PP
.SS "sq packet split"
.PP
.PP
Split a certificate into individual packets
.PP
.nf
.RS
sq packet split juliet.pgp
.RE
.fi
.PP
.SS "sq sign"
.PP
.PP
Create a signed message
.PP
.nf
.RS
sq sign \-\-signer\-file juliet.pgp message.txt
.RE
.fi
.PP
.PP
Create a detached signature
.PP
.nf
.RS
sq sign \-\-detached \-\-signer\-file juliet.pgp message.txt
.RE
.fi
.PP
.SS "sq verify"
.PP
.PP
Verify a signed message
.PP
.nf
.RS
sq verify \-\-signer\-file juliet.pgp signed\-message.pgp
.RE
.fi
.PP
.PP
Verify a detached message
.PP
.nf
.RS
sq verify \-\-signer\-file juliet.pgp \-\-detached message.sig message.txt
.RE
.fi
.PP
.SS "sq wkd generate"
.PP
.PP
Generate a WKD in /tmp/wkdroot from certs.pgp for example.com.
.PP
.nf
.RS
sq wkd generate /tmp/wkdroot example.com certs.ppg
.RE
.fi
.PP
.SH "SEE ALSO"
.nh
\fBsq\-armor\fR(1), \fBsq\-autocrypt\-decode\fR(1), \fBsq\-autocrypt\-encode\-sender\fR(1), \fBsq\-certify\fR(1), \fBsq\-dane\-get\fR(1), \fBsq\-dearmor\fR(1), \fBsq\-decrypt\fR(1), \fBsq\-encrypt\fR(1), \fBsq\-inspect\fR(1), \fBsq\-key\-adopt\fR(1), \fBsq\-key\-attest\-certifications\fR(1), \fBsq\-key\-extract\-cert\fR(1), \fBsq\-key\-generate\fR(1), \fBsq\-key\-password\fR(1), \fBsq\-key\-userid\-add\fR(1), \fBsq\-key\-userid\-strip\fR(1), \fBsq\-keyring\-filter\fR(1), \fBsq\-keyring\-join\fR(1), \fBsq\-keyring\-list\fR(1), \fBsq\-keyring\-merge\fR(1), \fBsq\-keyring\-split\fR(1), \fBsq\-keyserver\-get\fR(1), \fBsq\-keyserver\-send\fR(1), \fBsq\-output\-versions\fR(1), \fBsq\-packet\-decrypt\fR(1), \fBsq\-packet\-dump\fR(1), \fBsq\-packet\-join\fR(1), \fBsq\-packet\-split\fR(1), \fBsq\-revoke\-certificate\fR(1), \fBsq\-revoke\-subkey\fR(1), \fBsq\-revoke\-userid\fR(1), \fBsq\-sign\fR(1), \fBsq\-verify\fR(1), \fBsq\-wkd\-direct\-url\fR(1), \fBsq\-wkd\-generate\fR(1), \fBsq\-wkd\-get\fR(1), \fBsq\-wkd\-url\fR(1).
.hy
.PP
For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
.SH VERSION
0.28.0 (sequoia\-openpgp 1.13.0, using Nettle)
Reference in New Issue View Git Blame Copy Permalink