Quick start

This is an overview of operations relating to authenticity. It is by no means complete, but will help you get up to speed quickly.

Getting a certificate from the internet

Search default keyservers, WKDs, and DNS servers for certificates with User IDs or fingerprints matching $QUERY:

$ sq network search $QUERY

Publish a certificate

Publish the certificate with fingerprint $FINGERPRINT on the default keyservers:

$ sq network keyserver publish --cert $FINGERPRINT

Authenticate a certificate

sq only uses authenticated certificates. That means that certificates can only be identified by a User ID if the binding between this User ID and a certificate is marked as valid. This doesn't apply if you select a certificate by fingerprint (or provide it directly from a file), as fingerprints are regarded as self-authenticated. To mark a binding as authenticated, use:

$ sq pki link add --cert $FINGERPRINT --userid $USERID

This only authenticates this specific User ID; other User IDs of the certificate are not affected. For convenience, you can authenticate all User IDs in a certificate in one go:

$ sq pki link add --cert $FINGERPRINT --all

Retract authentication from a certificate

To reverse an authentication (removing a link between a User ID and a certificate), use:

$ sq pki link retract --cert $FINGERPRINT --userid $USERID

or the following to retract all of a certificate's associated links:

$ sq pki link retract --cert $FINGERPRINT

Import a certificate from a file

$ sq cert import $FILE

Export a certificate to a file

$ sq cert export --cert $FINGERPRINT > $FILE

Certify a certificate

Also known as "signing a key":

$ sq pki vouch certify --certifier $MY_FINGERPRINT --cert $OTHER_FINGERPRINT --userid $USERID

This way the binding between $OTHER_FINGERPRINT and $USERID is certified as authentic by the certificate $MY_FINGERPRINT. Don't forget to publish your newly created certification.

Approving a certification

To avoid flooding certificates with bogus certifications, keyservers might insist on an approval by the keyholder of the certified certificate. To approve all pending certifications:

$ sq key approvals update --add-all --cert $FINGERPRINT

Verify a data signature

To verify a detached signature (where the signature is stored in a separate file), use:

$ sq verify --signature-file $DETACHED_SIGNATURE_FILE $FILE

To verify a signed message, use:

$ sq verify $FILE

To verify successfully, the signing certificate must be authenticated.
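
The lookup, link and verify steps above combined into one fail-closed check for a downloaded file, as an added example that is not part of the sq documentation. The function names are hypothetical, and it assumes that the fingerprint was obtained through a channel you trust and that `sq network search` leaves the certificate it finds in the local certificate store.

```sh
#!/bin/sh
# Added example (not from the sq documentation): fetch a signer's certificate
# by fingerprint, authenticate one User ID, then verify a detached signature.
# Function names are hypothetical; only sq commands shown on this page are used.

# Accept only a full fingerprint: 40 hex digits (v4) or 64 (v6). Short key IDs
# are rejected because they are not self-authenticating.
is_full_fingerprint() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ] || [ "${#1}" -eq 64 ]
}

# verify_download FINGERPRINT USERID DETACHED_SIGNATURE_FILE FILE
# Returns 0 only if every step succeeded; each failure has its own status.
verify_download() {
    if ! is_full_fingerprint "$1"; then
        echo "refusing: '$1' is not a full fingerprint" >&2
        return 2
    fi
    # Look the certificate up by the trusted fingerprint, not by name.
    # Assumption: the search stores what it finds in the local cert store.
    sq network search "$1" || return 3
    # Authenticate only the User ID that was checked; the link persists until
    # removed with `sq pki link retract`.
    sq pki link add --cert "$1" --userid "$2" || return 4
    # sq verify fails unless the signing certificate is authenticated.
    sq verify --signature-file "$3" "$4" || return 1
}
```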

Sign files and messages

Sign a file using the key with fingerprint $FINGERPRINT:

$ sq sign --signer $FINGERPRINT $FILE

Sign with a detached signature

$ sq sign --signature-file $DETACHED_SIGNATURE_FILE --signer $FINGERPRINT $FILE