Quick start

This is an overview over operations concerning authenticity. It is by no means complete, but might give you a first orientation.

Getting a certificate from the internet

$ sq network search $QUERY

Search default keyservers, WKDs and DNS servers for certificates with User IDs or fingerprints matching $QUERY.

Publish a certificate

$ sq network keyserver publish --cert $FINGERPRINT

Publish the certificate with fingerprint $FINGERPRINT on the default keyservers.

Authenticate a certificate

sq only uses authenticated certificates. That means that certificates can only be designated by a User ID if the binding between this User ID and a certificate is marked as valid. This doesn't apply if you select a certificate by fingerprint (or use from a file), as fingerprints are regarded as self-authenticated. To mark a binding as authenticated use:

$ sq pki link add --cert $FINGERPRINT --userid $USERID

This only authenticates this specific User ID, other User IDs of the certificate are not effected. Use:

$ sq pki link add --cert $FINGERPRINT --all

as a convenience to authenticate all User IDs in a certificate in one go.

Retract authentication from a certificate

To reverse an authentication use:

$ sq pki link retract --cert $FINGERPRINT --userid $USERID

or the following to retract any associated links of a certificate:

$ sq pki link retract --cert $FINGERPRINT

Import a certificate from a file

$ sq cert import $FILE

Export a certificate to a file

$ sq cert export --cert $FINGERPRINT

Certifying a certificate

also known as "signing a key":

$ sq pki vouch certify --certifier $MY_FINGERPRINT --cert $OTHER_FINGERPRINT --userid $USERID

This way the binding between $OTHER_FINGERPRINT and $USERID is certified as authentic by the certificate $MY_FINGERPRINT. Don't forget to publish your newly created certification.

Approving a certification

To avoid flooding of certificates with bogus certifications, keyservers might insist on an approval by the keyholder of the certified certificate. To approve all pending certifications:

$ sq key approvals update --add-all --cert $FINGERPRINT

Verify a data signature

To verify a detached signature use:

$ sq verify --signature-file $DETACHED_SIGNATURE_FILE $FILE

To verify a signed message use:

$ sq verify $FILE

Please note that for a successful verification the signing certificate has to be authenticated.

Sign files and messages

$ sq sign --signer $FINGERPRINT $FILE

Sign a file using the key with fingerprint $FINGERPRINT.

Sign with detached signature

$ sq sign --signature-file --signer $FINGERPRINT $FILE

The detached signature will be printed to STDOUT.