Quick start

This is an overview of operations relating to authenticity. It is by no means complete, but will help you get up to speed quickly.

Getting a certificate from the internet

Search default keyservers, WKDs, and DNS servers for certificates with User IDs or fingerprints matching $QUERY:

$ sq network search $QUERY

Publish a certificate

Publish the certificate with fingerprint $FINGERPRINT on the default keyservers:

$ sq network keyserver publish --cert $FINGERPRINT

Authenticate a certificate

sq only uses authenticated certificates. That means that certificates can only be identified by a User ID if the binding between this User ID and a certificate is marked as valid. This doesn’t apply if you select a certificate by fingerprint (or provide it directly from a file), as fingerprints are regarded as self-authenticated. To mark a binding as authenticated, use:

$ sq pki link add --cert $FINGERPRINT --userid $USERID

This only authenticates this specific User ID; other User IDs of the certificate are not affected. For convenience, you can authenticate all User IDs in a certificate in one go:

$ sq pki link add --cert $FINGERPRINT --all

Retract authentication from a certificate

To reverse an authentication (removing a link between a User ID and a certificate), use:

$ sq pki link retract --cert $FINGERPRINT --userid $USERID

or the following to retract all of a certificate’s associated links:

$ sq pki link retract --cert $FINGERPRINT

Import a certificate from a file

$ sq cert import $FILE

Export a certificate to a file

$ sq cert export --cert $FINGERPRINT > $FILE

Certify a certificate

Also known as “signing a key”:

$ sq pki vouch certify --certifier $MY_FINGERPRINT --cert $OTHER_FINGERPRINT --userid $USERID

This way the binding between $OTHER_FINGERPRINT and $USERID is certified as authentic by the certificate $MY_FINGERPRINT. Don’t forget to publish your newly created certification.

Approving a certification

To avoid flooding certificates with bogus certifications, keyservers might insist on an approval by the keyholder of the certified certificate. To approve all pending certifications:

$ sq key approvals update --add-all --cert $FINGERPRINT

Verify a data signature

To verify a detached signature (where the signature is stored in a separate file), use:

$ sq verify --signature-file $DETACHED_SIGNATURE_FILE $FILE

To verify a signed message, use:

$ sq verify --message $FILE

To verify successfully, the signing certificate must be authenticated.
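Added example (not part of the sq documentation): a POSIX shell wrapper that chains the import, link and verify steps above, assuming the signer's fingerprint was obtained out of band. The function names `normalize_fpr` and `verify_release` are hypothetical, and the length check assumes full OpenPGP fingerprints of 40 (v4) or 64 (v6) hex digits.

```shell
#!/bin/sh
# Added example, not sq's own code. Uses only the sq invocations shown on this page.

# Strip whitespace and uppercase a fingerprint. Accept only a full
# fingerprint (40 or 64 hex digits) so a short key ID is never linked.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    case "${#fpr}" in
        40|64) printf '%s\n' "$fpr" ;;
        *) return 1 ;;
    esac
}

# verify_release CERT_FILE EXPECTED_FPR USERID SIG_FILE DATA_FILE
# Returns 2 on bad arguments, otherwise the status of the failing sq step
# (or of the final verification).
verify_release() {
    [ "$#" -eq 5 ] || { echo "usage: verify_release CERT FPR USERID SIG FILE" >&2; return 2; }
    fpr=$(normalize_fpr "$2") || { echo "not a full fingerprint: $2" >&2; return 2; }

    # Importing does not authenticate anything; it only adds the certificate.
    sq cert import "$1" || return 1

    # Link by the fingerprint we were given out of band, not by whatever the
    # file contains. If the file holds a different certificate, this link
    # does not cover it and the verification below cannot rely on it.
    sq pki link add --cert "$fpr" --userid "$3" || return 1

    # Per the text above, this succeeds only for an authenticated signer.
    sq verify --signature-file "$4" "$5"
}

# Example call (all values are placeholders):
#   verify_release vendor.pgp "$FINGERPRINT" "$USERID" release.tar.sig release.tar
```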

Sign files and messages

Sign a file using the key with fingerprint $FINGERPRINT:

$ sq sign --signer $FINGERPRINT $FILE

Sign with detached signature

$ sq sign --signature-file $DETACHED_SIGNATURE_FILE --signer $FINGERPRINT $FILE