sqv - a verifying tool
sqv is a standalone tool for verifying signatures. Its main use case is for verifying the integrity and authenticity of downloaded files.
Installation
Linux
Install sqv by using your Linux distribution's package manager.
Debian
sqv has been part of the Debian distribution since "bookworm" (Debian 12). Up-to-date versions are part of "trixie" (Debian 13) and later.
$ sudo apt install sqv
macOS
There is a package for sqv in homebrew:
$ brew install sequoia-sqv
Windows
The easiest way to get sqv on Windows is via the Windows Subsystem for Linux (WSL). By default, this installs Ubuntu Linux, which is based on Debian, so after installing WSL, follow the instructions for Debian above.
Install from source
sqv is written in Rust. To compile it, you will need a recent Rust toolchain. Your Linux distribution very likely already has the relevant packages. If you don't want to use it or can't (because it's too old, or you are not using Linux), there is also the option to get the toolchain from the Rust project directly. See the Rust tools documentation for further information.
Install the dependencies (Debian 12 "bookworm" / Ubuntu 24.04):
$ sudo apt install clang nettle-dev pkg-config libssl-dev capnproto libsqlite3-dev
Install the dependencies (macOS):
If you are using homebrew, install the dependencies with:
% brew install pkgconfig nettle openssl capnp
Install using cargo
After installing the dependencies, sqv can be installed using cargo. Cargo will take care of downloading the source code and its dependencies (only the crates). Cargo will then compile and install the resulting binary.
$ cargo install --locked sequoia-sqv
Usage
sqv is stateless—it doesn't use the certificate store or the key store. Everything needed for verification has to be passed via the command line. sqv does, however, use the configured cryptographic policy. Similar to sq, sqv supports the --policy-as-of parameter to change the reference time of the policy compliance test.
$ sqv --signature-file Qubes-R4.2.3-x86_64.iso.asc Qubes-R4.2.3-x86_64.iso --keyring qubes-release-4.2-signing-key.asc
9C884DF3F81064A569A4A9FAE022E58F8E34D89F
This example verifies a file called Qubes-R4.2.3-x86_64.iso, using the detached signature in Qubes-R4.2.3-x86_64.iso.asc. The certificate for the signature is in qubes-release-4.2-signing-key.asc.
sqv returns exit code 0 on success; anything else signifies a failure. Its output contains the fingerprints of the certificates for which verification succeeded.
Further conditions can be added to the signature check:
--not-after checks that the signature was made before the given date.
--not-before checks that the signature was made after the given date.
The keyring passed via --keyring can contain more than one certificate, so you can use a collection of trusted certificates. If you want to ensure that several signatures are valid at once (for example, if you need to corroborate a file's integrity from several independent sources), use --signatures together with the number of valid signatures required to pass the test.
$ sqv --keyring my_trusted_certs.asc --signatures 3 --signature-file ...
This example only succeeds if three valid signatures made with certificates from my_trusted_certs.asc are found.
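Because a keyring can hold several certificates, exit code 0 alone only says that some certificate in it made a valid signature. The shell function below is an added example, not part of the sqv documentation: it requires exit code 0 and that one pinned fingerprint appears in sqv's output. The names verify_pinned and normalize_fpr are hypothetical, and the code assumes sqv prints one fingerprint per line, as in the example output above.

```shell
#!/bin/sh
# Added example, not part of the sqv documentation.
# Usage after sourcing this file (file names taken from the example above):
#   verify_pinned Qubes-R4.2.3-x86_64.iso Qubes-R4.2.3-x86_64.iso.asc \
#       qubes-release-4.2-signing-key.asc "$PINNED_FINGERPRINT"

# normalize_fpr FPR: drop whitespace and uppercase, so fingerprints copied
# in "9C88 4DF3 ..." or lowercase form compare equal to sqv's output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# verify_pinned FILE SIGNATURE KEYRING FINGERPRINT
# Returns 0 only if sqv exits 0 AND FINGERPRINT is one of the fingerprints
# it printed; 1 if sqv fails; 2 if another certificate signed; 64 on misuse.
verify_pinned() {
    if [ "$#" -ne 4 ]; then
        echo "usage: verify_pinned FILE SIGNATURE KEYRING FINGERPRINT" >&2
        return 64
    fi
    want=$(normalize_fpr "$4")
    case $want in
        ''|*[!0-9A-F]*)
            echo "pinned fingerprint must be hexadecimal" >&2
            return 64 ;;
    esac
    # Any non-zero exit code from sqv is a failure; the output is ignored then.
    if ! out=$(sqv --keyring "$3" --signature-file "$2" "$1"); then
        echo "sqv could not verify $1" >&2
        return 1
    fi
    # Assumption: one fingerprint per output line. -x -F demands an exact
    # whole-line match, so a short key ID or prefix can never satisfy the pin.
    if printf '%s\n' "$out" | grep -qxF -- "$want"; then
        return 0
    fi
    echo "valid signature, but not from pinned certificate $want" >&2
    return 2
}
```

The pinned fingerprint should come from a source independent of the download location, since the keyring file itself only tells sqv which certificates to accept.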
Besides detached signatures, sqv can also verify inline signed and cleartext-signed messages.
$ sqv --keyring my_trusted_certs.asc --message $FILE --output $OUTPUT_FILE
or
$ sqv --keyring my_trusted_certs.asc --cleartext $FILE --output $OUTPUT_FILE
When using --message or --cleartext you must specify an output file, which will contain the original message without a signature on success.
If sqv reports "Error: Malformed Message: Malformed OpenPGP message", then you might have passed an encrypted message to sqv. The usual procedure when creating signed and encrypted messages is to first sign and then encrypt both the message and the signature. As sqv doesn't try to decrypt a message, the signature is thus invisible to sqv.