sqv - a verifying tool

sqv is a standalone tool for verifying signatures over data. Its main use case is verifying downloaded files against a detached signature and a known signing certificate.

Installation

Linux

Install sqv using the package manager of your Linux distribution.

Debian

sqv has been part of Debian since bookworm (Debian 12). Up-to-date versions are in trixie (Debian 13) and later releases.

$ sudo apt install sqv

macOS

There is a package for sqv from homebrew:

$ brew install sequoia-sqv

Using cargo

sqv is written in Rust. To compile it, you need a recent Rust toolchain. Your Linux distribution very likely already packages one. If you don't want to use it or can't (because it is too old, or you are not on Linux), you can also get the toolchain from the Rust project directly: https://www.rust-lang.org/tools/install

Install the dependencies (Debian 12 bookworm / Ubuntu 24.04):

$ sudo apt install clang nettle-dev pkg-config libssl-dev capnproto libsqlite3-dev

Install the dependencies (macOS):

If you are using homebrew, you can install the dependencies by

% brew install pkgconfig nettle openssl capnp

After installing the dependencies, sqv can be installed with cargo. Cargo downloads the source code of sqv and its Rust dependencies (the crates only; the system libraries above are not fetched by cargo), then compiles and installs the resulting binary. The --locked flag makes cargo use the dependency versions recorded in the release's Cargo.lock instead of resolving newer ones, so you build exactly what the sqv release was tested with.

$ cargo install --locked sequoia-sqv

Usage

sqv is stateless: it uses neither the certificate store nor the key store, so everything needed for verification has to be passed on the command line. sqv does, however, use the configured cryptographic policy. Like sq, sqv supports the --policy-as-of parameter to change the reference time of the policy compliance check.

$ sqv --signature-file Qubes-R4.2.3-x86_64.iso.asc Qubes-R4.2.3-x86_64.iso --keyring qubes-release-4.2-signing-key.asc
9C884DF3F81064A569A4A9FAE022E58F8E34D89F

This example verifies Qubes-R4.2.3-x86_64.iso using the detached signature in Qubes-R4.2.3-x86_64.iso.asc; the certificate that made the signature is in qubes-release-4.2-signing-key.asc.

sqv exits with status 0 on success; any other exit status signifies failure. On success it prints the fingerprints of the certificates whose signatures verified. In scripts, check the exit status rather than only the output, and use the printed fingerprints to confirm that the signature came from the certificate you expected, not merely from some certificate in the keyring.

The conditions for the signature check can be restricted further:

  • --not-after takes a date; the check fails if the signature was made after that point in time.
  • --not-before takes a date; the check fails if the signature was made before that point in time.

The keyring passed via --keyring can contain more than one certificate, so you can use a collection of trusted certificates. To require several valid signatures at once, use --signatures with the number of valid signatures needed for the check to pass.

$ sqv --keyring my_trusted_certs.asc --signatures 3 --signature-file ...

This example only succeeds if 3 valid signatures made with distinct certificates from my_trusted_certs.asc are found.

Besides detached signatures, sqv can also verify inline signed and cleartext-signed messages.

$ sqv --keyring my_trusted_certs.asc --message $FILE --output $OUTPUT_FILE

or

$ sqv --keyring my_trusted_certs.asc --cleartext $FILE --output $OUTPUT_FILE

When using --message or --cleartext, an output file has to be given; on success it contains the original message with the signature stripped. Only consume that output file after sqv has exited with status 0.
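The following wrapper is an added example, not code from the sqv project. It turns the behaviour described above (exit status 0 on success, signer fingerprints on stdout, output file only meaningful on success) into a scriptable check for both detached signatures and inline-signed messages: it pins the expected signer fingerprints rather than accepting any certificate in the keyring, passes extra restrictions such as --not-before or --signatures through an environment variable, and discards the --output file if verification fails. It assumes sqv is on PATH and that the expected fingerprints were obtained out of band; the SQV_OPTS variable and the function names are this example's own, and the date format used for --not-before in the usage note is assumed to be ISO 8601.

```shell
#!/bin/sh
# Added example wrapper around sqv; not part of the sqv project.
# Assumes: sqv on PATH, expected fingerprints known out of band.
set -u

# Return 0 if every expected fingerprint appears as a line of sqv's
# stdout, 1 otherwise.  $1: sqv output, $2...: expected fingerprints
# (40 upper-case hex digits, no spaces, as sqv prints them).
fingerprints_present() {
    output=$1; shift
    for fpr in "$@"; do
        printf '%s\n' "$output" | grep -qx "$fpr" || return 1
    done
    return 0
}

# verify_detached KEYRING SIG FILE FPR...
# Verify FILE against the detached signature SIG using KEYRING and
# require the listed signer fingerprint(s).  Additional sqv options
# (e.g. "--not-before 2024-01-01 --signatures 2") are read from
# SQV_OPTS; it is left unquoted on purpose so it splits into words.
verify_detached() {
    keyring=$1; sig=$2; file=$3; shift 3
    out=$(sqv --keyring "$keyring" --signature-file "$sig" "$file" ${SQV_OPTS:-}) || {
        echo "verify_detached: sqv rejected $file" >&2
        return 1
    }
    # sqv exited 0, but a keyring may hold several certificates:
    # insist that the signer is the one we expect.
    fingerprints_present "$out" "$@" || {
        echo "verify_detached: valid signature, but not from the expected certificate(s)" >&2
        return 1
    }
    echo "verify_detached: $file verified, signed by:" >&2
    printf '%s\n' "$out" >&2
    return 0
}

# verify_inline KEYRING MESSAGE OUT FPR...
# Verify an inline-signed MESSAGE, writing the payload to OUT.  OUT is
# only trustworthy once sqv has exited 0 and the signer matches, so any
# partial output is removed on failure to keep it away from consumers.
verify_inline() {
    keyring=$1; msg=$2; outfile=$3; shift 3
    out=$(sqv --keyring "$keyring" --message "$msg" --output "$outfile" ${SQV_OPTS:-}) || {
        rm -f "$outfile"
        echo "verify_inline: sqv rejected $msg" >&2
        return 1
    }
    fingerprints_present "$out" "$@" || {
        rm -f "$outfile"
        echo "verify_inline: valid signature, but not from the expected certificate(s)" >&2
        return 1
    }
    echo "verify_inline: $msg verified, payload in $outfile" >&2
    return 0
}
```

Typical use, with the Qubes files from the example above and the fingerprint sqv printed there: `verify_detached qubes-release-4.2-signing-key.asc Qubes-R4.2.3-x86_64.iso.asc Qubes-R4.2.3-x86_64.iso 9C884DF3F81064A569A4A9FAE022E58F8E34D89F`. To additionally reject signatures made before a known date and require two signers from a multi-certificate keyring, set `SQV_OPTS="--not-before 2024-01-01 --signatures 2"` in the environment and list both expected fingerprints; the wrapper then fails unless sqv accepts the threshold and both fingerprints appear in its output.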

If sqv reports Error: Malformed Message: Malformed OpenPGP message, you may have passed it an encrypted message. The usual procedure for signed and encrypted messages is to sign first and then encrypt both the message and its signature. Since sqv does not attempt to decrypt, the signature is invisible to it; decrypt the message first and then verify the result.