sqv - a verifying tool

sqv is a standalone tool for verifying signatures. Its main use case is for verifying the integrity and authenticity of downloaded files.

Installation

Linux

Install sqv by using your Linux distribution's package manager.

Debian

sqv has been part of the Debian distribution since "bookworm" (Debian 12). Up-to-date versions are part of "trixie" (Debian 13) and later.

$ sudo apt install sqv

macOS

There is a package for sqv in homebrew:

$ brew install sequoia-sqv

Windows

The easiest way to get sqv on Windows is via the Windows Subsystem for Linux (WSL). By default, this installs Ubuntu Linux, which is based on Debian, so after installing WSL, follow the instructions for Debian above.

Install from source

sqv is written in Rust. To compile it, you will need a recent Rust toolchain. Your Linux distribution very likely already has the relevant packages. If you don't want to use the distribution's toolchain or can't (because it's too old, or you are not using Linux), there is also the option to get the toolchain from the Rust project directly. See the Rust tools documentation for further information.

Install the dependencies (Debian 12 "bookworm" / Ubuntu 24.04):

$ sudo apt install clang nettle-dev pkg-config libssl-dev capnproto libsqlite3-dev

Install the dependencies (macOS):

If you are using homebrew, install the dependencies with:

% brew install pkgconfig nettle openssl capnp

Install using cargo

After installing the dependencies, sqv can be installed using cargo. Cargo will take care of downloading the source code and its crate dependencies (the system libraries installed above are not handled by cargo). Cargo will then compile and install the resulting binary.

$ cargo install --locked sequoia-sqv

Usage

sqv is stateless—it doesn't use the certificate store or the key store. Everything needed for verification has to be passed via the command line. sqv does, however, use the configured cryptographic policy. Similar to sq, sqv supports the --policy-as-of parameter to change the reference time of the policy compliance test.

$ sqv --signature-file Qubes-R4.2.3-x86_64.iso.asc Qubes-R4.2.3-x86_64.iso --keyring qubes-release-4.2-signing-key.asc
9C884DF3F81064A569A4A9FAE022E58F8E34D89F

This example verifies a file called Qubes-R4.2.3-x86_64.iso using the detached signature in Qubes-R4.2.3-x86_64.iso.asc; the certificate for the signature is in qubes-release-4.2-signing-key.asc.

sqv returns exit code 0 on success; anything else signifies a failure. Its output contains the fingerprints of the certificates for which verification succeeded.

Further conditions can be added to the signature check:

  • --not-after checks that the signature was made before the given date.
  • --not-before checks that the signature was made after the given date.

The keyring passed via --keyring can contain more than one certificate, so you can use a collection of trusted certificates. If you want to ensure that several signatures are valid at once (for example, if you need to corroborate a file's integrity from several independent sources), use --signatures together with the number of necessary valid signatures required to pass the test.

$ sqv --keyring my_trusted_certs.asc --signatures 3 --signature-file ...

This example only succeeds if three valid signatures made with certificates from my_trusted_certs.asc are found.
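As an added example (not from the sqv project or its documentation), the following POSIX shell wrapper fails closed on a non-zero exit code and additionally pins the expected signing certificate's fingerprint from sqv's output, so that a keyring holding several trusted certificates still only accepts the one you intended. The function names and the second fingerprint are assumptions/constructed, not sqv options or real keys.

```shell
#!/bin/sh
# Added example, not from the sqv project: wrap a detached-signature check so
# that a script fails closed and also pins *which* trusted certificate signed
# the file. sqv exits 0 on success and prints one fingerprint per verifying
# certificate; a keyring may hold many certificates, so the exit status alone
# only proves that some trusted certificate signed the file.
# The function names and the second fingerprint below are hypothetical/constructed.

# Usage: printf '%s\n' "$sqv_output" | fingerprint_is_listed <expected-fpr>
# Returns 0 if the expected fingerprint appears as a whole line of sqv's output.
# Spaces and letter case in the expected fingerprint are normalised away.
fingerprint_is_listed() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    tr 'a-f' 'A-F' | grep -qx "$expected"
}

# Usage: verify_download <file> <detached-sig> <keyring> <expected-fpr>
# Fails if sqv reports an error OR if no verifying signature came from the pinned key.
verify_download() {
    out=$(sqv --keyring "$3" --signature-file "$2" "$1") || {
        echo "verification FAILED: sqv exit code $?" >&2
        return 1
    }
    if printf '%s\n' "$out" | fingerprint_is_listed "$4"; then
        echo "OK: $1 is signed by $4"
        return 0
    fi
    echo "REJECTED: signatures verified, but none by the pinned key $4:" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Constructed sqv output for a keyring with two certificates that both verified:
# the Qubes fingerprint shown on this page plus a made-up placeholder.
SAMPLE_OUTPUT='9C884DF3F81064A569A4A9FAE022E58F8E34D89F
1111222233334444555566667777888899990000'
QUBES_FPR='9C88 4DF3 F810 64A5 69A4  A9FA E022 E58F 8E34 D89F'   # spaced display form

# Demonstration on the constructed output (no sqv binary needed for this part):
printf '%s\n' "$SAMPLE_OUTPUT" | fingerprint_is_listed "$QUBES_FPR" \
    && echo "pinned fingerprint present"
```

For a real download, call verify_download with the ISO, its .asc signature, the keyring and the fingerprint published by the project.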

Besides detached signatures, sqv can also verify inline signed and cleartext-signed messages.

$ sqv --keyring my_trusted_certs.asc --message $FILE --output $OUTPUT_FILE

or

$ sqv --keyring my_trusted_certs.asc --cleartext $FILE --output $OUTPUT_FILE

When using --message or --cleartext you must specify an output file; on success it will contain the original message with the signature stripped.

If sqv reports Error: Malformed Message: Malformed OpenPGP message, then you might have passed an encrypted message to sqv. The usual procedure when creating signed and encrypted messages is to first sign and then encrypt both the message and the signature. As sqv doesn't try to decrypt a message, the signature is invisible to it.