Troubleshooting authenticity issues
Can't find a specific certificate in my cert store
If you use sq cert list, even with the option --cert-email=<EMAIL>, you may find yourself in a situation where you don't get what you're looking for. Some certificates may not be displayed because they are either unauthenticated or 'unusable'. 'Unusable' means either 'expired', 'revoked', or not conforming to the configured policy (for example, using deprecated hash algorithms). If so, there will be a hint at the end of the output like this:
$ sq cert list
[...]
226 bindings found.
Skipped 128 bindings, which are unusable.
Skipped 29 bindings, which could not be authenticated.
Pass `--gossip` to see the unauthenticated bindings.
Solutions
As proposed in the hint message, certificates with unauthenticated bindings can be found by using the same command with the --gossip option:
$ sq cert list --gossip
[...]
226 bindings found.
Skipped 128 bindings, which are unusable.
Similarly, unusable bindings can be displayed by using the option --unusable in combination with --gossip, because they are also considered 'unauthenticated'.
$ sq cert list --gossip --unusable
A certificate is unauthenticated
If a binding between a User ID and a certificate is unauthenticated, sq will refuse to use the certificate, for example to encrypt a file with your own certificate or with another one, if you access it via the cert store (which is recommended).
Solution
To turn an unauthenticated certificate into an authenticated one, you could, after checking its correctness, mark a binding as authenticated by using the command sq pki link add like this:
$ sq pki link add --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --email=alice@example.org
Alternatively, you could use sq pki vouch add to certify the binding with a trust root like so:
$ sq pki vouch add --certifier=$MY_FINGERPRINT --cert=$ALICES_FINGERPRINT --email=alice@example.org
If you are absolutely sure about the authenticity of a certificate's binding, it's also possible to use the certificate directly from a file instead of from the cert store:
$ sq verify --signer-file alice.cert file.txt
My certificate has expired
If a certificate has expired, it is not usable. In this example, we try to encrypt a file with our own expired certificate, but the same would apply to encrypting a file with an expired third-party certificate:
$ sq encrypt --for=$FINGERPRINT --signer=$FINGERPRINT file.txt
Error: $FINGERPRINT was not considered because
it is: not alive
because: Found no suitable key on $FINGERPRINT
Now you can have a closer look at the certificate by using sq inspect to see what is meant by 'not alive':
$ sq inspect --cert $FINGERPRINT
OpenPGP Certificate.
Fingerprint: xxx
Invalid: The primary key is not live: Expired on 2023-01-09T16:52:48Z
[...]
In this case, you could either use another (valid) certificate or make the old key valid again, for example by extending its expiry. This also works if the key has already expired.
$ sq key expire --expiration 1y --cert $FINGERPRINT
Hint: Imported updated cert into the cert store. To make the update effective, it has to be published so that others can find it, for example using:
$ sq network keyserver publish --cert=$FINGERPRINT
If you tried to encrypt with someone else's expired certificate, you could search for a new valid certificate for that fingerprint:
$ sq network search $FINGERPRINT
A certificate has been revoked
If a certificate has been revoked, first have a look at the revocation certificate message, which will (in the best case) include a reason for the revocation along with a follow-up certificate including a fingerprint. If so, you could then search for this specific certificate:
$ sq network search $FINGERPRINT
If there was no announcement, you could still search for a new certificate using, for example, an email address, keeping in mind that the search results might include false or inauthentic results:
$ sq network search alice@example.org
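The following script is an added example, not part of the sq documentation or the sq project. It ties the expired and revoked sections together: it reads the text that sq inspect --cert <FPR> prints, classifies why the certificate is unusable, and prints the remedy given above (extend and republish your own expired key, or search for a replacement of someone else's). The "not live: Expired on" wording, the fingerprint and the timestamp are taken from the output quoted above; matching the word "revoked" for revocations, and the optional "own" argument, are this script's own assumptions and should be checked against your sq version.

```shell
#!/bin/sh
# Added example (not sq's own code): classify `sq inspect` output and print
# the remedy the troubleshooting sections above describe.
# Assumptions: "not live: Expired on" is the wording quoted above; matching
# "revoked" is a guess about sq's revocation wording; "own" as the optional
# third argument is this script's convention, not an sq option.

# classify_inspect: reads `sq inspect --cert <FPR>` output on stdin and
# prints one word: revoked | expired | ok
classify_inspect() {
    _out=$(cat)
    # Revocation is checked first: it cannot be undone by extending expiry.
    if printf '%s\n' "$_out" | grep -qi 'revoked'; then
        echo revoked
    elif printf '%s\n' "$_out" | grep -q 'not live: Expired on'; then
        echo expired
    else
        echo ok
    fi
}

# suggest_fix STATUS FPR [own]: prints the sq command(s) the sections above
# give for STATUS. Pass "own" when you hold the secret key: then an expired
# key can be extended and republished instead of replaced.
suggest_fix() {
    _status=$1
    _fpr=$2
    _own=${3:-}
    case "$_status" in
        expired)
            if [ "$_own" = own ]; then
                printf 'sq key expire --expiration 1y --cert %s\n' "$_fpr"
                printf 'sq network keyserver publish --cert=%s\n' "$_fpr"
            else
                # Someone else's key: look for a newer, valid certificate.
                printf 'sq network search %s\n' "$_fpr"
            fi
            ;;
        revoked)
            # Look for the follow-up certificate named in the revocation
            # message; search by e-mail instead if there was no announcement.
            printf 'sq network search %s\n' "$_fpr"
            ;;
        ok)
            ;;
        *)
            echo "unknown status: $_status" >&2
            return 1
            ;;
    esac
}

# diagnose FPR [own]: run sq inspect on a real cert store, classify, and
# print the remedy.
diagnose() {
    _status=$(sq inspect --cert "$1" | classify_inspect)
    echo "status: $_status"
    suggest_fix "$_status" "$1" "${2:-}"
}

# Constructed sample, assembled from the output fragments quoted above.
SAMPLE_EXPIRED='OpenPGP Certificate.

    Fingerprint: EB28F26E2739A4870ECC47726F0073F60FD0CBF0
        Invalid: The primary key is not live: Expired on 2023-01-09T16:52:48Z
[...]'

# Offline demonstration on the constructed sample (no sq needed):
printf '%s\n' "$SAMPLE_EXPIRED" | classify_inspect   # prints: expired
suggest_fix expired EB28F26E2739A4870ECC47726F0073F60FD0CBF0 own

# Against a real cert store: sh sq-diagnose.sh <FINGERPRINT> [own]
if [ "$#" -gt 0 ]; then
    diagnose "$@"
fi
```

Run without arguments to see the classification of the constructed sample; with a fingerprint (and optionally own) it calls sq inspect for real. The script only prints the suggested commands rather than running them, so you can review the remedy before changing or publishing anything.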
Certificate uses deprecated hash algorithms like SHA1
If you have a certificate for which you have access to the secret key material, but which is considered 'unusable' because it uses an SHA1 signature, you could update it by using the command sq cert lint, described further in linting certificates.