sq-cert-lint - Man Page

Check certificates for issues

Synopsis

sq cert lint [Options]  

Description

Check certificates for issues.

`sq cert lint` checks the supplied certificates for the following SHA-1-related issues:

 - Whether a certificate revocation uses SHA-1.

 - Whether the current self signature for a non-revoked User ID uses SHA-1.

 - Whether the current subkey binding signature for a non-revoked, live subkey uses SHA-1.

 - Whether a primary key binding signature ("backsig") for a non-revoked, live subkey uses SHA-1.

Diagnostics are printed to stderr.  At the end, some statistics are shown.  This is useful when examining a keyring.  If `--fix` is specified and at least one issue could be fixed, the fixed certificates are printed to stdout.

This tool does not currently support smart cards.  But, if only the subkeys are on a smart card, this tool may still be able to partially repair the certificate.  In particular, it will be able to fix any issues with User ID self signatures and subkey binding signatures for encryption-capable subkeys, but it will not be able to generate new primary key binding signatures for any signing-capable subkeys.

Options

Subcommand options

--binary

Emit binary data

--cert=FINGERPRINT|KEYID

Use certificates with the specified fingerprint or key ID

--domain=DOMAIN

Use certificates where a user ID includes an email address for the specified domain

--email=EMAIL

Use certificates where a user ID includes the specified email address

--export-secret-keys

When fixing a certificate, the fixed certificate is exported without any secret key material.  Using this switch causes any secret key material to also be exported

--file=PATH

Read certificates from PATH

--fix

Attempts to fix certificates, when possible

--grep=PATTERN

Use certificates with a user ID that matches the pattern, case insensitively

--list-keys

If set, outputs a list of fingerprints, one per line, of certificates that have issues.  This output is intended for use by scripts.

This option implies `--quiet`. If you also specify `--fix`, errors will still be printed to stderr, and fixed certificates will still be emitted to stdout.

--output=FILE

Write to the specified FILE.  If not specified, and the certificate was read from the certificate store, imports the modified certificate into the cert store.  If not specified, and the certificate was read from a file, writes the modified certificate to stdout.

--userid=USERID

Use certificates with the specified user ID

Global options

See sq(1) for a description of the global options.

Examples

Gather statistics on the certificates in a keyring.

    sq cert lint --file certs.pgp

Get a list of certificates with issues.

    sq cert lint --list-keys --file certs.pgp

Fix a key with known problems.

    sq key export --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
    | sq cert lint --fix --file=- \

| sq cert import

See Also

sq(1), sq-cert(1).

For the full documentation see <https://book.sequoia-pgp.org>.

Version

0.39.0 (sequoia-openpgp 1.21.2)

Referenced By

sq-cert(1).

0.39.0 Sequoia PGP