sq-pki-link-authorize - Man Page

--add-email=EMAIL

Use a user ID with the specified email address

The user ID consists of just the email address.  The email address does not have to appear in a self-signed user ID.

--add-userid=USERID

Use the specified user ID

The specified user ID does not need to be self signed.

Because using a user ID that is not self-signed is often a mistake, you need to use this option to explicitly opt in.

--all

Use all self-signed user IDs

--allow-non-canonical-userids

Don't reject new user IDs that are not in canonical form

Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

--amount=AMOUNT

Set the amount of trust

Values between 1 and 120 are meaningful. 120 means fully trusted.  Values less than 120 indicate the degree of trust.  60 is usually used for partially trusted.

[default: full]

--cert=FINGERPRINT|KEYID

Use certificates with the specified fingerprint or key ID

--cert-special=SPECIAL

Use certificates identified by the special name

[possible values: public-directories, keys.openpgp.org, keys.mailvelope.com, proton.me, wkd, dane, autocrypt, web]

--depth=TRUST_DEPTH

Set the trust depth

This is sometimes referred to as the trust level.  1 means CERTIFICATE is a trusted introducer (default), 2 means CERTIFICATE is a meta-trusted introducer and can authorize another trusted introducer, etc.

[default: 255]

--domain=DOMAIN

Add a domain constraint to the introducer

Add a domain to constrain what certifications are respected.  A certification made by the certificate is only respected if it is over a user ID with an email address in the specified domain.  Multiple domains may be specified.  In that case, one must match.

--email=EMAIL

Use a user ID consisting of just the email address, if the email address occurs in a self-signed user ID

--expiration=EXPIRATION

Sets the expiration time

EXPIRATION is either an ISO 8601 formatted date with an optional time or a custom duration.  A duration takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.

[default: never]

--recreate

Recreate the signature even if the parameters did not change

If the link parameters did not change, and thus creating a signature should not be necessary, we omit the operation.  This flag can be given to force the signature to be recreated anyway.

--regex=REGEX

Add a regular expression to constrain the introducer

Add a regular expression to constrain what certifications are respected.  A certification made by the certificate is only respected if it is over a user ID that matches one of the specified regular expression.  Multiple regular expressions may be specified.  In that case, at least one must match.

--signature-notation NAME VALUE

Add a notation to the signature

A user-defined notation's name must be of the form `name@a.domain.you.control.org`. If the notation's name starts with a `!`, then the notation is marked as being critical.  If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature.  The notation is marked as being human readable.

--unconstrained

Don't constrain the introducer

Normally an introducer is constrained so that only certain user IDs are respected, e.g., those that have an email address for a certain domain name.  This option authorizes an introducer without constraining it in this way.  Because this grants the introducer a lot of power, you have to opt in to this behavior explicitly.

--userid=USERID

Use the specified self-signed user ID

The specified user ID must be self signed.

--userid-by-email=EMAIL

Use the self-signed user ID with the specified email address

See sq(1) for a description of the global options.