sqv - Man Page
An OpenPGP signature verification tool
Synopsis
sqv [Options] FILE
Description
An OpenPGP signature verification tool.
sqv is a simple signature verification tool. It checks that signatures are valid, and correctly issued by one of the certificates in the specified keyring.
sqv can verify detached signatures, inline-signed messages, and messages using the Cleartext Signature Framework.
To verify detached signatures, use the `--signature-file` argument followed by the path to the detached signature file, and give the data file as first positional argument:
$ sqv --keyring=... --signature-file=image.iso.sig image.iso
To verify an inline-signed message, use the `--message` argument, and give the path to the inline-signed message as first positional argument. When verifying an inline-signed message, `--output` has to be given:
$ sqv --keyring=... --output=authenticated.txt \
--message signed.pgp
To verify a message using the Cleartext Signature Framework, use the `--cleartext` argument, and give the path to the message as first positional argument. When verifying a cleartext-signed message, `--output` has to be given:
$ sqv --keyring=... --output=authenticated.txt \
--cleartext message.txt
Finally, there is a legacy way to verify detached signatures, where the path to the signature file and the path to the data file are given as positional arguments. This form is deprecated; prefer the explicit `--signature-file` form.
By default, one signature must be valid. This can be changed using the `--signatures` argument.
A signature is valid if a signing-capable key can verify the signature. The signing-capable key must be correctly bound to a certificate in the keyring, and it must not be revoked or expired. The certificate must not be revoked or expired. The signature, the signing-capable key and the certificate must all be valid according to the cryptographic policy.
By default, sqv configures the cryptographic policy using </etc/crypto-policies/back-ends/sequoia.config>. That can be overwritten by setting the SEQUOIA_CRYPTO_POLICY environment variable to an alternate file. The path must be absolute. The file's format is described here: <https://docs.rs/sequoia-policy-config/>.
In some cases, the user expects signatures to be made within a certain temporal window. This can be enforced using the `--not-before` and `--not-after` arguments. The TIMESTAMPs must be given in ISO 8601 format (e.g. `2017-03-04T13:25:35Z`, `2017-03-04T13:25`, `20170304T1325+0830`, `2017-03-04`, `2017031`, etc.). If no timezone is specified, UTC is assumed.
Exits with a non-zero status if the specified number of signatures could not be verified.
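The following wrapper is an added example and not part of sqv or this man page: it applies the rules stated above (`--output` is mandatory for `--message` and `--cleartext`, `SEQUOIA_CRYPTO_POLICY` must be an absolute path, a time window and a minimum certificate count can be required) before invoking sqv, and maps sqv's exit status to a decision. The function name `sqv_verify`, the `SQV` override variable and the return codes 1 and 2 are this example's own conventions.

```shell
#!/bin/sh
# Added example, not sqv's own code. SQV may be set to a specific binary.
SQV="${SQV:-sqv}"

# sqv_verify MODE KEYRING FILE [OUTPUT] [N] [NOT_BEFORE] [NOT_AFTER] [SIGFILE]
#   MODE is one of: detached, message, cleartext (the three forms of the page).
#   Returns 0 when sqv succeeds, 1 when sqv reports a verification failure,
#   2 on a usage error caught here before sqv is run.
sqv_verify() {
    mode=$1 keyring=$2 file=$3 output=$4 nsigs=${5:-1}
    not_before=$6 not_after=$7 sigfile=$8
    # The man page states --output is mandatory for --message and --cleartext.
    case $mode in
        message|cleartext)
            [ -n "$output" ] || { echo "sqv_verify: --output is required for $mode" >&2; return 2; } ;;
        detached)
            [ -n "$sigfile" ] || { echo "sqv_verify: a signature file is required" >&2; return 2; } ;;
        *) echo "sqv_verify: unknown mode $mode" >&2; return 2 ;;
    esac
    # SEQUOIA_CRYPTO_POLICY, when set, must be an absolute path.
    case ${SEQUOIA_CRYPTO_POLICY:-/} in
        /*) ;;
        *) echo "sqv_verify: SEQUOIA_CRYPTO_POLICY must be an absolute path" >&2; return 2 ;;
    esac
    # Build sqv's argument list: keyring, required certificate count, window.
    set -- --keyring="$keyring" --signatures="$nsigs"
    [ -n "$not_before" ] && set -- "$@" --not-before="$not_before"
    [ -n "$not_after" ] && set -- "$@" --not-after="$not_after"
    case $mode in
        detached)  set -- "$@" --signature-file="$sigfile" "$file" ;;
        message)   set -- "$@" --output="$output" --message "$file" ;;
        cleartext) set -- "$@" --output="$output" --cleartext "$file" ;;
    esac
    # sqv exits non-zero when fewer than N certificates produced valid signatures.
    if "$SQV" "$@"; then
        return 0
    else
        return 1
    fi
}
```

A release-verification step would call, for instance, `sqv_verify detached trusted.certs image.iso "" 2 2017-03-04 "" image.iso.sig` and treat anything other than 0 as a failed verification.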
Options
- -V, --version
Print version
- --cleartext
Verify a cleartext-signed message
- -h, --help
Print help (see a summary with '-h')
- --keyring=FILE
A keyring
- --message
Verify an inline signed message
- -n, --signatures=N
The number of valid signatures to return success.
Note: this counts the number of certificates, not signatures. Thus, if two signatures are issued by the same certificate, they only count once.
[default: 1]
- --not-after=TIMESTAMP
Consider signatures created after TIMESTAMP as invalid.
If only a date is given, 23:59:59 is used for the time. [default: now]
- --not-before=TIMESTAMP
Consider signatures created before TIMESTAMP as invalid.
If only a date is given, 00:00:00 is used for the time. [default: no constraint]
- --output=FILE
Write to FILE or stdout if omitted
- --policy-as-of=TIMESTAMP
Select the cryptographic policy as of the specified time
The time is expressed as an ISO 8601 formatted timestamp. The policy determines what cryptographic constructs are allowed.
If you are working with a message that sq rejects, because it is protected by cryptographic constructs that are now considered broken, you can use this option to select a different cryptographic policy. If you are relying on the cryptography, e.g., you are verifying a signature, then you should only do this if you are confident that the message hasn't been tampered with.
TIMESTAMP is interpreted as an ISO 8601 timestamp. To set the policy time to January 1, 2007 at midnight UTC, you can do:
$ sqv --policy-as-of 20070101 --message msg.pgp
Defaults to the current time.
- --signature-file=SIG
Verify a detached signature file
- -v, --verbose
Be verbose
- FILE
The inline-signed message, message using the Cleartext Signature Framework, or data file
Examples
Verify a detached signature.
sqv --keyring=trusted.certs --signature-file=document.sig \
document.txt
Verify a detached signature, legacy interface.
sqv --keyring=trusted.certs document.sig document.txt
Verify a signed message.
sqv --keyring trusted.certs --message document.pgp
Verify a message using the Cleartext Signature Framework.
sqv --keyring trusted.certs --cleartext document.pgp
Version
1.3.0