1sequoia-keyring-linter(1) General Commands Manual sequoia-keyring-linter(1)
2
6 sequoia-keyring-linter - A linter for keyrings
7
9 sequoia-keyring-linter [-t|--time] [-q|--quiet] [-f|--fix] [-e|--ex‐
10 port-secret-keys] [-p|--password] [-k|--list-keys] [-h|--help]
11 [-V|--version] [FILE]
12
14 A linter for keyrings
15
17 -t, --time=TIME
18 Sets the reference time to TIME.
19 TIME is interpreted as an ISO 8601 timestamp. To set the refer‐
21 ence time to July 21, 2013 at midnight UTC, you can do:
22 $ sq-keyring-linter --time 20130721 ...
24 To include a time, add a T, the time and optionally the timezone
26 (the default timezone is UTC):
27 $ sq-keyring-linter --time 20130721T0550+0200 ...
29 -q, --quiet
31 Quiet; does not output any diagnostics
32 -f, --fix
34 Attempts to fix certificates, when possible
35 -e, --export-secret-keys
37 When fixing a certificate, the fixed certificate is exported
38 without any secret key material. Using this switch causes any
39 secret key material to also be exported.
40 -p, --password=PASSWORD
42 A key's password. Normally this is not needed: if stdin is con‐
43 nected to a tty, the linter will ask for a password when needed.
44 -k, --list-keys
46 If set, outputs a list of fingerprints, one per line, of cer‐
47 tificates that have issues. This output is intended for use by
48 scripts.
49 This option implies "--quiet". If you also specify "--fix", er‐
51 rors will still be printed to stderr, and fixed certificates
52 will still be emitted to stdout.
53 -h, --help
55 Print help (see a summary with '-h')
56 -V, --version
58 Print version
59 [FILE] A list of OpenPGP keyrings to process. If none are specified, a
61 keyring is read from stdin.
62
64 `sq-keyring-linter` checks the supplied certificates for the following
65 SHA-1-related issues:
66 - Whether a certificate revocation uses SHA-1.
68 - Whether the current self signature for a non-revoked User ID uses
70 SHA-1.
71 - Whether the current subkey binding signature for a non-revoked,
73 live subkey uses SHA-1.
74 - Whether a primary key binding signature ("backsig") for a
76 non-revoked, live subkey uses SHA-1.
77 Diagnostics are printed to stderr. At the end, some statistics are
79 shown. This is useful when examining a keyring. If `--fix` is speci‐
80 fied and at least one issue could be fixed, the fixed certificates are
81 printed to stdout.
82 This tool does not currently support smart cards. But, if only the
84 subkeys are on a smart card, this tool may still be able to partially
85 repair the certificate. In particular, it will be able to fix any is‐
86 sues with User ID self signatures and subkey binding signatures for en‐
87 cryption-capable subkeys, but it will not be able to generate new pri‐
88 mary key binding signatures for any signing-capable subkeys.
89 EXIT STATUS:
91 If `--fix` is not specified:
93 2 if any issues were found,
94 1 if not issues were found, but there were errors reading the input,
95 0 if there were no issues.
96 If `--fix` is specified:
98 3 if any issues could not be fixed,
99 1 if not issues were found, but there were errors reading the input,
100 0 if all issues were fixed or there were no issues.
101 EXAMPLES:
103 # To gather statistics, simply run:
105 $ sq-keyring-linter keyring.pgp
106 # To fix a key:
108 $ gpg --export-secret-keys FPR | sq-keyring-linter --fix -p passw0rd
109 -p password123 | gpg --import
110 # To get a list of keys with issues:
112 $ sq-keyring-linter --list-keys keyring.pgp | while read FPR; do
113 something; done
114 SEE ALSO:
116 sq-keyring-linter's homepage: <https://gitlab.com/se‐
118 quoia-pgp/keyring-linter>
119
121 v1.0.1
122
124 Neal Walfield <neal@sequoia-pgp.org>
125 sequoia-keyring-linter 1.0.1sequoia-keyring-linter(1)