SQ-KEYRING-LINTER(1) User Commands SQ-KEYRING-LINTER(1)

sq-keyring-linter - sq-keyring-linter

sq-keyring-linter 0.4.0

`sq-keyring-linter' checks for and optionally repairs OpenPGP certificates
that use SHA-1.

USAGE:
sq-keyring-linter [FLAGS] [OPTIONS] [--] [inputs]...

FLAGS:
-e, --export-secret-keys

When fixing a certificate, the fixed certificate is exported
without any secret key material. Using this switch causes any
secret key material to also be exported.

-f, --fix

Attempts to fix certificates, when possible

-h, --help

Prints help information

-k, --list-keys

If set, outputs a list of fingerprints, one per line, of certificates
that have issues. This output is intended for use by scripts.

This option implies `--quiet'. If you also specify `--fix', errors
will still be printed to stderr, and fixed certificates will still be
emitted to stdout.

-q, --quiet

Quiet; does not output any diagnostics

-V, --version

Prints version information

OPTIONS:
-p, --password <password>...

A key's password. Normally this is not needed: if stdin is
connected to a tty, the linter will ask for a password when
needed

ARGS:
<inputs>...

A list of OpenPGP keyrings to process. If none are specified, a
keyring is read from stdin

`sq-keyring-linter' checks the supplied certificates for the following
SHA-1-related issues:

- Whether a certificate revocation uses SHA-1.

- Whether the current self signature for a non-revoked User ID uses
SHA-1.

- Whether the current subkey binding signature for a non-revoked,
live subkey uses SHA-1.

- Whether a primary key binding signature (a `backsig') for a
non-revoked, live subkey uses SHA-1.

Diagnostics are printed to stderr. At the end, some statistics are
shown. This is useful when examining a keyring. If `--fix' is specified
and at least one issue could be fixed, the fixed certificates are
printed to stdout.

This tool does not currently support smart cards. But, if only the
subkeys are on a smart card, this tool may still be able to partially
repair the certificate. In particular, it will be able to fix any issues
with User ID self signatures and subkey binding signatures for
encryption-capable subkeys, but it will not be able to generate new
primary key binding signatures for any signing-capable subkeys.

If `--fix' is not specified, then the exit status is 2, if any issues
are found, and 0 otherwise. If `--fix' is specified, then the exit
status is 3, if any issues could not be fixed, and 0 if there were no
issues or all issues were fixed.

To gather statistics, simply run:

$ sq-keyring-linter keyring.pgp

To fix a key:

$ gpg --export-secret-keys FPR | sq-keyring-linter --fix -p passw0rd -p password123 | gpg --import

To get a list of keys with issues:

$ sq-keyring-linter --list-keys keyring.pgp | while read FPR; do something; done
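
Piping `--list-keys' straight into a loop discards the linter's exit status, so a script cannot tell a clean keyring from a failed run. The wrapper below is an added example, not part of the sq-keyring-linter documentation; the names `audit_keyring' and `LINTER', and the choice to treat any status other than 0 or 2 as a failure, are assumptions of the example.

```shell
#!/bin/sh
# Added example: collect fingerprints of certificates with SHA-1 issues
# while preserving the exit status documented for runs without --fix.
# LINTER is a hypothetical override so the wrapper can be exercised
# against a stand-in command; by default the real tool is used.
LINTER="${LINTER:-sq-keyring-linter}"

# audit_keyring KEYRING
#   stdout: one "KEYRING FINGERPRINT" line per certificate with issues
#   return: 0 = no issues, 2 = issues found,
#           1 = any other linter status (assumed here to mean a failed run)
audit_keyring() {
    keyring=$1
    status=0
    # --list-keys prints fingerprints to stdout and implies --quiet.
    # Capture the output first; "|| status=$?" keeps the exit status that
    # a direct pipe into "while read" would lose, and is safe under set -e.
    fprs=$("$LINTER" --list-keys -- "$keyring") || status=$?

    case $status in
        0)
            return 0
            ;;
        2)
            printf '%s\n' "$fprs" | while IFS= read -r fpr; do
                if [ -n "$fpr" ]; then
                    printf '%s %s\n' "$keyring" "$fpr"
                fi
            done
            return 2
            ;;
        *)
            echo "audit_keyring: unexpected linter status $status for $keyring" >&2
            return 1
            ;;
    esac
}

# Typical use in a scheduled job or CI step (keyring path is a placeholder):
#   audit_keyring team-keyring.pgp > sha1-certs.txt || echo "needs attention"
```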

sq-keyring-linter's homepage: <https://gitlab.com/sequoia-pgp/keyringlinter>

sq-keyring-linter 0.4.0 November 2020 SQ-KEYRING-LINTER(1)