1SQ-CERTIFY(1) USER COMMANDS SQ-CERTIFY(1)
2
6 sq-certify - Certifies a User ID for a Certificate
7 Using a certification a keyholder may vouch for the fact that another
9 certificate legitimately belongs to a user id. In the context of
10 emails this means that the same entity controls the key and the email
11 address. These kind of certifications form the basis for the Web Of
12 Trust.
13 This command emits the certificate with the new certification. The up‐
15 dated certificate has to be distributed, preferably by sending it to
16 the certificate holder for attestation. See also "sq key attest-certi‐
17 fication".
18
21 sq certify [FLAGS] [OPTIONS] <CERTIFIER-KEY> <CERTIFICATE> <USERID>
22
24 -h, --help
25 Prints help information
26 -B, --binary
29 Emits binary data
30 -l, --local
33 Makes the certification a local certification. Normally, local
34 certifications are not exported.
35 --non-revocable
38 Marks the certification as being non-revocable. That is, you
39 cannot later revoke this certification. This should normally
40 only be used with an expiration.
41
43 -o, --output FILE
44 Writes to FILE or stdout if omitted
45 -d, --depth TRUST_DEPTH
48 Sets the trust depth (sometimes referred to as the trust level).
49 0 means a normal certification of <CERTIFICATE, USERID>. 1
50 means CERTIFICATE is also a trusted introducer, 2 means CERTIFI‐
51 CATE is a meta-trusted introducer, etc. The default is 0.
52 -a, --amount TRUST_AMOUNT
55 Sets the amount of trust. Values between 1 and 120 are meaning‐
56 ful. 120 means fully trusted. Values less than 120 indicate the
57 degree of trust. 60 is usually used for partially trusted. The
58 default is 120.
59 -r, --regex REGEX
62 Adds a regular expression to constrain what a trusted introducer
63 can certify. The regular expression must match the certified
64 User ID in all intermediate introducers, and the certified cer‐
65 tificate. Multiple regular expressions may be specified. In
66 that case, at least one must match.
67 --notation NAME
70 Adds a notation to the certification. A user-defined notation's
71 name must be of the form "name@a.domain.you.control.org". If the
72 notation's name starts with a !, then the notation is marked as
73 being critical. If a consumer of a signature doesn't understand
74 a critical notation, then it will ignore the signature. The no‐
75 tation is marked as being human readable.
76 --expires TIME
79 Makes the certification expire at TIME (as ISO 8601). Use
80 "never" to create certifications that do not expire.
81 --expires-in DURATION
84 Makes the certification expire after DURATION. Either "N[ymwd]",
85 for N years, months, weeks, or days, or "never". [default: 5y]
86
88 CERTIFIER-KEY
89 Creates the certificate using CERTIFIER-KEY.
90 CERTIFICATE
93 Certifies CERTIFICATE.
94 USERID Certifies USERID for CERTIFICATE.
97
99 # Juliet certifies that Romeo controls romeo.pgp and romeo@example.org
100 $ sq certify juliet.pgp romeo.pgp "<romeo@example.org>"
101
104 For the full documentation see <https://docs.sequoia-pgp.org/sq/>.
105 sq(1), sq-armor(1), sq-autocrypt(1), sq-certify(1), sq-dearmor(1),
107 sq-decrypt(1), sq-encrypt(1), sq-inspect(1), sq-key(1), sq-keyring(1),
108 sq-keyserver(1), sq-packet(1), sq-sign(1), sq-verify(1), sq-wkd(1)
109
113 Azul <azul@sequoia-pgp.org>
114 Igor Matuszewski <igor@sequoia-pgp.org>
115 Justus Winter <justus@sequoia-pgp.org>
116 Kai Michaelis <kai@sequoia-pgp.org>
117 Neal H. Walfield <neal@sequoia-pgp.org>
118 Nora Widdecke <nora@sequoia-pgp.org>
119 Wiktor Kwapisiewicz <wiktor@sequoia-pgp.org>
1200.24.0 (SEQUOIA-OPENPGP 1.0.0) MARCH 2021 SQ-CERTIFY(1)