1SQ-KEYRING-LINTER(1) User Commands SQ-KEYRING-LINTER(1)
2
6 sq-keyring-linter - sq-keyring-linter
7
9 sq-keyring-linter 0.5.0
10 "sq-keyring-linter" checks for and optionally repairs OpenPGP certifi‐
12 cates that use SHA-1.
13 USAGE:
15 sq-keyring-linter [FLAGS] [OPTIONS] [--] [FILES]...
16 FLAGS:
18 -e, --export-secret-keys
19 When fixing a certificate, the fixed certificate is exported
21 without any secret key material. Using this switch causes any
22 secret key material to also be exported.
23 -f, --fix
25 Attempts to fix certificates, when possible
27 -h, --help
29 Prints help information
31 -k, --list-keys
33 If set, outputs a list of fingerprints, one per line, of cer‐
35 tificates that have issues. This output is intended for use by
36 scripts.
37 This option implies "--quiet". If you also specify "--fix", er‐
39 rors will still be printed to stderr, and fixed certificates
40 will still be emitted to stdout.
41 -q, --quiet
43 Quiet; does not output any diagnostics
45 -V, --version
47 Prints version information
49 OPTIONS:
51 -p, --password <password>...
52 A key's password.
54 Normally this is not needed: if stdin is
55 connected to a tty, the linter will ask for a password when
57 needed.
58 ARGS:
60 <FILES>...
61 A list of OpenPGP keyrings to process.
63 If none are
64 specified, a keyring is read from stdin.
66 "sq-keyring-linter" checks the supplied certificates for the following
68 SHA-1-related issues:
69 - Whether a certificate revocation uses SHA-1.
71 - Whether the current self signature for a non-revoked User ID
73 uses
74 SHA-1.
76 - Whether the current subkey binding signature for a non-re‐
78 voked,
79 live subkey uses SHA-1.
81 - Whether a primary key binding signature (a "backsig") for a
83 non-revoked, live subkey uses SHA-1.
85 Diagnostics are printed to stderr. At the end, some statistics are
87 shown. This is useful when examining a keyring. If "--fix" is speci‐
88 fied and at least one issue could be fixed, the fixed certificates are
89 printed to stdout.
90 This tool does not currently support smart cards. But, if only the
92 subkeys are on a smart card, this tool may still be able to partially
93 repair the certificate. In particular, it will be able to fix any is‐
94 sues with User ID self signatures and subkey binding signatures for en‐
95 cryption-capable subkeys, but it will not be able to generate new pri‐
96 mary key binding signatures for any signing-capable subkeys.
97 EXIT STATUS:
99 If --fix" is not specified:"
101 2 if any issues were found,
102 1 if not issues were found, but there were errors reading the in‐
104 put,
105 0 if there were no issues.
107 If --fix" is specified:"
109 3 if any issues could not be fixed,
110 1 if not issues were found, but there were errors reading the in‐
112 put,
113 0 if all issues were fixed or there were no issues.
115 EXAMPLES:
117 # To gather statistics, simply run: $ sq-keyring-linter
119 keyring.pgp
120 # To fix a key: $ gpg --export-secret-keys FPR | sq-keyring-lin‐
122 ter --fix -p passw0rd
123 -p password123 | gpg --import
125 # To get a list of keys with issues: $ sq-keyring-linter
127 --list-keys keyring.pgp | while read FPR; do
128 something; done
130 SEE ALSO:
132 sq-keyring-linter's homepage: <https://gitlab.com/se‐
134 quoia-pgp/keyringlinter>
135sq-keyring-linter 0.5.0 October 2022 SQ-KEYRING-LINTER(1)