summaryrefslogtreecommitdiffstats
path: root/sq/man-sq
diff options
context:
space:
mode:
Diffstat (limited to 'sq/man-sq')
-rw-r--r--sq/man-sq/sq-armor.156
-rw-r--r--sq/man-sq/sq-certify.198
-rw-r--r--sq/man-sq/sq-dearmor.153
-rw-r--r--sq/man-sq/sq-decrypt.177
-rw-r--r--sq/man-sq/sq-encrypt.185
-rw-r--r--sq/man-sq/sq-inspect.156
-rw-r--r--sq/man-sq/sq-key-adopt.166
-rw-r--r--sq/man-sq/sq-key-attest-certifications.168
-rw-r--r--sq/man-sq/sq-key-extract-cert.154
-rw-r--r--sq/man-sq/sq-key-generate.1100
-rw-r--r--sq/man-sq/sq-key.192
-rw-r--r--sq/man-sq/sq-keyring-filter.194
-rw-r--r--sq/man-sq/sq-keyring-join.151
-rw-r--r--sq/man-sq/sq-keyring-list.144
-rw-r--r--sq/man-sq/sq-keyring-merge.151
-rw-r--r--sq/man-sq/sq-keyring-split.154
-rw-r--r--sq/man-sq/sq-keyring.191
-rw-r--r--sq/man-sq/sq-packet-decrypt.159
-rw-r--r--sq/man-sq/sq-packet-dump.172
-rw-r--r--sq/man-sq/sq-packet-join.160
-rw-r--r--sq/man-sq/sq-packet-split.149
-rw-r--r--sq/man-sq/sq-packet.180
-rw-r--r--sq/man-sq/sq-sign.182
-rw-r--r--sq/man-sq/sq-verify.167
-rw-r--r--sq/man-sq/sq.1177
25 files changed, 1836 insertions, 0 deletions
diff --git a/sq/man-sq/sq-armor.1 b/sq/man-sq/sq-armor.1
new file mode 100644
index 00000000..1ccbfe66
--- /dev/null
+++ b/sq/man-sq/sq-armor.1
@@ -0,0 +1,56 @@
+.TH SQ-ARMOR "1" "JANUARY 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
+.SH NAME
+sq\-armor \- Converts binary to ASCII
+
+To make encrypted data easier to handle and transport, OpenPGP data
+can be transformed to an ASCII representation called ASCII Armor. sq
+emits armored data by default, but this subcommand can be used to
+convert existing OpenPGP data to its ASCII\-encoded representation.
+
+The converse operation is "sq dearmor".
+
+.SH SYNOPSIS
+\fBsq armor\fR [FLAGS] [OPTIONS] [\-\-] [FILE]
+.SH FLAGS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Prints help information
+.SH OPTIONS
+.TP
+\fB\-o\fR, \fB\-\-output\fR FILE
+Writes to FILE or stdout if omitted
+
+.TP
+\fB\-\-label\fR LABEL
+Selects the kind of armor header [default: auto] [possible values: auto, message, cert, key, sig, file]
+.SH ARGS
+.TP
+FILE
+Reads from FILE or stdin if omitted
+.SH EXAMPLES
+.TP
+# Convert a binary certificate to ASCII
+\fB $ sq armor binary\-juliet.pgp\fR
+.TP
+# Convert a binary message to ASCII
+\fB $ sq armor binary\-message.pgp\fR
+
+.SH SEE ALSO
+For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
+
+.ad l
+.nh
+sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1)
+
+
+.SH AUTHORS
+.P
+.RS 2
+.nf
+Azul <azul@sequoia\-pgp.org>
+Igor Matuszewski <igor@sequoia\-pgp.org>
+Justus Winter <justus@sequoia\-pgp.org>
+Kai Michaelis <kai@sequoia\-pgp.org>
+Neal H. Walfield <neal@sequoia\-pgp.org>
+Nora Widdecke <nora@sequoia\-pgp.org>
+Wiktor Kwapisiewicz <wiktor@sequoia\-pgp.org>
diff --git a/sq/man-sq/sq-certify.1 b/sq/man-sq/sq-certify.1
new file mode 100644
index 00000000..9fb988e8
--- /dev/null
+++ b/sq/man-sq/sq-certify.1
@@ -0,0 +1,98 @@
+.TH SQ-CERTIFY "1" "JANUARY 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
+.SH NAME
+sq\-certify \-
+Certifies a User ID for a Certificate
+
+Using a certification a keyholder may vouch for the fact that another
+certificate legitimately belongs to a user id. In the context of
+emails this means that the same entity controls the key and the email
+address. These kind of certifications form the basis for the Web Of
+Trust.
+
+This command emits the certificate with the new certification. The
+updated certificate has to be distributed, preferably by sending it to
+the certificate holder for attestation. See also "sq key
+attest\-certification".
+
+.SH SYNOPSIS
+\fBsq certify\fR [FLAGS] [OPTIONS] <CERTIFIER\-KEY> <CERTIFICATE> <USERID>
+.SH FLAGS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Prints help information
+
+.TP
+\fB\-B\fR, \fB\-\-binary\fR
+Emits binary data
+
+.TP
+\fB\-l\fR, \fB\-\-local\fR
+Makes the certification a local certification. Normally, local certifications are not exported.
+
+.TP
+\fB\-\-non\-revocable\fR
+Marks the certification as being non\-revocable. That is, you cannot later revoke this certification. This should normally only be used with an expiration.
+.SH OPTIONS
+.TP
+\fB\-o\fR, \fB\-\-output\fR FILE
+Writes to FILE or stdout if omitted
+
+.TP
+\fB\-d\fR, \fB\-\-depth\fR TRUST_DEPTH
+Sets the trust depth (sometimes referred to as the trust level). 0 means a normal certification of <CERTIFICATE, USERID>. 1 means CERTIFICATE is also a trusted introducer, 2 means CERTIFICATE is a meta\-trusted introducer, etc. The default is 0.
+
+.TP
+\fB\-a\fR, \fB\-\-amount\fR TRUST_AMOUNT
+Sets the amount of trust. Values between 1 and 120 are meaningful. 120 means fully trusted. Values less than 120 indicate the degree of trust. 60 is usually used for partially trusted. The default is 120.
+
+.TP
+\fB\-r\fR, \fB\-\-regex\fR REGEX
+Adds a regular expression to constrain what a trusted introducer can certify. The regular expression must match the certified User ID in all intermediate introducers, and the certified certificate. Multiple regular expressions may be specified. In that case, at least one must match.
+
+.TP
+\fB\-\-notation\fR NAME
+Adds a notation to the certification. A user\-defined notation's name must be of the form "name@a.domain.you.control.org". If the notation's name starts with a !, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable.
+
+.TP
+\fB\-\-expires\fR TIME
+Makes the certification expire at TIME (as ISO 8601). Use "never" to create certifications that do not expire.
+
+.TP
+\fB\-\-expires\-in\fR DURATION
+Makes the certification expire after DURATION. Either "N[ymwd]", for N years, months, weeks, or days, or "never". [default: 5y]
+.SH ARGS
+.TP
+CERTIFIER\-KEY
+Creates the certificate using CERTIFIER\-KEY.
+
+.TP
+CERTIFICATE
+Certifies CERTIFICATE.
+
+.TP
+USERID
+Certifies USERID for CERTIFICATE.
+.SH EXAMPLES
+.TP
+# Juliet certifies that Romeo controls romeo.pgp and romeo@example.org
+\fB $ sq certify juliet.pgp romeo.pgp "<romeo@example.org>"\fR
+
+.SH SEE ALSO
+For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
+
+.ad l
+.nh
+sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1)
+
+
+.SH AUTHORS
+.P
+.RS 2
+.nf
+Azul <azul@sequoia\-pgp.org>
+Igor Matuszewski <igor@sequoia\-pgp.org>
+Justus Winter <justus@sequoia\-pgp.org>
+Kai Michaelis <kai@sequoia\-pgp.org>
+Neal H. Walfield <neal@sequoia\-pgp.org>
+Nora Widdecke <nora@sequoia\-pgp.org>
+Wiktor Kwapisiewicz <wiktor@sequoia\-pgp.org>
diff --git a/sq/man-sq/sq-dearmor.1 b/sq/man-sq/sq-dearmor.1
new file mode 100644
index 00000000..7b2f0923
--- /dev/null
+++ b/sq/man-sq/sq-dearmor.1
@@ -0,0 +1,53 @@
+.TH SQ-DEARMOR "1" "JANUARY 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
+.SH NAME
+sq\-dearmor \- Converts ASCII to binary
+
+To make encrypted data easier to handle and transport, OpenPGP data
+can be transformed to an ASCII representation called ASCII Armor. sq
+transparently handles armored data, but this subcommand can be used to
+explicitly convert existing ASCII\-encoded OpenPGP data to its binary
+representation.
+
+The converse operation is "sq armor".
+
+.SH SYNOPSIS
+\fBsq dearmor\fR [FLAGS] [OPTIONS] [\-\-] [FILE]
+.SH FLAGS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Prints help information
+.SH OPTIONS
+.TP
+\fB\-o\fR, \fB\-\-output\fR FILE
+Writes to FILE or stdout if omitted
+.SH ARGS
+.TP
+FILE
+Reads from FILE or stdin if omitted
+.SH EXAMPLES
+.TP
+# Convert a ASCII certificate to binary
+\fB $ sq dearmor ascii\-juliet.pgp\fR
+.TP
+# Convert a ASCII message to binary
+\fB $ sq dearmor ascii\-message.pgp\fR
+
+.SH SEE ALSO
+For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
+
+.ad l
+.nh
+sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1)
+
+
+.SH AUTHORS
+.P
+.RS 2
+.nf
+Azul <azul@sequoia\-pgp.org>
+Igor Matuszewski <igor@sequoia\-pgp.org>
+Justus Winter <justus@sequoia\-pgp.org>
+Kai Michaelis <kai@sequoia\-pgp.org>
+Neal H. Walfield <neal@sequoia\-pgp.org>
+Nora Widdecke <nora@sequoia\-pgp.org>
+Wiktor Kwapisiewicz <wiktor@sequoia\-pgp.org>
diff --git a/sq/man-sq/sq-decrypt.1 b/sq/man-sq/sq-decrypt.1
new file mode 100644
index 00000000..70ad34f8
--- /dev/null
+++ b/sq/man-sq/sq-decrypt.1
@@ -0,0 +1,77 @@
+.TH SQ-DECRYPT "1" "JANUARY 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
+.SH NAME
+sq\-decrypt \- Decrypts a message
+
+Decrypts a message using either supplied keys, or by prompting for a
+password. Any signatures are checked using the supplied certificates.
+
+The converse operation is "sq encrypt".
+
+.SH SYNOPSIS
+\fBsq decrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE]
+.SH FLAGS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Prints help information
+
+.TP
+\fB\-\-dump\-session\-key\fR
+Prints the session key to stderr
+
+.TP
+\fB\-\-dump\fR
+Prints a packet dump to stderr
+
+.TP
+\fB\-x\fR, \fB\-\-hex\fR
+Prints a hexdump (implies \-\-dump)
+.SH OPTIONS
+.TP
+\fB\-o\fR, \fB\-\-output\fR FILE
+Writes to FILE or stdout if omitted
+
+.TP
+\fB\-n\fR, \fB\-\-signatures\fR N
+Sets the threshold of valid signatures to N. If this threshold is not reached, the message will not be considered verified. [default: 0]
+
+.TP
+\fB\-\-signer\-cert\fR CERT
+Verifies signatures with CERT
+
+.TP
+\fB\-\-recipient\-key\fR KEY
+Decrypts with KEY
+.SH ARGS
+.TP
+FILE
+Reads from FILE or stdin if omitted
+.SH EXAMPLES
+.TP
+# Decrypt a file using a secret key
+\fB $ sq decrypt \-\-recipient\-key juliet.pgp ciphertext.pgp\fR
+.TP
+# Decrypt a file verifying signatures
+\fB $ sq decrypt \-\-recipient\-key juliet.pgp \-\-signer\-cert romeo.pgp ciphertext.pgp\fR
+.TP
+# Decrypt a file using a password
+\fB $ sq decrypt ciphertext.pgp\fR
+
+.SH SEE ALSO
+For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
+
+.ad l
+.nh
+sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1)
+
+
+.SH AUTHORS
+.P
+.RS 2
+.nf
+Azul <azul@sequoia\-pgp.org>
+Igor Matuszewski <igor@sequoia\-pgp.org>
+Justus Winter <justus@sequoia\-pgp.org>
+Kai Michaelis <kai@sequoia\-pgp.org>
+Neal H. Walfield <neal@sequoia\-pgp.org>
+Nora Widdecke <nora@sequoia\-pgp.org>
+Wiktor Kwapisiewicz <wiktor@sequoia\-pgp.org>
diff --git a/sq/man-sq/sq-encrypt.1 b/sq/man-sq/sq-encrypt.1
new file mode 100644
index 00000000..2daca5e7
--- /dev/null
+++ b/sq/man-sq/sq-encrypt.1
@@ -0,0 +1,85 @@
+.TH SQ-ENCRYPT "1" "JANUARY 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
+.SH NAME
+sq\-encrypt \- Encrypts a message
+
+Encrypts a message for any number of recipients and with any number of
+passwords, optionally signing the message in the process.
+
+The converse operation is "sq decrypt".
+
+.SH SYNOPSIS
+\fBsq encrypt\fR [FLAGS] [OPTIONS] [\-\-] [FILE]
+.SH FLAGS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Prints help information
+
+.TP
+\fB\-B\fR, \fB\-\-binary\fR
+Emits binary data
+
+.TP
+\fB\-s\fR, \fB\-\-symmetric\fR
+Adds a password to encrypt with. The message can be decrypted with either one of the recipient's keys, or any password.
+
+.TP
+\fB\-\-use\-expired\-subkey\fR
+If a certificate has only expired encryption\-capable subkeys, falls back to using the one that expired last
+.SH OPTIONS
+.TP
+\fB\-o\fR, \fB\-\-output\fR FILE
+Writes to FILE or stdout if omitted
+
+.TP
+\fB\-\-recipient\-cert\fR CERT\-RING
+Encrypts for all recipients in CERT\-RING
+
+.TP
+\fB\-\-signer\-key\fR KEY
+Signs the message with KEY
+
+.TP
+\fB\-\-mode\fR MODE
+Selects what kind of keys are considered for encryption. Transport select subkeys marked as suitable for transport encryption, rest selects those for encrypting data at rest, and all selects all encryption\-capable subkeys. [default: all] [possible values: transport, rest, all]
+
+.TP
+\fB\-\-compression\fR KIND
+Selects compression scheme to use [default: pad] [possible values: none, pad, zip, zlib, bzip2]
+
+.TP
+\fB\-t\fR, \fB\-\-time\fR TIME
+Chooses keys valid at the specified time and sets the signature's creation time
+.SH ARGS
+.TP
+FILE
+Reads from FILE or stdin if omitted
+.SH EXAMPLES
+.TP
+# Encrypt a file using a certificate
+\fB $ sq encrypt \-\-recipient\-cert romeo.pgp message.txt\fR
+.TP
+# Encrypt a file creating a signature in the process
+\fB $ sq encrypt \-\-recipient\-cert romeo.pgp \-\-signer\-key juliet.pgp message.txt\fR
+.TP
+# Encrypt a file using a password
+\fB $ sq encrypt \-\-symmetric message.txt\fR
+
+.SH SEE ALSO
+For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
+
+.ad l
+.nh
+sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1)
+
+
+.SH AUTHORS
+.P
+.RS 2
+.nf
+Azul <azul@sequoia\-pgp.org>
+Igor Matuszewski <igor@sequoia\-pgp.org>
+Justus Winter <justus@sequoia\-pgp.org>
+Kai Michaelis <kai@sequoia\-pgp.org>
+Neal H. Walfield <neal@sequoia\-pgp.org>
+Nora Widdecke <nora@sequoia\-pgp.org>
+Wiktor Kwapisiewicz <wiktor@sequoia\-pgp.org>
diff --git a/sq/man-sq/sq-inspect.1 b/sq/man-sq/sq-inspect.1
new file mode 100644
index 00000000..701b07f2
--- /dev/null
+++ b/sq/man-sq/sq-inspect.1
@@ -0,0 +1,56 @@
+.TH SQ-INSPECT "1" "JANUARY 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
+.SH NAME
+sq\-inspect \- Inspects data, like file(1)
+
+It is often difficult to tell from cursory inspection using cat(1) or
+file(1) what kind of OpenPGP one is looking at. This subcommand
+inspects the data and provides a meaningful human\-readable description
+of it.
+
+.SH SYNOPSIS
+\fBsq inspect\fR [FLAGS] [\-\-] [FILE]
+.SH FLAGS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Prints help information
+
+.TP
+\fB\-\-certifications\fR
+Prints third\-party certifications
+.SH ARGS
+.TP
+FILE
+Reads from FILE or stdin if omitted
+.SH EXAMPLES
+.TP
+# Inspects a certificate
+\fB $ sq inspect juliet.pgp\fR
+.TP
+# Inspects a certificate ring
+\fB $ sq inspect certs.pgp\fR
+.TP
+# Inspects a message
+\fB $ sq inspect message.pgp\fR
+.TP
+# Inspects a detached signature
+\fB $ sq inspect message.sig\fR
+
+.SH SEE ALSO
+For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
+
+.ad l
+.nh
+sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1)
+
+
+.SH AUTHORS
+.P
+.RS 2
+.nf
+Azul <azul@sequoia\-pgp.org>
+Igor Matuszewski <igor@sequoia\-pgp.org>
+Justus Winter <justus@sequoia\-pgp.org>
+Kai Michaelis <kai@sequoia\-pgp.org>
+Neal H. Walfield <neal@sequoia\-pgp.org>
+Nora Widdecke <nora@sequoia\-pgp.org>
+Wiktor Kwapisiewicz <wiktor@sequoia\-pgp.org>
diff --git a/sq/man-sq/sq-key-adopt.1 b/sq/man-sq/sq-key-adopt.1
new file mode 100644
index 00000000..c68d7f29
--- /dev/null
+++ b/sq/man-sq/sq-key-adopt.1
@@ -0,0 +1,66 @@
+.TH SQ-KEY-ADOPT "1" "JANUARY 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
+.SH NAME
+sq\-key\-adopt \-
+Binds keys from one certificate to another
+
+This command allows one to transfer primary keys and subkeys into an
+existing certificate. Say you want to transition to a new
+certificate, but have an authentication subkey on your current
+certificate. You want to keep the authentication subkey because it
+allows access to SSH servers and updating their configuration is not
+feasible.
+
+.SH SYNOPSIS
+\fBsq key adopt\fR [FLAGS] [OPTIONS] [TARGET\-KEY]
+.SH FLAGS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Prints help information
+
+.TP
+\fB\-\-allow\-broken\-crypto\fR
+Allows adopting keys from certificates using broken cryptography
+
+.TP
+\fB\-B\fR, \fB\-\-binary\fR
+Emits binary data
+.SH OPTIONS
+.TP
+\fB\-r\fR, \fB\-\-keyring\fR KEY\-RING
+Supplies keys for use in \-\-key.
+
+.TP
+\fB\-k\fR, \fB\-\-key\fR KEY
+Adds the key or subkey KEY to the TARGET\-KEY
+
+.TP
+\fB\-o\fR, \fB\-\-output\fR FILE
+Writes to FILE or stdout if omitted
+.SH ARGS
+.TP
+TARGET\-KEY
+Adds keys to TARGET\-KEY
+.SH EXAMPLES
+.TP
+# Adopt an subkey into the new cert
+\fB $ sq key adopt \-\-keyring juliet\-old.pgp \-\-key 0123456789ABCDEF \-\- juliet\-new.pgp\fR
+
+.SH SEE ALSO
+For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
+
+.ad l
+.nh
+sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1)
+
+
+.SH AUTHORS
+.P
+.RS 2
+.nf
+Azul <azul@sequoia\-pgp.org>
+Igor Matuszewski <igor@sequoia\-pgp.org>
+Justus Winter <justus@sequoia\-pgp.org>
+Kai Michaelis <kai@sequoia\-pgp.org>
+Neal H. Walfield <neal@sequoia\-pgp.org>
+Nora Widdecke <nora@sequoia\-pgp.org>
+Wiktor Kwapisiewicz <wiktor@sequoia\-pgp.org>
diff --git a/sq/man-sq/sq-key-attest-certifications.1 b/sq/man-sq/sq-key-attest-certifications.1
new file mode 100644
index 00000000..8268c7bc
--- /dev/null
+++ b/sq/man-sq/sq-key-attest-certifications.1
@@ -0,0 +1,68 @@
+.TH SQ-KEY-ATTEST-CERTIFICATIONS "1" "JANUARY 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
+.SH NAME
+sq\-key\-attest\-certifications \-
+Attests to third\-party certifications allowing for their distribution
+
+To prevent certificate flooding attacks, modern key servers prevent
+uncontrolled distribution of third\-party certifications on
+certificates. To make the key holder the sovereign over the
+information over what information is distributed with the certificate,
+the key holder needs to explicitly attest to third\-party
+certifications.
+
+After the attestation has been created, the certificate has to be
+distributed, e.g. by uploading it to a keyserver.
+
+.SH SYNOPSIS
+\fBsq key attest\-certifications\fR [FLAGS] [OPTIONS] [KEY]
+.SH FLAGS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Prints help information
+
+.TP
+\fB\-\-none\fR
+Removes all prior attestations
+
+.TP
+\fB\-\-all\fR
+Attests to all certifications [default]
+
+.TP
+\fB\-B\fR, \fB\-\-binary\fR
+Emits binary data
+.SH OPTIONS
+.TP
+\fB\-o\fR, \fB\-\-output\fR FILE
+Writes to FILE or stdout if omitted
+.SH ARGS
+.TP
+KEY
+Changes attestations on KEY
+.SH EXAMPLES
+.TP
+# Attest to all certifications present on the key
+\fB $ sq key attest\-certifications juliet.pgp\fR
+.TP
+# Retract prior attestations on the key
+\fB $ sq key attest\-certifications \-\-none juliet.pgp\fR
+
+.SH SEE ALSO
+For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
+
+.ad l
+.nh
+sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1)
+
+
+.SH AUTHORS
+.P
+.RS 2
+.nf
+Azul <azul@sequoia\-pgp.org>
+Igor Matuszewski <igor@sequoia\-pgp.org>
+Justus Winter <justus@sequoia\-pgp.org>
+Kai Michaelis <kai@sequoia\-pgp.org>
+Neal H. Walfield <neal@sequoia\-pgp.org>
+Nora Widdecke <nora@sequoia\-pgp.org>
+Wiktor Kwapisiewicz <wiktor@sequoia\-pgp.org>
diff --git a/sq/man-sq/sq-key-extract-cert.1 b/sq/man-sq/sq-key-extract-cert.1
new file mode 100644
index 00000000..d1224820
--- /dev/null
+++ b/sq/man-sq/sq-key-extract-cert.1
@@ -0,0 +1,54 @@
+.TH SQ-KEY-EXTRACT-CERT "1" "JANUARY 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
+.SH NAME
+sq\-key\-extract\-cert \- Converts a key to a cert
+
+After generating a key, use this command to get the certificate
+corresponding to the key. The key must be kept secure, while the
+certificate should be handed out to correspondents, e.g. by uploading
+it to a keyserver.
+
+.SH SYNOPSIS
+\fBsq key extract\-cert\fR [FLAGS] [OPTIONS] [\-\-] [FILE]
+.SH FLAGS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Prints help information
+
+.TP
+\fB\-B\fR, \fB\-\-binary\fR
+Emits binary data
+.SH OPTIONS
+.TP
+\fB\-o\fR, \fB\-\-output\fR FILE
+Writes to FILE or stdout if omitted
+.SH ARGS
+.TP
+FILE
+Reads from FILE or stdin if omitted
+.SH EXAMPLES
+.TP
+# First, this generates a key
+\fB $ sq key generate \-\-userid "<juliet@example.org>" \-\-export juliet.key.pgp\fR
+.TP
+# Then, this extracts the certificate for distribution
+\fB $ sq key extract\-cert \-\-output juliet.cert.pgp juliet.key.pgp\fR
+
+.SH SEE ALSO
+For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
+
+.ad l
+.nh
+sq(1), sq\-armor(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-key\-adopt(1), sq\-key\-attest\-certifications(1), sq\-key\-extract\-cert(1), sq\-key\-generate(1), sq\-keyring(1), sq\-keyring\-filter(1), sq\-keyring\-join(1), sq\-keyring\-list(1), sq\-keyring\-merge(1), sq\-keyring\-split(1), sq\-packet(1), sq\-sign(1), sq\-verify(1)
+
+
+.SH AUTHORS
+.P
+.RS 2
+.nf
+Azul <azul@sequoia\-pgp.org>
+Igor Matuszewski <igor@sequoia\-pgp.org>
+Justus Winter <justus@sequoia\-pgp.org>
+Kai Michaelis <kai@sequoia\-pgp.org>
+Neal H. Walfield <neal@sequoia\-pgp.org>
+Nora Widdecke <nora@sequoia\-pgp.org>
+Wiktor Kwapisiewicz <wiktor@sequoia\-pgp.org>
diff --git a/sq/man-sq/sq-key-generate.1 b/sq/man-sq/sq-key-generate.1
new file mode 100644
index 00000000..d86030e9
--- /dev/null
+++ b/sq/man-sq/sq-key-generate.1
@@ -0,0 +1,100 @@
+.TH SQ-KEY-GENERATE "1" "JANUARY 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
+.SH NAME
+sq\-key\-generate \- Generates a new key
+
+Generating a key is the prerequisite to receiving encrypted messages
+and creating signatures. There are a few parameters to this process,
+but we provide reasonable defaults for most users.
+
+When generating a key, we also generate a revocation certificate.
+This can be used in case the key is superseded, lost, or compromised.
+It is a good idea to keep a copy of this in a safe place.
+
+After generating a key, use "sq key extract\-cert" to get the
+certificate corresponding to the key. The key must be kept secure,
+while the certificate should be handed out to correspondents, e.g. by
+uploading