1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
|
.TH SQ "1" "MARCH 2021" "0.24.0 (SEQUOIA-OPENPGP 1.0.0)" "USER COMMANDS" 5
.SH NAME
sq \- A command\-line frontend for Sequoia, an implementation of OpenPGP
Functionality is grouped and available using subcommands. Currently,
this interface is completely stateless. Therefore, you need to supply
all configuration and certificates explicitly on each invocation.
OpenPGP data can be provided in binary or ASCII armored form. This
will be handled automatically. Emitted OpenPGP data is ASCII armored
by default.
We use the term "certificate", or cert for short, to refer to OpenPGP
keys that do not contain secrets. Conversely, we use the term "key"
to refer to OpenPGP keys that do contain secrets.
.SH SYNOPSIS
\fBsq\fR [FLAGS] [OPTIONS] <SUBCOMMAND>
.SH FLAGS
.TP
\fB\-h\fR, \fB\-\-help\fR
Prints help information
.TP
\fB\-V\fR, \fB\-\-version\fR
Prints version information
.TP
\fB\-f\fR, \fB\-\-force\fR
Overwrites existing files
.SH OPTIONS
.TP
\fB\-\-known\-notation\fR NOTATION
Adds NOTATION to the list of known notations. This is used when validating signatures. Signatures that have unknown notations with the critical bit set are considered invalid.
.SH SUBCOMMANDS
.TP
\fBhelp\fR
Prints this message or the help of the given subcommand(s)
.TP
\fBdecrypt\fR
Decrypts a message
Decrypts a message using either supplied keys, or by prompting for a
password. If message tampering is detected, an error is returned.
See below for details.
If certificates are supplied using the "\-\-signer\-cert" option, any
signatures that are found are checked using these certificates.
Verification is only successful if there is no bad signature, and the
number of successfully verified signatures reaches the threshold
configured with the "\-\-signatures" parameter.
If the signature verification fails, or if message tampering is
detected, the program terminates with an exit status indicating
failure. In addition to that, the last 25 MiB of the message are
withheld, i.e. if the message is smaller than 25 MiB, no output is
produced, and if it is larger, then the output will be truncated.
The converse operation is "sq encrypt".
.TP
\fBencrypt\fR
Encrypts a message
Encrypts a message for any number of recipients and with any number of
passwords, optionally signing the message in the process.
The converse operation is "sq decrypt".
.TP
\fBsign\fR
Signs messages or data files
Creates signed messages or detached signatures. Detached signatures
are often used to sign software packages.
The converse operation is "sq verify".
.TP
\fBverify\fR
Verifies signed messages or detached signatures
When verifying signed messages, the message is written to stdout or
the file given to \-\-output.
When a detached message is verified, no output is produced. Detached
signatures are often used to sign software packages.
Verification is only successful if there is no bad signature, and the
number of successfully verified signatures reaches the threshold
configured with the "\-\-signatures" parameter. If the verification
fails, the program terminates with an exit status indicating failure.
In addition to that, the last 25 MiB of the message are withheld,
i.e. if the message is smaller than 25 MiB, no output is produced, and
if it is larger, then the output will be truncated.
The converse operation is "sq sign".
.TP
\fBarmor\fR
Converts binary to ASCII
To make encrypted data easier to handle and transport, OpenPGP data
can be transformed to an ASCII representation called ASCII Armor. sq
emits armored data by default, but this subcommand can be used to
convert existing OpenPGP data to its ASCII\-encoded representation.
The converse operation is "sq dearmor".
.TP
\fBdearmor\fR
Converts ASCII to binary
To make encrypted data easier to handle and transport, OpenPGP data
can be transformed to an ASCII representation called ASCII Armor. sq
transparently handles armored data, but this subcommand can be used to
explicitly convert existing ASCII\-encoded OpenPGP data to its binary
representation.
The converse operation is "sq armor".
.TP
\fBinspect\fR
Inspects data, like file(1)
It is often difficult to tell from cursory inspection using cat(1) or
file(1) what kind of OpenPGP one is looking at. This subcommand
inspects the data and provides a meaningful human\-readable description
of it.
.TP
\fBkey\fR
Manages keys
We use the term "key" to refer to OpenPGP keys that do contain
secrets. This subcommand provides primitives to generate and
otherwise manipulate keys.
Conversely, we use the term "certificate", or cert for short, to refer
to OpenPGP keys that do not contain secrets. See "sq keyring" for
operations on certificates.
.TP
\fBkeyring\fR
Manages collections of keys or certs
Collections of keys or certficicates (also known as "keyrings" when
they contain secret key material, and "certrings" when they don't) are
any number of concatenated certificates. This subcommand provides
tools to list, split, join, merge, and filter keyrings.
Note: In the documentation of this subcommand, we sometimes use the
terms keys and certs interchangeably.
.TP
\fBcertify\fR
Certifies a User ID for a Certificate
Using a certification a keyholder may vouch for the fact that another
certificate legitimately belongs to a user id. In the context of
emails this means that the same entity controls the key and the email
address. These kind of certifications form the basis for the Web Of
Trust.
This command emits the certificate with the new certification. The
updated certificate has to be distributed, preferably by sending it to
the certificate holder for attestation. See also "sq key
attest\-certification".
.TP
\fBpacket\fR
Low\-level packet manipulation
An OpenPGP data stream consists of packets. These tools allow working
with packet streams. They are mostly of interest to developers, but
"sq packet dump" may be helpful to a wider audience both to provide
valuable information in bug reports to OpenPGP\-related software, and
as a learning tool.
.TP
\fBautocrypt\fR
Communicates certificates using Autocrypt
Autocrypt is a standard for mail user agents to provide convenient
end\-to\-end encryption of emails. This subcommand provides a limited
way to produce and consume headers that are used by Autocrypt to
communicate certificates between clients.
See https://autocrypt.org/
.SH SEE ALSO
For the full documentation see <https://docs.sequoia\-pgp.org/sq/>.
.ad l
.nh
sq(1), sq\-armor(1), sq\-autocrypt(1), sq\-certify(1), sq\-dearmor(1), sq\-decrypt(1), sq\-encrypt(1), sq\-inspect(1), sq\-key(1), sq\-keyring(1), sq\-packet(1), sq\-sign(1), sq\-verify(1)
.SH AUTHORS
.P
.RS 2
.nf
Azul <azul@sequoia\-pgp.org>
Igor Matuszewski <igor@sequoia\-pgp.org>
Justus Winter <justus@sequoia\-pgp.org>
Kai Michaelis <kai@sequoia\-pgp.org>
Neal H. Walfield <neal@sequoia\-pgp.org>
Nora Widdecke <nora@sequoia\-pgp.org>
Wiktor Kwapisiewicz <wiktor@sequoia\-pgp.org>
|
