sq - Man Page

Name

sq — A command-line frontend for Sequoia, an implementation of OpenPGP

Functionality is grouped and available using subcommands.  Currently, this interface is completely stateless.  Therefore, you need to supply all configuration and certificates explicitly on each invocation.

OpenPGP data can be provided in binary or ASCII armored form.  This will be handled automatically.  Emitted OpenPGP data is ASCII armored by default.

We use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets.  Conversely, we use the term "key" to refer to OpenPGP keys that do contain secrets.

Synopsis

sq [Flags] [Options] <SUBCOMMAND>

Flags

-h,  --help

Prints help information

-V,  --version

Prints version information

-f,  --force

Overwrites existing files

Options

--known-notation NOTATION

Adds NOTATION to the list of known notations. This is used when validating signatures. Signatures that have unknown notations with the critical bit set are considered invalid.

Subcommands

help

Prints this message or the help of the given subcommand(s)

decrypt

Decrypts a message

Decrypts a message using either supplied keys, or by prompting for a password.  If message tampering is detected, an error is returned. See below for details.

If certificates are supplied using the "--signer-cert" option, any signatures that are found are checked using these certificates. Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "--signatures" parameter.

If the signature verification fails, or if message tampering is detected, the program terminates with an exit status indicating failure.  In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated.

The converse operation is "sq encrypt".

encrypt

Encrypts a message

Encrypts a message for any number of recipients and with any number of passwords, optionally signing the message in the process.

The converse operation is "sq decrypt".

sign

Signs messages or data files

Creates signed messages or detached signatures.  Detached signatures are often used to sign software packages.

The converse operation is "sq verify".

verify

Verifies signed messages or detached signatures

When verifying signed messages, the message is written to stdout or the file given to --output.

When a detached message is verified, no output is produced.  Detached signatures are often used to sign software packages.

Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the "--signatures" parameter.  If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated.

The converse operation is "sq sign".

armor

Converts binary to ASCII

To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor.  sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII-encoded representation.

The converse operation is "sq dearmor".

dearmor

Converts ASCII to binary

To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor.  sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII-encoded OpenPGP data to its binary representation.

The converse operation is "sq armor".

inspect

Inspects data, like file(1)

It is often difficult to tell from cursory inspection using cat(1) or file(1) what kind of OpenPGP one is looking at.  This subcommand inspects the data and provides a meaningful human-readable description of it.

key

Manages keys

We use the term "key" to refer to OpenPGP keys that do contain secrets.  This subcommand provides primitives to generate and otherwise manipulate keys.

Conversely, we use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets.  See "sq keyring" for operations on certificates.

keyring

Manages collections of keys or certs

Collections of keys or certficicates (also known as "keyrings" when they contain secret key material, and "certrings" when they don't) are any number of concatenated certificates.  This subcommand provides tools to list, split, join, merge, and filter keyrings.

Note: In the documentation of this subcommand, we sometimes use the terms keys and certs interchangeably.

certify

Certifies a User ID for a Certificate

Using a certification a keyholder may vouch for the fact that another certificate legitimately belongs to a user id.  In the context of emails this means that the same entity controls the key and the email address.  These kind of certifications form the basis for the Web Of Trust.

This command emits the certificate with the new certification.  The updated certificate has to be distributed, preferably by sending it to the certificate holder for attestation.  See also "sq key attest-certification".

packet

Low-level packet manipulation

An OpenPGP data stream consists of packets.  These tools allow working with packet streams.  They are mostly of interest to developers, but "sq packet dump" may be helpful to a wider audience both to provide valuable information in bug reports to OpenPGP-related software, and as a learning tool.

keyserver

Interacts with keyservers

wkd

Interacts with Web Key Directories

autocrypt

Communicates certificates using Autocrypt

Autocrypt is a standard for mail user agents to provide convenient end-to-end encryption of emails.  This subcommand provides a limited way to produce and consume headers that are used by Autocrypt to communicate certificates between clients.

See https://autocrypt.org/

See Also

For the full documentation see <https://docs.sequoia-pgp.org/sq/>.

sq(1), sq-armor(1), sq-autocrypt(1), sq-certify(1), sq-dearmor(1), sq-decrypt(1), sq-encrypt(1), sq-inspect(1), sq-key(1), sq-keyring(1), sq-keyserver(1), sq-packet(1), sq-sign(1), sq-verify(1), sq-wkd(1)

Authors

Azul <azul@sequoia-pgp.org>
Igor Matuszewski <igor@sequoia-pgp.org>
Justus Winter <justus@sequoia-pgp.org>
Kai Michaelis <kai@sequoia-pgp.org>
Neal H. Walfield <neal@sequoia-pgp.org>
Nora Widdecke <nora@sequoia-pgp.org>
Wiktor Kwapisiewicz <wiktor@sequoia-pgp.org>

Referenced By

sq(1), sq-armor(1), sq-autocrypt(1), sq-autocrypt-decode(1), sq-autocrypt-encode-sender(1), sq-certify(1), sq-dearmor(1), sq-decrypt(1), sq-encrypt(1), sq-inspect(1), sq-key(1), sq-key-adopt(1), sq-key-attest-certifications(1), sq-key-extract-cert(1), sq-key-generate(1), sq-keyring(1), sq-keyring-filter(1), sq-keyring-join(1), sq-keyring-list(1), sq-keyring-merge(1), sq-keyring-split(1), sq-keyserver(1), sq-keyserver-get(1), sq-keyserver-send(1), sq-packet(1), sq-packet-decrypt(1), sq-packet-dump(1), sq-packet-join(1), sq-packet-split(1), sq-sign(1), sq-verify(1), sq-wkd(1), sq-wkd-generate(1), sq-wkd-get(1), sq-wkd-url(1).

MARCH 2021 0.24.0 (SEQUOIA-OPENPGP 1.0.0) USER COMMANDS