sq-key-revoke - Man Page

Revoke a certificate

Synopsis

sq key revoke [Options] REASON MESSAGE

Description

Revoke a certificate.

Creates a revocation certificate for a certificate.

If `--revoker` or `--revoker-file` is provided, then that key is used to create the revocation certificate.  If that key is different from the certificate that is being revoked, this results in a third-party revocation.  This is normally only useful if the owner of the certificate designated the key to be a designated revoker.

`sq key revoke` respects the reference time set by the top-level `--time` argument.  When set, it uses the specified time instead of the current time when determining what keys are valid, and it sets the revocation certificate's creation time to the reference time instead of the current time.

Options

Subcommand options

--binary

Emit binary data

--cert=FINGERPRINT|KEYID

The certificate to revoke

--cert-file=CERT_FILE

The certificate to revoke.

Read the certificate to revoke from FILE or stdin, if `-`.  It is an error for the file to contain more than one certificate.

--notation NAME VALUE

Add a notation to the certification.

A user-defined notation's name must be of the form `name@a.domain.you.control.org`.  If the notation's name starts with a `!`, then the notation is marked as being critical.  If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature.  The notation is marked as being human readable.

--output=FILE

Write to the specified FILE.

If not specified, and the certificate was read from the certificate store, imports the modified certificate into the cert store.  If not specified, and the certificate was read from a file, writes the modified certificate to stdout.

--revoker=FINGERPRINT|KEYID

The certificate that issues the revocation.

Sign the revocation certificate using the specified key.  By default, the certificate being revoked is used.  Using this option, it is possible to create a third-party revocation.

--revoker-file=KEY_FILE

The certificate that issues the revocation.

Sign the revocation certificate using the specified key.  By default, the certificate being revoked is used.  Using this option, it is possible to create a third-party revocation.

Read the certificate from KEY_FILE or stdin, if `-`.  It is an error for the file to contain more than one certificate.

REASON

The reason for the revocation.

If the reason happened in the past, you should specify that using the `--time` argument.  This allows OpenPGP implementations to more accurately reason about artifacts whose validity depends on the validity of the certificate.

[possible values: compromised, superseded, retired, unspecified]

MESSAGE

A short, explanatory text.

The text is shown to a viewer of the revocation certificate, and explains why the certificate has been revoked.  For instance, if Alice has created a new key, she would generate a `superseded` revocation certificate for her old key, and might include the message `I've created a new certificate, $FINGERPRINT, please use that in the future.`

Global options

See sq(1) for a description of the global options.

Examples

Revoke Alice's key, indicating that there is a new certificate.

    sq key revoke --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
    superseded \

"My new cert is C5999E8191BF7B503653BE958B1F7910D01F86E5"

Revoke the key, indicating that the secret key material was compromised.

    sq key revoke --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
    compromised \

"Computer attacked, secret key material compromised"

See Also

sq(1), sq-key(1).

For the full documentation see <https://book.sequoia-pgp.org>.

Version

0.38.0 (sequoia-openpgp 1.21.2)

Referenced By

sq-key(1).

0.38.0 Sequoia PGP