sq-keyring-linter - Man Page


sq-keyring-linter 0.4.0

`sq-keyring-linter' checks for and optionally repairs OpenPGP certificates that use SHA-1.


sq-keyring-linter [Flags] [Options] [--] [inputs]...


-e,  --export-secret-keys

When fixing a certificate, the fixed certificate is exported without any secret key material.  Using this switch causes any secret key material to also be exported

-f,  --fix

Attempts to fix certificates, when possible

-h,  --help

Prints help information

-k,  --list-keys

If set, outputs a list of fingerprints, one per line, of certificates that have issues.  This output is intended for use by scripts.

This option implies `--quiet'. If you also specify `--fix', errors will still be printed to stderr, and fixed certificates will still be emitted to stdout.

-q,  --quiet

Quiet; does not output any diagnostics

-V,  --version

Prints version information


-p, --password <password>...

A key's password.

Normally this is not needed: if stdin is

connected to a tty, the linter will ask for a password when needed



A list of OpenPGP keyrings to process.

If none are

specified, a keyring is read from stdin

`sq-keyring-linter' checks the supplied certificates for the following SHA-1-related issues:

- Whether a certificate revocation uses SHA-1.

- Whether the current self signature for a non-revoked User ID uses


- Whether the current subkey binding signature for a non-revoked,

live subkey uses SHA-1.

- Whether a primary key binding signature (a `backsig') for a

non-revoked, live subkey uses SHA-1.

Diagnostics are printed to stderr.  At the end, some statistics are shown.  This is useful when examining a keyring.  If `--fix' is specified and at least one issue could be fixed, the fixed certificates are printed to stdout.

This tool does not currently support smart cards.  But, if only the subkeys are on a smart card, this tool may still be able to partially repair the certificate.  In particular, it will be able to fix any issues with User ID self signatures and subkey binding signatures for encryption-capable subkeys, but it will not be able to generate new primary key binding signatures for any signing-capable subkeys.

Exit Status

If `--fix' is not specified, then the exit status is 2, if any issues are found, and 0 otherwise.  If `--fix' is specified, then the exit status is 3, if any issues could not be fixed, and 0 if there were no issues or all issues were fixed.


To gather statistics, simply run:

$ sq-keyring-linter keyring.pgp

To fix a key:

$ gpg --export-secret-keys FPR | sq-keyring-linter --fix -p passw0rd

-p password123 | gpg --import

To get a list of keys with issues:

$ sq-keyring-linter --list-keys keyring.pgp | while read FPR; do

something; done

See Also

sq-keyring-linter's homepage: <https://gitlab.com/sequoia-pgp/keyringlinter>


November 2020 sq-keyring-linter 0.4.0