sq-verify - Man Page

Verifies signed messages or detached signatures

Synopsis

sq verify [Options] FILE

Description

Verifies signed messages or detached signatures.

When verifying signed messages, the message is written to stdout or the file given to `--output`.

When a detached message is verified, no output is produced.  Detached signatures are often used to sign software packages.

Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the `--signatures` parameter.  If the verification fails, the program terminates with an exit status indicating failure. In addition to that, the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25 MiB, no output is produced, and if it is larger, then the output will be truncated.

A signature is considered to have been authenticated if the signer can be authenticated.  If the signer is provided via `--signer-file`, then the signer is considered authenticated.  Otherwise, the signer is looked up and authenticated using the Web of Trust.  If at least one User ID can be fully authenticated, then the signature is considered to have been authenticated.  If the signature includes a Signer User ID subpacket, then only that User ID is considered.  Note: the User ID need not be self signed.

The converse operation is `sq sign`.

If you are looking for a standalone program to verify detached signatures, consider using sequoia-sqv.

`sq verify` respects the reference time set by the top-level `--time` argument.  When set, it verifies the message as of the reference time instead of the current time.

Options

Subcommand options

--detached=SIG

Verifies a detached signature

-n, --signatures=N

Sets the threshold of valid signatures to N. If this threshold is not reached, the message will not be considered verified.

-o, --output=FILE

Writes to FILE or stdout if omitted

--signer-cert=FINGERPRINT|KEYID

Verifies signatures using the specified certificate.  This reads the certificate from the certificate store, and considers it to be authenticated.  When this option is not provided, the certificate is still read from the certificate store, if it exists, but it is not considered authenticated.

--signer-file=CERT_FILE

Verifies signatures using the certificate in CERT_FILE

FILE

Reads from FILE or stdin if omitted

Global options

See sq(1) for a description of the global options.

Examples

Verify a signed message

    sq verify signed-message.pgp

Verify a detached message

    sq verify --detached message.sig message.txt

Verify a message as of June 9, 2011 at midnight UTC:

    sq verify --time 20130721 msg.pgp

See Also

sq(1).

For the full documentation see <https://book.sequoia-pgp.org>.

Version

0.34.0 (sequoia-openpgp 1.19.0)

Referenced By

sq(1).

0.34.0 Sequoia PGP