Your company here — click to reach over 10,000 unique daily visitors

sq-wot - Man Page

An implementation of OpenPGP's web of trust.


sequoia-wot [--gpg] [-k|--keyring] [--gpg-keyring] [--network] [--keyserver] [-r|--trust-root] [-f|--format] [--gpg-ownertrust] [--gossip] [--certification-network] [-a|--trust-amount] [--partial] [--full] [--double] [--time] [--known-notation] [-h|--help] [-V|--version] <subcommands>


An implementation of OpenPGP's web of trust.



Uses gpg's keyring and gpg's trust roots.

When this option is set, `sq-wot` reads gpg's keyring and gpg's ownertrust.  This is equivalent to passing `--gpg-keyring` and `--gpg-ownertrust`.

-k,  --keyring=FILE

Adds KEYRING to the list of keyrings

The keyrings are read at start up and used to build a web of trust network.  Note: if a certificate occurs multiple times, the first version is taken; they are not currently merged.


Adds GnuPG's keyring to the list of keyrings.

This option causes `sq-wot` to read gpg's keyring, by parsing the output of `gpg --export --export-options export-local-sigs`.


Looks up missing certificates over the network.

This causes `sq-wot` to look up missing certificates on a key server.  The default key server can be overridden using the `--keyserver` option.

Certificates fetched from a key server are cached locally in the default cert-d.  The default cert-d is also checked prior to fetching a certificate from the key server.

--keyserver=KEYSERVER [default: hkps://keyserver.ubuntu.com]

Sets the keyserver to use to KEYSERVER.

This option only makes sense when used in conjunction with the `--network` option.  Currently, it is only possible to set a single keyserver.

-r,  --trust-root=FINGERPRINT|KEYID

Treats the specified certificate as a trust root.

It is possible to have multiple trust roots.  All trust roots are treated equivalently.  This can be combined with `--gpg-ownertrust`.

-f,  --format=FORMAT [default: human-readable]

Render the output in a specific format

Choosing a different output format allows for further post processing of the data using external tools.

Possible values:

  • human-readable: output in human readable format

Causes `sq-wot` to use gpg's trust roots as the trust roots.

`sq-wot` reads the output of `gpg --export-ownertrust`.  It treats gpg's ultimately trusted certificates as fully trust roots.  Similar to gpg, it also treats certificates marked as fully and marginally trusted as fully and marginally trusted roots, if a self-signed User ID can be authenticated by an ultimately trusted root.

It is possible to set additional trust roots using the `--trust-root` option.


Treats all certificates as unreliable trust roots.

This option is useful for figuring out what others think about a certificate (i.e., gossip or hearsay).  In other words, this finds arbitrary paths to a particular certificate.

Gossip is useful in helping to identify alternative ways to authenticate a certificate.  For instance, imagine Ed wants to authenticate Laura's certificate, but asking her directly is inconvenient.  Ed discovers that Micah has certified Laura's certificate, but Ed hasn't yet authenticated Micah's certificate.  If Ed is willing to rely on Micah as a trusted introducer, and authenticating Micah's certificate is easier than authenticating Laura's certificate, then Ed has learned about an easier way to authenticate Laura's certificate.


# Get gossip about a certificate.{n} $ sq-wot --keyring keyring.pgp \\{n} --gossip identify 3217C509292FC67076ECD75C7614269BDDF73B36


Treats the network as a certification network.

Normally, `sq-wot` treats the web-of-trust network as an authentication network where a certification only means that the binding is correct, not that the target should be treated as a trusted introducer.  In a certification network, the targets of certifications are treated as trusted introducers with infinite depth, and any regular expressions are ignored. Note: The trust amount remains unchanged.  This is how most so-called pgp path-finding algorithms work.

-a,  --trust-amount=TRUST_AMOUNT

The required amount of trust.

120 indicates full authentication; values less than 120 indicate partial authentication.  When `--certification-network` is passed, this defaults to 1200, i.e., sq-wot tries to find 10 paths.


Require partial authentication.

This is the same as passing `--trust-amount 40`.


Require full authentication.

This is the same as passing `--trust-amount 120`.


Require double authentication.

This is the same as passing `--trust-amount 240`.


Sets the reference time to TIME.

TIME is interpreted as an ISO 8601 timestamp.  To set the reference time to July 21, 2013 at midnight UTC, you can do:

$ sq-wot --time 20130721 CMD ...

To include a time, add a T, the time and optionally the timezone (the default timezone is UTC):

$ sq-wot --time 20130721T0550+0200 CMD ...


Adds NOTATION to the list of known notations

This is used when validating signatures.  Signatures that have unknown notations with the critical bit set are considered invalid.

-h,  --help

Print help (see a summary with '-h')

-V,  --version

Print version



Authenticate a binding


Lookup the certificates associated with a User ID


Identify a certificate


List all authenticated bindings (User ID and certificate pairs)


Verify the specified path


Print this message or the help of the given subcommand(s)




Neal H. Walfield <neal@sequoia-pgp.org>


sequoia-wot 0.12.0