sq-certify - Certifies a User ID for a Certificate
Using a certification a keyholder may vouch for the fact that
another certificate legitimately belongs to a user id. In the context of
emails this means that the same entity controls the key and the email
address. These kind of certifications form the basis for the Web Of
Trust.
This command emits the certificate with the new certification. The
updated certificate has to be distributed, preferably by sending it to the
certificate holder for attestation. See also "sq key
attest-certification".
sq certify [FLAGS] [OPTIONS] <CERTIFIER-KEY>
<CERTIFICATE> <USERID>
- -h, --help
- Prints help information
- -B, --binary
- Emits binary data
- -l, --local
- Makes the certification a local certification. Normally, local
certifications are not exported.
- --non-revocable
- Marks the certification as being non-revocable. That is, you cannot later
revoke this certification. This should normally only be used with an
expiration.
- -o, --output
FILE
- Writes to FILE or stdout if omitted
- -d, --depth
TRUST_DEPTH
- Sets the trust depth (sometimes referred to as the trust level). 0 means a
normal certification of <CERTIFICATE, USERID>. 1 means CERTIFICATE
is also a trusted introducer, 2 means CERTIFICATE is a meta-trusted
introducer, etc. The default is 0.
- -a, --amount
TRUST_AMOUNT
- Sets the amount of trust. Values between 1 and 120 are meaningful. 120
means fully trusted. Values less than 120 indicate the degree of trust. 60
is usually used for partially trusted. The default is 120.
- -r, --regex
REGEX
- Adds a regular expression to constrain what a trusted introducer can
certify. The regular expression must match the certified User ID in all
intermediate introducers, and the certified certificate. Multiple regular
expressions may be specified. In that case, at least one must match.
- --notation
NAME
- Adds a notation to the certification. A user-defined notation's name must
be of the form "name@a.domain.you.control.org". If the
notation's name starts with a !, then the notation is marked as being
critical. If a consumer of a signature doesn't understand a critical
notation, then it will ignore the signature. The notation is marked as
being human readable.
- --expires
TIME
- Makes the certification expire at TIME (as ISO 8601). Use
"never" to create certifications that do not expire.
- --expires-in
DURATION
- Makes the certification expire after DURATION. Either "N[ymwd]",
for N years, months, weeks, or days, or "never". [default:
5y]
- # Juliet certifies that Romeo controls romeo.pgp and
romeo@example.org
- $ sq certify juliet.pgp romeo.pgp
"<romeo@example.org>"
For the full documentation see
<https://docs.sequoia-pgp.org/sq/>.
sq(1), sq-armor(1), sq-autocrypt(1), sq-certify(1), sq-dearmor(1),
sq-decrypt(1), sq-encrypt(1), sq-inspect(1), sq-key(1), sq-keyring(1),
sq-packet(1), sq-sign(1), sq-verify(1)
Azul <azul@sequoia-pgp.org>
Igor Matuszewski <igor@sequoia-pgp.org>
Justus Winter <justus@sequoia-pgp.org>
Kai Michaelis <kai@sequoia-pgp.org>
Neal H. Walfield <neal@sequoia-pgp.org>
Nora Widdecke <nora@sequoia-pgp.org>
Wiktor Kwapisiewicz <wiktor@sequoia-pgp.org>