certify - Certifies a User ID for a Certificate
certify [-o|--output]
[-B|--binary] [--time] [-d|--depth]
[-a|--amount] [-r|--regex]
[-l|--local] [--non-revocable] [--notation]
[--expires] [--expires-in]
[--allow-not-alive-certifier] [--allow-revoked-certifier]
[--private-key-store] [-h|--help]
<CERTIFIER-KEY> <CERTIFICATE>
<USERID>
Certifies a User ID for a Certificate
With a certification, a keyholder may vouch for the fact that
another certificate legitimately belongs to a User ID. In the context of
emails, this means that the same entity controls the key and the email
address. These kinds of certifications form the basis for the Web of
Trust.
This command emits the certificate with the new certification. The
updated certificate has to be distributed, preferably by sending it to the
certificate holder for attestation. See also "sq key
attest-certification".
- -o, --output=FILE
- Writes to FILE or stdout if omitted
- -B, --binary
- Emits binary data
- --time=TIME
- Sets the certification time to TIME. TIME is interpreted as an ISO 8601
timestamp. To set the certification time to June 9, 2011 at midnight UTC,
you can do:
$ sq certify --time 20130721 neal.pgp ada.pgp ada
To include a time, add a T, the time and optionally the
timezone (the default timezone is UTC):
$ sq certify --time 20130721T0550+0200 neal.pgp ada.pgp ada
- -d, --depth=TRUST_DEPTH [default: 0]
- Sets the trust depth (sometimes referred to as the trust level). 0 means a
normal certification of <CERTIFICATE, USERID>. 1 means CERTIFICATE
is also a trusted introducer, 2 means CERTIFICATE is a meta-trusted
introducer, etc.
- -a, --amount=TRUST_AMOUNT [default: 120]
- Sets the amount of trust. Values between 1 and 120 are meaningful. 120
means fully trusted. Values less than 120 indicate the degree of trust. 60
is usually used for partially trusted.
- -r, --regex=REGEX
- Adds a regular expression to constrain what a trusted introducer can
certify. The regular expression must match the certified User ID in all
intermediate introducers, and the certified certificate. Multiple regular
expressions may be specified. In that case, at least one must match.
- -l, --local
- Makes the certification a local certification. Normally, local
certifications are not exported.
- --non-revocable
- Marks the certification as being non-revocable. That is, you cannot later
revoke this certification. This should normally only be used with an
expiration.
- --notation=NAME VALUE
- Adds a notation to the certification. A user-defined notation's name must
be of the form "name@a.domain.you.control.org". If the
notation's name starts with a !, then the notation is marked as being
critical. If a consumer of a signature doesn't understand a critical
notation, then it will ignore the signature. The notation is marked as
being human readable.
- --expires=TIME
- Makes the certification expire at TIME (as ISO 8601). Use
"never" to create certifications that do not expire.
- --expires-in=DURATION
- Makes the certification expire after DURATION. Either
"N[ymwds]", for N years, months, weeks, days, seconds, or
"never". [default: 5y]
- --allow-not-alive-certifier
- Allows the key to make a certification even if the current time is prior
to its creation time or the current time is at or after its expiration
time.
- --allow-revoked-certifier
- Don't fail if the certificate making the certification is revoked.
- --private-key-store=KEY_STORE
- Provides parameters for private key store
- -h, --help
- Print help information
- <CERTIFIER-KEY>
- Creates the certification using CERTIFIER-KEY.
- <CERTIFICATE>
- Certifies CERTIFICATE.
- <USERID>
- Certifies USERID for CERTIFICATE.
Juliet certifies that Romeo controls romeo.pgp and
romeo@example.org
sq certify juliet.pgp romeo.pgp "<romeo@example.org>"
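The following wrapper is an added example, not part of sq or of the original page. It checks the --depth, --amount, --expires-in, --non-revocable and --regex values described above before calling "sq certify". The function name safe_certify, the SQ variable used to override the binary, and the two rules marked "policy" are assumptions of this example.

```sh
# Added example, not part of sq. safe_certify, the SQ override and the two
# rules marked "policy" are assumptions of this example; the options are the
# ones documented above.

is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# safe_certify DEPTH AMOUNT EXPIRES_IN NON_REVOCABLE(yes|no) \
#              CERTIFIER-KEY CERTIFICATE USERID [REGEX...]
# Runs in a subshell, so "exit" only leaves the function.
safe_certify() (
    die() { echo "safe_certify: $*" >&2; exit 1; }
    [ "$#" -ge 7 ] || die "expected at least 7 arguments"
    depth=$1 amount=$2 expires_in=$3 non_revocable=$4
    key=$5 cert=$6 userid=$7
    shift 7

    is_uint "$depth" || die "depth must be a non-negative integer"
    { is_uint "$amount" && [ "$amount" -ge 1 ] && [ "$amount" -le 120 ]; } ||
        die "amount must be between 1 and 120"
    case $expires_in in
        never) ;;
        *[ymwds]) is_uint "${expires_in%?}" || die "bad duration: $expires_in" ;;
        *) die "bad duration: $expires_in" ;;
    esac

    # policy: a trusted introducer (depth > 0) must be scoped by a regex.
    [ "$depth" -eq 0 ] || [ "$#" -gt 0 ] ||
        die "depth $depth requires at least one regex"
    # policy: a certification that cannot be revoked must expire.
    [ "$non_revocable" != yes ] || [ "$expires_in" != never ] ||
        die "--non-revocable requires an expiration"

    # Turn the remaining arguments (the regexes) into --regex options.
    n=$#
    for re in "$@"; do set -- "$@" "--regex=$re"; done
    shift "$n"
    [ "$non_revocable" != yes ] || set -- --non-revocable "$@"
    set -- "--depth=$depth" "--amount=$amount" "--expires-in=$expires_in" "$@"

    "${SQ:-sq}" certify "$@" "$key" "$cert" "$userid"
)

# Sample call (file names from the example above; the regex is a sample value):
#   safe_certify 1 60 1y no juliet.pgp romeo.pgp "<romeo@example.org>" \
#       '<[^>]+[@.]example\.org>$' > romeo-certified.pgp
```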