[−][src]Crate sq
A command-line frontend for Sequoia.
Usage
Sequoia is an implementation of OpenPGP. This is a command-line frontend.
USAGE:
sq [FLAGS] [OPTIONS] <SUBCOMMAND>
FLAGS:
-f, --force Overwrite existing files
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
--home <DIRECTORY> Sets the home directory to use
--known-notation <NOTATION>... The notation name is considered known. This is used when validating
signatures. Signatures that have unknown notations with the critical bit set
are considered invalid.
-m, --mapping <MAPPING> Sets the realm and mapping to use [default: org.sequoia-pgp.contacts/default]
-p, --policy <NETWORK-POLICY> Sets the network policy to use
SUBCOMMANDS:
decrypt Decrypts an OpenPGP message
encrypt Encrypts a message
sign Signs a message
verify Verifies a message
mapping Interacts with key mappings
merge-signatures Merges two signatures
keyserver Interacts with keyservers
autocrypt Autocrypt support
certring Manipulates certificate rings
dearmor Removes ASCII Armor from a file
enarmor Applies ASCII Armor to a file
help Prints this message or the help of the given subcommand(s)
inspect Inspects a sequence of OpenPGP packets
key Manipulates keys
list Lists key mappings and known keys
packet OpenPGP Packet manipulation
wkd Interacts with Web Key Directories
Subcommand decrypt
Decrypts an OpenPGP message
USAGE:
sq decrypt [FLAGS] [OPTIONS] [--] [FILE]
FLAGS:
--dump Print a packet dump to stderr
--dump-session-key Prints the session key to stderr
-h, --help Prints help information
-x, --hex Print a hexdump (implies --dump)
-V, --version Prints version information
OPTIONS:
-o, --output <FILE> Sets the output file to use
--secret-key-file <TSK-FILE>... Secret key to decrypt with, given as a file (can be given multiple times)
--sender-cert-file <CERT-FILE>... The sender's certificate to verify signatures with, given as a file (can be
given multiple times)
-n, --signatures <N> The number of valid signatures required. Default: 0
ARGS:
<FILE> Sets the input file to use
Subcommand encrypt
Encrypts a message
USAGE:
sq encrypt [FLAGS] [OPTIONS] [--] [FILE]
FLAGS:
-B, --binary Don't ASCII-armor encode the OpenPGP data
-h, --help Prints help information
-s, --symmetric Encrypt with a password (can be given multiple times)
--use-expired-subkey If a certificate has only expired encryption-capable subkeys, fall back to using the one
that expired last
-V, --version Prints version information
OPTIONS:
--compression <KIND>
Selects compression scheme to use [default: pad] [possible values: none, pad, zip, zlib, bzip2]
--mode <MODE>
Selects what kind of keys are considered for encryption. Transport select subkeys marked as suitable for
transport encryption, rest selects those for encrypting data at rest, and all selects all encryption-capable
subkeys [default: all] [possible values: transport, rest, all]
-o, --output <FILE> Sets the output file to use
-r, --recipient <LABEL>... Recipient to encrypt for (can be given multiple times)
--recipients-cert-file <CERTS-FILE>...
Recipients to encrypt for, given as a file (can be given multiple times)
--signer-key-file <TSK-FILE>... Secret key to sign with, given as a file (can be given multiple times)
-t, --time <TIME>
Chooses keys valid at the specified time and sets the signature's creation time
ARGS:
<FILE> Sets the input file to use
Subcommand sign
Signs a message
USAGE:
sq sign [FLAGS] [OPTIONS] [--] [FILE]
FLAGS:
-a, --append Append signature to existing signature
-B, --binary Don't ASCII-armor encode the OpenPGP data
--detached Create a detached signature
-h, --help Prints help information
-n, --notarize Signs a message and all existing signatures
-V, --version Prints version information
OPTIONS:
-o, --output <FILE> Sets the output file to use
--secret-key-file <TSK-FILE>... Secret key to sign with, given as a file (can be given multiple times)
-t, --time <TIME> Chooses keys valid at the specified time and sets the signature's creation
time
ARGS:
<FILE> Sets the input file to use
Subcommand verify
Verifies a message
USAGE:
sq verify [OPTIONS] [--] [FILE]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
--detached <SIG-FILE> Verifies a detached signature
-o, --output <FILE> Sets the output file to use
--sender-cert-file <CERT-FILE>... The sender's certificate to verify signatures with, given as a file (can be
given multiple times)
-n, --signatures <N> The number of valid signatures required. Default: 0
ARGS:
<FILE> Sets the input file to use
Subcommand mapping
Interacts with key mappings
USAGE:
sq mapping <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
add Add a key identified by fingerprint
delete Deletes bindings or mappings
export Exports a key
help Prints this message or the help of the given subcommand(s)
import Imports a key
list Lists keys in the mapping
log Lists the keystore log
stats Get stats for the given label
Subcommand mapping add
Add a key identified by fingerprint
USAGE:
sq mapping add <LABEL> <FINGERPRINT>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<LABEL> Label to use
<FINGERPRINT> Key to add
Subcommand mapping delete
Deletes bindings or mappings
USAGE:
sq mapping delete [FLAGS] [LABEL]
FLAGS:
-h, --help Prints help information
--the-mapping Delete the selected mapping (change with --mapping)
-V, --version Prints version information
ARGS:
<LABEL> Delete binding with this label
Subcommand mapping export
Exports a key
USAGE:
sq mapping export [FLAGS] [OPTIONS] <LABEL>
FLAGS:
-B, --binary Don't ASCII-armor encode the OpenPGP data
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-o, --output <FILE> Sets the output file to use
ARGS:
<LABEL> Label to use
Subcommand mapping import
Imports a key
USAGE:
sq mapping import <LABEL> [FILE]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<LABEL> Label to use
<FILE> Sets the input file to use
Subcommand mapping list
Lists keys in the mapping
USAGE:
sq mapping list
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
Subcommand mapping log
Lists the keystore log
USAGE:
sq mapping log [LABEL]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<LABEL> List messages related to this label
Subcommand mapping stats
Get stats for the given label
USAGE:
sq mapping stats <LABEL>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<LABEL> Label to use
Subcommand merge-signatures
Merges two signatures
USAGE:
sq merge-signatures [OPTIONS] [ARGS]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-o, --output <FILE> Sets the output file to use
ARGS:
<FILE> Sets the first input file to use
<FILE> Sets the second input file to use
Subcommand keyserver
Interacts with keyservers
USAGE:
sq keyserver [OPTIONS] <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-s, --server <URI> Sets the keyserver to use
SUBCOMMANDS:
get Retrieves a key
help Prints this message or the help of the given subcommand(s)
send Sends a key
Subcommand keyserver get
Retrieves a key
USAGE:
sq keyserver get [FLAGS] [OPTIONS] <QUERY>
FLAGS:
-B, --binary Don't ASCII-armor encode the OpenPGP data
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-o, --output <FILE> Sets the output file to use
ARGS:
<QUERY> Fingerprint, KeyID, or email address of the cert(s) to retrieve
Subcommand keyserver send
Sends a key
USAGE:
sq keyserver send [FILE]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<FILE> Sets the input file to use
Subcommand autocrypt
Autocrypt support
USAGE:
sq autocrypt <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
decode Converts Autocrypt-encoded keys to OpenPGP Certificates
encode-sender Encodes the sender's OpenPGP Certificates into an Autocrypt header
help Prints this message or the help of the given subcommand(s)
Subcommand autocrypt decode
Converts Autocrypt-encoded keys to OpenPGP Certificates
USAGE:
sq autocrypt decode [OPTIONS] [FILE]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-o, --output <FILE> Sets the output file to use
ARGS:
<FILE> Sets the input file to use
Subcommand autocrypt encode-sender
Encodes the sender's OpenPGP Certificates into an Autocrypt header
USAGE:
sq autocrypt encode-sender [OPTIONS] [FILE]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
--address <address> Select userid to use. [default: primary userid]
-o, --output <FILE> Sets the output file to use
--prefer-encrypt <prefer-encrypt> Sets the prefer-encrypt attribute [default: nopreference] [possible
values: nopreference, mutual]
ARGS:
<FILE> Sets the input file to use
Subcommand certring
Manipulates certificate rings
USAGE:
sq certring <SUBCOMMAND>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
SUBCOMMANDS:
filter Joins certs into a certring applying a filter
help Prints this message or the help of the given subcommand(s)
join Joins certs into a certring
list Lists certs in a certring
split Splits a certring into individual certs
Subcommand certring filter
If multiple predicates are given, they are or'ed, i.e. a certificate matches if any of the predicates match. To require
all predicates to match, chain multiple invocations of this command.
USAGE:
sq certring filter [FLAGS] [OPTIONS] [--] [FILE]...
FLAGS:
-B, --binary
Don't ASCII-armor the certring
-h, --help
Prints help information
-P, --prune-certs
Remove certificate components not matching the filter
-V, --version
Prints version information
OPTIONS:
--domain <FQDN>...
Match on this email domain name
--email <ADDRESS>...
Match on this email address
--name <NAME>...
Match on this name
-o, --output <FILE>
Sets the output file to use
ARGS:
<FILE>...
Sets the input files to use
Subcommand certring join
Joins certs into a certring
USAGE:
sq certring join [FLAGS] [OPTIONS] [FILE]...
FLAGS:
-B, --binary Don't ASCII-armor the certring
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-o, --output <FILE> Sets the output file to use
ARGS:
<FILE>... Sets the input files to use
Subcommand certring list
Lists certs in a certring
USAGE:
sq certring list [FILE]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<FILE> Sets the input file to use
Subcommand certring split
Splits a certring into individual certs
USAGE:
sq certring split [OPTIONS] [FILE]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-p, --prefix <FILE> Sets the prefix to use for output files (defaults to the input filename with a dash, or
'output' if certring is read from stdin)
ARGS:
<FILE> Sets the input file to use
Subcommand dearmor
Removes ASCII Armor from a file
USAGE:
sq dearmor [OPTIONS] [FILE]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-o, --output <FILE> Sets the output file to use
ARGS:
<FILE> Sets the input file to use
Subcommand enarmor
Applies ASCII Armor to a file
USAGE:
sq enarmor [OPTIONS] [FILE]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
--kind <KIND> Selects the kind of header line to produce [default: file] [possible values: message,
publickey, secretkey, signature, file]
-o, --output <FILE> Sets the output file to use
ARGS:
<FILE> Sets the input file to use
Subcommand inspect
Inspects a sequence of OpenPGP packets
USAGE:
sq inspect [FLAGS] [FILE]
FLAGS:
--certifications Print third-party certifications
-h, --help Prints help information
--keygrips Print keygrips of keys and subkeys
-V, --version Prints version information
ARGS:
<FILE> Sets the input file to use
Subcommand key
Manipulates keys
USAGE:
sq key <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
adopt Bind keys from one certificate to another.
generate Generates a new key
help Prints this message or the help of the given subcommand(s)
Subcommand key adopt
Bind keys from one certificate to another.
USAGE:
sq key adopt [FLAGS] [OPTIONS] <CERT> --key <KEY>...
FLAGS:
--allow-broken-crypto Allows adopting keys from certificates using broken cryptography.
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-k, --key <KEY>... Adds the specified key or subkey to the certificate.
-r, --keyring <KEYRING>... A keyring containing the keys specified in --key.
ARGS:
<CERT> The certificate to add keys to.
Subcommand key generate
Generates a new key
USAGE:
sq key generate [FLAGS] [OPTIONS] --export <OUTFILE>
FLAGS:
--can-sign The key has a signing-capable subkey (default)
--cannot-encrypt The key will not be able to encrypt data
--cannot-sign The key will not be able to sign data
-h, --help Prints help information
-V, --version Prints version information
--with-password Prompt for a password to protect the generated key with.
OPTIONS:
--can-encrypt <PURPOSE> The key has an encryption-capable subkey (default: universal) [possible values:
transport, storage, universal]
-c, --cipher-suite <CIPHER-SUITE> Cryptographic algorithms used for the key. [default: cv25519] [possible
values: rsa3k, rsa4k, cv25519]
--expires <TIME> Absolute time When the key should expire, or 'never'.
--expires-in <DURATION> Relative time when the key should expire. Either 'N[ymwd]', for N years,
months, weeks, or days, or 'never'.
-e, --export <OUTFILE> Exports the key instead of saving it in the store
--rev-cert <FILE or -> Sets the output file for the revocation certificate. Default is <OUTFILE>.rev,
mandatory if OUTFILE is '-'.
-u, --userid <EMAIL>... Add userid to the key (can be given multiple times)
Subcommand list
Lists key mappings and known keys
USAGE:
sq list <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
bindings Lists all bindings in all key mappings
help Prints this message or the help of the given subcommand(s)
keys Lists all keys in the common key pool
log Lists the server log
mappings Lists key mappings
Subcommand list bindings
Lists all bindings in all key mappings
USAGE:
sq list bindings [PREFIX]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<PREFIX> List only bindings from mappings with the given realm prefix
Subcommand list keys
Lists all keys in the common key pool
USAGE:
sq list keys
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
Subcommand list log
Lists the server log
USAGE:
sq list log
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
Subcommand list mappings
Lists key mappings
USAGE:
sq list mappings [PREFIX]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<PREFIX> List only mappings with the given realm prefix
Subcommand packet
OpenPGP Packet manipulation
USAGE:
sq packet <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
decrypt Decrypts an OpenPGP message, dumping the content of the encryption container without further
processing
dump Lists OpenPGP packets
help Prints this message or the help of the given subcommand(s)
join Joins OpenPGP packets split across files
split Splits a message into OpenPGP packets
Subcommand packet decrypt
Decrypts an OpenPGP message, dumping the content of the encryption container without further processing
USAGE:
sq packet decrypt [FLAGS] [OPTIONS] [--] [FILE]
FLAGS:
-B, --binary Don't ASCII-armor encode the OpenPGP data
--dump-session-key Prints the session key to stderr
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-o, --output <FILE> Sets the output file to use
--secret-key-file <TSK-FILE>... Secret key to decrypt with, given as a file (can be given multiple times)
ARGS:
<FILE> Sets the input file to use
Subcommand packet dump
Lists OpenPGP packets
USAGE:
sq packet dump [FLAGS] [OPTIONS] [FILE]
FLAGS:
-h, --help Prints help information
-x, --hex Print a hexdump
--mpis Print MPIs
-V, --version Prints version information
OPTIONS:
-o, --output <FILE> Sets the output file to use
--session-key <SESSION-KEY> Session key to decrypt encryption containers
ARGS:
<FILE> Sets the input file to use
Subcommand packet join
Joins OpenPGP packets split across files
USAGE:
sq packet join [FLAGS] [OPTIONS] [FILE]...
FLAGS:
-B, --binary Don't ASCII-armor encode the OpenPGP data
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
--kind <KIND> Selects the kind of header line to produce [default: file] [possible values: message,
publickey, secretkey, signature, file]
-o, --output <FILE> Sets the output file to use
ARGS:
<FILE>... Sets the input files to use
Subcommand packet split
Splits a message into OpenPGP packets
USAGE:
sq packet split [OPTIONS] [FILE]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-p, --prefix <FILE> Sets the prefix to use for output files (defaults to the input filename with a dash, or
'output')
ARGS:
<FILE> Sets the input file to use
Subcommand wkd
Interacts with Web Key Directories
USAGE:
sq wkd <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
generate Generates a Web Key Directory for the given domain and keys. If the WKD exists, the new keys will
be inserted and it is updated and existing ones will be updated.
get Writes to the standard output the Cert retrieved from a Web Key Directory, given an email address
help Prints this message or the help of the given subcommand(s)
url Prints the Web Key Directory URL of an email address.
Subcommand wkd generate
Generates a Web Key Directory for the given domain and keys. If the WKD exists, the new keys will be inserted and it is
updated and existing ones will be updated.
USAGE:
sq wkd generate [FLAGS] <WEB-ROOT> <DOMAIN> [KEYRING]
FLAGS:
-d, --direct_method Use the direct method. [default: advanced method]
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<WEB-ROOT> The location to write the WKD to. This must be the directory the webserver is serving the '.well-
known' directory from.
<DOMAIN> The domain for the WKD.
<KEYRING> The keyring file with the keys to add to the WKD.
Subcommand wkd get
Writes to the standard output the Cert retrieved from a Web Key Directory, given an email address
USAGE:
sq wkd get [FLAGS] <EMAIL_ADDRESS>
FLAGS:
-B, --binary Don't ASCII-armor encode the OpenPGP data
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<EMAIL_ADDRESS> The email address from which to obtain the Cert from a WKD.
Subcommand wkd url
Prints the Web Key Directory URL of an email address.
USAGE:
sq wkd url <EMAIL_ADDRESS>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<EMAIL_ADDRESS> The email address from which to obtain the WKD URI.
Modules
| commands | |
| sq_cli |
Functions
| create_or_stdout | |
| create_or_stdout_pgp | |
| decrypt_key | |
| help_warning | Prints a warning if the user supplied "help" or "-help" to an positional argument. |
| list_bindings | |
| load_certs | Loads one or more certs from every given file. |
| load_keys | Loads one TSK from every given file. |
| main | |
| open_or_stdin | |
| parse_armor_kind | |
| parse_iso8601 | Parses the given string depicting a ISO 8601 timestamp. |
| print_log | |
| serialize_keyring | Serializes a keyring, adding descriptive headers if armored. |