1. Manuals
  2. Tumbleweed
  3. sequoia-sq
  4. sq-pki-link-add(1)

Scroll to navigation

SQ(1) User Commands SQ(1)

NAME

sq pki link add - Link a certificate and a user ID

SYNOPSIS

sq pki link add [OPTIONS]

DESCRIPTION

Link a certificate and a user ID.

This causes `sq` to consider the certificate and user ID binding to be authentic. You would do this if you are confident that a particular certificate should be associated with Alice, for example. Note: this does not consider the certificate to be a trusted introducer; it only considers the binding to be authentic. To authorize a certificate to be a trusted introducer use `sq pki link authorize`.

A link can be retracted using `sq pki link retract`.

This command is similar to `sq pki vouch add`, but the certifications it makes are done using the certificate directory's trust root, not an arbitrary key. Further, the certificates are marked as non-exportable. The former makes it easier to manage certifications, especially when the user's certification key is offline. And the latter improves the user's privacy, by reducing the chance that parts of the user's social graph is leaked when a certificate is shared.

By default a link never expires. This can be overridden using `--expiration` argument.

`sq pki link add` respects the reference time set by the top-level `--time` argument. It sets the link's creation time to the reference time.

OPTIONS

Subcommand options

Use a user ID with the specified email address
The user ID consists of just the email address. The email address does not have to appear in a self-signed user ID.
Use the specified user ID
The specified user ID does not need to be self signed.
Because using a user ID that is not self-signed is often a mistake, you need to use this option to explicitly opt in.
Use all self-signed user IDs
Don't reject new user IDs that are not in canonical form
Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.
Set the amount of trust
Values between 1 and 120 are meaningful. 120 means fully trusted. Values less than 120 indicate the degree of trust. 60 is usually used for partially trusted.
[default: full]
Use certificates with the specified fingerprint or key ID
Use certificates identified by the special name
[possible values: public-directories, keys.openpgp.org, keys.mailvelope.com, proton.me, wkd, dane, autocrypt, web]
Use a user ID consisting of just the email address, if the email address occurs in a self-signed user ID
Sets the expiration time
EXPIRATION is either an ISO 8601 formatted date with an optional time or a custom duration. A duration takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.
[default: never]
Recreate signature even if the parameters did not change
If the link parameters did not change, and thus creating a signature should not be necessary, we omit the operation. This flag can be given to force the signature to be re-created anyway.
Add a notation to the signature
A user-defined notation's name must be of the form `name@a.domain.you.control.org`. If the notation's name starts with a `!`, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable.
Temporarily accepts the binding
Creates a fully trust link between a certificate and one or more User IDs for a week. After that, the link is automatically downgraded to a partially trusted link (trust = 40).
Use the specified self-signed user ID
The specified user ID must be self signed.
Use the self-signed user ID with the specified email address

Global options

See sq(1) for a description of the global options.

EXAMPLES

Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.

sq pki link add \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--email=alice@example.org




First, examine the certificate
    EB28F26E2739A4870ECC47726F0073F60FD0CBF0.






sq inspect --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0








Then, temporarily accept the certificate
    EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed user
    IDs for a week.






sq pki link add --expiration=1w \








--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all










Once satisfied, permanently accept the certificate
    EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed user
    IDs.






sq pki link add \








--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all












SEE ALSO


sq(1), sq-pki(1), sq-pki-link(1).


For the full documentation see
    <https://book.sequoia-pgp.org>.






VERSION


1.0.0 (sequoia-openpgp 1.22.0)







  

    1.0.0
    Sequoia PGP