sq pki link add - Link a certificate and a user ID
sq pki link add [OPTIONS]
Link a certificate and a user ID.
This causes `sq` to consider the certificate and user ID binding
to be authentic. You would do this if you are confident that a particular
certificate should be associated with Alice, for example. Note: this does
not consider the certificate to be a trusted introducer; it only considers
the binding to be authentic. To authorize a certificate to be a trusted
introducer use `sq pki link authorize`.
A link can be retracted using `sq pki link retract`.
This command is similar to `sq pki vouch certify`, but the
certifications it makes are done using the certificate directory's trust
root, not an arbitrary key. Further, the certificates are marked as
non-exportable. The former makes it easier to manage certifications,
especially when the user's certification key is offline. And the latter
improves the user's privacy, by reducing the chance that parts of the user's
social graph is leaked when a certificate is shared.
By default a link never expires. This can be overridden using
`--expiration` argument.
`sq pki link add` respects the reference time set by the top-level
`--time` argument. It sets the link's creation time to the reference
time.
- --all
- Use all self-signed user IDs
- --allow-non-canonical-userids
- Don't reject new user IDs that are not in canonical form.
- Canonical user IDs are of the form `Name (Comment)
<localpart@example.org>`.
- --amount=AMOUNT
- Set the amount of trust. Values between 1 and 120 are meaningful. 120
means fully trusted. Values less than 120 indicate the degree of trust. 60
is usually used for partially trusted.
- [default: full]
- --cert=FINGERPRINT|KEYID
- Use certificates with the specified fingerprint or key ID
- --email=EMAIL
- Use the self-signed user ID with the specified email address
- --email-or-add=EMAIL
- Use a user ID with the specified email address.
- This first searches for a matching self-signed user ID. If there is no
self-signed user ID with the specified email address, it uses a new user
ID with the specified email address, and no display name.
- --expiration=EXPIRATION
- Sets the expiration time.
- EXPIRATION is either an ISO 8601 formatted date with an optional time or a
custom duration. A duration takes the form `N[ymwds]`, where the letters
stand for years, months, weeks, days, and seconds, respectively.
Alternatively, the keyword `never` does not set an expiration time.
- [default: never]
- --recreate
- Recreate signature even if the parameters did not change
- If the link parameters did not change, and thus creating a signature
should not be necessary, we omit the operation. This flag can be given to
force the signature to be re-created anyway.
- --signature-notation
NAME VALUE
- Add a notation to the certification. A user-defined notation's name must
be of the form `name@a.domain.you.control.org`. If the notation's name
starts with a `!`, then the notation is marked as being critical. If a
consumer of a signature doesn't understand a critical notation, then it
will ignore the signature. The notation is marked as being human
readable.
- --temporary
- Temporarily accepts the binding. Creates a fully
trust link between a certificate and one or more
User IDs for a week. After that, the link is
automatically downgraded to a partially trusted link
(trust = 40).
- --userid=USERID
- Use the specified self-signed user ID.
- The specified user ID must be self signed.
- --userid-or-add=USERID
- Use the specified user ID.
- The specified user ID does not need to be self signed.
- Because using a user ID that is not self-signed is often a mistake, you
need to use this option to explicitly opt in. That said, certifying a user
ID that is not self-signed is useful. For instance, you can associate an
alternate email address with a certificate, or you can add a petname,
i.e., a memorable, personal name like "mom".
See sq(1) for a description of the global options.
Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with
the email address alice@example.org.
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--email=alice@example.org
First, examine the certificate
EB28F26E2739A4870ECC47726F0073F60FD0CBF0.
sq inspect --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0
Then, temporarily accept the certificate
EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed user
IDs for a week.
sq pki link add --expiration=1w \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all
Once satisfied, permanently accept the certificate
EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with all of its self-signed user
IDs.
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all
sq(1), sq-pki(1), sq-pki-link(1).
For the full documentation see
<https://book.sequoia-pgp.org>.
0.40.0 (sequoia-openpgp 1.21.2)