1.3.1
sq-key-revoke - Revoke a certificate
sq key revoke
[OPTIONS]
Revoke a certificate.
Creates a revocation certificate for a certificate.
If --revoker or --revoker-file is provided,
then that key is used to create the revocation certificate. If that key
is different from the certificate that is being revoked, this results in
a third-party revocation. This is normally only useful if the owner of
the certificate designated the key to be a designated revoker.
sq key revoke respects the
reference time set by the top-level --time argument. When
set, it uses the specified time instead of the current time when
determining what keys are valid, and it sets the revocation
certificate's creation time to the reference time instead of the current
time.
Revoke the key with the specified fingerprint or key ID
Revoke the key where a user ID includes the specified email address
Revoke the key read from PATH
Revoke the key with the specified user ID
A short, explanatory text
The text is shown to a viewer of the revocation certificate, and
explains why the certificate has been revoked. For instance, if Alice
has created a new key, she would generate a superseded
revocation certificate for her old key, and might include the message
I've created a new certificate, $FINGERPRINT, please use that in the future.
Write to the specified FILE
If not specified, and the certificate was read from the certificate store, imports the modified certificate into the cert store. If not specified, and the certificate was read from a file, writes the modified certificate to stdout.
The reason for the revocation
If the reason happened in the past, you should specify that using the
--time argument. This allows OpenPGP implementations to
more accurately reason about artifacts whose validity depends on the
validity of the certificate.
[possible values: compromised, superseded, retired, unspecified]
Use key with the specified fingerprint or key ID to create the revocation certificate
Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third-party revocation.
Use key where a user ID includes the specified email address to create the revocation certificate
Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third-party revocation.
Read key from PATH to create the revocation certificate
Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third-party revocation.
Use key with the specified user ID to create the revocation certificate
Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third-party revocation.
Add a notation to the signature
A user-defined notation's name must be of the form
name@a.domain.you.control.org. If the notation's name
starts with a !, then the notation is marked as being
critical. If a consumer of a signature doesn't understand a critical
notation, then it will ignore the signature. The notation is marked as
being human readable.
See sq(1) for a description of the global options.
Revoke Alice's key, indicating that there is a new certificate.
sq key revoke --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--reason superseded --message \
"My new cert is C5999E8191BF7B503653BE958B1F7910D01F86E5"
Revoke the key, indicating that the secret key material was compromised.
sq key revoke --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--reason compromised --message \
"Computer attacked, secret key material compromised"For the full documentation see <https://book.sequoia-pgp.org/>.
1.3.1