Sequoia PGP Manual Pages

1.3.1

NAME

sq-verify - Verify signed messages or detached signatures

SYNOPSIS


sq verify [OPTIONS] FILE

DESCRIPTION

Verify signed messages or detached signatures.

When verifying signed messages, the message is written to stdout or the file given to --output.

When a detached message is verified, no output is produced. Detached signatures are often used to sign software packages.

Verification is only successful if there is no bad signature, and the number of successfully verified signatures reaches the threshold configured with the --signatures parameter. If the verification fails, the program terminates with an exit status indicating failure, and the output file is deleted. If the output was sent to stdout, then the last 25 MiB of the message are withheld (consequently, if the message is smaller than 25 MiB, no output is produced).

A signature is considered to have been authenticated if the signer can be authenticated. If the signer is provided via --signer-file, then the signer is considered authenticated. Otherwise, the signer is looked up and authenticated using the Web of Trust. If at least one User ID can be fully authenticated, then the signature is considered to have been authenticated. If the signature includes a Signer User ID subpacket, then only that User ID is considered. Note: the User ID need not be self signed.

The converse operation is sq sign.

If you are looking for a standalone program to verify detached signatures, consider using sequoia-sqv.

sq verify respects the reference time set by the top-level --time argument. When set, it verifies the message as of the reference time instead of the current time.

OPTIONS

Subcommand options

--cleartext

Verify a cleartext-signed message

--message

Verify an inline signed message

--output=FILE

Write to FILE or stdout if omitted

[default: -]

--signature-file=SIG

Verify a detached signature file

--signatures=N

Set the threshold of valid signatures to N

If this threshold is not reached, the message will not be considered verified.

[default: 1]

--signer=FINGERPRINT|KEYID

Require a signature from a certificate with the specified fingerprint or key ID

--signer-domain=DOMAIN

Require a signature from a certificate where a user ID includes an email address for the specified domain

--signer-email=EMAIL

Require a signature from a certificate where a user ID includes the specified email address

--signer-file=PATH

Require a signature from a certificate read from PATH

--signer-userid=USERID

Require a signature from a certificate with the specified user ID

FILE

Read from FILE or stdin if FILE is '-'

[default: -]

Global options

See sq(1) for a description of the global options.

EXAMPLES

Verify a signed message.

sq verify --message document.pgp

Verify a detached signature.

sq verify --signature-file=document.sig document.txt

Verify a message as of June 19, 2024 at midnight UTC.

sq verify --time 2024-06-19 --message document.pgp

SEE ALSO

sq(1).

For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION

1.3.1