Man page - sq-key-userid-revoke(1)

Packages contains this manual

Package:  sq
apt-get install sq

Manuals in package:
• sq-network-keyserver(1)
• sq-key-expire(1)
• sq-pki-link(1)
• sq-pki-link-authorize(1)
• sq-network-dane-generate(1)
• sq-config-inspect-network(1)
• sq-network-dane-search(1)
• sq-pki-vouch-list(1)
• sq-keyring-list(1)
• sq-pki-vouch(1)
• sq-packet-join(1)
• sq-key-subkey-bind(1)
• sq-key-userid-revoke(1)
• sq-packet-split(1)
• sq-config-inspect(1)
• sq-network-search(1)
• sq-pki-path(1)
• sq-keyring-split(1)
• sq-key-subkey-export(1)
• sq-sign(1)
• sq-network-wkd-publish(1)
• sq-key-delete(1)
• sq-packet-decrypt(1)
• sq-key-subkey-password(1)
• sq-cert-list(1)
• sq-key-userid(1)
• sq-network-wkd-search(1)
• sq-pki-link-retract(1)
• sq-keyring-merge(1)
• sq-key-subkey(1)
• sq-pki(1)
• sq-cert(1)
• sq-key-list(1)
• sq-pki-vouch-replay(1)
• sq-pki-authenticate(1)
• sq-pki-link-add(1)
• sq-key-password(1)
• sq-network-keyserver-publish(1)
• sq-config-get(1)
• sq-key-subkey-delete(1)
• sq-config-inspect-paths(1)
• sq-packet-dump(1)
• sq-key-rotate(1)
• sq-key-approvals-list(1)
• sq-download(1)
• sq-key-export(1)
• sq-keyring(1)
• sq-version(1)
• sq-key-userid-add(1)
• sq-pki-vouch-add(1)
• sq-packet-dearmor(1)
• sq-packet(1)
• sq-cert-import(1)
• sq-key-subkey-revoke(1)
• sq-key-approvals-update(1)
• sq-network-keyserver-search(1)
• sq-inspect(1)
• sq-pki-identify(1)
• sq-keyring-filter(1)
• sq-network(1)
• sq-pki-lookup(1)
• sq-pki-link-list(1)
• sq-cert-lint(1)
• sq-key-approvals(1)
• sq-cert-export(1)
• sq-network-wkd(1)
• sq-verify(1)
• sq-key-revoke(1)
• sq-config-inspect-policy(1)
• sq-decrypt(1)
• sq-network-dane(1)
• sq-key-generate(1)
• sq-key-import(1)
• sq(1)
• sq-config(1)
• sq-config-template(1)
• sq-pki-vouch-authorize(1)
• sq-key(1)
• sq-encrypt(1)
• sq-key-subkey-expire(1)
• sq-key-subkey-add(1)
• sq-packet-armor(1)
Documentations in package:
• sq

Manual

SQ

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
Subcommand options
Global options
EXAMPLES
SEE ALSO
VERSION

---

NAME

sq-key-userid-revoke - Revoke a user ID

SYNOPSIS

sq key userid revoke [ OPTIONS ]

DESCRIPTION

Revoke a user ID.

Creates a revocation certificate for a user ID.

If ‘--revoker‘ or ‘--revoker-file‘ is provided, then that key is used to create the revocation certificate. If that key is different from the certificate that is being revoked, this results in a third-party revocation. This is normally only useful if the owner of the certificate designated the key to be a designated revoker.

To revoke a user ID, the certificate must be valid under the current policy. If the certificate is not valid under the current policy, consider revoking the whole certificate, or fixing it using ‘sq cert lint‘ after verifying the certificate’s integrity. If the certificate is valid under the current policy, but the user ID you want to revoke isn’t, you can still revoke the user ID using ‘--add-userid‘.

‘sq key userid revoke‘ respects the reference time set by the top-level ‘--time‘ argument. When set, it uses the specified time instead of the current time when determining what keys are valid, and it sets the revocation certificate’s creation time to the reference time instead of the current time.

OPTIONS

Subcommand options

--add-email = EMAIL

Use a user ID with the specified email address

The user ID consists of just the email address. The email address does not have to appear in a self-signed user ID.

--add-userid = USERID

Use the specified user ID

The specified user ID does not need to be self signed.

Because using a user ID that is not self-signed is often a mistake, you need to use this option to explicitly opt in.

--allow-non-canonical-userids

Don’t reject new user IDs that are not in canonical form

Canonical user IDs are of the form ‘Name (Comment) <localpart@example.org>‘.

--cert = FINGERPRINT|KEYID

Revoke the user ID from the key with the specified fingerprint or key ID

--cert-email = EMAIL

Revoke the user ID from the key where a user ID includes the specified email address

--cert-file = PATH

Revoke the user ID from the key read from PATH

--cert-userid = USERID

Revoke the user ID from the key with the specified user ID

--email = EMAIL

Use a user ID consisting of just the email address, if the email address occurs in a self-signed user ID

--message = MESSAGE

A short, explanatory text

The text is shown to a viewer of the revocation certificate, and explains why the certificate has been revoked. For instance, if Alice has left the organization, it might say who to contact instead.

--output = FILE

Write to the specified FILE

If not specified, and the certificate was read from the certificate store, imports the modified certificate into the cert store. If not specified, and the certificate was read from a file, writes the modified certificate to stdout.

--reason = REASON

The reason for the revocation

If the reason happened in the past, you should specify that using the ‘--time‘ argument. This allows OpenPGP implementations to more accurately reason about artifacts whose validity depends on the validity of the user ID.

[possible values: retired , unspecified ]

--revoker = FINGERPRINT|KEYID

Use key with the specified fingerprint or key ID to create the revocation certificate

Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third-party revocation.

--revoker-email = EMAIL

Use key where a user ID includes the specified email address to create the revocation certificate

Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third-party revocation.

--revoker-file = PATH

Read key from PATH to create the revocation certificate

Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third-party revocation.

--revoker-userid = USERID

Use key with the specified user ID to create the revocation certificate

Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third-party revocation.

--signature-notation NAME VALUE

Add a notation to the signature

A user-defined notation’s name must be of the form ‘name@a.domain.you.control.org‘. If the notation’s name starts with a ‘!‘, then the notation is marked as being critical. If a consumer of a signature doesn’t understand a critical notation, then it will ignore the signature. The notation is marked as being human readable.

--userid = USERID

Use the specified self-signed user ID

The specified user ID must be self signed.

--userid-by-email = EMAIL

Use the self-signed user ID with the specified email address

Global options

See sq (1) for a description of the global options.

EXAMPLES

Retire a user ID on Alice’s key.

sq key userid revoke --cert \

EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --userid \
"Alice <alice@example.org>" --reason retired --message \
"No longer at example.org."

SEE ALSO

sq (1), sq-key (1), sq-key-userid (1).

For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION

1.3.1

---