SQV(1) User Commands SQV(1)
NAME
sqv - An OpenPGP signature verification tool
SYNOPSIS
sqv [OPTIONS] FILE
DESCRIPTION
An OpenPGP signature verification tool.
sqv is a simple signature verification tool. It checks that signatures
are valid, and correctly issued by one of the certificates in the
specified keyring.
sqv can verify detached signatures, inline-signed messages, and messages
using the Cleartext Signature Framework.
To verify detached signatures, use the `--signature-file` argument
followed by the path to the detached signature file, and give the data file
as first positional argument:
$ sqv --keyring=... --signature-file=image.iso.sig image.iso
To verify an inline-signed message, use the `--message` argument, and
give the path to the inline-signed message as first positional argument.
When verifying an inline-signed message, `--output` has to be given:
$ sqv --keyring=... --output=authenticated.txt \
--message signed.pgp
To verify a message using the Cleartext Signature Framework, use the
`--cleartext` argument, and give the path to the message as first
positional argument. When verifying such a message, `--output` has to be
given:
$ sqv --keyring=... --output=authenticated.txt \
--cleartext message.txt
Finally, there is a legacy way to verify detached signatures, where the
path to the signature file and the path to the data file are given as
positional arguments. This form is deprecated, prefer the explicit
`--signature-file` form.
By default, one signature must be valid. This can be changed using the
`--signatures` argument.
A signature is valid if a signing-capable key can verify the signature.
The signing-capable key must be correctly bound to a certificate in the
keyring, and it must not be revoked, or expired. The certificate must
not be revoked or expired. The signature, the signing-capable key and
the certificate must all be valid according to the cryptographic policy.
By default, sqv configures the cryptographic policy using
</etc/crypto-policies/back-ends/sequoia.config>. That can be overridden
by setting the SEQUOIA_CRYPTO_POLICY environment variable to an
alternate file. The path must be absolute. The file's format is
described here: <https://docs.rs/sequoia-policy-config/>.
In some cases, the user expects signatures to be made within a certain
temporal window. This can be enforced using the `--not-before` and
`--not-after` arguments. The TIMESTAMPs must be given in ISO 8601 format
(e.g. `2017-03-04T13:25:35Z`, `2017-03-04T13:25`,
`20170304T1325+0830`, `2017-03-04`, `2017031`, etc.). If no timezone is
specified, UTC is assumed.
Exits with a non-zero status if the specified number of signatures could
not be verified.
OPTIONS
-V, --version
Print version
--cleartext
Verify a cleartext-signed message
-h, --help
Print help (see a summary with '-h')
--keyring=FILE
A keyring
--message
Verify an inline signed message
-n, --signatures=N
The number of valid signatures required to return success.
Note: this counts the number of certificates, not signatures.
Thus, if two signatures are issued by the same certificate, they
only count once.
[default: 1]
--not-after=TIMESTAMP
Consider signatures created after TIMESTAMP as invalid.
If only a date is given, 23:59:59 is used for the time. [default:
now]
--not-before=TIMESTAMP
Consider signatures created before TIMESTAMP as invalid.
If only a date is given, 00:00:00 is used for the time. [default:
no constraint]
--output=FILE
Write to FILE or stdout if omitted
--policy-as-of=TIMESTAMP
Select the cryptographic policy as of the specified time
The time is expressed as an ISO 8601 formatted timestamp. The
policy determines what cryptographic constructs are allowed.
If you are working with a message that sq rejects, because it is
protected by cryptographic constructs that are now considered
broken, you can use this option to select a different cryptographic
policy. If you are relying on the cryptography, e.g.,
you are verifying a signature, then you should only do this if
you are confident that the message hasn't been tampered with.
TIME is interpreted as an ISO 8601 timestamp. To set the policy
time to January 1, 2007 at midnight UTC, you can do:
$ sqv --policy-as-of 20070101 --message msg.pgp
Defaults to the current time.
--signature-file=SIG
Verify a detached signature file
-v, --verbose
Be verbose
FILE The inline-signed message, message using the Cleartext Signature
Framework, or data file
EXAMPLES
Verify a detached signature.
sqv --keyring=trusted.certs --signature-file=document.sig \
document.txt
Verify a detached signature, legacy interface.
sqv --keyring=trusted.certs document.sig document.txt
Verify a signed message.
sqv --keyring trusted.certs --message document.pgp
Verify a message using the Cleartext Signature Framework.
sqv --keyring trusted.certs --cleartext document.pgp
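A script that consumes signed data should act only on sqv's exit status and, for inline-signed messages, only on the file written via `--output`. The shell functions below are an added example, not part of sqv or the Sequoia project; the function names and the `SQV` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-closed wrappers around sqv (not shipped with Sequoia).
# Assumption: SQV may name an alternate sqv binary; defaults to sqv on PATH.
SQV="${SQV:-sqv}"

# The man page requires an absolute path in SEQUOIA_CRYPTO_POLICY when it is set.
policy_path_ok() {
    case "${SEQUOIA_CRYPTO_POLICY:-/}" in
        /*) return 0 ;;
        *)  echo "SEQUOIA_CRYPTO_POLICY must be an absolute path" >&2
            return 1 ;;
    esac
}

# verify_detached KEYRING SIG DATA [MIN_CERTS] [NOT_BEFORE]
# Returns sqv's exit status; anything non-zero means DATA must not be used.
verify_detached() {
    vd_keyring=$1 vd_sig=$2 vd_data=$3 vd_min=${4:-1} vd_nb=${5:-}
    policy_path_ok || return 2
    set -- "--keyring=$vd_keyring" "--signatures=$vd_min" "--signature-file=$vd_sig"
    if [ -n "$vd_nb" ]; then set -- "$@" "--not-before=$vd_nb"; fi
    "$SQV" "$@" "$vd_data"
}

# verify_inline KEYRING SIGNED OUT
# OUT is created only when sqv exits 0; consumers read OUT, never SIGNED.
verify_inline() {
    vi_keyring=$1 vi_signed=$2 vi_out=$3
    policy_path_ok || return 2
    # Private scratch directory next to OUT, so sqv writes to a fresh path.
    vi_tmp=$(mktemp -d "$(dirname "$vi_out")/.sqv.XXXXXX") || return 2
    if "$SQV" "--keyring=$vi_keyring" "--output=$vi_tmp/data" --message "$vi_signed"; then
        mv -f "$vi_tmp/data" "$vi_out"; vi_rc=$?
    else
        vi_rc=$?
    fi
    rm -rf "$vi_tmp"
    return "$vi_rc"
}
```

Because `--signatures` counts certificates rather than signatures, `verify_detached trusted.certs image.iso.sig image.iso 2` succeeds only when two distinct certificates in the keyring have signed the file.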
VERSION
1.3.0
Sequoia PGP 1.3.0 SQV(1)