Provided by: sq_1.3.1-2_amd64

NAME

       sq-pki-link-add - Link a certificate and a user ID

SYNOPSIS

       sq pki link add [OPTIONS]

DESCRIPTION

       Link a certificate and a user ID.

       This  causes  `sq` to consider the certificate and user ID binding to be authentic.  You would do this if
       you are confident that a particular certificate should be associated with Alice, for example.  Note: this
       does not consider the certificate to be a trusted  introducer;  it  only  considers  the  binding  to  be
       authentic.  To authorize a certificate to be a trusted introducer use `sq pki link authorize`.

       A link can be retracted using `sq pki link retract`.

       This command is similar to `sq pki vouch add`, but the certifications it makes are done using the
       certificate directory's trust root, not an arbitrary key.  Further, the certifications are marked as
       non-exportable.  The former makes it easier to manage certifications, especially when the user's
       certification key is offline.  And the latter improves the user's privacy, by reducing the chance that
       parts of the user's social graph are leaked when a certificate is shared.

       By default a link never expires.  This can be overridden using the `--expiration` argument.

       `sq  pki link add` respects the reference time set by the top-level `--time` argument. It sets the link's
       creation time to the reference time.

OPTIONS

   Subcommand options
       --add-email=EMAIL
              Use a user ID with the specified email address

              The user ID consists of just the email address.  The email address does not have to  appear  in  a
              self-signed user ID.

       --add-userid=USERID
              Use the specified user ID

              The specified user ID does not need to be self signed.

              Because using a user ID that is not self-signed is often a mistake, you need to use this option to
              explicitly opt in.

       --all  Use all self-signed user IDs

       --allow-non-canonical-userids
              Don't reject new user IDs that are not in canonical form

              Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

       --amount=AMOUNT
              Set the amount of trust

              Values  between  1 and 120 are meaningful. 120 means fully trusted.  Values less than 120 indicate
              the degree of trust.  60 is usually used for partially trusted.

              [default: full]

       --cert=FINGERPRINT|KEYID
              Use certificates with the specified fingerprint or key ID

       --cert-special=SPECIAL
              Use certificates identified by the special name

              [possible values: public-directories, keys.openpgp.org, keys.mailvelope.com, proton.me, wkd, dane,
              autocrypt, web]

       --email=EMAIL
              Use a user ID consisting of just the email address, if the email address occurs in  a  self-signed
              user ID

       --expiration=EXPIRATION
              Sets the expiration time

              EXPIRATION  is  either  an  ISO 8601 formatted date with an optional time or a custom duration.  A
              duration takes the form `N[ymwds]`, where the letters stand for years, months,  weeks,  days,  and
              seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.

              [default: never]

       --recreate
              Recreate signature even if the parameters did not change

              If  the  link parameters did not change, and thus creating a signature should not be necessary, we
              omit the operation.  This flag can be given to force the signature to be re-created anyway.

       --signature-notation NAME VALUE
              Add a notation to the signature

              A user-defined notation's name  must  be  of  the  form  `name@a.domain.you.control.org`.  If  the
              notation's  name  starts with a `!`, then the notation is marked as being critical.  If a consumer
              of a signature doesn't understand a critical notation, then it will  ignore  the  signature.   The
              notation is marked as being human readable.

       --temporary
              Temporarily accepts the binding

              Creates a fully trusted link between a certificate and one or more User IDs for a week.  After
              that, the link is automatically downgraded to a partially trusted link (trust = 40).

       --userid=USERID
              Use the specified self-signed user ID

              The specified user ID must be self signed.

       --userid-by-email=EMAIL
              Use the self-signed user ID with the specified email address

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Link the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with the email address alice@example.org.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --email=alice@example.org

       First, examine the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0.

              sq inspect --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0

       Then,  temporarily  accept  the  certificate  EB28F26E2739A4870ECC47726F0073F60FD0CBF0  with  all  of its
       self-signed user IDs for a week.

              sq pki link add --expiration=1w \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all

       Once satisfied, permanently accept the certificate EB28F26E2739A4870ECC47726F0073F60FD0CBF0 with  all  of
       its self-signed user IDs.

              sq pki link add \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --all
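
       When links are added from a script, the argument formats described under OPTIONS can be checked
       before `sq` is invoked.  The following is an added example, not part of the sq documentation or
       code: it validates the `--amount` and `--expiration` values and prints the resulting command for
       review instead of running it.  The function names, the refusal of key IDs, the restricted ISO 8601
       subset and the conservative email character set are assumptions of this example, not rules
       enforced by `sq`.

```sh
#!/bin/sh
# Added example: pre-flight checks for `sq pki link add` arguments.
# Function names and the stricter-than-sq policy choices are assumptions.

# True if $1 is a single line matching extended regex $2.
matches() {
    case $1 in *"
"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "$2"
}

# Policy: full fingerprints only (40 or 64 hex digits); key IDs are refused.
valid_fingerprint() { matches "$1" '^([0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$'; }

# --amount: "full" (the documented default) or an integer from 1 to 120.
valid_amount() {
    [ "$1" = full ] && return 0
    matches "$1" '^[1-9][0-9]{0,2}$' && [ "$1" -le 120 ]
}

# --expiration: "never", N[ymwds], or YYYY-MM-DD with an optional time.
# Only this subset of ISO 8601 is accepted here (script assumption).
valid_expiration() {
    [ "$1" = never ] && return 0
    matches "$1" '^[1-9][0-9]*[ymwds]$' && return 0
    matches "$1" '^[0-9]{4}-[0-9]{2}-[0-9]{2}(T[0-9]{2}:[0-9]{2}(:[0-9]{2})?Z?)?$'
}

# Print the command for review; return 1 and explain on the first bad value.
# usage: link_cmd FINGERPRINT EMAIL [AMOUNT] [EXPIRATION]
link_cmd() {
    fpr=$1 email=$2 amount=${3:-full} exp=${4:-never}
    valid_fingerprint "$fpr" || { echo "not a full fingerprint: $fpr" >&2; return 1; }
    matches "$email" '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$' ||
        { echo "unexpected email: $email" >&2; return 1; }
    valid_amount "$amount" || { echo "amount must be 1-120 or full" >&2; return 1; }
    valid_expiration "$exp" || { echo "bad expiration: $exp" >&2; return 1; }
    printf 'sq pki link add --cert=%s --email=%s --amount=%s --expiration=%s\n' \
        "$fpr" "$email" "$amount" "$exp"
}

# Constructed sample call using the fingerprint from the examples above.
link_cmd EB28F26E2739A4870ECC47726F0073F60FD0CBF0 alice@example.org 60 1w
```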

SEE ALSO

       sq(1), sq-pki(1), sq-pki-link(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION

       1.3.1

Sequoia PGP                                           1.3.1                                                SQ(1)