Verify the signature for a UID using a certificate (before attestation)
When Alice gets a signature certificate for her UID alice@foo.com from Bob, she wants to verify that Bob's key 0xBob was indeed used to create the signature. Only afterwards does she want to create an attestation certificate, which allows the distribution of Bob's signature.
Alice currently has no command to directly check that the signature certificate was really created using Bob's key (e.g. sq inspect --certifications <certificate> only shows Alleged certifier: 0xBob and adds Note: Certifications have NOT been verified!).
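To make concrete what "Alleged certifier" means, here is an added Python example (not sq's or Sequoia's code) that walks an OpenPGP certificate and reports, per User ID, the issuer that each third-party certification merely claims in its Issuer Fingerprint / Issuer subpackets. The sample certificate, the fingerprint standing in for 0xBob and all packet contents are constructed, and no signature is cryptographically verified, which is exactly the gap this request asks sq verify to fill.

```python
# Added example (not sq's own code); see the lead-in. Parses RFC 4880 packets, verifies nothing.
import hashlib, struct

def _length(buf, i, sub=False):   # new-format packet length, or subpacket length if sub=True
    n = buf[i]
    if n < 192: return n, i + 1
    if n < (255 if sub else 224): return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    if n == 255: return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not supported")

def iter_packets(data):   # yields (tag, body) for new-format and old-format (1/2/4-octet length) headers
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40: tag, (n, i) = ctb & 0x3F, _length(data, i)
        else: tag, size = (ctb >> 2) & 0x0F, 1 << (ctb & 3); n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]; i += n

def iter_subpackets(area):   # yields (type, data) with the critical bit masked off the type
    i = 0
    while i < len(area):
        n, i = _length(area, i, sub=True)
        yield area[i] & 0x7F, area[i + 1:i + n]; i += n

def alleged_issuer(sig):   # -> (signature type, first claimed issuer: fingerprint (33) or key ID (16), or None)
    assert sig[0] == 4, "only v4 signatures are handled"
    hlen = struct.unpack(">H", sig[4:6])[0]; ulen = struct.unpack(">H", sig[6 + hlen:8 + hlen])[0]
    subs = list(iter_subpackets(sig[6:6 + hlen])) + list(iter_subpackets(sig[8 + hlen:8 + hlen + ulen]))
    return sig[1], next(((d[1:] if t == 33 else d).hex().upper() for t, d in subs if t in (16, 33)), None)

def alleged_certifiers(cert):   # {user id: [alleged certifier, ...]}; self-signatures are excluded
    result, primary, uid = {}, "", None
    for tag, body in iter_packets(cert):
        if tag == 6: primary = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
        elif tag == 13: uid = body.decode("utf-8", "replace"); result.setdefault(uid, [])
        elif tag in (14, 17): uid = None   # subkey/attribute packets: later sigs are not UID certifications
        elif tag == 2 and uid is not None:
            sig_type, issuer = alleged_issuer(body)   # 0x10..0x13 = certification signature types
            if 0x10 <= sig_type <= 0x13 and issuer and not primary.endswith(issuer):   # key ID = low 8 octets
                result[uid].append(issuer)
    return result

# Constructed sample: Alice's cert with her self-sig and Bob's alleged certification. Signature
# packets are shells with dummy MPIs: they parse, but could never verify.
def packet(tag, body): return bytes([0xC0 | tag, len(body)]) + body
def sig_packet(sig_type, fpr):   # v4, EdDSA, SHA-256, hashed area = Issuer Fingerprint subpacket, no unhashed area
    hashed = bytes([22, 33, 4]) + fpr
    return packet(2, bytes([4, sig_type, 22, 8]) + struct.pack(">H", len(hashed)) + hashed + b"\0\0\xAB\xCD" + b"\0\x08\xFF" * 2)
ALICE_KEY = packet(6, bytes.fromhex("04 63934d00 16 09 2b06010401da470f01 0107 40") + bytes(32))   # Ed25519-shaped
ALICE_FPR = hashlib.sha1(b"\x99" + struct.pack(">H", len(ALICE_KEY) - 2) + ALICE_KEY[2:]).digest()
BOB_FPR = bytes.fromhex("B0B1" * 10)   # constructed 20-octet fingerprint standing in for 0xBob
SAMPLE_CERT = ALICE_KEY + packet(13, b"Alice <alice@foo.com>") + sig_packet(0x13, ALICE_FPR) + sig_packet(0x10, BOB_FPR)
```

Running alleged_certifiers(SAMPLE_CERT) yields Bob's fingerprint under Alice's UID, but that is no more than what the unauthenticated subpacket says; only checking the signature against Bob's public key turns "alleged" into "verified".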
Just as sq verify can verify signed messages and detached signatures, it would be helpful if Alice could verify the signature she received against a public key.
Using the existing interface one could envision:
sq verify --signer-cert=CERT --uid=UID FILE
Here --signer-cert=CERT denotes Bob's PGP public key as Alice holds it, --uid=UID the target UID for the verification (alice@foo.com), and FILE the signature certificate that Alice received (allegedly from Bob).
Similar to the current sq verify output, one could envision:
Good signature from XXXXXXXXXXXXXXXX
1 good signature.
If FILE contains more than one certification, they could be listed using timestamps:
Good signatures from XXXXXXXXXXXXXXXX
2 good signatures:
2022-12-09 12:00:00 UTC
2022-12-09 12:10:00 UTC
If the certificate does not match:
No key to check checksum from XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
1 unknown checksum.
Error: Verification failed
If FILE contains more than one certification, of which at least one fails to verify:
No key to check checksum from XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
1 unknown checksum in 2 signatures.
Error: Verification failed
In addition to the changes to sq verify, one could extend sq inspect with a --signer-cert=CERT option that verifies the certifications listed with --certifications, so that the output may state Verified certifier: 0xBob and Note: Certifications have been verified!.