sq: Sequoia PGP Encrypt, Sign, Verify
sq is a modern OpenPGP tool that encrypts, signs, and verifies using Sequoia, an alternative to gpg with an explicit, scriptable interface.
Where gpg carries decades of keyring state, sq takes certs and keys as explicit file arguments, which suits ephemeral CI runners. Flag names differ slightly across sq versions, so pin the version.
What it does
sq encrypt encrypts a file to one or more recipient certificates. sq sign makes a signature with a secret key. sq verify checks a signature against a signer certificate. Keys and certs are passed as files, not pulled from an implicit keyring.
Common usage
sq encrypt --recipient-file alice.cert -o msg.pgp msg.txt
sq sign --signer-file release.key -o app.tar.gz.sig app.tar.gz
sq verify --signer-file release.cert --signature-file app.tar.gz.sig app.tar.gzOptions
| Flag | What it does |
|---|---|
| encrypt --recipient-file <cert> | Encrypt to a recipient certificate |
| sign --signer-file <key> | Sign with a secret key |
| verify --signer-file <cert> | Verify against a signer certificate |
| --signature-file <file> | Detached signature to check with verify |
| -o, --output <file> | Write output to a file |
In CI
Because sq takes explicit key/cert files, it avoids the "no secret key" keyring surprises common with gpg on fresh runners. Pin the sq version in a setup step, as flag spellings (for example --recipient-file) have shifted between releases.
Common errors in CI
"No key supplied" or "Missing recipient" means you forgot --recipient-file/--signer-file. "Signature verification failed" or "No known signature" means the wrong cert or a modified file. "unexpected argument" typically means the running sq version spells a flag differently than your script; check sq --version and the subcommand help.