If you have been messing around with Sequoia-PGP (sq), the command-line tool pitched as a potential GnuPG replacement, you may have noticed that there doesn’t appear to be a way to delete ‘certs’ from the certificate store.
After spending some time digging through the manpages and documentation without finding any clarification, it appears that this isn’t an oversight but a matter of opinion. The developers treat the certificate store as an intentionally append-only list, and an issue created about this has been left open for 3 years.
This means that if you were experimenting with creating/deleting keys and certs or importing external certs, your certificate store becomes littered with unused or broken certs with no way to clean it up (this could even be considered a privacy risk, since the default stance is to automatically “hide” them from users rather than remove them).
Unfortunately, if you are at this point, the only solution is nuclear: wipe the entire cert store and start over. Before moving forward, however, be sure to back up your certs & keys.
backing up keys & certs
First, export your full keys, as they are also listed in the cert output. List them with:
    sq key list
and then export them with:
    sq key export --cert KEYFINGERPRINT --output examplename.key.asc
Next, export any certs that you want to keep and re-import. List them with:
    sq cert list
and export them with:
    sq cert export --cert KEYFINGERPRINT --output examplename.cert.asc
The original documentation for these steps can be found here:
wiping everything
To find where Sequoia-PGP is storing its configuration and data, run:
    sq config inspect paths
On macOS, these will be in an entirely different location than indicated in the documentation.
Certificate Store:
    /Users/YOURUSERNAME/Library/Application Support/pgp.cert.d
Keystore:
    /Users/YOURUSERNAME/Library/Application Support/org.Sequoia-PGP.sequoia/keystore
Navigate to these directories and delete their contents. You can confirm that this worked by running sq cert list and sq key list: no keys or certificates should show up.
Note: if you have GnuPG set up, Sequoia-PGP will automatically pick up keys from the ~/.gnupg/ directory.
re-import keys & certs
Importing is straightforward:
    sq key import examplename.key.asc
workaround
A clunky workaround proposed in the GitLab issue mentioned above is to use a temporary configuration directory: point the SEQUOIA_HOME environment variable at it (e.g., export SEQUOIA_HOME=$HOME/.tmp-sequoia-data), experiment there, and delete the whole directory afterwards.
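The scratch-home workaround as a small POSIX sh helper, added here as an example and not code from this post or from the Sequoia project: it creates a throwaway SEQUOIA_HOME, runs any sq command inside it, and refuses to delete anything that is not one of its own scratch directories. The scratch_sq_* function names and the sq-scratch.* directory naming are this example's assumptions.

```shell
#!/bin/sh
# Throwaway SEQUOIA_HOME helper (example code; the scratch_sq_* names are
# this example's own, not part of sq). Everything sq writes while
# SEQUOIA_HOME points here lands in the scratch dir, so the real
# append-only cert store stays clean and the whole dir can be removed.
set -u

SCRATCH_BASE=${TMPDIR:-/tmp}

# Create a fresh scratch home and print its path. mktemp -d creates the
# directory mode 0700, so secret keys imported into it stay private.
scratch_sq_create() {
    mktemp -d "$SCRATCH_BASE/sq-scratch.XXXXXX"
}

# Run one command with SEQUOIA_HOME pointed at the scratch home ($1).
# Example: scratch_sq_run "$h" sq cert import examplename.cert.asc
scratch_sq_run() {
    home=$1
    shift
    SEQUOIA_HOME=$home "$@"
}

# Remove a scratch home. Only paths of the exact shape mktemp produced
# under SCRATCH_BASE are accepted, and anything containing ".." is
# rejected, so a mistyped or traversing path cannot wipe a real store.
scratch_sq_destroy() {
    case $1 in
        *..*)
            printf 'refusing to delete %s: contains ..\n' "$1" >&2
            return 1 ;;
        "$SCRATCH_BASE"/sq-scratch.??????)
            rm -rf "$1" ;;
        *)
            printf 'refusing to delete %s: not a scratch home\n' "$1" >&2
            return 1 ;;
    esac
}

# Stand-alone demo (only if sq is installed): list certs in an empty
# scratch store, then clean up. The real store is never touched.
if command -v sq >/dev/null 2>&1; then
    h=$(scratch_sq_create)
    scratch_sq_run "$h" sq cert list
    scratch_sq_destroy "$h"
fi
```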
Ultimately, however, this isn’t a real solution for proper certificate management, so GnuPG will remain my default choice for now.