feature request: always-trust [<keyring>]

Michael Young mwy-gpg41 at the-youngs.org
Thu May 2 06:43:01 CEST 2002


Jeff Breidenbach <jab at debian.org> asked for:
> What: ability to specify that everything in a specific
>       keyring will be trusted by default.

This sounds like a reasonable request to me.  As you note, there
is already an "--always-trust" switch -- it's just global.
But I'm not one of the people you need to convince.

> Why:  In Debian, I can have a list of hundreds of developer
>       keys stored locally in /usr/share/keyrings/debian-keyring.gpg.
>       This file is trusted by me, dynamic, and is maintained by the
>       Debian Project. So I use the file as one of my keyrings.

I know you didn't ask for workarounds, but in case your request
isn't filled in a timely manner...

Could you convince whoever is maintaining the keyring to sign the keys
using some well-known "Debian Project" key?  Then, you could use the
existing trust mechanisms (up to and including the "--trusted-key"
switch).  This would also let you (or others) pick up keys from
keyservers, rather than rely purely on secure delivery of the shared
keyring file.

Failing that, you could automatically generate (local) signatures for
everything on the trusted keyring.  I would use a local key specific
to this purpose.  This requires some trickery: the "--batch" switch
disallows signing; the "--yes" switch has no effect.  It seems that
you need to use the "--command-fd" gadgetry (and in theory use the
"--status-fd" switch to know what to feed it), as in (using csh syntax):

    # List every key ID (field 5 of the "pub" records) and locally sign
    # each one, answering the confirmation prompt through --command-fd 0.
    foreach x (`gpg --with-colons --list-keys | awk -F: '/^pub/{print $5}'`)
        echo YES | gpg -u your_project_key --command-fd 0 --lsign-key $x
    end
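
The same workaround as a POSIX sh script, added here as an example rather than taken from the post: it parses the colon listing for key IDs and feeds each one to --lsign-key through --command-fd, with a dry-run mode that only prints the gpg invocations. The GPG variable, the print_only stand-in and the sample listing are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the original post's csh loop): a POSIX sh version of the
# "locally sign every key on the keyring" workaround. Key IDs come from field 5
# of the "pub" records in `gpg --with-colons --list-keys` output, and each ID is
# fed to `gpg --command-fd 0 --lsign-key` with a "YES" answer, as the post
# describes. GPG (the command to run) and SAMPLE_LISTING (a constructed colon
# listing used for the dry run) are this example's own assumptions.
GPG="${GPG:-gpg}"

# Print the long key ID of every primary key ("pub" record) read from stdin.
# Comparing field 1 exactly avoids picking up "sub" or "uid" records.
keyids_from_colons() {
    awk -F: '$1 == "pub" { print $5 }'
}

# Locally sign every key in the colon listing on stdin with the project key $1.
# "YES" is piped in to answer the interactive confirmation that --lsign-key asks.
lsign_all() {
    signer="$1"
    keyids_from_colons | while read -r id; do
        echo YES | "$GPG" -u "$signer" --command-fd 0 --lsign-key "$id"
    done
}

# Stand-in for gpg in a dry run: prints the arguments instead of signing.
print_only() { printf '%s\n' "$*"; }

# Constructed sample listing: two primary keys, each with a uid and a subkey.
SAMPLE_LISTING='tru::1:1356868000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1356868000:::u:::scESC::::::23::0:
uid:u::::1356868000::C0FFEE::Example Developer <dev@example.org>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1356868000::::::e::::::23:
pub:-:4096:1:1111222233334444:1400000000:::-:::scESC::::::23::0:
uid:-::::1400000000::DEADBEEF::Second Developer <second@example.org>::::::::::0:
sub:-:4096:1:4444333322221111:1400000000::::::e::::::23:'

# Dry run on the sample listing: shows the gpg invocations without running gpg.
# Real use:  gpg --with-colons --list-keys | lsign_all <project-key-id>
if [ "${1:-}" = "--dry-run" ]; then
    GPG=print_only
    printf '%s\n' "$SAMPLE_LISTING" | lsign_all PROJECTKEY
fi
```

Run it with --dry-run first; only the two "pub" key IDs are signed, the subkeys are skipped because lsign applies to the primary key.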


While we're asking for features, I'll repeat my plea for one that
would help out on this workaround.  I'd sorely like to be able to use
the "--edit-key" commands (of which "--lsign" is a special case)
without having to deal with all of the questions.  It would be fine to
reuse an existing switch (like "--batch" or "--expert") or grow a new
one ("--just-do-it" or "--really-yes") to carry this meaning.
The same principle could be applied to disable the questions
about key size :-).

More information about the Gnupg-devel mailing list