[0.4.5] no chained trust possible?

Roland Rosenfeld roland at spinnaker.rhein.de
Wed Dec 9 12:25:11 CET 1998


I have some trouble getting a chain of trust with GPG 0.4.4 and 0.4.5.
As far as I can remember, 0.4.3 (and the CVS snapshot I got at
98-11-10) didn't have this problem.

Here's what happened: I signed the key of Thomas Roessler and fully
trust it as an introducer (this trust was imported from my PGP 2.*
keyring, but it worked with 0.4.3, too). If I read a message by
someone whose key is signed by Thomas, her key should be trusted,
too.

But when I try this, I get:

gpg: Signature made Sun Mar  1 14:44:26 1998 CET using RSA key ID A9B8829D
gpg: Good signature from "Bettina Fink <laura at krell.snafu.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

But now let's have a look at the keys (I manually removed from the
list the signatures that aren't needed here):

$ gpg -kvv 0xA9B8829D

pub  1024R/A9B8829D 1996-03-07 Bettina Fink <laura at krell.snafu.de>
sig        A9B8829D 1997-05-27  Bettina Fink <laura at krell.snafu.de>
uid                            Bettina Fink <laura at caissa.franken.de>
sig        A9B8829D 1997-05-11  Bettina Fink <laura at krell.snafu.de>
sig        593238E1 1996-11-21  Thomas Roessler <roessler at guug.de>
uid                            Bettina Fink <laura at sisyphus.franken.de>
sig        A9B8829D 1996-08-21  Bettina Fink <laura at krell.snafu.de>
uid                            Bettina Fink <laura at oops.franken.de>
sig        A9B8829D 1997-05-10  Bettina Fink <laura at krell.snafu.de>
uid                            Bettina Fink <laura at caissa.mayn.de>
sig        A9B8829D 1997-05-11  Bettina Fink <laura at krell.snafu.de>
sig        593238E1 1996-11-25  Thomas Roessler <roessler at guug.de>

So Thomas signed two of her uids with his 0x593238E1 key which looks
this way (again all irrelevant signatures manually removed):

pub  1280R/593238E1 1996-01-19 Thomas Roessler <roessler at guug.de>
sig        593238E1 1997-05-19  Thomas Roessler <roessler at guug.de>
uid                            Thomas Roessler <Thomas.Roessler at Sobolev.Rhein.DE>
sig        FCF20B7D 1997-01-06  Ulf Moeller <um at c2.net>
sig        A9B8829D 1996-11-21  Bettina Fink <laura at krell.snafu.de>
sig        593238E1 1996-01-21  Thomas Roessler <roessler at guug.de>
sig        DD08DD6D 1996-01-21  Roland Rosenfeld <roland at spinnaker.rhein.de>

So you can see that I myself signed his key and I completely trust
his key in the keyring imported from PGP 2. But I was unsure, so I ran
gpg --edit-key 0x593238E1

This shows me:
pub  1280R/593238E1  created: 1996-01-19 expires: never      trust: -/f
(1)  Thomas Roessler <roessler at guug.de>
(2)  Thomas Roessler <Thomas.Roessler at Sobolev.Rhein.DE>

(BTW: "trust: -/f" isn't very intuitive, maybe the output should be
more verbose?)

I entered the command "trust" and asked for more information using
"s". This is the answer of gpg:

Certificates leading to an ultimately trusted key:
1280R/593238E1.5472 1996-01-19 "Thomas Roessler <roessler at guug.de>"
  1024R/FCF20B7D.7767 1994-03-22 "Ulf Moeller <um at c2.net>"
     512R/F0841B11.4303 1994-04-23 "Arno Eigenwillig <arno at yaps.rhein.de>"
      1024R/DD08DD6D.4215 1995-01-15 "Roland Rosenfeld <roland at spinnaker.rhein.de>"

This isn't incorrect, but it also isn't the short path (I myself
signed 0x593238E1 directly using 0xDD08DD6D) I expected. I ignored
this funny path and selected "4 = I trust fully". After "save"
I tried again to check Bettina's signature, but I still get the
message that it isn't trusted.

After this I ran gpgm --update-trustdb and gpgm --check-trustdb, but
this didn't change the trust of Bettina's key either.

Just for the record:
gpg --edit-key 0xA9B8829D
gives the following output:

pub  1024R/A9B8829D  created: 1996-03-07 expires: never      trust: -/q
(1)  Bettina Fink <laura at krell.snafu.de>
(2)  Bettina Fink <laura at caissa.franken.de>
(3)  Bettina Fink <laura at sisyphus.franken.de>
(4)  Bettina Fink <laura at oops.franken.de>
(5)  Bettina Fink <laura at caissa.mayn.de>

But I don't know what "-/q" exactly means...


Many open questions, but Werner told me that he gets too few bug
reports, so here's a very confused one. I fear that the biggest
problem is sitting in front of my keyboard, but I don't see my
mistakes...

Ciao

        Roland

-- 
  * Internet: roland at spinnaker.rhein.de * Fido: 2:2450/42 *
 PGP: 1024/DD08DD6D   2D E7 CC DE D5 8D 78 BE  3C A0 A4 F1 4B 09 CE AF
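
Added example, not part of the original post and not GnuPG's trustdb code: a simplified model of the chain the report expects, using the key IDs and certifications from the listings above. It assumes the classic PGP rule that one fully trusted introducer is enough, ignores marginal trust, and uses hypothetical function names.

```python
from collections import deque

# Certifications (signer -> signed keys), transcribed from the listings in the post.
# The F0841B11 and FCF20B7D edges are read off the displayed trust path.
CERTS = {
    "DD08DD6D": ["593238E1", "F0841B11"],
    "F0841B11": ["FCF20B7D"],
    "FCF20B7D": ["593238E1"],
    "593238E1": ["A9B8829D"],
    "A9B8829D": ["593238E1"],
}
# Owner trust as described in the post; keys not listed are treated as
# untrusted introducers (an assumption of this example).
OWNERTRUST = {"DD08DD6D": "ultimate", "593238E1": "full"}


def valid_keys(certs, ownertrust):
    """Keys considered valid when one full/ultimate introducer is enough."""
    valid = {k for k, t in ownertrust.items() if t == "ultimate"}
    changed = True
    while changed:
        changed = False
        for signer in list(valid):
            if ownertrust.get(signer) not in ("full", "ultimate"):
                continue  # valid key, but not trusted to introduce others
            for signed in certs.get(signer, []):
                if signed not in valid:
                    valid.add(signed)
                    changed = True
    return valid


def shortest_path(certs, start, target):
    """Shortest certification chain from start to target, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in certs.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    print(sorted(valid_keys(CERTS, OWNERTRUST)))
    print(shortest_path(CERTS, "DD08DD6D", "593238E1"))
    print(shortest_path(CERTS, "DD08DD6D", "A9B8829D"))
```

Under this model 0xA9B8829D comes out valid through the two-step chain 0xDD08DD6D, 0x593238E1, while 0xFCF20B7D does not, because its only signer in the listings carries no introducer trust.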



