trust value semantics

David Shaw dshaw at
Wed Nov 13 06:30:02 CET 2002

On Tue, Nov 12, 2002 at 09:35:12PM -0500, Joel N. Weber II wrote:

> What's less obvious is whether I need to care about the public key or
> subkey trust value.  The key question, I think, is whether there's a
> guarantee that any subkeys I see in the output of a command like the
> one below do in fact belong to the public key: whether the primary
> public key has signed the subkeys.  If that guarantee exists (and I
> *think* that the way --import works, that guarantee does exist), then
> I can just check the trust values on uids, and not worry about trust
> on public keys and subkeys; otherwise, I'm not entirely sure how to
> check that the subkeys I might want to use actually belong to that
> primary public key.

There is a guarantee.  You can't import a subkey that isn't signed by
the primary key.  If you manage to force it to import by manually
appending the key to your keyring, the subkey will have a validity of
"i" (for invalid).  Other than that, subkeys have the same validity as
the primary key, including "r" for revoked, and "e" for expired.


   David Shaw  |  dshaw at  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
