Strange trust problem

Mark Pettit pettit@yahoo-inc.com
Sat Feb 2 18:38:01 2002


>* On Fri, Feb 01, 2002 at 07:43:14PM -0800,
>* Mark Pettit <pettit@yahoo-inc.com> wrote:
>> Notice that the validity is "q".  Why is this?  The key "2222" has
>> been signed by user "1111".  I'm telling gpg that user "1111" is the
>> trusted-key.  Why is the key for "2222" not valid?
>
>I had a similar problem. I discovered an option to gnupg which showed
>me an error in my trustdb. Try "gpg --check-trustdb", perhaps your
>trustdb is broken. I solved the problem by deleting my trustdb and
>making a new one. This was ok for me, because I have only about three
>keys I trust (at the moment). Perhaps exporting, deleting and
>re-importing the trustdb could help, but I don't know. There seems to
>be another (in the manpage) undocumented option "--fix-trustdb" but I
>don't know its purpose.

The 'check-trustdb' didn't show me anything useful.  The first time I
ran it, it said:

  gpg: 10 keys processed
  gpg:    8 due to new pubkeys
  gpg:    2 keys skipped

Then I ran it again, and it said:

  gpg: 10 keys processed
  gpg:    10 keys skipped

But the validity for the key "2222" was still "q".

So I deleted the trustdb.gpg file, and re-ran the "--list-keys
--with-colons".  That fixed the problem.

I tried running "--fix-trustdb", but it said this:

  gpg: this command is not yet implemented.
  gpg: A workaround is to use "--export-ownertrust", remove
  gpg: the trustdb file and do an "--import-ownertrust".

So my next question is, what's a reliable way of using gpg for this
kind of automated authentication?  Should I just delete trustdb.gpg at
the beginning of every run?  There isn't any "assigned" trust in the
system, because I'm strictly relying on signatures on keys.

-- 
Mark K. Pettit          "Ragged lines of ragged grey
pettit@yahoo-inc.com     Skeletons they shuffle away"
Technical Yahoo
Yahoo!, Inc., 701 First Avenue, Sunnyvale, CA 94089
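
The validity check this message relies on, as an added example that is not part of the original post: it reads `--list-keys --with-colons` output and accepts a key only when its validity field is `f` or `u`, so a `q` result or a missing key stops the run. The function names `key_validity` and `key_is_valid` are hypothetical, the sample listing is constructed, and the code assumes the validity is field 2 and the long key ID is field 5 of a `pub` record.

```shell
#!/bin/sh
# Added example (not from the original post): gate an automated run on the
# validity that gpg computed for a key, failing closed on anything uncertain.

# Constructed sample of `gpg --list-keys --with-colons` output.
# Key IDs, dates and user IDs are made up for illustration.
SAMPLE_LISTING='pub:u:1024:17:A1B2C3D400001111:2002-01-30:::u:Signer (constructed) <signer@example.org>::
sub:u:1024:16:A1B2C3D4000011FF:2002-01-30::::::
pub:q:1024:17:A1B2C3D400002222:2002-01-31:::-:Host key (constructed) <host@example.org>::
pub:f:1024:17:A1B2C3D400003333:2002-01-31:::-:Other host (constructed) <other@example.org>::'

# key_validity KEYID
# Reads a colon listing on stdin and prints field 2 (validity) of the pub
# record whose long key ID (field 5) equals KEYID. Prints nothing if the key
# is absent. toupper() forces a string comparison, so an all-digit key ID is
# never compared as a number.
key_validity() {
    awk -F: -v id="$1" '
        $1 == "pub" && toupper($5) == toupper(id) { print $2; exit }'
}

# key_is_valid KEYID
# Succeeds only for validity f (fully valid) or u (ultimately valid).
# q (undefined), - (unknown), n, m, e, r, d, i, an empty field and a key
# that is not in the listing all fail.
key_is_valid() {
    case "$(key_validity "$1")" in
        f|u) return 0 ;;
        *)   return 1 ;;
    esac
}

# Real use (KEYID is the 16-hex-digit long key ID of the key to check):
#   gpg --list-keys --with-colons | key_is_valid "$KEYID" || exit 1
```
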