GnuPG 1.0.7: Undocumented calculated trust in --with-colon output

Ingo Klöcker
Wed May 1 00:57:01 2002



After compiling and installing GnuPG 1.0.7, running
'gpg --rebuild-keydb-caches', making my keys ultimately trusted and running
'gpg --check-trustdb', I noticed that a lot of keys in the
'gpg --list-keys --with-colon --fixed-list-mode' output have a '-' as
calculated trust. Example:

uid:-::::::::Werner Koch (gnupg sig) <>:

Unfortunately the meaning of the '-' is not documented in doc/DETAILS:
 2. Field:  A letter describing the calculated trust. This is a single
            letter, but be prepared that additional information may 
            in some future versions. (not used for secret keys)
                o = Unknown (this key is new to the system)
                i = The key is invalid (e.g. due to a missing 
                d = The key has been disabled
                r = The key has been revoked
                e = The key has expired
                q = Undefined (no value assigned)
                n = Don't trust this key at all
                m = There is marginal trust in this key
                f = The key is full trusted.
                u = The key is ultimately trusted; this is only used for
                    keys for which the secret key is also available.

I'm mainly asking because programs which parse the --with-colon output 
need to be updated to take the '-' into account.

The '-' probably means that no trust path (from one of my ultimately 
trusted keys) leads to this key and therefore the trust can't be 
calculated. Is this correct?

If yes, then why isn't 'q' used? Or does 'q' mean there is a path from 
an u.t. key to this key but at least one key on the path lacks the 
owner trust value?

If this is the case, then why isn't 'o' used? Is 'o' still used? I never 
saw it on a key.

Last but not least, the description of 'u' in doc/DETAILS is outdated as 
'u' is no longer automatically used for complete key pairs.


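One way for a parser to take the '-' into account, as an added example that is not part of the original post or of GnuPG: it checks field 2 against the letters in the doc/DETAILS excerpt above and fails closed on anything else. The `USABLE` policy set, the function names, and every sample line except the quoted uid line are assumptions constructed for this example.

```python
# Added example: fail-closed handling of field 2 (calculated trust).
# Letters and meanings are those listed in the doc/DETAILS excerpt above.
DOCUMENTED = {
    "o": "unknown", "i": "invalid", "d": "disabled", "r": "revoked",
    "e": "expired", "q": "undefined", "n": "never trust",
    "m": "marginal", "f": "full", "u": "ultimate",
}
# Assumption (policy of this example): only these letters make a key usable.
USABLE = frozenset("mfu")

def parse_trust(output):
    """Return one dict per pub/sub/uid record with its calculated trust."""
    records = []
    for line in output.splitlines():
        fields = line.split(":")
        # Field 2 is not used for secret keys, so 'sec' records are skipped.
        if len(fields) < 2 or fields[0] not in ("pub", "sub", "uid"):
            continue
        letter = fields[1][:1]  # read a single letter; empty field gives ""
        is_uid = fields[0] == "uid" and len(fields) > 9
        records.append({
            "type": fields[0],
            "trust": letter,
            "meaning": DOCUMENTED.get(letter, "undocumented"),
            # Allow-list check: '-' or any future letter is never usable.
            "usable": letter in USABLE,
            "user_id": fields[9] if is_uid else None,  # field 10
        })
    return records

def undocumented_letters(records):
    """Letters seen in field 2 that the excerpt does not list."""
    return sorted({r["trust"] for r in records if r["trust"] not in DOCUMENTED})

# First line is the one quoted in the post; the rest are constructed.
SAMPLE = "\n".join([
    "uid:-::::::::Werner Koch (gnupg sig) <>:",
    "uid:f::::::::Constructed User <user@example.org>:",
    "uid:x::::::::Future Letter <future@example.org>:",
    "pub:u:1024:17:0123456789ABCDEF:1020211200:::u:",
    "sec::1024:17:0123456789ABCDEF:1020211200:::",
])

if __name__ == "__main__":
    recs = parse_trust(SAMPLE)
    for r in recs:
        print(r["type"], repr(r["trust"]), r["meaning"], r["usable"])
    print("undocumented letters:", undocumented_letters(recs))
```

Logging the result of `undocumented_letters` surfaces a new value in field 2 instead of letting it pass silently as trusted or crash the parser.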