Question about check command

Dirk Traulsen dirk.traulsen at
Fri Jun 22 08:52:10 CEST 2007

Am 4 Jun 2007 um 20:56 hat hs2412 at geschrieben:

> When I run the check command in edit-key mode, it shows me
> something like
> sig!
> or sig!1
> or sig!3
> What does this mean? 

Hi Hardeep,

there are two answers to your question: A simple one and a difficult 
It's easy to answer why these three differ, but not trivial to find 
the answer why they have the exclamation mark in common. 

1. Why are there signatures shown with nothing, 1 or 3 after the 
exclamation mark?

They are flags showing the certification check level or trust level 
the signer gave the UID and the key, while signing (certifying) it. 
1-3 should be clear and zero is shown as sig! (not sig!0).

You can find the solution in the manual:
     For  each  signature  listed, there are several flags in between
     the "sig" tag and keyid. These flags give additional information
     about  each  signature. From left to right, they are the numbers
     1-3 for certificate check level (see --ask-cert-level), "L"  for
     a local or non-exportable signature (see --lsign-key), "R" for a
     nonRevocable signature (see the  --edit-key  command  "nrsign"),
     "P"  for a signature that contains a policy URL (see --cert-pol-
     icy-url), "N" for a signature  that  contains  a  notation  (see
     --cert-notation),  "X" for an eXpired signature (see --ask-cert-
     expire), and the numbers 1-9 or "T" for 10 and above to indicate
     trust signature levels (see the --edit-key command "tsign").

--default-cert-level n
     The default to use for the check level when signing a key.
     0 means you make no particular claim as  to  how  carefully  you
     verified the key.
     1 means you believe the key is owned by the person who claims to
     own it but you could not, or did not verify the key at all. This
     is  useful  for a "persona" verification, where you sign the key
     of a pseudonymous user.
     2 means you did casual verification of  the  key.  For  example,
     this  could  mean that you verified that the key fingerprint and
     checked the user ID on the key against a photo ID.
     3 means you did extensive verification of the key. For  example,
     this  could  mean that you verified the key fingerprint with the
     owner of the key in person, and that you checked, by means of  a
     hard to forge document with a photo ID (such as a passport) that
     the name of the key owner matches the name in the user ID on the
     key,  and  finally that you verified (by exchange of email) that
     the email address on the key belongs to the key owner.
     Note that the examples given above for levels 2 and 3  are  just
     that:  examples. In the end, it is up to you to decide just what
     "casual" and "extensive" mean to you.
     This option defaults to 0 (no particular claim).

2. What meaning has the exclamation mark?

This is a question originally targeted to the developers of gnupg as 
it is not documented anywhere. At least I did not find it. It is not 
even documented in the DETAILS file. This made me so curious, that I 
downloaded the actual source code and began searching for the 
Well, here is what I found:

The signature list is put together by two different functions in
g10\keylist.c -> list_keyblock_print and list_keyblock_colon,
depending whether you used --with-colon as option or not.

The flag directly behind the sig gives the result of the signature 
It is one of the following flags: [ ],!,-,%,?.
empty = no signature check
!     = successful check = good signature
-     = bad signature
%     = other error during check

and only when using the --with-colon option (why?):

?     = no or unusable public key

So, this is my analysis of the source code and I'm really quite 
confident that it is correct, but it should be confirmed by a 
developer of gnupg.

And I think, as this is part of the output, it really should get 
documented in the manual and at least in the DETAILS file.


More information about the Gnupg-users mailing list