Question about check command
dirk.traulsen at lypso.de
Fri Jun 22 08:52:10 CEST 2007
Am 4 Jun 2007 um 20:56 hat hs2412 at gmail.com geschrieben:
> When I run the check command in edit-key mode, it shows me
> something like
> or sig!1
> or sig!3
> What does this mean?
there are two answers to your question: A simple one and a difficult
It's easy to answer why these three differ, but not trivial to find
the answer why they have the exclamation mark in common.
1. Why are there signatures shown with nothing, 1 or 3 after the
They are flags showing the certification check level or trust level
the signer gave the UID and the key, while signing (certifying) it.
1-3 should be clear and zero is shown as sig! (not sig!0).
You can find the solution in the manual:
For each signature listed, there are several flags in between
the "sig" tag and keyid. These flags give additional information
about each signature. From left to right, they are the numbers
1-3 for certificate check level (see --ask-cert-level), "L" for
a local or non-exportable signature (see --lsign-key), "R" for a
nonRevocable signature (see the --edit-key command "nrsign"),
"P" for a signature that contains a policy URL (see --cert-pol-
icy-url), "N" for a signature that contains a notation (see
--cert-notation), "X" for an eXpired signature (see --ask-cert-
expire), and the numbers 1-9 or "T" for 10 and above to indicate
trust signature levels (see the --edit-key command "tsign").
The default to use for the check level when signing a key.
0 means you make no particular claim as to how carefully you
verified the key.
1 means you believe the key is owned by the person who claims to
own it but you could not, or did not verify the key at all. This
is useful for a "persona" verification, where you sign the key
of a pseudonymous user.
2 means you did casual verification of the key. For example,
this could mean that you verified that the key fingerprint and
checked the user ID on the key against a photo ID.
3 means you did extensive verification of the key. For example,
this could mean that you verified the key fingerprint with the
owner of the key in person, and that you checked, by means of a
hard to forge document with a photo ID (such as a passport) that
the name of the key owner matches the name in the user ID on the
key, and finally that you verified (by exchange of email) that
the email address on the key belongs to the key owner.
Note that the examples given above for levels 2 and 3 are just
that: examples. In the end, it is up to you to decide just what
"casual" and "extensive" mean to you.
This option defaults to 0 (no particular claim).
2. What meaning has the exclamation mark?
This is a question originally targeted to the developers of gnupg as
it is not documented anywhere. At least I did not find it. It is not
even documented in the DETAILS file. This made me so curious, that I
downloaded the actual source code and began searching for the
Well, here is what I found:
The signature list is put together by two different functions in
g10\keylist.c -> list_keyblock_print and list_keyblock_colon,
depending whether you used --with-colon as option or not.
The flag directly behind the sig gives the result of the signature
It is one of the following flags: [ ],!,-,%,?.
empty = no signature check
! = successful check = good signature
- = bad signature
% = other error during check
and only when using the --with-colon option (why?):
? = no or unusable public key
So, this is my analysis of the source code and I'm really quite
confident that it is correct, but it should be confirmed by a
developer of gnupg.
And I think, as this is part of the output, it really should get
documented in the manual and at least in the DETAILS file.
More information about the Gnupg-users