GPGSM how to set key to "always trust"?

Werner Koch
Fri Feb 13 16:41:42 CET 2009

On Fri, 13 Feb 2009 15:11, db111 said:

> I would like to set a certificate to "fully trusted". I imported my
> friend's certificate but GPGSM can't encrypt the message because of "Missing
> certificate". Can somebody help me: how do I set the "always trust" mode?

There is nothing like this with X.509 (i.e. gpgsm).  You need to trust
the Root CA's certificate, and then all certificates issued by the CA or
its Intermediate CAs are trusted and usable.  This is much the same
as with Web browsers, where you can add other Root CA certificates (or,
better, remove a whole bunch of them).

With GPGSM there is a distinction between having a certificate in your
local ~/.gnupg/keyring.kbx file and marking it as trusted.  To make it
work you need to do both: import the Root certificate and mark it
trusted.  Import is done using something like "gpgsm --import
rootca.der".  Marking it as trusted can be done by manually editing the
file ~/.gnupg/trustlist.txt (there are instructions at the top) or by
putting a line "allow-mark-trusted" into ~/.gnupg/gpg-agent.conf and
giving gpg-agent a HUP.  With allow-mark-trusted active, gpg-agent will
ask you whether you trust that root certificate and insert it for you
into the trustlist.txt.

Note that you need to import intermediate certificates as well in case
you don't have them.  That might be the reason for a "Missing
certificate" error too.  The log file should show you information
about the required certificates (try GPGSM's --verbose option).

Also note that GPGSM asks the Dirmngr to check the CRL, and Dirmngr also
needs a set of certificates.  The Dirmngr manual tells how to install
them.  The latest version of the Dirmngr is a bit more relaxed in this
regard and is able to ask gpgsm for missing certificates and whether a root
certificate is trusted.  You may of course use the GPGSM option
--disable-crl-checks.

Thoughts are free.  Exceptions are governed by a federal law.
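As an added example (not from Werner's message and not GnuPG's own code), a small POSIX shell helper for the manual trustlist.txt step he describes: it normalises the root CA's SHA-1 fingerprint, rejects malformed input, skips fingerprints that are already active entries (comment lines starting with "#" and entries disabled with "!" do not count), appends the entry with the "S" flag that trustlist.txt uses for S/MIME (X.509) roots, and offers a separate reload step that on current GnuPG does what the HUP in the message does. The function names, the default trustlist path and the sample fingerprint are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: mark an X.509 root CA as trusted for gpgsm by editing
# trustlist.txt, the manual alternative to allow-mark-trusted.
# Assumption: TRUSTLIST defaults to ~/.gnupg/trustlist.txt.

# Print a DER certificate's SHA-1 fingerprint as 40 upper-case hex digits,
# the form trustlist.txt uses (requires openssl; not exercised offline).
root_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' -e 's/://g'
}

# is_root_trusted FPR TRUSTLIST -> 0 if FPR is an active entry.
# Lines starting with '#' are comments and '!' disables an entry.
is_root_trusted() {
    grep -q -i "^[[:space:]]*$1[[:space:]]" "$2" 2>/dev/null
}

# mark_root_trusted FPR [TRUSTLIST] -> 0 on success, 1 on bad input.
# Accepts "AB:CD:..." or bare hex; only appends when not already active.
mark_root_trusted() {
    fpr=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    list=${2:-"$HOME/.gnupg/trustlist.txt"}
    case "$fpr" in
        *[!0-9A-F]*|"") echo "not a fingerprint: $1" >&2; return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || { echo "need 40 hex digits: $1" >&2; return 1; }
    if is_root_trusted "$fpr" "$list"; then
        echo "already trusted: $fpr"
        return 0
    fi
    {
        echo "# root CA added $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "$fpr S"      # S = S/MIME (X.509) root; P would be OpenPGP
    } >> "$list"
    echo "added: $fpr"
}

# gpg-agent caches the list; make it re-read the file (the HUP in the message).
reload_agent() {
    gpgconf --reload gpg-agent
}

# Typical use (constructed fingerprint):
# mark_root_trusted 0123456789ABCDEF0123456789ABCDEF01234567 && reload_agent
```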
