gpg --batch --yes --edit-key trust

mark at proseconsulting.co.uk
Fri Jul 23 13:35:52 CEST 2010


>  On Fri 23/07/10 11:48 AM , David Smith Dave.Smith at st.com sent:
> > I need to be able to ultimately trust a public key
> > in batch mode, that I have downloaded automatically with wget from an
> > internal server over HTTPS.
>
> I think that you might be confusing "trust" with "validity".
> 
> If you want it to blindly encrypt data using a key that it's downloaded
> from a keyserver without you having signed it (or without it being
> declared valid by the web-of-trust), then you can use "--always-trust"
> when doing the encryption.
> 

I don't think I'm confused.  I need this for verifying digital signatures only.  I'm not encrypting.  Let me demonstrate:

Attempt 1: this is no good for me ...

# gpg --import /tmp/swrepo.pub
gpg: key 61404A7B: public key "swrepo server <root at testhost>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# gpg --verify catalog
gpg: Signature made 23 July 2010 11:44:51 BST using DSA key ID 61404A7B
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: Good signature from "swrepo server <root at testhost>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Attempt 2: this is also no good for me ...

# gpg --trust-model always --verify catalog
gpg: Signature made 23 July 2010 11:44:51 BST using DSA key ID 61404A7B
gpg: Good signature from "swrepo server <root at testhost>"
gpg: WARNING: Using untrusted key!

Attempt 3: this is what I'm after ...

# gpg --edit-key "swrepo server" trust quit
...
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
...
# gpg --verify catalog
gpg: Signature made 23 July 2010 11:44:51 BST using DSA key ID 61404A7B
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "swrepo server <root at testhost>"

So I need to ultimately trust a public key non-interactively, which I can't do unless I have a way of telling gpg how far I trust the key in batch mode.

This doesn't work:

# gpg --batch --yes --edit-key "swrepo server" trust quit
...
gpg: Sorry, we are in batchmode - can't get input

If the option existed, I'd imagine this is how I would do it:

# gpg --batch --yes --trust-level 5 --edit-key "swrepo server" trust quit

or perhaps:

# gpg --trust-key "swrepo server" 5

but of course I've made those options up, they don't exist.

So the questions are: a) is there already a way of achieving this? and b) if not, I'm happy to submit a patch to add the option; which of the above options makes more sense?

Regards,
Mark.
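One way to get the result of "attempt 3" without patching gpg, as an added example that is not part of Mark's post or of the list thread: GnuPG already has --import-ownertrust, which reads "fingerprint:value:" lines and needs no terminal. The script below builds a throwaway signing key to stand in for the internal server (the "swrepo server" name, the e-mail address, the file names and the catalog contents are constructed for the demonstration), imports the public key into a separate verifying keyring, shows that --verify reports the key as untrusted, sets ultimate ownertrust non-interactively, and shows the same verification now reporting TRUST_ULTIMATE. It assumes GnuPG 2.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: mark an imported public key
# as ultimately trusted without an interactive prompt, using GnuPG's own
# --import-ownertrust, then check that --verify no longer warns.
# Assumes GnuPG 2.1 or later. Key name, e-mail, file names and the catalog
# contents are constructed for the demonstration.
set -eu

# Stand-in for the internal HTTPS server: a throwaway signing keyring that
# signs a catalog and exports its public key (constructed test fixture).
make_signed_catalog() {
    signer_home=$1
    workdir=$2
    mkdir -p -m 700 "$signer_home"
    gpg --homedir "$signer_home" --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: swrepo server
Name-Email: root@testhost.example
Expire-Date: 0
%commit
EOF
    printf 'pkg-a 1.0\npkg-b 2.3\n' > "$workdir/catalog"
    gpg --homedir "$signer_home" --batch --yes --quiet \
        --output "$workdir/catalog.sig" --detach-sign "$workdir/catalog"
    gpg --homedir "$signer_home" --batch --armor --export > "$workdir/swrepo.pub"
}

# Client side, step 1: import the downloaded key (attempt 1 in the post).
import_pubkey() {
    verify_home=$1
    pubkey=$2
    mkdir -p -m 700 "$verify_home"
    gpg --homedir "$verify_home" --batch --quiet --import "$pubkey"
}

# Step 2: the non-interactive equivalent of "--edit-key ... trust, 5, y".
# --import-ownertrust takes "<fingerprint>:<value>:" lines; the value is the
# --edit-key menu number plus one (2 undefined, 3 never, 4 marginal,
# 5 full, 6 ultimate). It is keyed on the full fingerprint, not a user ID
# string or short key ID. Prints the fingerprint it trusted.
set_ultimate_ownertrust() {
    verify_home=$1
    fpr=$(gpg --homedir "$verify_home" --batch --with-colons --fingerprint \
              --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    printf '%s:6:\n' "$fpr" |
        gpg --homedir "$verify_home" --batch --quiet --import-ownertrust
    echo "$fpr"
}

# Step 3: verify. Rather than grepping the human-readable WARNING text, read
# the machine-readable --status-fd output: a good signature is followed by a
# TRUST_* line, and TRUST_ULTIMATE is the state attempt 3 in the post reached.
# Returns 0 only for a good signature from an ultimately trusted key.
verify_catalog() {
    verify_home=$1
    workdir=$2
    status=$(gpg --homedir "$verify_home" --batch --status-fd 1 \
                 --verify "$workdir/catalog.sig" "$workdir/catalog" 2>/dev/null || true)
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' &&
        printf '%s\n' "$status" | grep -q '^\[GNUPG:\] TRUST_ULTIMATE'
}

# Stop the gpg-agents the two homedirs started, then remove the temp tree.
cleanup() {
    top=$1
    gpgconf --homedir "$top/signer" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$top/verifier" --kill gpg-agent 2>/dev/null || true
    rm -rf "$top"
}

# Walk through the states from the post: untrusted after import, trusted
# after the ownertrust import.
demo() {
    top=$(mktemp -d)
    make_signed_catalog "$top/signer" "$top"
    import_pubkey "$top/verifier" "$top/swrepo.pub"
    if verify_catalog "$top/verifier" "$top"; then echo "before: trusted"; else echo "before: untrusted"; fi
    set_ultimate_ownertrust "$top/verifier" >/dev/null
    if verify_catalog "$top/verifier" "$top"; then echo "after: trusted"; else echo "after: untrusted"; fi
    cleanup "$top"
}

demo
```

Two other non-interactive routes exist in stock gpg: `--trusted-key <long key ID>` on the verify command line treats that key as ultimately trusted for that run only, and `--command-fd 0` lets you pipe the "5" and "y" answers into `--edit-key ... trust`. Whichever you use, remember that ultimate ownertrust also makes every key this key has certified fully valid, so for an automated signature check it is safer to keep the repository key in its own keyring (`--no-default-keyring --keyring`) and compare the fingerprint in the VALIDSIG status line against a pinned value rather than rely on the trust model alone.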