gpg --batch --yes --edit-key trust
mark at proseconsulting.co.uk
Mon Jul 26 10:01:51 CEST 2010
> On Fri 23/07/10 3:51 PM , Daniel Kahn Gillmor dkg at fifthhorseman.net sent:
>>>> I need to be able to ultimately trust a public key in batch mode, that I have downloaded
>>>> automatically with wget from an internal server over HTTPS.
>>>
>>> I think that you might be confusing "trust" with "validity".
>>
>> I don't think I'm confused. I need this for verifying digital signatures only. I'm not encrypting.
>
> If i understand you correctly, I think you want --import-ownertrust.
>
> feed it the equivalent of the output of gpg --export-ownertrust, and
> you should be able to do what you're looking for.
>
> You'll need to know the key's full fingerprint, though.
>
> --dkg
Perfect, that'll do me just fine! I've scripted this suggestion:
#!/bin/ksh
#
# Set trust level for a given GPG key
#
AWK=/bin/gawk
[ -x /bin/nawk ] && AWK=/bin/nawk
[ $# -ne 2 ] && echo "Syntax: $0 key trust-level" && exit 1
# Collect the key's fingerprint from the "Key fingerprint = ..." line of
# the listing, then rewrite the ownertrust export with the new level for
# that key and feed it back to gpg.
gpg --fingerprint --list-keys "$1" |\
$AWK -v trustlevel="$2" '
    /fingerprint/ { for (i=4; i<=NF; i++) fpr=fpr $i }
    END {
        FS=":"
        cmd="gpg --export-ownertrust"
        # keep every existing ownertrust entry except the one for this key
        while (cmd | getline) if ($1!=fpr) print
        close(cmd)
        print fpr ":" trustlevel ":"
    }
' | gpg --import-ownertrust
Here's an example of the script in use:
# gpg --import swrepo.pub
gpg: key 61404A7B: public key "swrepo server <root at testhost>" imported
gpg: Total number processed: 1
gpg: imported: 1
# ./set-gpg-trust "swrepo server" 6
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: setting ownertrust to 6
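As an added example (not code from the thread or from GnuPG), here is the same export/merge/import idea built on gpg's machine-readable `--with-colons` output instead of the human-readable listing, with the fingerprint taken only from the first `fpr` record and validated as a full 40-hex-digit fingerprint before any ownertrust line is written. That matters because `gpg --list-keys "some name"` can match more than one key, and ownertrust must bind to exactly one. The function names (`fpr_from_colons`, `check_fpr`, `merge_ownertrust`, `set_ownertrust`) are this example's own, and the gpg output it runs on is constructed sample data so the script works offline; only `set_ownertrust` actually calls gpg.

```shell
#!/bin/sh
# Added example: derive the record that `gpg --import-ownertrust` expects
# from `gpg --with-colons` output and merge it into an existing ownertrust
# export without disturbing other keys. Sample data below is constructed.

# Ownertrust levels as written by `gpg --export-ownertrust`.
OT_UNDEFINED=2; OT_NEVER=3; OT_MARGINAL=4; OT_FULL=5; OT_ULTIMATE=6

# Print the primary-key fingerprint from `gpg --with-colons --fingerprint`
# output read on stdin: field 10 of the first "fpr" record. Taking only
# the first record means a user-id pattern that matches several keys
# cannot produce a concatenated fingerprint string.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Accept only a full 40-hex-digit (v4) fingerprint. A short key id or a
# name is ambiguous and must not be used to bind ownertrust.
check_fpr() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ ${#1} -eq 40 ]
}

# Rewrite an ownertrust export (stdin) so that the given fingerprint has
# the given level, keeping every other entry and comment line unchanged.
# The output is suitable for `gpg --import-ownertrust`.
merge_ownertrust() {
    ot_fpr=$1; ot_level=$2
    awk -F: -v fpr="$ot_fpr" -v level="$ot_level" '
        $1 != fpr { print }
        END { print fpr ":" level ":" }'
}

# End-to-end version (requires gpg; not exercised by the sample data):
# resolve KEY to one fingerprint, then export, merge and import ownertrust.
set_ownertrust() {
    key_fpr=$(gpg --batch --with-colons --fingerprint "$1" | fpr_from_colons)
    check_fpr "$key_fpr" || { echo "no usable fingerprint for $1" >&2; return 1; }
    gpg --batch --export-ownertrust \
        | merge_ownertrust "$key_fpr" "$2" \
        | gpg --batch --import-ownertrust
}

# Constructed sample: what `gpg --with-colons --fingerprint` might print
# for one key, and an existing ownertrust export that already lists it
# with level 3 (never) next to an unrelated key with level 6.
SAMPLE_COLONS='pub:u:4096:1:0123456789ABCDEF:1280000000::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1280000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::swrepo server <root@example.invalid>::::::::::0:'

SAMPLE_OWNERTRUST='# List of assigned trustvalues, created Mon Jul 26 2010
# (Use "gpg --import-ownertrust" to restore them)
AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:6:
0000111122223333444455556666777788889999:3:'

# Demo on the sample: raise the sample key to ultimate (6) and show the
# ownertrust file that would be imported.
SAMPLE_FPR=$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)
printf '%s\n' "$SAMPLE_OWNERTRUST" | merge_ownertrust "$SAMPLE_FPR" "$OT_ULTIMATE"
```

Setting level 6 (ultimate) is what makes a key valid with no certification path, which is what the thread's signature-verification use case needs; it also makes every key that key certifies fully valid, so a build or repository key should be a dedicated signing key rather than one that issues certifications.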