gpg --batch --yes --edit-key trust

mark at mark at
Mon Jul 26 10:01:51 CEST 2010

> On Fri 23/07/10  3:51 PM , Daniel Kahn Gillmor dkg at sent:
>>>> I need to be able to ultimately trust a public key in batch mode, that I have downloaded
>>>> automatically with wget from an internal server over HTTPS.
>>> I think that you might be confusing "trust" with "validity".
>> I don't think I'm confused.  I need this for verifying digital signatures only.  I'm not encrypting.
> If i understand you correctly, I think you want --import-ownertrust.
> feed it the equivalent of the output of  gpg --export-ownertrust, and
> you should be able to do what you're looking for.
> You'll need to know the key's full fingerprint, though.
> --dkg

Perfect, that'll do me just fine!  I've scripted this suggestion:

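#!/bin/sh
# Set trust level for a given GPG key
AWK=awk
[ -x /bin/nawk ] && AWK=/bin/nawk   # prefer nawk where it is installed

[ $# -ne 2 ] && echo "Syntax: $0 key trust-level" && exit 1

gpg --fingerprint --list-keys "$1" |\
    $AWK -v trustlevel="$2" '
        # Join the groups after "Key fingerprint =" into one string
        /fingerprint/ { for (i=4; i<=NF; i++) fpr=fpr $i }
        END {
            cmd="gpg --export-ownertrust"
            # Copy existing records, dropping any old record for this key
            while ((cmd | getline line) > 0) {
                split(line, f, ":")
                if (f[1]!=fpr) print line
            }
            close(cmd)
            print fpr ":" trustlevel ":"
        }
    ' | gpg --import-ownertrust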

Here's an example of the script in use:

# gpg --import
gpg: key 61404A7B: public key "swrepo server <root at testhost>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# ./set-gpg-trust "swrepo server" 6
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: setting ownertrust to 6
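
An added example, not part of the original post: the same ownertrust rewrite, but keyed on a full fingerprint pinned out of band and refusing to act when the key selector matches more than one primary key. The function names and sample values are constructed for illustration; `--with-colons` is gpg's machine-readable listing format and does not appear in the post.

```shell
#!/bin/sh
# Added example: text-only helpers, so they can be checked without a keyring.
# Real use (PINNED_FPR comes from a trusted channel, not from the download):
#   gpg --with-colons --fingerprint "$key" | primary_fpr   # compare to PINNED_FPR
#   gpg --export-ownertrust | set_ownertrust "$PINNED_FPR" 6 | gpg --import-ownertrust

# Print the primary-key fingerprint found in `gpg --with-colons --fingerprint`
# output on stdin. Fails unless exactly one primary key matched the selector.
primary_fpr() {
    awk -F: '
        $1 == "pub"         { want = 1; next }  # next fpr record is the primary key
        $1 == "sub"         { want = 0 }        # subkey fingerprints are ignored
        $1 == "fpr" && want { fpr = $10; n++; want = 0 }
        END { if (n != 1) exit 1; print fpr }
    '
}

# Read an ownertrust listing on stdin and write it back with FPR set to LEVEL.
set_ownertrust() {
    fpr=$1 level=$2
    # Accept only a full 40-hex-digit fingerprint, never a short key ID or user ID.
    printf '%s\n' "$fpr" | grep -Eq '^[0-9A-F]{40}$' || return 2
    # This example's policy: plain levels 2..6 only (6 is what the post sets).
    case $level in [2-6]) ;; *) return 2 ;; esac
    awk -F: -v fpr="$fpr" -v level="$level" '
        $1 != fpr { print }                     # keep comments and other keys
        END { print fpr ":" level ":" }
    '
}

# Constructed sample data (not from a real keyring).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_KEYS='pub:-:1024:17:89ABCDEF01234567:2010-07-23:::-:constructed test key::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:2048:16:FEDCBA9876543210:2010-07-23::::::e:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:'
SAMPLE_TRUST='# List of assigned trustvalues (constructed)
0123456789ABCDEF0123456789ABCDEF01234567:4:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:5:'

# Demo: rewrite the listing only when the key found matches the pinned value.
if [ "$(printf '%s\n' "$SAMPLE_KEYS" | primary_fpr)" = "$SAMPLE_FPR" ]; then
    printf '%s\n' "$SAMPLE_TRUST" | set_ownertrust "$SAMPLE_FPR" 6
fi
```

Selecting by user ID, as in `./set-gpg-trust "swrepo server" 6`, trusts whichever key carries that name; comparing against a pinned fingerprint first ties the ultimate-trust decision to one specific key.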
