key not trusted when secret main key missing
mailinglisten at hauke-laging.de
Sat Oct 30 01:12:10 CEST 2010
I have (had) a strange problem which I cannot even reproduce. To make it
worse, I use version 2.0.15.
I have created a key on a secure system, exportet the public keys, the secret
keys and the secret subkeys to three files and imported the public and subkeys
on another system.
I could not configure this key for the use in KMail (without any error
message). Thus I tried to make a signature. Verifying the signature led to
this output (in German and as I cannot reproduce the problem...):
start cmd:> gpg --verify test.html.BBEA218E.sig test.html
gpg: Signatur vom Fr 29 Okt 2010 22:31:49 CEST
gpg: mittels RSA-Schlüssel 0x95C20EF1
gpg: Korrekte Signatur von "Hauke Laging (Offline-Hauptschlüssel) ...
gpg: Beglaubigungsrichtlinie: http://www.hauke-laging.de/openpgp/policy.html
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem
vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = AFF8 7529 66BE F70C A514 9618 650F 4F91 BBEA 218E
Unter-Fingerabdruck = A65D A538 6A73 21E0 01F3 C2BF F78C 4FD6 95C2 0EF1
It says: This key has no trustworthy signature. There is no hint that the
signature belongs to the claimed owner.
Then I read the comments in the config file which says:
"GnuPG ultimately trusts all keys in the secret keyring."
I have the secret keys – except for the main key. I can create a signature
with this key.
I then put both this key and the one which has signed it in the config file:
After that the warning disappeared (and KMail accepted the key). I thought
that the reason was the missing secret main key (which would not make sense
and would be considered by me as a bug). Just for fun I removed the "trusted-
key" entries. And even though this should be the same configuration as before
the warning did not appear again. Thus I cannot (easily) reproduce it.
There are other keys without secret main key which do not cause this problem.
The reason may be that my normal key is configured as default key and the
other ones are signed by it.
However, I do not understand why the problem is "solved" now. Does gpg note
anywhere (trustdb?) that a key was valid so that the secret main key checking
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 555 bytes
Desc: This is a digitally signed message part.
More information about the Gnupg-users