key not trusted when secret main key missing

Hauke Laging mailinglisten at
Sat Oct 30 01:12:10 CEST 2010


I have (had) a strange problem which I cannot even reproduce. To make it 
worse, I use version 2.0.15.

I have created a key on a secure system, exported the public keys, the secret 
keys and the secret subkeys to three files and imported the public and subkeys 
on another system.

I could not configure this key for use in KMail (without any error 
message). Thus I tried to make a signature. Verifying the signature led to 
this output (in German and as I cannot reproduce the problem...):

start cmd:> gpg --verify test.html.BBEA218E.sig test.html
gpg: Signatur vom Fr 29 Okt 2010 22:31:49 CEST
gpg:                mittels RSA-Schlüssel 0x95C20EF1
gpg: Korrekte Signatur von "Hauke Laging (Offline-Hauptschlüssel) ...
gpg: Beglaubigungsrichtlinie:

gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = AFF8 7529 66BE F70C A514  9618 650F 4F91 BBEA 218E
Unter-Fingerabdruck  = A65D A538 6A73 21E0 01F3  C2BF F78C 4FD6 95C2 0EF1

It says: This key has no trustworthy signature. There is no hint that the 
signature belongs to the claimed owner.

Then I read the comments in the config file which say:
"GnuPG ultimately trusts all keys in the secret keyring."

I have the secret keys – except for the main key. I can create a signature 
with this key.

I then put both this key and the one which has signed it in the config file:

trusted-key 650F4F91BBEA218E

After that the warning disappeared (and KMail accepted the key). I thought 
that the reason was the missing secret main key (which would not make sense 
and would be considered by me as a bug). Just for fun I removed the "trusted-key" 
entries. And even though this should be the same configuration as before 
the warning did not appear again. Thus I cannot (easily) reproduce it.

There are other keys without secret main key which do not cause this problem. 
The reason may be that my normal key is configured as default key and the 
other ones are signed by it.

However, I do not understand why the problem is "solved" now. Does gpg note 
anywhere (trustdb?) that a key was valid so that the secret main key checking 
is skipped?


PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
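A way to check the validity/ownertrust state behind this warning from gpg's machine-readable key listing, as an added example (not code from the post or from GnuPG). The colon records below are constructed: the first key reuses the key IDs and fingerprints quoted above, the second key's ID is a placeholder.

```python
"""Inspect the trust state behind the post's warning from the machine-readable
`gpg --with-colons --list-secret-keys` output (added example, not from the post).
Colon fields used: 2 validity, 5 key ID, 9 ownertrust, 10 fingerprint on 'fpr'
records, 15 '#' when the secret key is only a stub (primary key kept offline)."""

# Constructed sample: the first key reuses the IDs/fingerprints from the post
# (offline primary, usable signing subkey); the second key's ID is a placeholder.
SAMPLE = """\
sec:-:4096:1:650F4F91BBEA218E:1288000000:::-:::scESC:::#:
fpr:::::::::AFF8752966BEF70CA5149618650F4F91BBEA218E:
uid:-::::1288000000::0000000000000000::Hauke Laging (Offline-Hauptschluessel):
ssb:-:4096:1:F78C4FD695C20EF1:1288000000::::::s::::
fpr:::::::::A65DA5386A7321E001F3C2BFF78C4FD695C20EF1:
sec:u:2048:1:0123456789ABCDEF:1288000000:::u:::scESC::::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1288000000::1111111111111111::Placeholder Key <placeholder@example.invalid>:
"""

def _field(f, n):
    """1-based colon field, '' when the record is shorter than n fields."""
    return f[n - 1] if len(f) >= n else ""

def parse_colons(text):
    """Group records into keys; each 'sec'/'pub' record starts a new key."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "pub"):
            keys.append({"keyid": _field(f, 5), "validity": _field(f, 2),
                         "ownertrust": _field(f, 9), "stub": _field(f, 15) == "#",
                         "fpr": "", "uids": [], "subkeys": []})
        elif not keys:
            continue  # records before the first key (e.g. 'tru') carry no key data
        elif f[0] == "fpr" and not keys[-1]["fpr"]:
            keys[-1]["fpr"] = _field(f, 10)  # first fpr after sec/pub is the primary's
        elif f[0] in ("ssb", "sub"):
            keys[-1]["subkeys"].append({"keyid": _field(f, 5), "stub": _field(f, 15) == "#"})
        elif f[0] == "uid":
            keys[-1]["uids"].append(_field(f, 10))
    return keys

def diagnose(key):
    """Say whether gpg would print the 'no trusted signature' warning for this key."""
    if key["validity"] == "u" or key["ownertrust"] == "u":
        return "ok: ultimately trusted"
    if key["stub"] and any(not s["stub"] for s in key["subkeys"]):
        return ("offline primary, ownertrust %r: add 'trusted-key %s' to gpg.conf "
                "or set ownertrust with 'gpg --edit-key %s trust'"
                % (key["ownertrust"] or "-", key["keyid"], key["keyid"]))
    return "validity %r, ownertrust %r: no trust path" % (key["validity"], key["ownertrust"])
```

Feed it the real listing with `parse_colons(subprocess.check_output(["gpg", "--with-colons", "--list-secret-keys"], text=True))` to see which keys still lack ownertrust after the secret primary key was left offline.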