Understanding the "--refresh-keys" output

David Shaw dshaw at jabberwocky.com
Thu Jun 16 15:31:36 CEST 2011


On Jun 16, 2011, at 8:18 AM, Jerry wrote:

> This is probably a really dumb question; however, I am hoping that
> someone can answer it for me.
> 
> On a FreeBSD-8.2 system, running "/usr/local/bin/gpg2 --refresh-keys"
> ends with the following output.
> 
> 
> gpg: Total number processed: 396
> gpg:              unchanged: 395
> gpg:         new signatures: 35
> gpg: public key E6602099 is 129863409 seconds newer than the signature
> gpg: public key E6602099 is 129863409 seconds newer than the signature
> gpg: public key E6602099 is 129863409 seconds newer than the signature
> gpg: public key E6602099 is 129863409 seconds newer than the signature
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0  valid:  17  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 17u
> 
> 
> Why is the same line repeated four times and what do lines 8 and 9
> mean? I have been reading through the documentation but have not been
> able to ascertain that information.

The repeated line is a warning that the key itself has a timestamp that is *after* one of the signatures on it.  This indicates that either the key or the signature in question has a wonky timestamp.

Line 8 means you are using the PGP trust model, and you have configured it so that it takes 3 marginal signatures or one complete signature to treat a key as valid.  See the manual options --trust-model, --marginals-needed, and --completes-needed.  Briefly, these are the terms that GPG will follow when building the web of trust, to decide what keys are valid and what are not.

Line 9 is just a key count.  You have 17 valid keys.  All of them ("u") are ultimately trusted, which suggests that you have 17 keys that you have generated, as ultimate trust is generally used for people's own keys.  (If you can't trust yourself, who can you trust?)

David
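
The following is an added example, not part of the original post and not GnuPG code: it parses the output quoted above, collapses the repeated timestamp warning per key, converts the skew into days, and decodes the trust-model and key-count lines. The function name `summarize` and the result layout are assumptions; the meanings of the trust letters other than "u" are taken from GnuPG's documentation rather than from this thread.

```python
import re
from datetime import timedelta

# Output as quoted in the question (key ID and counts come from the post).
SAMPLE = """\
gpg: Total number processed: 396
gpg:              unchanged: 395
gpg:         new signatures: 35
gpg: public key E6602099 is 129863409 seconds newer than the signature
gpg: public key E6602099 is 129863409 seconds newer than the signature
gpg: public key E6602099 is 129863409 seconds newer than the signature
gpg: public key E6602099 is 129863409 seconds newer than the signature
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:  17  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 17u
"""

# Ownertrust letters in the "trust:" field. The reply explains only "u";
# the remaining meanings follow the GnuPG documentation.
TRUST = {"-": "unknown", "q": "undefined", "n": "never",
         "m": "marginal", "f": "full", "u": "ultimate"}

SKEW = re.compile(r"gpg: public key (\w+) is (\d+) seconds newer than the signature")
MODEL = re.compile(r"gpg: (\d+) marginal\(s\) needed, (\d+) complete\(s\) needed, (\w+) trust model")
DEPTH = re.compile(r"gpg: depth: (\d+)\s+valid:\s+(\d+)\s+signed:\s+(\d+)\s+trust: (.*)")

def summarize(output):
    """Return timestamp-skew warnings per key, the trust model, and key counts."""
    result = {"skew": {}, "model": None, "depths": []}
    for line in output.splitlines():
        if m := SKEW.match(line):
            key, secs = m.group(1), int(m.group(2))
            entry = result["skew"].setdefault(key, {"warnings": 0, "max_skew": timedelta(0)})
            entry["warnings"] += 1  # one warning per affected signature check
            entry["max_skew"] = max(entry["max_skew"], timedelta(seconds=secs))
        elif m := MODEL.match(line):
            result["model"] = {"marginals_needed": int(m.group(1)),
                               "completes_needed": int(m.group(2)), "name": m.group(3)}
        elif m := DEPTH.match(line):
            counts = {TRUST[c]: int(n) for n, c in re.findall(r"(\d+)([-qnmfu])", m.group(4))}
            result["depths"].append({"depth": int(m.group(1)), "valid": int(m.group(2)),
                                     "signed": int(m.group(3)), "trust": counts})
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
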



