output of --check-trustdb

Ingo Klöcker kloecker at kde.org
Tue Aug 21 23:24:48 CEST 2012 

On Sunday 19 August 2012, Hauke Laging wrote:
> Hello,
> 
> I am trying to understand how the trust calculations work and I think
> I have made serious progress in that... ;-)
> 
> There are at least two things I have not understood yet:
> 
> 1) Is it possible to have the ownertrust value shown with
> --list-keys? Validity can be shown. I had expected a parameter like
> show-ownertrust for ‑‑list-options.
> 
> 2) I do not understand the "signed" column in the output of
> --check-trustdb. I read something about that but it doesn't make
> sense to me. It seems generally difficult to find good information
> about that.
> 
> start cmd:> LC_ALL=C gpg --check-trustdb
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0  valid:  17  signed:  26  trust: 0-, 0q, 0n, 0m, 0f,
> 17u
> gpg: depth: 1  valid:  26  signed:   3  trust: 0-, 0q, 10n, 8m,
> 8f, 0u
> gpg: depth: 2  valid:   3  signed:   0  trust: 0-, 0q, 0n,
> 1m, 2f, 0u

Just looking at the numbers I'd say that "signed" is the number of keys 
signed by the valid keys. In your example, there are 26 keys that are 
signed in depth 0. And there are 26 keys that are valid in depth 1 
(because they are validated by the ultimately trusted keys from depth 
0). The same pattern repeats for signed keys in depth 1 and valid keys 
in depth 2.

In my keyring I only see this pattern for signed keys in depth 0 and 
valid keys in depth 1. OTOH, for depth 1 I get signed: 206, but in depth 
2 I only get valid: 37. My guess is that "signed" counts the number of 
all keys in the keyring that are signed by any of the valid keys in the 
corresponding depth. In particular, this number also includes keys that 
are valid in the same depth or a lower depth. If your test keyring is a 
tree (or a set of unconnected trees) then this would support my 
hypothesis.

Of course, I could be completely wrong and the "signed" number is 
something entirely different. :-)


Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20120821/9d0eff62/attachment.pgp>

More information about the Gnupg-users mailing list