Trust signature domain

John Lane gnupg at
Wed Jan 18 15:51:02 CET 2017

On 18/01/17 03:03, David Shaw wrote:

> Can you post the actual user IDs of the keys you are testing with (or a similar set) so I can try them as well?

Hi David,

I have written a test shell script to experiment with trust signatures.
The script is at

There are six participants: 'myself', who knows 'introducer', who knows
'alice' and 'blake'. 'blake' knows 'chloe' and 'david'.

'introducer' signs 'alice' and trust-signs 'blake', who signs 'chloe'
and 'david'.

'myself' trust-signs 'introducer'.

I'm working on the belief that:

(a) by trust-signing introducer at level 1, any keys certified by
introducer (i.e. alice and blake) become valid for me.
(b) by trust-signing introducer at level 2, I extend (a) so that any keys
certified by a key trust-certified by introducer (blake) also become
valid for me (chloe and david).
(c) by trust-signing with a domain restriction, I limit the scope of (a)
and (b), but it is not clear to me how this applies.

I think things look OK up to step 9, and points (a) and (b) appear to work
as I expect, but (c) doesn't. I'd really appreciate some feedback about
what is happening in:
step 10 (trust level 1 restricted to
step 14 (trust level 2 restricted to
step 16 (trust level 2 restricted to

It would appear that any domain restriction disables trust completely!

My test output is at

Much appreciated.
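
Added example, not part of the message above or of its test script: a small Python model of how points (a) to (c) compose for the six participants when read against RFC 4880 sections 5.2.3.13 (trust signature) and 5.2.3.14 (regular expression). The user IDs, the example.com and example.org domains and the regex form are constructed assumptions; this is not GnuPG's trustdb logic, it ignores the trust amount, and it applies a regex only to signatures made by the key that was trust-signed with it.

```python
import re
from collections import deque

# Constructed user IDs; the message does not give the real ones.
UIDS = {
    "introducer": "introducer <introducer@example.com>",
    "alice": "alice <alice@example.com>",
    "blake": "blake <blake@example.com>",
    "chloe": "chloe <chloe@example.org>",
    "david": "david <david@example.com>",
}
# (signer, target, trust depth); depth 0 is an ordinary certification.
INNER_SIGS = [
    ("introducer", "alice", 0),
    ("introducer", "blake", 1),
    ("blake", "chloe", 0),
    ("blake", "david", 0),
]

def domain_regex(domain):
    """Assumed pattern form: mailboxes at `domain` or one of its subdomains."""
    return r"<[^>]+[@.]" + re.escape(domain) + r">$"

def valid_keys(depth, domain=None):
    """Keys valid for 'myself' after trust-signing 'introducer' at `depth`."""
    scope = domain_regex(domain) if domain else None
    sigs = [("myself", "introducer", depth, scope)]
    sigs += [(s, t, d, None) for s, t, d in INNER_SIGS]
    # Queue entries: (key, delegation levels left, regex scoping its signatures).
    # 'myself' is ultimately trusted: no level limit (None) and no scope.
    queue = deque([("myself", None, None)])
    valid = set()
    while queue:
        signer, budget, scope_re = queue.popleft()
        for s, target, d, regex in sigs:
            if s != signer:
                continue
            # RFC 4880 5.2.3.14: user IDs outside the scope get no trust extended.
            if scope_re and not re.search(scope_re, UIDS[target]):
                continue
            valid.add(target)
            # Each hop uses up one level, so the walk always terminates.
            levels = d if budget is None else min(d, budget - 1)
            if levels >= 1:
                queue.append((target, levels, regex))
    return valid
```
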
