Managing the WoT with GPG

Wouter Verhelst w at
Thu Jun 29 09:52:02 CEST 2017

On Tue, Jun 20, 2017 at 03:34:44PM +0200, martin f krafft wrote:
> 2. I've also tried running --update-trustdb, but it seems that this
>    process is *endless*. I have no idea how many keys remain, and
>    I also got the impression that I keep seeing keys I already
>    processed. How do you approach this? Or does everyone just use
>    tofu these days?

This is only true the first time around. GnuPG will store the answers
you enter, and retain them for future use.

I did so on my keyring, and now it asks me to run update-trustdb once
every few months. When I do, I need to answer on only a handful of keys

> 3. Is there a way to run --check-trustdb or --update-trustdb not
>    over the entire key graph, but only traversing to a certain depth
>    starting from a specific key?

--update-trustdb only asks about keys that are already trusted. It
starts with keys that you yourself signed, then checks which keys are
signed by those and therefore trusted, and asks about them. Etc, etc,
until you've got everything.

> 5. Has anyone come up with a smart way to keep pubring/trustdb
>    synchronised between multiple workstations?

You can export the values you've input into --update-trustdb with
--export-ownertrust (and then import them into another machine with

This is, in fact, a good idea to do for backup purposes every once in a

Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008

More information about the Gnupg-users mailing list