Trust GPG Primary Key Manually

After importing a key, its trust is handled automatically if you certified it in the past. Otherwise, you have to validate the source of the key, the integrity of the key, and so on before trusting it manually. How to do that is outside the scope of this guide. This section shows how to trust a key manually.

Import The Key

First, you need to import the key into your keyring. Go ahead and import the key file.

Trusting The Key Manually

The next step is to trust the key manually.

Identify Target Primary Key ID

First, identify the target primary key ID. This is done with the following command:

gpg --list-keys

Example:

$ gpg --list-keys
...
---------------------------
...

sec   rsa4096 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ unknown] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
ssb   rsa4096 2018-09-23 [E]
ssb   rsa4096 2018-09-23 [E]
ssb   rsa4096 2018-09-23 [S]

In the example above,

  1. The primary key ID (the full 40-character fingerprint) is: 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9. Make sure this is the target key, currently shown with unknown trust level.


Edit the Key

Use the --edit-key <key-ID> command to edit it. Based on the example ID above, that is:

$ gpg --edit-key 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/445AC05FC0F56EA9
     created: 2018-09-23  expires: never       usage: SC  
     trust: unknown       validity: unknown
ssb  rsa4096/E0F5C6ECC87BF4FB
     created: 2018-09-23  expires: never       usage: E   
ssb  rsa4096/226B3ACC3859EF97
     created: 2018-09-23  expires: never       usage: E   
ssb  rsa4096/DFF009F42B8F65F1
     created: 2018-09-23  expires: never       usage: S   
[ unknown] (1). Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>

gpg> 


Trust The Key

Type the "trust" command to begin the trust process. Follow the instructions based on your own trust level. For example:

  1. If you know this key originated from your own offline secure storage, you can trust it "ultimately".
  2. If the key is already trusted by 2 fully trusted keys, you can trust it "fully" or "marginally", depending on your case.
  3. If you know the key came from a compromised location, set it to "not trusted".

Enter the number of your decision and confirm it. Keep in mind that the display is not updated after the edit; you need to quit this session and check again later. Type quit to exit.

IMPORTANT NOTE
Do not casually give a key ultimate trust. Use it sparingly and only for 1 primary secret key: your own.

Trust in others' keys should go no higher than fully trusted.

Example:

gpg> trust
sec  rsa4096/445AC05FC0F56EA9
     created: 2018-09-23  expires: never       usage: SC  
     trust: unknown       validity: unknown
ssb  rsa4096/E0F5C6ECC87BF4FB
     created: 2018-09-23  expires: never       usage: E   
ssb  rsa4096/226B3ACC3859EF97
     created: 2018-09-23  expires: never       usage: E   
ssb  rsa4096/DFF009F42B8F65F1
     created: 2018-09-23  expires: never       usage: S   
[ unknown] (1). Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y


Quit and Save It

Once you're done, you can proceed to save and quit. As the notice says, you may ignore the "unknown" label for now. Example:

sec  rsa4096/445AC05FC0F56EA9
     created: 2018-09-23  expires: never       usage: SC  
     trust: ultimate      validity: unknown
ssb  rsa4096/E0F5C6ECC87BF4FB
     created: 2018-09-23  expires: never       usage: E   
ssb  rsa4096/226B3ACC3859EF97
     created: 2018-09-23  expires: never       usage: E   
ssb  rsa4096/DFF009F42B8F65F1
     created: 2018-09-23  expires: never       usage: S   
[ unknown] (1). Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit


Verify Trust Changes

You can verify the change using the --list-keys command:

$ gpg --list-keys

You should get something like this; notice that "unknown" has changed to ultimate, or whatever trust level you chose:

/home/jane/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ full ] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
ssb   rsa4096 2018-09-23 [E]
ssb   rsa4096 2018-09-23 [E]
ssb   rsa4096 2018-09-23 [S]
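The interactive "trust" menu above can also be driven non-interactively, which is useful when you want a reproducible, reviewable record of which trust level you assigned to which fingerprint. This is an added example, not part of the original guide: it builds a line in GnuPG's ownertrust export format ("<fingerprint>:<value>:"), applies it with --import-ownertrust, and verifies it with --export-ownertrust. Note that the values stored in the trust database (2 = unknown, 3 = never, 4 = marginal, 5 = full, 6 = ultimate) are one higher than the menu numbers (1 to 5) shown in the session above. The fingerprint used is the guide's example key, assumed to already be in your keyring.

```shell
#!/bin/sh
# Added example: scripted ownertrust assignment for a GnuPG primary key.
# Not part of the original guide. Assumes gpg is installed and the key
# identified by the fingerprint has already been imported.

# Map the interactive "trust" menu choice (1-5) to the ownertrust value
# GnuPG stores and exports (2-6). Fails on any other input.
menu_to_ownertrust() {
  case "$1" in
    1) echo 2 ;;   # I don't know or won't say
    2) echo 3 ;;   # I do NOT trust
    3) echo 4 ;;   # I trust marginally
    4) echo 5 ;;   # I trust fully
    5) echo 6 ;;   # I trust ultimately
    *) return 1 ;;
  esac
}

# ownertrust_line FINGERPRINT CHOICE
# Prints "<40-hex fingerprint>:<value>:" or fails on a malformed fingerprint
# (short key IDs are rejected on purpose: ownertrust is keyed by fingerprint)
# or an invalid menu choice.
ownertrust_line() {
  fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  case "$fpr" in
    ''|*[!0-9A-F]*) return 1 ;;
  esac
  [ "${#fpr}" -eq 40 ] || return 1
  val=$(menu_to_ownertrust "$2") || return 1
  printf '%s:%s:\n' "$fpr" "$val"
}

# set_trust FINGERPRINT CHOICE
# Applies the ownertrust value and confirms that GnuPG now exports exactly
# that line. Validity shown by --list-keys is recomputed by --check-trustdb.
set_trust() {
  line=$(ownertrust_line "$1" "$2") || {
    echo "set_trust: bad fingerprint or trust choice" >&2
    return 1
  }
  printf '%s\n' "$line" | gpg --import-ownertrust || return 1
  gpg --check-trustdb >/dev/null 2>&1 || return 1
  gpg --export-ownertrust | grep -Fxq "$line"
}

# Usage with the guide's example key, choosing "4 = I trust fully":
# set_trust 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9 4
```

Because ownertrust is keyed by the full fingerprint, the helper rejects the short key ID (445AC05FC0F56EA9) shown in the --edit-key session; always use the 40-character value from --list-keys.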

That's all about trusting a key manually in GnuPG.