After you import a key, its trust is handled automatically if you certified it in the past. Otherwise, you have to validate the source of the key, the integrity of the key, and so on before trusting it manually. How to do that is outside the scope of this guide. This section shows you how to trust a key manually.
First, import the key file into your keyring.
Next, trust the key manually.
The next step is to identify the target primary key ID. This is done through the following command:
gpg --list-keys
Example:
$ gpg --list-keys
...
---------------------------
...
sec rsa4096 2018-09-23 [SC]
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid [ unknown] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
ssb rsa4096 2018-09-23 [E]
ssb rsa4096 2018-09-23 [E]
ssb rsa4096 2018-09-23 [S]
In the example above, the primary key ID is 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9. Make sure this is the target key with the unknown trust level. Use the --edit-key <key-ID> command to edit it. Based on the example ID above, it is:
$ gpg --edit-key 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/445AC05FC0F56EA9
created: 2018-09-23 expires: never usage: SC
trust: unknown validity: unknown
ssb rsa4096/E0F5C6ECC87BF4FB
created: 2018-09-23 expires: never usage: E
ssb rsa4096/226B3ACC3859EF97
created: 2018-09-23 expires: never usage: E
ssb rsa4096/DFF009F42B8F65F1
created: 2018-09-23 expires: never usage: S
[ unknown] (1). Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
gpg>
Type the "trust" command to begin the trust process. Follow the instructions based on your own trust level: enter the number of your decision and confirm it. Keep in mind that the display is not updated after the edit. You'll need to quit this session and check again later. Type quit to exit.
IMPORTANT NOTE
Do not casually assign ultimate trust to a key. Use it sparingly and only for one primary secret key, which is your own key.
Other people's keys should be set no higher than fully trusted.
Example:
gpg> trust
sec rsa4096/445AC05FC0F56EA9
created: 2018-09-23 expires: never usage: SC
trust: unknown validity: unknown
ssb rsa4096/E0F5C6ECC87BF4FB
created: 2018-09-23 expires: never usage: E
ssb rsa4096/226B3ACC3859EF97
created: 2018-09-23 expires: never usage: E
ssb rsa4096/DFF009F42B8F65F1
created: 2018-09-23 expires: never usage: S
[ unknown] (1). Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Once you're done, you can proceed to save and quit. As the notice in the output says, you may ignore the "unknown" label for now. Example:
sec rsa4096/445AC05FC0F56EA9
created: 2018-09-23 expires: never usage: SC
trust: ultimate validity: unknown
ssb rsa4096/E0F5C6ECC87BF4FB
created: 2018-09-23 expires: never usage: E
ssb rsa4096/226B3ACC3859EF97
created: 2018-09-23 expires: never usage: E
ssb rsa4096/DFF009F42B8F65F1
created: 2018-09-23 expires: never usage: S
[ unknown] (1). Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> quit
You can verify it using the --list-keys command:
$ gpg --list-keys
You should get something like this. Notice that unknown has changed to ultimate or to your chosen trust level:
/home/jane/.gnupg/pubring.kbx
---------------------------------
sec rsa4096 2018-09-23 [SC]
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid [ full ] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
ssb rsa4096 2018-09-23 [E]
ssb rsa4096 2018-09-23 [E]
ssb rsa4096 2018-09-23 [S]
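The note above limits ultimate trust to your own key. As an added example (not part of the original guide), the script below audits the text printed by gpg --export-ownertrust and flags any other key set to ultimate. The function names and the A.../B... fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `gpg --export-ownertrust` output (read from stdin).
# Data lines look like "<fingerprint>:<value>:"; lines starting with "#" are comments.
# value = trust-menu number + 1: 2 undefined, 3 never, 4 marginal, 5 full, 6 ultimate.

# audit_ownertrust OWN_FPR   (hypothetical helper name)
# Prints "<fingerprint> <level>" per key and returns 1 if any key other than
# OWN_FPR carries ultimate trust.
audit_ownertrust() {
    awk -F: -v own="$1" '
        BEGIN { bad = 0 }
        /^#/ || NF < 2 { next }             # skip comments and blank lines
        {
            lvl = $2 % 16                   # low four bits hold the level; higher bits are flags
            if      (lvl == 6) name = "ultimate"
            else if (lvl == 5) name = "full"
            else if (lvl == 4) name = "marginal"
            else if (lvl == 3) name = "never"
            else if (lvl == 2) name = "undefined"
            else               name = "level-" lvl
            note = ""
            # Fingerprints are compared case-insensitively.
            if (lvl == 6 && toupper($1) != toupper(own)) { note = " UNEXPECTED"; bad = 1 }
            print $1, name note
        }
        END { exit bad }
    '
}

# Constructed sample input. The first fingerprint is the guide's example key;
# the A... and B... fingerprints are made up.
sample_ownertrust() {
    cat <<'EOF'
# constructed sample in export-ownertrust format
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9:6:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:5:
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:6:
EOF
}

# Demo on the sample. On a real keyring, replace sample_ownertrust with:
#   gpg --export-ownertrust
sample_ownertrust | audit_ownertrust 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9 \
    || echo "review the keys marked UNEXPECTED"
```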
That's all about trusting a key manually in GnuPG.