Trust GPG Primary Key Manually
After importing a key, its trust is already handled if you certified it in the past. Otherwise you have to validate the source of the key, its integrity, and so on before trusting it manually; how to do that is outside the scope of this guide. Keep in mind that GnuPG tracks two separate things: ownertrust, which the trust command sets and which expresses how far you trust the key's owner to verify other people's keys, and validity, which says whether GnuPG believes the key belongs to the user ID on it and is computed from certifications plus ownertrust. This section guides you through setting ownertrust on a key manually.
Import The Key
First, import the key into your keyring from the key file:
Trusting The Key Manually
Now set the trust on the key manually.
Identify Target Primary Key ID
The next step is to identify the target primary key. This is done with the following command:
gpg --list-keys
Example:
$ gpg --list-keys
...
---------------------------
...
pub rsa4096 2018-09-23 [SC]
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid [ unknown] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub rsa4096 2018-09-23 [E]
sub rsa4096 2018-09-23 [E]
sub rsa4096 2018-09-23 [S]
In the example above, the primary key is identified by its full fingerprint:
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
Make sure this is the target key and that its user ID still shows unknown validity. Use the full 40-digit fingerprint rather than the short 8- or 16-digit key ID in the following commands, since short key IDs are not unique and can be made to collide.
Edit the Key
Use the --edit-key <fingerprint> command to edit it. With the example fingerprint above, that is:
$ gpg --edit-key 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/445AC05FC0F56EA9
created: 2018-09-23 expires: never usage: SC
trust: unknown validity: unknown
ssb rsa4096/E0F5C6ECC87BF4FB
created: 2018-09-23 expires: never usage: E
ssb rsa4096/226B3ACC3859EF97
created: 2018-09-23 expires: never usage: E
ssb rsa4096/DFF009F42B8F65F1
created: 2018-09-23 expires: never usage: S
[ unknown] (1). Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
gpg>
Trust The Key
Type the trust command to begin the trust process, then follow the prompt according to your own trust level. For example:
- If the key is your own, say it came from your offline secure storage, you can trust it ultimately.
- If you have verified the key and trust its owner to carefully check other people's keys before certifying them, trust it fully; if you expect them to be less careful, trust it marginally.
- If you know the key came from a compromised source, choose "I do NOT trust" and stop using it.
Enter the number of your decision and confirm it. Keep in mind that the validity shown in the session is not updated after the edit; you will need to quit the session and check again. Ownertrust is stored in the trust database rather than in the key itself, so no save is needed: type quit to exit.
IMPORTANT NOTE
Do not hand out ultimate trust casually. Use it sparingly, and only for the one primary secret key that is your own.
Other people's keys should go no higher than full trust.
Example:
gpg> trust
sec rsa4096/445AC05FC0F56EA9
created: 2018-09-23 expires: never usage: SC
trust: unknown validity: unknown
ssb rsa4096/E0F5C6ECC87BF4FB
created: 2018-09-23 expires: never usage: E
ssb rsa4096/226B3ACC3859EF97
created: 2018-09-23 expires: never usage: E
ssb rsa4096/DFF009F42B8F65F1
created: 2018-09-23 expires: never usage: S
[ unknown] (1). Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Quit and Save It
Once you're done, quit the session. As the notice says, you can ignore the "unknown" validity label shown here for now; it is recomputed the next time gpg runs. Example:
sec rsa4096/445AC05FC0F56EA9
created: 2018-09-23 expires: never usage: SC
trust: ultimate validity: unknown
ssb rsa4096/E0F5C6ECC87BF4FB
created: 2018-09-23 expires: never usage: E
ssb rsa4096/226B3ACC3859EF97
created: 2018-09-23 expires: never usage: E
ssb rsa4096/DFF009F42B8F65F1
created: 2018-09-23 expires: never usage: S
[ unknown] (1). Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> quit
Verify Trust Changes
You can verify it using the --list-keys command:
$ gpg --list-keys
You should get something like this; notice the validity of the user ID has changed from unknown to ultimate, the choice made above. Had you chosen full or marginal instead, the validity would only change once the key is certified by your own key (sign or lsign inside --edit-key) or by enough trusted keys, because ownertrust alone does not make a key valid:
/home/jane/.gnupg/pubring.kbx
---------------------------------
pub rsa4096 2018-09-23 [SC]
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub rsa4096 2018-09-23 [E]
sub rsa4096 2018-09-23 [E]
sub rsa4096 2018-09-23 [S]
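The session above sets ownertrust by hand at the gpg> prompt. The script below is an added example, not part of this guide and not GnuPG's own code: it parses the machine-readable output of gpg --with-colons --list-keys to report ownertrust and validity for every primary key, and builds the FINGERPRINT:VALUE: records that gpg --import-ownertrust accepts, so the same trust decision can be applied from a script or audited afterwards. It runs against a constructed sample listing embedded in the script, so it works without gpg; the second key, the UID hashes and the subkey fingerprint in that sample are invented. The live commands in the comments assume GnuPG 2.1 or later.

```sh
#!/bin/sh
# Added example, not part of the original guide: read ownertrust/validity
# from gpg's machine-readable listing and set ownertrust without the
# interactive "gpg> trust" menu.

# Translate the one-letter validity/ownertrust codes that
# `gpg --with-colons` uses into words.
trust_word() {
    case "$1" in
        u)   echo ultimate ;;
        f)   echo full ;;
        m)   echo marginal ;;
        n)   echo never ;;
        q)   echo undefined ;;
        "-") echo unknown ;;
        e)   echo expired ;;
        r)   echo revoked ;;
        *)   echo "other($1)" ;;
    esac
}

# Numeric ownertrust values in the format written by `gpg --export-ownertrust`
# and read back by `gpg --import-ownertrust`: 2 undefined, 3 never,
# 4 marginal, 5 full, 6 ultimate.
ownertrust_value() {
    case "$1" in
        undefined) echo 2 ;;
        never)     echo 3 ;;
        marginal)  echo 4 ;;
        full)      echo 5 ;;
        ultimate)  echo 6 ;;
        *) echo "unknown trust level: $1" >&2; return 1 ;;
    esac
}

# Print one ownertrust record, FINGERPRINT:VALUE:, for a full 40-hex-digit
# fingerprint (spaces and lower case are tolerated).  Short key IDs are
# refused so that a colliding key cannot be trusted by mistake.
# Live use:  ownertrust_line "$FPR" full | gpg --import-ownertrust
ownertrust_line() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case "$fpr" in
        *[!0-9A-F]*|"") echo "not a hex fingerprint: $1" >&2; return 1 ;;
    esac
    if [ "${#fpr}" -ne 40 ]; then
        echo "need the full 40-digit fingerprint, got ${#fpr} digits" >&2
        return 1
    fi
    val=$(ownertrust_value "$2") || return 1
    printf '%s:%s:\n' "$fpr" "$val"
}

# Read `gpg --with-colons --list-keys` output on stdin and print
# "<fingerprint> ownertrust=<word> validity=<word>" for each primary key.
# In pub/sec records field 2 is the validity and field 9 the ownertrust;
# the fpr record that follows carries the fingerprint in field 10.  The
# guard on `val` skips the fpr records gpg also emits for subkeys.
# Live use:  gpg --with-colons --list-keys | report_trust
report_trust() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { val = $2; own = $9; next }
        $1 == "fpr" && val != ""   { print $10, own, val; val = "" }
    ' | while read -r fpr own val; do
        printf '%s ownertrust=%s validity=%s\n' \
            "$fpr" "$(trust_word "$own")" "$(trust_word "$val")"
    done
}

# Constructed sample listing (not captured from gpg): the guide's example key
# before any trust was set, plus a made-up second key that is already
# ultimately trusted.  UID hashes and the second/subkey fingerprints are invented.
SAMPLE_DUMP='tru::1:1537660800:0:3:1:5
pub:-:4096:1:445AC05FC0F56EA9:1537660800:::-:::scESC::::::23::0:
fpr:::::::::1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9:
uid:-::::1537660800::0123456789ABCDEF0123456789ABCDEF01234567::Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>::::::::::0:
sub:-:4096:1:E0F5C6ECC87BF4FB:1537660800::::::e::::::23:
fpr:::::::::123456789ABCDEF012345678E0F5C6ECC87BF4FB:
pub:u:4096:1:0123456789ABCDEF:1537660800:::u:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA980123456789ABCDEF:
uid:u::::1537660800::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Other Person <other@example.org>::::::::::0:
'

# Report on the sample: the first key is still unknown, the second ultimate.
printf '%s' "$SAMPLE_DUMP" | report_trust
```

To apply a decision on a real keyring, pipe the record into gpg, then let gpg recompute validities: ownertrust_line "$FPR" full | gpg --import-ownertrust && gpg --check-trustdb. As with the interactive trust command, full or marginal ownertrust only raises a key's validity once the key is certified by your own key or by enough trusted keys; ultimate is the one level that makes the key valid on its own, which is why it belongs only on your own key.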
That's all about trusting a key manually in GnuPG.