HOW to upgrade: 2.0.22 --> 2.3.3 ???

Mike Schleif mike at mdsresource.net
Wed Oct 9 20:55:15 CEST 2024


OK, we are making progress. Thank you.

We used this page to rid ourselves of obsolete bad keys:
http://stuff-things.net/2015/04/22/gpg-public-key-of-ultimately-trusted-key-00000000-not-found/

We continue to have trust level problems. When adding _all_ new keys from
our clients, we always assign level 4 (fully) to each.

On the legacy (v2.0.22) host, it looks like this:
# /usr/bin/gpg --list-keys 571F553F
pub   2048R/571F553F 2023-07-10 [expires: 2025-10-09]
uid                  FISERV-SFG-NA-PROD-GPG-2K-23-193-01 (FISERV SFG NA PROD GPG 2K) <X3GDS_FDFileGateway at fiserv.com>
sub   2048R/C71BDCEC 2023-07-10 [expires: 2025-10-09]

However, on the new host (v2.3.3) the output is different:
# /usr/bin/gpg --list-keys 571F553F
pub   rsa2048 2023-07-10 [SC] [expires: 2025-10-09]
      41261F6446B51FDBD18FDDF8C4D62F13571F553F
uid           [ unknown] FISERV-SFG-NA-PROD-GPG-2K-23-193-01 (FISERV SFG NA PROD GPG 2K) <X3GDS_FDFileGateway at fiserv.com>
sub   rsa2048 2023-07-10 [E] [expires: 2025-10-09]

Encrypting a file using that key, for example, fails thusly:
gpg: 9B51B2A5C71BDCEC: There is no assurance this key belongs to the named user

The only solution we've found is to _manually_ edit each public key, and
assign level 5 (ultimate) - which we are loath to do.

We do not want every key at level ultimate, and we do not want to manually
edit hundreds of keys to change each trust level.

What are we missing?

Please, advise. Thank you.

~ Mike

On Wed, Oct 9, 2024 at 11:30 AM Werner Koch <wk at gnupg.org> wrote:

> On Tue,  8 Oct 2024 13:09, Mike Schleif said:
>
> > Ought we do something on the legacy (v2.0.22) host before copying to the
> > new host?
>
> In general not but you can do this:
>
>   gpg --export             >all-public-keys.gpg
>   gpg --export-secret-keys >all-secret-keys.gpg
>   gpg --export-ownertrust  >ownertrust.txt
>
> also backup the *.conf files if you have some.
>
> On the new machine rename the existing ~/.gnupg to ~/.gnupg-saved and
> then run
>
>   gpg -k
>
> which will create a new ~/.gnupg
>
> Then
>
>   gpg --import <all-secret-keys.gpg
>   gpg --import <all-public-keys.gpg
>   gpg --import-ownertrust <ownertrust.txt
>   gpg --check-trustdb
>
> That avoids any problem with garbage in the ~/.gnupg.  Check gpg.conf
> whether you have any strange keys in them.  In particular remove any
> references to the old PGP-2 keys.
>
>
> Shalom-Salam,
>
>    Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service.             - A. Einstein
>


-- 

If ever I can be of service to you; contact me at once.
I wish for you a truly extraordinary day ...

-- 
Best Regards,

Mike Schleif
612-235-6060
https://mikeschleif.net
http://mdsresource.net
http://www.linkedin.com/in/schleif
http://facebook.com/MDSResource
http://twitter.com/mikeschleif
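
Added example (not part of the original message and not GnuPG's own code): a pre-import check of the ownertrust.txt produced by the export step quoted above. It counts the keys at each stored trust value and lists ultimate-trust entries that have no matching secret key. The function names, the secret-fprs.txt list and the sample fingerprints are assumptions made up for illustration.

```shell
#!/bin/sh
# Audit a `gpg --export-ownertrust` file before `gpg --import-ownertrust`.
# Data lines are FINGERPRINT:VALUE: and comment lines start with '#'.
# Stored values: 2 undefined, 3 never, 4 marginal, 5 full, 6 ultimate,
# one higher than the numbers in the --edit-key "trust" menu.

# Print "<level> <count>" for each trust level present in file $1;
# values outside 2..6 are counted as "other".
ownertrust_summary() {
    awk -F: '
        /^#/ || NF < 2 { next }
        { v = $2 + 0; if (v < 2 || v > 6) { other++ } else { n[v]++ } }
        END {
            split("undefined never marginal full ultimate", name, " ")
            for (v = 2; v <= 6; v++)
                if (n[v]) printf "%s %d\n", name[v - 1], n[v]
            if (other) printf "other %d\n", other
        }' "$1"
}

# Print ultimate-trust fingerprints from ownertrust file $1 that are absent
# from $2, a list (one per line) of primary fingerprints with a secret key.
# How $2 is produced is left to the operator (assumption of this example).
ultimate_without_secret() {
    awk -F: '
        FILENAME == ARGV[1] { own[toupper($1)] = 1; next }
        /^#/ || NF < 2 { next }
        $2 + 0 == 6 && !(toupper($1) in own) { print $1 }
    ' "$2" "$1"
}

# Constructed sample data: fingerprints are made up, not real keys.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ownertrust.txt" <<'EOF'
# List of assigned trustvalues (constructed sample)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1:6:
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB2:6:
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC3:5:
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD4:5:
EOF
sed -n '2p' "$demo_dir/ownertrust.txt" | cut -d: -f1 > "$demo_dir/secret-fprs.txt"

ownertrust_summary "$demo_dir/ownertrust.txt"
echo "ultimate trust without a local secret key:"
ultimate_without_secret "$demo_dir/ownertrust.txt" "$demo_dir/secret-fprs.txt"
```
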