How to setup trust?
Jakob Bohm
jb-gnumlists at wisemo.com
Sat Nov 1 08:08:27 CET 2025
On 31/10/2025 16:37, Daniel Cerqueira wrote:
> Hi.
>
> Firstly, I am not subscribed to this list. Please, do reply to my address
> in the "To:", and the gnupg-users at gnupg.org in the "Cc:" field. Thanks!
>
> Second, I am trying to use the trust feature of GnuPG. My GnuPG uses
> the trust model "pgp".
>
> Now, if I do `gpg -k "<wk at gnupg.org>"` it shows this:
>
> --8<---------------cut here---------------start------------->8---
> pub ed25519/0x63113AE866587D0A 2018-09-28 [SC] [expires: 2027-01-31]
> Key fingerprint = AEA8 4EDC F01A D86C 4701 C85C 6311 3AE8 6658 7D0A
> uid [ unknown] wk at gnupg.org
> uid [ unknown] werner at eifzilla.de
> uid [ unknown] wk at g10code.com
> uid [ unknown] werner.koch at gnupg.com
> sub ed25519/0x19CC1C9E085B107A 2020-08-04 [S]
> Key fingerprint = 8777 461F 2A07 4EBC 480D 3594 19CC 1C9E 085B 107A
> sub brainpoolP384r1/0x2B999FA9CE046B1B 2021-06-28 [E] [expires: 2027-01-10]
> Key fingerprint = A1DB 793D C236 63E7 F914 75D8 2B99 9FA9 CE04 6B1B
> sub ky768_bp256/0x5CF9E3DE6BC9DA95 2025-02-06 [E]
> Key fingerprint = 5CF9E 3DE6B C9DA9 57ED2 4B39E C2D29 580F7 0B3F8 AF14B 8D7BE
> --8<---------------cut here---------------end--------------->8---
>
> The "[ unknown]" is what shows the trust? Or it shows something else
> (like PGP's concept of validity)?
"Trust" is PGP's concept of validity. Not sure if the --list-keys output
prints out the full trust result, or only the calculated result from other
signatures. Someone else on the list has to answer that.
>
> Third, how can I make this 0x63113AE866587D0A key, to be marginally
> trusted?
The root of trust in the PGP model is to "ultimately trust" one of your own
keys (not necessarily the one you use for regular e-mail), and then count the
trust levels of keys that signed other keys.

For gnupg, this ultimate trust is typically granted to all the keys for which
your copy of gnupg stores the private key under your user account, plus any
offline keys listed in the "--trusted-key" option (which is usually placed in
a gnupg config file).

On top of the default calculation of trust based on signatures tracing back to
your trusts, gnupg has a personal database of "ownertrusts", which can be
changed interactively with the command "gpg --edit-key" and saved with the
command "gpg --export-ownertrust". Usually, gnupg will prompt you to set the
trust for any key where you have not yet set it. Either when encountering the
key in its calculations or when rerunning the calculations with the command
"gpg --update-trustdb". Much more about this concept can be found in the
gnupg handbook.
> I have tried making a local signature with cert-level of 1 and also have
> edited this key's `trust` to be "marginal", then "save". Afterwards, I
> did a `gpg --update-trustdb`, and still I get the output above :-( .
>
>
> I am not understanding how the GnuPG's trust feature works. I want to
> learn.
>
>
> Cheers for Freedom :-) ,
>
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
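
GnuPG's machine-readable listing (`gpg --list-keys --with-colons`) reports two separate values: the computed validity in field 2 of each `pub`/`uid` record and the assigned ownertrust in field 9 of the `pub` record. The Python sketch below is an added example, not part of either poster's message; it parses such a listing and flags keys whose ownertrust is set while their user IDs are still of unknown validity. The sample listing is constructed (timestamps, uid hash and the `m` ownertrust are made up) around the key ID and fingerprint quoted above.

```python
# Added example: separate computed validity from assigned ownertrust in
# `gpg --list-keys --with-colons` output (field layout per GnuPG doc/DETAILS).
LEVELS = {"o": "unknown", "-": "unknown", "q": "undefined", "n": "never",
          "m": "marginal", "f": "full", "u": "ultimate", "e": "expired",
          "r": "revoked", "i": "invalid", "d": "disabled"}

# Constructed sample: only the key ID and fingerprint come from the thread.
SAMPLE = """\
pub:-:255:22:63113AE866587D0A:1538092800:::m:::scESC:
fpr:::::::::AEA84EDCF01AD86C4701C85C63113AE866587D0A:
uid:-::::1538092800::0000000000000000000000000000000000000000::wk at gnupg.org:
sub:-:255:22:19CC1C9E085B107A:1596499200::::::s:
fpr:::::::::8777461F2A074EBC480D359419CC1C9E085B107A:
"""

def parse_listing(text):
    """Return one dict per primary key: fingerprint, ownertrust, per-uid validity."""
    keys, cur, last = [], None, None
    for line in text.splitlines():
        f = line.split(":")
        kind = f[0]
        if kind == "pub" and len(f) > 8:
            cur = {"keyid": f[4], "fpr": None, "uids": [],
                   "validity": f[1][:1] or "-",      # field 2: computed validity
                   "ownertrust": f[8][:1] or "-"}    # field 9: assigned ownertrust
            keys.append(cur)
        elif kind == "fpr" and cur and last == "pub" and len(f) > 9:
            cur["fpr"] = f[9]                        # skip subkey fingerprints
        elif kind == "uid" and cur and len(f) > 9:
            cur["uids"].append((f[9], f[1][:1] or "-"))
        if kind in ("pub", "sub"):
            last = kind
    return keys

def trusted_but_not_valid(keys):
    """Key IDs with marginal/full ownertrust whose uids all have unknown validity."""
    return [k["keyid"] for k in keys
            if k["ownertrust"] in ("m", "f") and k["uids"]
            and all(v in ("-", "q", "o") for _, v in k["uids"])]

def describe(keys):
    out = []
    for k in keys:
        out.append(f"{k['fpr'] or k['keyid']} ownertrust={LEVELS.get(k['ownertrust'], '?')}")
        out += [f"  uid {n!r} validity={LEVELS.get(v, '?')}" for n, v in k["uids"]]
    return out

if __name__ == "__main__":
    keys = parse_listing(SAMPLE)
    print("\n".join(describe(keys)))
    print("ownertrust set, uid validity unknown:", trusted_but_not_valid(keys))
```

To inspect a real keyring, pass the text produced by `gpg --list-keys --with-colons` to `parse_listing` instead of `SAMPLE`.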