How to make auto trust gpg public key?
Solution 1
Your question is really "How do I encrypt to a key without gpg balking at the fact that the key is untrusted?"
One answer is you could sign the key.
gpg --edit-key YOUR_RECIPIENT
sign
yes
save
The other is you could tell gpg to go ahead and trust.
gpg --encrypt --recipient YOUR_RECIPIENT --trust-model always YOUR_FILE
Solution 2
Coincidentally I have a similar situation to the OP - I'm trying to use public/private keys to sign and encrypt firmware for different embedded devices. Since no answer yet shows how to add trust to a key you already have imported, here is my answer.
After creating and testing the keys on a test machine, I exported them as ascii:
$ gpg --export -a <hex_key_id> > public_key.asc
$ gpg --export-secret-keys -a <hex_key_id> > private_key.asc
Then secure-copied and imported them to the build server:
$ gpg --import public_key.asc
$ gpg --import private_key.asc
Important: add trust
Now edit the key to add ultimate trust:
$ gpg --edit-key <[email protected]>
At the gpg> prompt, type trust, then type 5 for ultimate trust, then y to confirm, then quit.
Now test it with a test file:
$ gpg --sign --encrypt --yes --batch --status-fd 1 --recipient "recipient" --output testfile.gpg testfile.txt
which reports
...
[GNUPG:] END_ENCRYPTION
Without adding trust, I get various errors (not limited to the following):
gpg: There is no assurance this key belongs to the named user
gpg: testfile.bin: sign+encrypt failed: Unusable public key
Solution 3
There's an easier way to tell GPG to trust all of its keys by using the --trust-model option:
gpg -a --encrypt -r <recipient key name> --trust-model always
From the man page:
--trust-model pgp|classic|direct|always|auto
Set what trust model GnuPG should follow. The models are:
always Skip key validation and assume that used
keys are always fully trusted. You generally
won't use this unless you are using some
external validation scheme. This option also
suppresses the "[uncertain]" tag printed
with signature checks when there is no evidence
that the user ID is bound to the key. Note that
this trust model still does not allow the use
of expired, revoked, or disabled keys.
Solution 4
This worked for me:
Trying to encrypt a file responds with this:
gpg -e --yes -r <uid> <filename>
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N)
That causes my shell script to fail.
So I:
$ gpg --edit-key <uid>
gpg> trust
Please decide how far you trust this user to correctly verify other
users' keys (by looking at passports, checking fingerprints from
different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> quit
Now the encrypt works properly.
Solution 5
Add trusted-key 0x0123456789ABCDEF to your ~/.gnupg/gpg.conf, replacing the keyid. This is equivalent to ultimately trusting this key, which means that certifications done by it will be accepted as valid. Just marking this key as valid without trusting it is harder and either requires a signature or switching the trust-model to direct. If you are sure you only import valid keys, you can simply mark all keys as valid by adding trust-model always. In the latter case ensure that you disable automatic key retrieval (not enabled by default).
user1366786
Updated on July 15, 2022
Comments
-
user1366786 almost 2 years
I am trying to add my GPG public key as a part of our appliance installation process. The purpose of it is to encrypt any important files like logs before the admin pulls them to his local machine using the admin portal and then decrypts them using the private key. The plan is to export the public key into a file and have the appliance installation process import it using the gpg --import command. But I realized the key needs to be trusted/signed before doing any encryption. How can this key be made trusted without any human intervention at the time of installation? Btw, our appliance OS is an Ubuntu VM and we use kickstart to automate.
Thanks in advance for all help.
-
Wejn about 9 years
Neither of these solutions works well for batch use. A much better approach is the one mentioned by OP below. Namely, using --import-ownertrust to make the key trusted.
-
peetasan almost 8 years
How does this solve OP's problem: "without any human intervention at the time of installation"?
-
Amos Shapira over 7 years
Can whoever downvoted this response please explain why you did that?
-
FilBot3 over 7 years
For some reason, on Gpg4Win, using trust didn't seem to work for signing, or trusting the keys. I had to use sign.
-
rhoerbe over 7 years
This one can be simplified with gpg --export-ownertrust
-
rhoerbe over 7 years
--command-fd or: echo -e "trust\n5\ny" > x.cmd; gpg2 --command-file x.cmd --edit-key AA11BB22
-
Mihail Malostanidis over 5 years
Is this for cmd.exe? In PowerShell, this didn't work for me. But $(echo trust; echo 5; echo y; echo quit) | gpg --command-fd 0 --edit-key [email protected] worked perfectly. ($ + semicolons)
-
dessert over 4 years
Simplified:
gpg --export-ownertrust | sed 's/:.*/:5:/' | gpg --import-ownertrust
-
Profpatsch over 4 years
That's horrible, you shouldn't use an interactive menu flow to automate this stuff.
-
Profpatsch over 4 years
Downvoted, because no explanation of what this code does or why.
-
Profpatsch over 4 years
Same downvote as for stackoverflow.com/a/55419488/1382925, you shouldn't automate implicit interactive menu flow.
-
Nico Haase over 4 years
Please add some explanation to your answer such that others can learn from it - what does that echo command do?
-
John McGehee over 4 years
I like how this explicitly trusts the key for just this invocation of encryption, rather than globally.
-
Jaimil Patel about 4 years
Hope it will solve the issue, but please add an explanation of your code with it so the user gets the full understanding he/she really wants.
-
mymedia almost 4 years
The trust-model always setting does not work - gpg still prints a warning of untrusted key
-
silveiralexf almost 4 years
Added some information to it for better clarity, as this oneliner helped me out :-)
-
Oliver about 2 years
This will set the trust to unknown.