25

I have created a master key with two subkeys: one for signing and the other for encryption. Finally, I have exported the two subkeys to a new machine.

How can I tell the new machine to consider the master as "ultimate", even if it is absent from the machine? Does it matter?

Jens Erat
Antoine

3 Answers

35

You can set any key to ultimate trust by opening the key edit command line

gpg --edit-key [key-id]

and running the trust command. You will now be prompted to select the trust level:

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 

Obviously, 5 will be the proper decision to achieve ultimate trust. Finally, save to commit the changes and exit GnuPG. The same commands apply to both GnuPG 1.4 and GnuPG 2 (and newer).

Ultimate trust enables a key to introduce trust into the OpenPGP web of trust; in other words, all ultimately trusted keys act as starting points for trust paths. You should set your own keys to ultimate trust, but usually will not do so for others'.

Jens Erat
  • Minor note: it seems that `save` is not necessary, giving 'Key not changed so no update needed.' – David Oliver May 12 '20 at 13:36
  • You're right, in fact this does not really edit the _key_, but the _trust database_ which does not seem to require the `save` command. – Jens Erat May 12 '20 at 20:01
8

To change the Ownertrust trust level of a key after importing it in a simpler way (without the interactive --edit-key mode), I found this one-line method using gpg --import-ownertrust:

According to this mail from the Gnupg-users mailing list, the trust level can be changed using gpg --import-ownertrust.

You only need the fingerprint of the key and the trust level number, which is the number you use in the gpg --edit-key [key-id] trust menu (1,2,3,4,5 ...) + 1 (don't ask me why, but I have tested each level):

1 = I don't know or won't say => will be = 2
2 = I do NOT trust => will be = 3
3 = I trust marginally => will be = 4
4 = I trust fully => will be = 5
5 = I trust ultimately => will be = 6

To change the Ownertrust trust level to ultimate, as an example:

Get the fingerprint of the key (public or private) if it is already imported (if not, use gpg --with-fingerprint mykey.gpg to get the fingerprint before importing the key):

gpg --list-keys [key-id]
gpg --list-secret-keys [key-id]

Change the Ownertrust trust level by echoing FINGERPRINT:LEVEL: to gpg --import-ownertrust:

echo "07C9F77F0E8134E64A7FF0AA666B4C8DC27B4A0A:6:" | gpg --import-ownertrust

See the new Ownertrust trust level of the key:

gpg --list-keys [key-id]
gpg --list-secret-keys [key-id]

You can export the Ownertrust trust levels of all keys beforehand, or to back them up:

gpg --export-ownertrust > trustlevel.txt

And reimport them if needed:

gpg --import-ownertrust < trustlevel.txt

Using gpg --import-ownertrust, you can either set the Ownertrust trust level of a key before importing it (the key will then be trusted according to the defined level after the import operation), or import the key first and then change the trust level of the imported key.

Kyle
moocan
  • the echo could also be automated using `sed` to add the trust like `sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p'` – user228505 Feb 21 '21 at 07:57
  • I built a scripted version out of your answer: `keyid=$(gpg --quiet --import-options import-show --import $key | sed -e '2!d' -e 's/^[ \t]*//') && echo "${keyid}:6:" | gpg --import-ownertrust` – t2d Jul 09 '21 at 08:39
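The following is an added example, not code from any of the answers or comments above. It is a small POSIX shell helper that turns the answer's procedure into checked building blocks: the 1..5 menu level is mapped to the stored ownertrust value (the answer's table, menu level + 1), a fingerprint is validated as a full 40-hex-digit v4 fingerprint before a FINGERPRINT:VALUE: line is produced, and primary-key fingerprints are extracted from `gpg --with-colons --list-keys` output (in colon format the "fpr" record that follows a "pub" record carries the fingerprint in field 10). The sample colon output and its fingerprints are constructed for the example and are not real keys; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: build `gpg --import-ownertrust` lines from colon-format
# key listings. Not part of any answer above.

# Map the 1..5 menu number shown by `gpg --edit-key ... trust` to the value
# stored in the ownertrust database (the answer's table: 1->2 ... 5->6).
ownertrust_value() {
    case "$1" in
        1) echo 2 ;;  # I don't know or won't say
        2) echo 3 ;;  # I do NOT trust
        3) echo 4 ;;  # I trust marginally
        4) echo 5 ;;  # I trust fully
        5) echo 6 ;;  # I trust ultimately
        *) echo "ownertrust_value: menu level must be 1..5, got '$1'" >&2; return 1 ;;
    esac
}

# Produce one "FINGERPRINT:VALUE:" line. Anything that is not a full
# 40-hex-digit fingerprint is rejected, so a short key id is never imported.
ownertrust_line() {
    fpr=$1
    level=$2
    case "$fpr" in
        *[!0-9A-Fa-f]*|"") echo "ownertrust_line: '$fpr' is not a hex fingerprint" >&2; return 1 ;;
    esac
    if [ "${#fpr}" -ne 40 ]; then
        echo "ownertrust_line: expected a 40-digit fingerprint, got ${#fpr} digits" >&2
        return 1
    fi
    value=$(ownertrust_value "$level") || return 1
    printf '%s:%s:\n' "$(echo "$fpr" | tr 'a-f' 'A-F')" "$value"
}

# Print the fingerprint of every primary key in `gpg --with-colons` output.
# A "pub" record is followed by its "fpr" record (field 10 = fingerprint);
# "fpr" records that follow "sub" records (subkeys) are skipped.
primary_fingerprints() {
    awk -F: '$1=="pub"{want=1; next} $1=="fpr" && want {print $10; want=0; next} {want=0}'
}

# Read colon output on stdin and emit one ownertrust line per primary key.
ownertrust_lines_from_colons() {
    level=$1
    primary_fingerprints | while IFS= read -r fpr; do
        ownertrust_line "$fpr" "$level" || return 1
    done
}

# Constructed sample of `gpg --with-colons --list-keys` output: one primary
# key with a signing subkey. The fingerprints are made up, not real keys.
SAMPLE_COLONS='tru::1:1600000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::s::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Real usage against a keyring (not run here), marking a key ultimately trusted:
#   gpg --with-colons --list-keys "$KEYID" | ownertrust_lines_from_colons 5 | gpg --import-ownertrust
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_COLONS" | ownertrust_lines_from_colons 5
```

Validating the full fingerprint before writing the line matters because `--import-ownertrust` keys the database on the fingerprint: a truncated or mistyped value silently applies to nothing (or, with a short id, risks matching the wrong key), so it is better to fail loudly in the script than to discover a still-untrusted key later.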
5

Here is how to automate this (gpg --edit-key; trust; 5; save) for newly imported keys, effectively importing them as ultimately trusted.

$ gpg --import <key.asc
$ (echo 5; echo y; echo save) |
  gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(
  gpg --list-packets <key.asc |
  awk '$1=="keyid:"{print$2;exit}')" trust 
pts
  • Great because it works inside (bash-)scripts, so I can automate the import, without interaction with the terminal – KargWare Apr 02 '22 at 16:50