When encrypting a document with a public key I got a warning:

$ gpg --encrypt -r 6B7F10E4 file.pdf

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

I set the trust level to 4 and signed the key:

$ gpg --edit-key 6B7F10E4
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision?

4 <Enter>
gpg> sign

Are you sure that you want to sign this key with your
key ... (8F3A3A54)

Really sign? (y/N)

y <Enter>
gpg> save

But I still get that warning when encrypting documents with that key. What else do I need to do to remove it?

Jens Erat
user4035

3 Answers

You need to also set ultimate trust on your own key.

The message says GnuPG could not validate the key issuing a correct signature. In other words, you know that the signature was indeed issued by a given private key, but are not sure who actually issued this key.

Trust in GnuPG is only relevant when validating keys based on certifications in the OpenPGP web of trust; also read up on "What is the exact meaning of this gpg output regarding trust?". The trust level defines how much trust you put in the key owner's certifications on other keys, but requires already validated keys. For example, if issued on an already-validated key, trust level four ("full trust") by default defines all keys certified by that valid and fully trusted key to be valid as well.

"Ultimate trust" (level five) is special: it is used as an introducer when validating keys, thus it makes the key validated and always considers other keys certified by this key as validated. This should never be used on keys not issued by yourself; use gpg --edit-key and sign others' keys instead of issuing trust (after verifying the key in fact belongs to that party). If you do not want to issue a public certification, there's also lsign for issuing local signatures that GnuPG does not export when sharing a public key.

Jens Erat
  • "The message says GnuPG could not validate the key issuing a correct signature" - I signed this key myself, but it still shows the warning. I can remove it with the parameter "--trust-model always", but it's not the best way, I think. – user4035 Oct 28 '17 at 15:04
  • Have you issued ultimate trust on your own key, which you used for signing? This happens automatically when generating a new private key, but might not have happened if you exported the private key and imported it to a new computer. – Jens Erat Oct 28 '17 at 15:17
  • Ahh, yes, I imported my key from another computer and didn't set the trust level. After setting it to 5, everything started to work fine. Thank you. – user4035 Oct 28 '17 at 15:36
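The situation resolved in the comments above (a private key imported from another machine with no ownertrust set) can be detected from the machine-readable key listing: in `gpg --list-secret-keys --with-colons` output, field 9 of each `sec` record is the ownertrust letter, and an imported key shows `-` there instead of `u`. The script below is an added example, not code from the thread; the listing it parses is constructed sample data, and the `SAMPLE_LISTING`, `keys_missing_ultimate_trust` and `grant_ultimate_trust` names are my own.

```shell
#!/bin/sh
# Added example. Finds primary secret keys whose ownertrust is not ultimate,
# which is the state of a private key imported from another computer and the
# cause of the "It is NOT certain that the key belongs to..." warning.

# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints the
# fingerprint of every primary secret key lacking ultimate ownertrust ("u").
keys_missing_ultimate_trust() {
  awk -F: '
    $1 == "sec" { pending = ($9 != "u"); next }       # field 9: ownertrust letter
    $1 == "fpr" && pending { print $10; pending = 0 }  # first fpr after sec is the primary key
  '
}

# Marks one fingerprint as ultimately trusted using the ownertrust import
# format "FINGERPRINT:6:" (6 = ultimate). Only ever apply this to your own keys.
grant_ultimate_trust() {
  printf '%s:6:\n' "$1" | gpg --import-ownertrust
}

# Constructed sample listing (not real keys): Alice's key was generated locally
# and got ownertrust "u" automatically; Bob's key was imported and has none ("-").
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1500000000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
ssb:u:4096:1:1111111111111111:1500000000::::::e:::+:::23:
fpr:::::::::0000000000000000000000001111111111111111:
sec:-:4096:1:FEDCBA9876543210:1500000000:::-:::scESC:::+:::23::0:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
uid:-::::1500000000::0000000000000000000000000000000000000000::Bob <bob@example.org>::::::::::0:'

# Stand-alone run: report on the sample, then on the real keyring if gpg exists.
# Prints 000000000000000000000000FEDCBA9876543210 for the sample.
printf '%s\n' "$SAMPLE_LISTING" | keys_missing_ultimate_trust
if command -v gpg >/dev/null 2>&1; then
  gpg --list-secret-keys --with-colons 2>/dev/null | keys_missing_ultimate_trust
fi
```

Each fingerprint the function reports can then be passed to `grant_ultimate_trust` once you have confirmed it is a key you generated yourself; for anyone else's key, sign or lsign it as the answer describes instead.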
The warning is always shown except for your own keys (level 5), which are accepted per se.

The gpg trust levels are explained here: https://gpgtools.tenderapp.com/kb/faq/what-is-ownertrust-trust-levels-explained

OscarAkaElvis
    While this answer is technically not wrong (indeed, issuing ultimate trust would prevent the warning message), I'd consider it dangerous, as it somewhat invites issuing ultimate trust on other people's keys without explaining the actual meaning. – Jens Erat Oct 28 '17 at 13:03
You have assigned a trust level to a key that has not been verified yet. Verification works by finding a path of trustworthy keys from a key with ultimate trust (which should be your own key) through signatures made by trusted keys to the key being verified.

In your case, the trust path is rather short, since you have signed the key. Since it's not showing as verified, this means that your own key is not marked as trusted.

By marking the other person's key as trusted, all keys they sign are now also marked as verified.

Simon Richter