50

I'm new to this PGP thing. Here are my questions: Verification
When I do this, I'm given the message "This key is not certified with a trusted signature". Is there anyway to make it trusted and better yet what's the proper way for doing so?

[root@dev /]# gpg --verify bind-9.9.4-P2.tar.gz.sha512.asc bind-9.9.4-P2.copiedlink.tar.gz
gpg: Signature made Fri 03 Jan 2014 01:58:50 PM PST using RSA key ID 189CDBC5
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2013) <codesign@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B48 A38A E1CF 9886 435F  89EE 45AC 7857 189C DBC5

Managing Key
I downloaded and saved a public key as isc.public.key, and imported it using the following command:

gpg –import isc.public.key

I'm sure there is an expiration date on it so how do I do the following:

  1. Find out when it expires? In fact does GPG tells me when the key I've imported has already expired when I do a "gpg --verify"?
  2. Update the key. Do I have to delete the key and re-import when this happens?

Thanks!

user192702
  • 921
  • 4
  • 15
  • 22
  • 2
    As larsks said, good security is hard; and this is a little flip in response to a sincere question with reasonable detail, no? If I'm wrong I'm sure to recieve a smackdown, and I can't afford any loss of "status" with my total standing at 118 ;-} That said I'm voting you up for the 'web of trust' search term suggestion. – Sinthia V May 05 '16 at 20:30

1 Answers1

61

When I do this, I'm given the message "This key is not certified with a trusted signature". Is there anyway to make it trusted and better yet what's the proper way for doing so?

A "trusted signature" is a signature from a key that you trust, either because (a) you have personally verified that it belongs to the person to whom it claims to belong, or (b) because it has been signed by a key that you trust, possibly through a series of intermediate keys.

You can edit the trust level of keys by running "gpg --edit-key ", and then using the trust command. This section of the GPG manual discusses key trust, and it's worth a read: good security is hard.

Note that the warning "This key is not certified with a trusted signature" basically means, "this thing could have been signed by anybody". I can create a key that claims to be for "Internet Systems Consortium, Inc. (Signing key, 2013) ", and sign things with it, and GPG will happily confirm that yes, the things I signed were signed with my key. To avoid this problem, you would presumably download the ISC GPG key from the website and either trust it ultimately ("I believe this entity can certify itself") or sign it with your ultimately-trusted private key. Without proper management of key trust, signature verification is mostly theater.

Find out when it expires?

Running gpg -k <keyid> will show you when a given key expires. For example, I created a key that expires tomorrow, and gpg -k <keyid> gives me:

$ gpg -k 0xD4C2B757C3FAE256
pub   2048R/0xD4C2B757C3FAE256 2014-01-26 [expires: 2014-01-27]
uid                 [ultimate] Test User <testuser@example.com>
sub   2048R/0xE87A56CDCC670D7A 2014-01-26 [expires: 2014-01-27]

You can see that the expiration dates on subkeys are clearly marked. Note that subkeys used for signing and encryption may have different expiration dates from the primary key. You can read more about subkeys here.

In fact does GPG tells me when the key I've imported has already expired when I do a "gpg --verify"?

Yes, GPG will notify you about an expired key. Note that this does not necessarily represent a problem: the signature was valid when the document was signed.

Update the key. Do I have to delete the key and re-import when this happens?

You should have you GPG environment configured to use a keyserver, and periodically run gpg --refresh-keys. This will update any keys in your keyring with new information from the keyserver, which may include:

  • new expiration dates
  • additional signatures on the key

If a person or organization begins using a new key, you would just add it to your keychain -- you would not need to delete the existing key.

larsks
  • 41,276
  • 13
  • 117
  • 170