> On Fri 23/07/10 11:48 AM , David Smith dave.sm...@st.com sent:
> > I need to be able to ultimately trust a public key
> > in batch mode, that I have downloaded automatically with wget from an
> > internal server over HTTPS.
>
> I think that you might be confusing "trust" with "validity".
>
> If you want it to blindly encrypt data using a key that it's downloaded
> from a keyserver without you having signed it (or without it being
> declared valid by the web-of-trust), then you can use "--always-trust"
> when doing the encryption.
>

I don't think I'm confused. I need this for verifying digital signatures only. I'm not encrypting. Let me demonstrate:

Attempt 1: this is no good for me ...

    # gpg --import /tmp/swrepo.pub
    gpg: key 61404A7B: public key "swrepo server <r...@testhost>" imported
    gpg: Total number processed: 1
    gpg: imported: 1
    # gpg --verify catalog
    gpg: Signature made 23 July 2010 11:44:51 BST using DSA key ID 61404A7B
    gpg: checking the trustdb
    gpg: no ultimately trusted keys found
    gpg: Good signature from "swrepo server <r...@testhost>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.

Attempt 2: this is also no good for me ...

    # gpg --trust-model always --verify catalog
    gpg: Signature made 23 July 2010 11:44:51 BST using DSA key ID 61404A7B
    gpg: Good signature from "swrepo server <r...@testhost>"
    gpg: WARNING: Using untrusted key!

Attempt 3: this is what I'm after ...

    # gpg --edit-key "swrepo server" trust quit
    ...
    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)

      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      5 = I trust ultimately
      m = back to the main menu

    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y
    ...
    # gpg --verify catalog
    gpg: Signature made 23 July 2010 11:44:51 BST using DSA key ID 61404A7B
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: Good signature from "swrepo server <r...@testhost>"

So I need to ultimately trust a public key non-interactively. Which I can't do unless I have a way of telling gpg how far I trust the key in batch mode.

This doesn't work:

    # gpg --batch --yes --edit-key "swrepo server" trust quit
    ...
    gpg: Sorry, we are in batchmode - can't get input

If the option existed, I'd imagine this is how I would do it:

    # gpg --batch --yes --trust-level 5 --edit-key "swrepo server" trust quit

or perhaps:

    # gpg --trust-key "swrepo server" 5

but of course I've made those options up, they don't exist.

So the questions are a) is there already a way of achieving this? and b) if not, I'm happy to submit a patch to add the option, which of the above options makes more sense?

Regards,
Mark.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
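
Added example, not part of the original message and not GnuPG project code: gpg already has a batch-mode route to the ultimate trust that Attempt 3 sets by hand. `--import-ownertrust` reads `FINGERPRINT:LEVEL:` records in the format written by `--export-ownertrust`, where level 6 is ultimate. The script only emits such a record when the imported primary key matches a fingerprint obtained out of band. The function names, the 40-hex (v4) length check and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): batch-mode ultimate trust for a pinned key.
# Function names and the sample listing below are constructed for illustration.

# Normalise a fingerprint: strip spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# stdin: `gpg --with-colons --with-fingerprint` listing. Prints the fingerprint
# of each primary key: field 10 of the first "fpr" record after a "pub" record.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# $1 = pinned fingerprint, stdin = colon listing. Prints the ownertrust record
# "<FPR>:6:" (6 = ultimate) only if the listing is exactly that one primary key.
ownertrust_record() {
    pinned=$(norm_fpr "$1")
    found=$(primary_fingerprints)
    [ "${#pinned}" -eq 40 ] && [ "$found" = "$pinned" ] || return 1
    printf '%s:6:\n' "$pinned"
}

# $1 = downloaded key file, $2 = fingerprint obtained out of band.
trust_pinned_key() {
    gpg --batch --import "$1" || return 1
    record=$(gpg --batch --with-colons --with-fingerprint \
                 --list-keys "$(norm_fpr "$2")" | ownertrust_record "$2") || {
        echo "pinned fingerprint not in keyring; no trust assigned" >&2
        return 1
    }
    printf '%s\n' "$record" | gpg --batch --import-ownertrust
}

# Constructed listing (made-up key and fingerprints) for an offline check.
SAMPLE_LISTING='pub:-:1024:17:89ABCDEF01234567:1279881891:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1279881891::::swrepo example <root@example.invalid>:
sub:-:2048:16:76543210FEDCBA98:1279881891::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Usage: sh trust-key.sh /tmp/swrepo.pub "<40-hex fingerprint>"
if [ "$#" -eq 2 ]; then trust_pinned_key "$1" "$2"; fi
```

A key that does not match the pinned fingerprint is still imported but receives no ownertrust, so a later `gpg --verify` keeps printing the warning shown in Attempt 1.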