4

I just need to trust a bunch of public keys to use them with pass. Unfortunately I didn't find an easy way to trust all the public keys I've stored locally. The process I found is quite expensive in terms of time:

> gpg --edit-key XXXXXXXXXXXXXXXX
  gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.

pub  rsa4096/XXXXXXXXXXXXXXXX
     created: 2018-11-16  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa4096/XXXXXXXXXXXXXXXX
     created: 2018-11-16  expires: never       usage: E   
[ unknown] (1). email@example.com

gpg> trust
pub  rsa4096/XXXXXXXXXXXXXXXX
     created: 2018-11-16  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa4096/XXXXXXXXXXXXXXXX
     created: 2018-11-16  expires: never       usage: E   
[ unknown] (1). email@example.com

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? y
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/XXXXXXXXXXXXXXXX
     created: 2018-11-16  expires: never       usage: SC  
     trust: ultimate      validity: unknown
sub  rsa4096/XXXXXXXXXXXXXXXX
     created: 2018-11-16  expires: never       usage: E   
[ unknown] (1). email@example.com
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> q

How to do it quickly?

Zioalex

1 Answer

6

Looking around I found a blog that describes the process: ow-to-ultimately-trust-a-public-key-non-interactively

The solution proposed there however doesn't work with the current gpg version. To make it work I used the following commands:

# Take the fingerprint line printed after each "pub" line, strip its spaces,
# append ":6:" (ownertrust level 6 = ultimate) and feed the result to gpg.
gpg --list-keys --fingerprint | grep pub -A 1 | grep -Ev "pub|--" | tr -d ' ' \
 | awk 'BEGIN { FS = "\n" } ; { print $1":6:" } ' | gpg --import-ownertrust

Basically it creates an ownertrust text that is then imported on the fly by gpg.

Zioalex
  • You might want to use `:5:` which is "I trust fully" rather than `:6:` which is "I trust ultimately" (which really should only be used for your own keys...) – Potherca Nov 24 '20 at 15:38
  • I mean, you shouldn't do this at all. There's a reason gpg doesn't have a simple way to do it built in. You should verify fingerprints before trusting keys, and the fingerprints should be sent through a different communications channel than the one you got the key from. You're really just turning "pretty good privacy" into "who knows if there's privacy". – Tom Dec 22 '21 at 09:28
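A variant of the answer's pipeline that takes the two comments into account, written here as an added example (not code from the post): it parses gpg's machine-readable `--with-colons` listing instead of the human-readable one, and emits an ownertrust line only for primary-key fingerprints that appear in a list you have already verified over a separate channel. The keyring listing, the fingerprints and the e-mail addresses below are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons --fingerprint` output:
# two primary keys (pub) and one subkey (sub); each is followed by its
# fpr record, whose 10th field holds the full fingerprint.
KEYRING_COLONS='tru::1:1606000000:0:3:1:5
pub:-:4096:1:AAAAAAAAAAAAAAAA:1542326400:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1542326400::HASH::alice@example.com::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1542326400::::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1542326400:::-:::scESC::::::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
uid:-::::1542326400::HASH::bob@example.com::::::::::0:'

# Fingerprints that were checked against an independent source (constructed).
VERIFIED_FPRS='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# make_ownertrust LISTING VERIFIED LEVEL
# Prints "<fingerprint>:<level>:" for every primary-key fingerprint in
# LISTING that is also in VERIFIED (space- or newline-separated).
# Subkey fingerprints are skipped: ownertrust is a property of the primary key.
# LEVEL 5 = full trust, 6 = ultimate (normally reserved for your own keys).
make_ownertrust() {
    printf '%s\n' "$1" | awk -F: -v verified="$2" -v level="$3" '
        BEGIN {
            n = split(verified, v, "[ \n]+")
            for (i = 1; i <= n; i++) ok[v[i]] = 1
        }
        $1 == "pub" { primary = 1; next }          # next fpr belongs to a primary key
        $1 == "fpr" && primary && ok[$10] { print $10 ":" level ":" }
        { primary = 0 }                            # any other record ends the pairing
    '
}

# Stand-alone run on the constructed listing; prints one line for Alice's key.
make_ownertrust "$KEYRING_COLONS" "$VERIFIED_FPRS" 5
# Against a real keyring the output would be piped into gpg --import-ownertrust:
#   make_ownertrust "$(gpg --list-keys --with-colons --fingerprint)" "$VERIFIED_FPRS" 5 | gpg --import-ownertrust
```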