04.30
To change the owner trust value of a given public (GPG) key you would normally use gpg --edit-key 8A581CE7. This presents a menu which lets you do all key-related tasks:
root@ubuntu-1404:~# gpg --edit-key 8A581CE7
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA
[ultimate] (1). Duplicity Backup <root@foo.bar>

gpg> trust
pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA
[ultimate] (1). Duplicity Backup <root@foo.bar>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA
[ultimate] (1). Duplicity Backup <root@foo.bar>
But that requires interaction. What if we need to do it from a shell script, for instance?
Method 1, shell magic
The output of gpg --export-ownertrust looks like this:
# List of assigned trustvalues, created Thu 30 Apr 2015 08:56:18 PM UTC
# (Use "gpg --import-ownertrust" to restore them)
A38FBA1F60F422597F6441D5E1C4C3898A581CE7:6:
So let’s see how we can recreate that without using gpg --export-ownertrust:
Get the fingerprint of key 8A581CE7:
gpg --list-keys --fingerprint | grep 8A581CE7 -A 1 | tail -1
Remove all the spaces and get the right part:
tr -d '[:space:]' | awk 'BEGIN { FS = "=" } ; { print $2 }'
Final version, fed to gpg --import-ownertrust:
echo "$( \
  gpg --list-keys --fingerprint \
  | grep 8A581CE7 -A 1 | tail -1 \
  | tr -d '[:space:]' | awk 'BEGIN { FS = "=" } ; { print $2 }' \
):6:" | gpg --import-ownertrust;
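The pipeline above selects the key by its 8-hex-digit short ID, and every key (or subkey) whose listing happens to match gets ultimate trust. The following added example, which is not code from the original post, does the same job from gpg's machine-readable listing but selects exactly one primary key by its full fingerprint; the function names and the sample listing are this example's own, modelled on the key shown on this page.

```shell
#!/bin/sh
# Added example, not code from the original post: assign ownertrust to exactly
# one key, selected by its full primary-key fingerprint rather than a short key
# ID, using only gpg's machine-readable --with-colons listing.  Function and
# variable names are this example's own.

# ownertrust_line FINGERPRINT LEVEL
#   Reads "gpg --list-keys --with-colons --fingerprint" output on stdin and
#   prints "FINGERPRINT:LEVEL:" (the --import-ownertrust format) only when
#   FINGERPRINT is on the fpr record that follows a pub/sec record, i.e. it
#   belongs to a primary key, not a subkey.  Returns 1 if no such key is listed.
ownertrust_line() {
    fpr=$1 level=$2
    # v4 fingerprints are 40 upper-case hex digits; anything else (including an
    # 8-digit short ID, which is easy to collide) is rejected up front
    case "$fpr" in *[!0-9A-F]*|'') return 2 ;; esac
    [ "${#fpr}" -eq 40 ] || return 2
    # 6 = ultimate (as used on this page); 5 = full, 4 = marginal, 3 = never
    case "$level" in [2-6]) ;; *) return 2 ;; esac
    awk -F: -v want="$fpr" -v level="$level" '
        $1 == "pub" || $1 == "sec" { primary = 1; next }  # next fpr: primary key
        $1 == "sub" || $1 == "ssb" { primary = 0; next }  # next fpr: subkey
        $1 == "fpr" && primary && $10 == want { print $10 ":" level ":"; found = 1 }
        END { exit found ? 0 : 1 }'
}

# set_ownertrust FINGERPRINT LEVEL: the live version, wired to gpg. Fails
# (instead of feeding gpg an empty list) when the key is not in the keyring.
set_ownertrust() {
    line=$(gpg --list-keys --with-colons --fingerprint | ownertrust_line "$1" "$2") || return 1
    printf '%s\n' "$line" | gpg --import-ownertrust
}

# Constructed sample listing (gpg 1.4 record order) for the key shown on this
# page; the subkey fingerprint is made up, the post only shows its short ID.
SAMPLE_LISTING='pub:u:4096:1:E1C4C3898A581CE7:2015-04-30::u:::scESCA:
fpr:::::::::A38FBA1F60F422597F6441D5E1C4C3898A581CE7:
uid:u::::2015-04-30::0000000000000000000000000000000000000000::Duplicity Backup <root@foo.bar>:
sub:u:4096:1:89ABCDEF968AB157:2015-04-30::::::esa:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF968AB157:'

# Prints "A38FBA1F60F422597F6441D5E1C4C3898A581CE7:6:" for the primary key only
printf '%s\n' "$SAMPLE_LISTING" | ownertrust_line A38FBA1F60F422597F6441D5E1C4C3898A581CE7 6
```

Asking for the subkey's fingerprint, a short ID, or an out-of-range level produces no output and a non-zero status, so nothing reaches gpg --import-ownertrust by accident.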
Method 2, expect
Expect is a program that “talks” to other interactive programs according to a script. Following the script, Expect knows what can be expected from a program and what the correct response should be.
Install expect:
apt-get install expect
Create an expect script:
root@ubuntu-1404:~# cat set-trust.exp
#!/usr/bin/expect
# Give up if gpg does not answer a prompt within 10 seconds
set timeout 10
# The key ID is the script's first argument; "trust quit" are passed as
# edit-key commands so gpg enters the trust dialog directly and exits afterwards
spawn /usr/bin/gpg --edit-key [lindex $argv 0] --yes trust quit
expect "Your decision? " { send "5\r" }
expect "Do you really want to set this key to ultimate trust? (y/N) " { send "y\r" }
interact
Run the expect script (with argument):
chmod 0755 ./set-trust.exp
./set-trust.exp 8A581CE7
Adapted a bit to include extracting the id after importing:
$ id=`gpg --import gpg_pubkey.gpg 2>&1 | awk 'NR==1 { sub(/:/,"",$3) ; print $3 }'`
$ echo $id
2CA2F779
$ gpg --list-keys --fingerprint | awk '
$0 ~ id {
  if (!/Key fingerprint =/) { getline }
  if (!/Key fingerprint =/) {
    print "No fingerprint. exiting..."
    exit 1
  }
  sub(/^.+Key fingerprint = /,"")
  gsub(/ /,"")
  print $0 ":6:"
}' id=$id | gpg --import-ownertrust
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: setting ownertrust to 6
Some more checks should probably be implemented before applying this on a larger scale.
Thanks for the script.
I found the following a little simpler to mark all keys as trusted; I managed to make it work with both GNU and OS X sed on OS X:
```
gpg --list-keys --fingerprint --with-colons |
sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |
gpg --import-ownertrust
```
If you use "--command-fd 0", gpg will take input from STDIN. So this works for me:
echo -e "trust\n5\ny\n" | gpg --command-fd 0 --edit-key 8A581CE7
Windows batch version…
(echo trust && echo 5 && echo y && echo quit) | gpg.exe --command-fd 0 --edit-key keyname
For all answers:
Please take care that — is replaced with two - 😉
Same as Amos Shapira, but the \ enables you to write 3 lines not only one.
gpg --list-keys --fingerprint --with-colons | \
sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' | \
gpg --import-ownertrust
Cool! Many thanks for the idea.
I had to modify it a bit:
gpg --list-keys --fingerprint | grep pub -A 1 | egrep -Ev "pub|--" | tr -d ' ' | awk 'BEGIN { FS = "\n" } ; { print $1":6:" }' | gpg --import-ownertrust