2015
04.30

How to ultimately trust a public key non-interactively

Category: Uncategorized / Tag:  / Add Comment

To change the owner trust value of a given public (GPG) key you would normally use the gpg --edit-key 8A581CE7. This presents us a menu which enables you to do all key related tasks:

root@ubuntu-1404:~# gpg --edit-key 8A581CE7
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA 
[ultimate] (1). Duplicity Backup <root@foo.bar>

gpg> trust
pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA 
[ultimate] (1). Duplicity Backup <root@foo.bar>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA 
[ultimate] (1). Duplicity Backup <root@foo.bar>

But that requires interaction. What if we would need to do it from a shell script for instance?

Method 1, shell magic

The output of gpg --export-ownertrust looks like this:

# List of assigned trustvalues, created Thu 30 Apr 2015 08:56:18 PM UTC
# (Use "gpg --import-ownertrust" to restore them)
A38FBA1F60F422597F6441D5E1C4C3898A581CE7:6:

So let’s see how we can recreate that without using gpg --export-ownertrust:

Get the fingerprint of key 8A581CE7:

gpg --list-keys --fingerprint | grep 8A581CE7 -A 1 | tail -1

Remove all the spaces and get the right part:

tr -d '[:space:]' | awk 'BEGIN { FS = "=" } ; { print $2 }'

final version, feeded to gpg --import-ownertrust:

echo "$( \
  gpg --list-keys --fingerprint \
  | grep 8A581CE7 -A 1 | tail -1 \
  | tr -d '[:space:]' | awk 'BEGIN { FS = "=" } ; { print $2 }' \
):6:" | gpg --import-ownertrust;

Method 2, expect

Expect is a program that “talks” to other interactive programs according to a script. Following the script, Expect knows what can be expected from a program and what the correct response should be.

Install expect:

apt-get install expect

Create an expect script:

root@ubuntu-1404:~# cat set-trust.exp 
#!/usr/bin/expect

set timeout 10

spawn /usr/bin/gpg --edit-key $argv 0 --yes trust quit

expect "Your decision? " { send "5\r" }
expect "Do you really want to set this key to ultimate trust? (y/N) " { send "y\r" }

interact

Run the expect script (with argument):

chmod 0755 ./set-trust.exp

./set-trust.exp 8A581CE7

6 comments so far

Add Your Comment
  1. Stein Arne
    Stein Arne said: 2015.09.21 15:39

    Adapted a bit to include extracting the id after importing:

    $ id=`gpg –import gpg_pubkey.gpg 2>&1 | awk ‘NR==1 { sub(/:/,””,$3) ; print $3 }’`
    $ echo $id
    2CA2F779
    $ gpg –list-keys –fingerprint | awk ‘
    $0 ~ id {
    if (!/Key fingerprint =/) { getline }
    if (!/Key fingerprint =/) {
    print “No fingerprint. exiting…”
    exit 1
    }
    sub(/^.+Key fingerprint = /,””)
    gsub(/ /,””)
    print $0 “:6:”
    }’ id=$id | gpg –import-ownertrust
    gpg: checking the trustdb
    gpg: no ultimately trusted keys found
    gpg: setting ownertrust to 6

    Some more checks should probably be implemented before applying this on a larger scale.

  2. Amos Shapira
    Amos Shapira said: 2015.09.29 03:55

    Thanks for the script.

    I found the following a little simpler to mark all keys as trusted, I manage to make it work with both GNU and OS X sed on OSX:
    “`
    gpg –list-keys –fingerprint –with-colons |
    sed -E -n -e ‘s/^fpr:::::::::([0-9A-F]+):$/\1:6:/p’ |
    gpg –import-ownertrust
    “`

  3. Einar Ryeng
    Einar Ryeng said: 2016.05.30 16:14

    If you use “–command-fd 0”, gpg will take input from STDIN. So this works for me:

    echo -e “trust\n5\ny\n” | gpg –command-fd 0 –edit-key 8A581CE7

  4. William S
    William S said: 2017.08.28 20:49

    Windows batch version…

    (echo trust && echo 5 && echo y && echo quit) | gpg.exe –command-fd 0 –edit-key keyname

  5. GS
    GS said: 2017.11.24 10:58

    For all anwsers:
    Please take care that — is replaced with two – 😉

    Same as Amos Shapira, but the \ enables you to write 3 lines not only one.

    gpg –list-keys –fingerprint –with-colons | \
    sed -E -n -e ‘s/^fpr:::::::::([0-9A-F]+):$/\1:6:/p’ | \
    gpg –import-ownertrust

  6. Zioalex
    Zioalex said: 2018.12.21 15:33

    Cool! Many thanks for the idea.
    I had to modify it a bit:
    gpg –list-keys –fingerprint |grep pub -A 1|egrep -Ev “pub|–“|tr -d ‘ ‘ | awk ‘BEGIN { FS = “\n” } ; { print $1″:6:” } ‘ | gpg –import-ownertrust

Your Comment