04.30
To change the owner trust value of a given public (GPG) key you would normally use `gpg --edit-key 8A581CE7`. This presents a menu which lets you do all key related tasks:

```
root@ubuntu-1404:~# gpg --edit-key 8A581CE7
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA
[ultimate] (1). Duplicity Backup <root@foo.bar>

gpg> trust
pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA
[ultimate] (1). Duplicity Backup <root@foo.bar>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA
[ultimate] (1). Duplicity Backup <root@foo.bar>
```
But that requires interaction. What if we need to do it from a shell script, for instance?
Method 1, shell magic
The output of `gpg --export-ownertrust` looks like this:

```
# List of assigned trustvalues, created Thu 30 Apr 2015 08:56:18 PM UTC
# (Use "gpg --import-ownertrust" to restore them)
A38FBA1F60F422597F6441D5E1C4C3898A581CE7:6:
```
So let's see how we can recreate that without using `gpg --export-ownertrust`:

Get the fingerprint of key 8A581CE7:

```
gpg --list-keys --fingerprint | grep 8A581CE7 -A 1 | tail -1
```

Remove all the spaces and take the part after the `=`:

```
tr -d '[:space:]' | awk 'BEGIN { FS = "=" } ; { print $2 }'
```

Final version, fed to `gpg --import-ownertrust`:

```
echo "$( \
  gpg --list-keys --fingerprint \
  | grep 8A581CE7 -A 1 | tail -1 \
  | tr -d '[:space:]' | awk 'BEGIN { FS = "=" } ; { print $2 }' \
):6:" | gpg --import-ownertrust
```
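The same idea driven by the machine-readable `--with-colons` output, as an added example that is not part of the original post: the function below builds the `--import-ownertrust` line for exactly one key, selected by key ID, so that no other key in the keyring (and no subkey fingerprint) gets its trust changed. It assumes the colon format shown in this page's comments, where the `fpr` record following a `pub` record carries the primary key's fingerprint in field 10; the sample input and the second key in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: build the --import-ownertrust
# line for ONE key selected by key ID, from `gpg --list-keys --fingerprint
# --with-colons` output, so that no other key in the keyring is touched.
# Assumes the colon format shown on the page: the "fpr" record right after a
# "pub" record carries the primary key's fingerprint in field 10.

# Usage: ownertrust_line KEYID [TRUSTVALUE] < colon-output
# Prints "FINGERPRINT:TRUSTVALUE:" (default 6 = ultimate) for the primary key
# whose fingerprint ends in KEYID; prints nothing and returns 1 unless
# exactly one key matches.
ownertrust_line() {
    awk -F: -v id="$1" -v t="${2:-6}" '
        BEGIN { id = toupper(id) }
        $1 == "pub" { want = 1; next }   # next fpr record is this primary key
        $1 == "sub" { want = 0; next }   # subkey fingerprints never qualify
        $1 == "fpr" && want {
            want = 0
            fpr = $10
            if (substr(fpr, length(fpr) - length(id) + 1) == id) {
                printf "%s:%s:\n", fpr, t
                n++
            }
        }
        END { exit (n == 1) ? 0 : 1 }'
}

# Constructed sample of `gpg --list-keys --fingerprint --with-colons` output:
# the page's key (fingerprint from the post) plus a second, made-up key.
SAMPLE='tru::1:1430427378:0:3:1:5
pub:u:4096:1:E1C4C3898A581CE7:2015-04-30:::u:::scESCA:
fpr:::::::::A38FBA1F60F422597F6441D5E1C4C3898A581CE7:
uid:u::::2015-04-30::0000000000000000000000000000000000000000::Duplicity Backup <root@foo.bar>:
sub:u:4096:1:89ABCDEF968AB157:2015-04-30::::::esa:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF968AB157:
pub:-:2048:1:76543210DEADBEEF:2015-01-01:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210DEADBEEF:
uid:-::::2015-01-01::1111111111111111111111111111111111111111::Other Key <other@example.invalid>:'

# Stand-alone demo: emit the trust line for 8A581CE7. Against a real keyring,
# feed `gpg --list-keys --fingerprint --with-colons` in and pipe the result
# into `gpg --import-ownertrust`.
printf '%s\n' "$SAMPLE" | ownertrust_line 8A581CE7
```

Because the function exits non-zero when zero or several keys match, a script can stop before calling `gpg --import-ownertrust` instead of silently trusting the wrong key.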
Method 2, expect
Expect is a program that “talks” to other interactive programs according to a script. Following the script, Expect knows what can be expected from a program and what the correct response should be.
Install expect:

```
apt-get install expect
```

Create an expect script (the key ID is taken from the first command line argument with `lindex`):

```
root@ubuntu-1404:~# cat set-trust.exp
#!/usr/bin/expect
set timeout 10
# first argument: the key ID to edit; gpg runs the "trust" and "quit" commands
spawn /usr/bin/gpg --edit-key [lindex $argv 0] --yes trust quit
expect "Your decision? " { send "5\r" }
expect "Do you really want to set this key to ultimate trust? (y/N) " { send "y\r" }
interact
```

Run the expect script (with argument):

```
chmod 0755 ./set-trust.exp
./set-trust.exp 8A581CE7
```
Adapted a bit to include extracting the id after importing:
```
$ id=`gpg --import gpg_pubkey.gpg 2>&1 | awk 'NR==1 { sub(/:/,"",$3) ; print $3 }'`
$ echo $id
2CA2F779
$ gpg --list-keys --fingerprint | awk '
$0 ~ id {
    if (!/Key fingerprint =/) { getline }
    if (!/Key fingerprint =/) {
        print "No fingerprint. exiting..."
        exit 1
    }
    sub(/^.+Key fingerprint = /,"")
    gsub(/ /,"")
    print $0 ":6:"
}' id=$id | gpg --import-ownertrust
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: setting ownertrust to 6
```
Some more checks should probably be implemented before applying this on a larger scale.
Thanks for the script.
I found the following a little simpler to mark all keys as trusted; I managed to make it work with both GNU and OS X sed on OSX:

```
gpg --list-keys --fingerprint --with-colons |
sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |
gpg --import-ownertrust
```
If you use `--command-fd 0`, gpg will take input from STDIN. So this works for me:

```
echo -e "trust\n5\ny\n" | gpg --command-fd 0 --edit-key 8A581CE7
```
Windows batch version...

```
(echo trust && echo 5 && echo y && echo quit) | gpg.exe --command-fd 0 --edit-key keyname
```
For all answers:
Please take care that — is replaced with two – 😉
Same as Amos Shapira, but the `\` enables you to write it on 3 lines instead of one.

```
gpg --list-keys --fingerprint --with-colons | \
sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' | \
gpg --import-ownertrust
```
Cool! Many thanks for the idea.
I had to modify it a bit:

```
gpg --list-keys --fingerprint | grep pub -A 1 | egrep -Ev "pub|--" | tr -d ' ' | awk 'BEGIN { FS = "\n" } ; { print $1":6:" } ' | gpg --import-ownertrust
```
I find all the above solutions overly complicated. This is my input:

```
gpg --list-keys --fingerprint 8A581CE7 | gawk 'NR==2 {gsub(/ /, ""); printf("%s:6:\n", $0)}' | gpg --import-ownertrust
```
Simplifications are:
1. Picking the requested key only
2. With Gnu AWK choosing the 2nd line with key ID
3. Remove all whitespace on that row
4. Format the output as needed by --import-ownertrust
5. Done!