2015
04.30

To change the owner trust value of a given public (GPG) key you would normally use gpg --edit-key 8A581CE7. This presents a menu that lets you perform all key-related tasks:

root@ubuntu-1404:~# gpg --edit-key 8A581CE7
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA 
[ultimate] (1). Duplicity Backup <root@foo.bar>

gpg> trust
pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA 
[ultimate] (1). Duplicity Backup <root@foo.bar>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/8A581CE7  created: 2015-04-30  expires: never       usage: SCEA
                     trust: ultimate      validity: ultimate
sub  4096R/968AB157  created: 2015-04-30  expires: never       usage: SEA 
[ultimate] (1). Duplicity Backup <root@foo.bar>

But that requires interaction. What if we need to do it from a shell script, for instance?

Method 1, shell magic

The output of gpg --export-ownertrust looks like this:

# List of assigned trustvalues, created Thu 30 Apr 2015 08:56:18 PM UTC
# (Use "gpg --import-ownertrust" to restore them)
A38FBA1F60F422597F6441D5E1C4C3898A581CE7:6:

So let’s see how we can recreate that without using gpg --export-ownertrust:

Get the fingerprint of key 8A581CE7:

gpg --list-keys --fingerprint | grep 8A581CE7 -A 1 | tail -1

Remove all the spaces and get the right part:

tr -d '[:space:]' | awk 'BEGIN { FS = "=" } ; { print $2 }'

Final version, fed to gpg --import-ownertrust:

echo "$( \
  gpg --list-keys --fingerprint \
  | grep 8A581CE7 -A 1 | tail -1 \
  | tr -d '[:space:]' | awk 'BEGIN { FS = "=" } ; { print $2 }' \
):6:" | gpg --import-ownertrust;
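Grepping the human-readable listing for a short key ID works on this one machine but is fragile, so here is an added example (not from the original post) that builds the same ownertrust line from the machine-readable --with-colons output instead. It takes only the fpr record that belongs to the primary key, never a subkey's, and maps the trust names onto the numeric values the ownertrust file uses (2..6, which are offset from the 1..5 choices of the interactive menu). The sample listing is constructed around the fingerprint shown above; the subkey's long ID and fingerprint in it are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: build an
# --import-ownertrust line from `gpg --list-keys --fingerprint --with-colons`
# output, using only the primary key's fpr record (the one that follows a pub
# record, not a sub record) so subkey fingerprints are never emitted.

# Numeric values used by --export-ownertrust / --import-ownertrust.  They are
# offset from the 1..5 choices of the interactive "trust" menu:
# 2=undefined, 3=never, 4=marginal, 5=full, 6=ultimate.
trust_value() {
  case "$1" in
    undefined) echo 2 ;;
    never)     echo 3 ;;
    marginal)  echo 4 ;;
    full)      echo 5 ;;
    ultimate)  echo 6 ;;
    *) echo "unknown trust level: $1" >&2; return 1 ;;
  esac
}

# ownertrust_line KEYID TRUSTNAME  (colon listing on stdin)
# KEYID may be a short (8 hex) or long (16 hex) key ID; it is matched against
# the end of field 5 of the pub record.  Prints "FINGERPRINT:N:" and returns
# non-zero when no primary key matches.
ownertrust_line() {
  value=$(trust_value "$2") || return 1
  awk -F: -v want="$1" -v val="$value" '
    $1 == "pub" { in_pub = (substr($5, length($5) - length(want) + 1) == want); next }
    $1 == "sub" { in_pub = 0; next }
    $1 == "fpr" && in_pub && length($10) == 40 && $10 ~ /^[0-9A-F]+$/ {
      print $10 ":" val ":"; found = 1
    }
    END { exit found ? 0 : 1 }
  '
}

# Constructed sample listing (simplified): the primary key uses the fingerprint
# shown in the post; the subkey's fingerprint and long ID are made up.
SAMPLE_LISTING='tru::1:1430427378:0:3:1:5
pub:u:4096:1:E1C4C3898A581CE7:1430427378:::u:::scaESCA:
fpr:::::::::A38FBA1F60F422597F6441D5E1C4C3898A581CE7:
uid:u::::1430427378::0123456789ABCDEF0123456789ABCDEF01234567::Duplicity Backup <root@foo.bar>:
sub:u:4096:1:89AB0000968AB157:1430427378::::::esa:
fpr:::::::::0123456789ABCDEF0123456789AB0000968AB157:'

# Demo: prints A38FBA1F60F422597F6441D5E1C4C3898A581CE7:6:
# Against a real keyring, feed the listing from gpg instead of printf, e.g.:
#   gpg --list-keys --fingerprint --with-colons | ownertrust_line 8A581CE7 ultimate | gpg --import-ownertrust
printf '%s\n' "$SAMPLE_LISTING" | ownertrust_line 8A581CE7 ultimate
```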

Method 2, expect

Expect is a program that “talks” to other interactive programs according to a script. Following the script, Expect knows what can be expected from a program and what the correct response should be.

Install expect:

apt-get install expect

Create an expect script:

root@ubuntu-1404:~# cat set-trust.exp 
#!/usr/bin/expect

set timeout 10

# first script argument is the key ID; "trust" and "quit" run as edit-key commands
spawn /usr/bin/gpg --yes --edit-key [lindex $argv 0] trust quit

expect "Your decision? " { send "5\r" }
expect "Do you really want to set this key to ultimate trust? (y/N) " { send "y\r" }

interact

Run the expect script (with argument):

chmod 0755 ./set-trust.exp

./set-trust.exp 8A581CE7

7 comments so far

  1. Adapted a bit to include extracting the id after importing:

    $ id=`gpg --import gpg_pubkey.gpg 2>&1 | awk 'NR==1 { sub(/:/,"",$3) ; print $3 }'`
    $ echo $id
    2CA2F779
    $ gpg --list-keys --fingerprint | awk '
    $0 ~ id {
      if (!/Key fingerprint =/) { getline }
      if (!/Key fingerprint =/) {
        print "No fingerprint. exiting..."
        exit 1
      }
      sub(/^.+Key fingerprint = /,"")
      gsub(/ /,"")
      print $0 ":6:"
    }' id=$id | gpg --import-ownertrust
    gpg: checking the trustdb
    gpg: no ultimately trusted keys found
    gpg: setting ownertrust to 6

    Some more checks should probably be implemented before applying this on a larger scale.

  2. Thanks for the script.

    I found the following a little simpler to mark all keys as trusted; I managed to make it work with both GNU and OS X sed on OSX:

    gpg --list-keys --fingerprint --with-colons |
    sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |
    gpg --import-ownertrust

  3. If you use "--command-fd 0", gpg will take input from STDIN. So this works for me:

    echo -e "trust\n5\ny\n" | gpg --command-fd 0 --edit-key 8A581CE7

  4. Windows batch version…

    (echo trust && echo 5 && echo y && echo quit) | gpg.exe --command-fd 0 --edit-key keyname

  5. For all answers:
    Please take care that – is replaced with two - 😉

    Same as Amos Shapira, but the \ enables you to write 3 lines, not only one.

    gpg --list-keys --fingerprint --with-colons | \
    sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' | \
    gpg --import-ownertrust

  6. Cool! Many thanks for the idea.
    I had to modify it a bit:
    gpg --list-keys --fingerprint | grep pub -A 1 | egrep -Ev "pub|--" | tr -d ' ' | awk 'BEGIN { FS = "\n" } ; { print $1":6:" } ' | gpg --import-ownertrust

  7. I find all above solutions overly complicated. This is my input:
    gpg --list-keys --fingerprint 8A581CE7 | gawk 'NR==2 {gsub(/ /, ""); printf("%s:6:\n", $0)}' | gpg --import-ownertrust

    Simplifications are:
    1. Picking the requested key only
    2. With Gnu AWK choosing the 2nd line with key ID
    3. Remove all whitespace on that row
    4. Format the output as needed by --import-ownertrust
    5. Done!