View Source

Establishing trust in important CNS keys.

You should have already setup your system, setup your account, and either generated a new key or imported your old key.

Be sure your keypair exists and is ultimately trusted

# Check to be sure your public key is ultimately trusted.
$ gpg --list-options show-uid-validity --list-key $LOGNAME
pub   3072R/FA6C4994 2011-10-05 [expires: 2021-10-02]
uid       [ultimate] Phillip E Benchoff <benchoff@vt.edu>
sub   3072R/363340BA 2011-10-05 [expires: 2016-10-03]

sec   3072R/FA6C4994 2011-10-05 [expires: 2021-10-02]
uid                  Phillip E Benchoff <benchoff@vt.edu>
ssb   3072R/363340BA 2011-10-05

Load the list of important CNS keys

gpg --recv-keys 90D808E2 80319F94 FA6C4994 D827583D
gpg: requesting key 90D808E2 from hkps server keyserver.cns.vt.edu
gpg: requesting key 80319F94 from hkps server keyserver.cns.vt.edu
gpg: requesting key FA6C4994 from hkps server keyserver.cns.vt.edu
gpg: requesting key D827583D from hkps server keyserver.cns.vt.edu
gpg: /dev/shm/benchoff/trustdb.gpg: trustdb created
gpg: key 90D808E2: public key "Carl Harris <ceharris@vt.edu>" imported
gpg: key 80319F94: public key "Laurie Zirkle <lat@vt.edu>" imported
gpg: key FA6C4994: public key "Phillip E Benchoff <benchoff@bev.net>" imported
gpg: WARNING: digest algorithm MD5 is deprecated
gpg: please see http://www.gnupg.org/faq/weak-digest-algos.html for more information
gpg: key D827583D: public key "Phillip E Benchoff <benchoff@bev.net>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 4
gpg:               imported: 4  (RSA: 4)

Set trust and/or sign each key

# obtain the fingerprint for the key
$ gpg --fingerprint 90D808E2
pub   2048R/90D808E2 2011-02-17
      Key fingerprint = 22E2 04A6 657E FA4C D669  E438 C928 091B 90D8 08E2
uid       [ unknown] Carl Harris <ceharris@vt.edu>
uid       [ unknown] [jpeg image of size 5229]
sub   2048R/63916311 2011-02-17 [expires: 2013-02-16]

# Verify the fingerprint in person

# Set the key as fully trusted
$ gpg --ask-cert-level --edit-key 90D808E2
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   2  signed:   1  trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2021-10-02
pub  2048R/90D808E2  created: 2011-02-17  expires: never       usage: SC  
                     trust: unknown       validity: undefined
sub  2048R/63916311  created: 2011-02-17  expires: 2013-02-16  usage: E   
[  undef ] (1). Carl Harris <ceharris@vt.edu>
[ unknown] (2)  [jpeg image of size 5229]

# Note that as we start, UIDs, trust, and validity are all unknown or undefined.
# The UIDs and validity will be "full" if the key is signed by a fully-trusted key.

# Verify the fingerprint and compare to your out-of-band-copy
gpg> fpr
pub   2048R/90D808E2 2011-02-17 Carl Harris <ceharris@vt.edu>
 Primary key fingerprint: 22E2 04A6 657E FA4C D669  E438 C928 091B 90D8 08E2

# Since this key has an image, check it.
# If you don't have a way to validate the image, use the command, use the
# uid command to select all of the UIDs you are going to sign.
gpg> showphoto
Displaying jpeg photo ID of size 5229 for key 90D808E2 (uid 2)

gpg> sign
Really sign all user IDs? (y/N) y

pub  2048R/90D808E2  created: 2011-02-17  expires: never       usage: SC  
                     trust: unknown       validity: undefined
 Primary key fingerprint: 22E2 04A6 657E FA4C D669  E438 C928 091B 90D8 08E2

     Carl Harris <ceharris@vt.edu>
     [jpeg image of size 5229]

How carefully have you verified the key you are about to sign actually belongs
to the person named above?  If you don't know what to answer, enter "0".

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

Your selection? (enter `?' for more information): 3
Are you sure that you want to sign this key with your
key "Phillip E Benchoff <benchoff@bev.net>" (FA6C4994)

I have checked this key very carefully.

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Phillip E Benchoff <benchoff@bev.net>"
3072-bit RSA key, ID FA6C4994, created 2011-10-05

# Set the trust level to full.
# Only do this for keys you trust to certify other keys.
gpg> trust
pub  2048R/90D808E2  created: 2011-02-17  expires: never       usage: SC  
                     trust: unknown       validity: undefined
sub  2048R/63916311  created: 2011-02-17  expires: 2013-02-16  usage: E   
[  undef ] (1). Carl Harris <ceharris@vt.edu>
[ unknown] (2)  [jpeg image of size 5229]

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 4

pub  2048R/90D808E2  created: 2011-02-17  expires: never       usage: SC  
                     trust: full          validity: undefined
sub  2048R/63916311  created: 2011-02-17  expires: 2013-02-16  usage: E   
[  undef ] (1). Carl Harris <ceharris@vt.edu>
[ unknown] (2)  [jpeg image of size 5229]
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> save

# Edit again and see that the key is fully trusted and validated.
$ gpg --edit-key 90D808E2
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  2048R/90D808E2  created: 2011-02-17  expires: never       usage: SC  
                     trust: full          validity: full
sub  2048R/63916311  created: 2011-02-17  expires: 2013-02-16  usage: E   
[  full  ] (1). Carl Harris <ceharris@vt.edu>
[  full  ] (2)  [jpeg image of size 5229]

gpg> check
uid  Carl Harris <ceharris@vt.edu>
sig!         D827583D 2011-02-17  Phillip E Benchoff <benchoff@bev.net>
sig!3        80319F94 2011-10-13  Laurie Zirkle <lat@vt.edu>
sig!3        90D808E2 2011-02-17  [self-signature]
sig!3        FA6C4994 2011-11-14  Phillip E Benchoff <benchoff@bev.net>
uid  [jpeg image of size 5229]
sig!3        90D808E2 2011-10-13  [self-signature]
sig!3        FA6C4994 2011-11-14  Phillip E Benchoff <benchoff@bev.net>
2 signatures not checked due to missing keys

gpg> quit