Mailing List Archive

[0.4.5] no chained trust possible?
I have some trouble getting a chain of trust with GPG 0.4.4 and 0.4.5.
As far as I can remember, 0.4.3 (and the CVS snapshot I got at
98-11-10) didn't have this problem.

Here's what happened: I signed the key of Thomas Roessler and fully
trust it as an introducer (this trust was imported from my PGP 2.*
keyring, but it worked with 0.4.3, too). If I read a message by
someone whose key is signed by Thomas, her key should be trusted,
too.

But when I try this, I get:

gpg: Signature made Sun Mar 1 14:44:26 1998 CET using RSA key ID A9B8829D
gpg: Good signature from "Bettina Fink <laura@krell.snafu.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

But now let's have a look at the keys (I manually removed the
signatures that aren't needed here from the list):

$ gpg -kvv 0xA9B8829D

pub 1024R/A9B8829D 1996-03-07 Bettina Fink <laura@krell.snafu.de>
sig A9B8829D 1997-05-27 Bettina Fink <laura@krell.snafu.de>
uid Bettina Fink <laura@caissa.franken.de>
sig A9B8829D 1997-05-11 Bettina Fink <laura@krell.snafu.de>
sig 593238E1 1996-11-21 Thomas Roessler <roessler@guug.de>
uid Bettina Fink <laura@sisyphus.franken.de>
sig A9B8829D 1996-08-21 Bettina Fink <laura@krell.snafu.de>
uid Bettina Fink <laura@oops.franken.de>
sig A9B8829D 1997-05-10 Bettina Fink <laura@krell.snafu.de>
uid Bettina Fink <laura@caissa.mayn.de>
sig A9B8829D 1997-05-11 Bettina Fink <laura@krell.snafu.de>
sig 593238E1 1996-11-25 Thomas Roessler <roessler@guug.de>

So Thomas signed two of her uids with his 0x593238E1 key, which looks
like this (again all irrelevant signatures manually removed):

pub 1280R/593238E1 1996-01-19 Thomas Roessler <roessler@guug.de>
sig 593238E1 1997-05-19 Thomas Roessler <roessler@guug.de>
uid Thomas Roessler <Thomas.Roessler@Sobolev.Rhein.DE>
sig FCF20B7D 1997-01-06 Ulf Moeller <um@c2.net>
sig A9B8829D 1996-11-21 Bettina Fink <laura@krell.snafu.de>
sig 593238E1 1996-01-21 Thomas Roessler <roessler@guug.de>
sig DD08DD6D 1996-01-21 Roland Rosenfeld <roland@spinnaker.rhein.de>

So you can see that I myself signed his key and I completely trust
his key in the keyring imported from PGP 2. But I was unsure, so I ran

gpg --edit-key 0x593238E1

This shows me:

pub 1280R/593238E1 created: 1996-01-19 expires: never trust: -/f
(1) Thomas Roessler <roessler@guug.de>
(2) Thomas Roessler <Thomas.Roessler@Sobolev.Rhein.DE>

(BTW: "trust: -/f" isn't very intuitive, maybe the output should be
more verbose?)

I entered the command "trust" and asked for more information using
"s". This is the answer of gpg:

Certificates leading to an ultimately trusted key:
1280R/593238E1.5472 1996-01-19 "Thomas Roessler <roessler@guug.de>"
1024R/FCF20B7D.7767 1994-03-22 "Ulf Moeller <um@c2.net>"
512R/F0841B11.4303 1994-04-23 "Arno Eigenwillig <arno@yaps.rhein.de>"
1024R/DD08DD6D.4215 1995-01-15 "Roland Rosenfeld <roland@spinnaker.rhein.de>"

This isn't incorrect, but it also isn't the short path (I myself
signed 0x593238E1 directly using 0xDD08DD6D) I expected. I ignored
this funny path and selected "4 = I trust fully". After "save"
I tried again to check Bettina's signature, but I still get the
message that it isn't trusted.

After this I ran gpgm --update-trustdb and gpgm --check-trustdb, but
this didn't change the trust of Bettina's key, either.

Just for the notes:

gpg --edit-key 0xA9B8829D

gives the following output:

pub 1024R/A9B8829D created: 1996-03-07 expires: never trust: -/q
(1) Bettina Fink <laura@krell.snafu.de>
(2) Bettina Fink <laura@caissa.franken.de>
(3) Bettina Fink <laura@sisyphus.franken.de>
(4) Bettina Fink <laura@oops.franken.de>
(5) Bettina Fink <laura@caissa.mayn.de>

But I don't know what "-/q" exactly means...


Many open questions, but Werner told me that he gets too few bug
reports, so here's a very confused one. I fear that the biggest
problem is sitting in front of my keyboard, but I don't see my
mistakes...

Ciao

Roland

--
* Internet: roland@spinnaker.rhein.de * Fido: 2:2450/42 *
PGP: 1024/DD08DD6D 2D E7 CC DE D5 8D 78 BE 3C A0 A4 F1 4B 09 CE AF

Re: [0.4.5] no chained trust possible?
Roland Rosenfeld <roland@spinnaker.rhein.de> writes:

> gpg --edit-key 0xA9B8829D


Run

gpgm --list-trustdb 0xA9B8829D

gpg --list-trust-path 0xA9B8829D

and mail the output


Werner
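
The validity rule the first message expects, written out as an added example (not part of the thread and not GnuPG's trustdb code): a simplified model of the classic PGP web of trust, run over the signatures and owner trust quoted in the report. The names `valid_keys`, `SIGNATURES`, `OWNERTRUST` and the threshold values are assumptions made for this illustration.

```python
from collections import defaultdict

# Simplified web-of-trust model for illustration; not GnuPG's algorithm.
# Signer -> keys it certified, transcribed from the key listings in the
# first message (self-signatures omitted).
SIGNATURES = {
    "DD08DD6D": ["593238E1"],   # Roland signed Thomas
    "FCF20B7D": ["593238E1"],   # Ulf signed Thomas
    "A9B8829D": ["593238E1"],   # Bettina signed Thomas
    "593238E1": ["A9B8829D"],   # Thomas signed Bettina
}
# Owner trust as described in the report: Roland's own key is ultimate,
# Thomas is a fully trusted introducer. Everything else is unknown.
OWNERTRUST = {"DD08DD6D": "ultimate", "593238E1": "full"}


def valid_keys(signatures, ownertrust, completes_needed=1,
               marginals_needed=2, max_depth=5):
    """Return {keyid: depth} for every key this model considers valid."""
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    for depth in range(1, max_depth + 1):
        full, marginal = defaultdict(int), defaultdict(int)
        # Only keys that are already valid may act as introducers, and
        # only if the user assigned them owner trust.
        for signer in valid:
            trust = ownertrust.get(signer, "unknown")
            for target in signatures.get(signer, []):
                if target in valid:
                    continue
                if trust in ("ultimate", "full"):
                    full[target] += 1
                elif trust == "marginal":
                    marginal[target] += 1
        newly = {k for k in set(full) | set(marginal)
                 if full[k] >= completes_needed
                 or marginal[k] >= marginals_needed}
        if not newly:
            break
        for k in newly:
            valid[k] = depth
    return valid


if __name__ == "__main__":
    print(valid_keys(SIGNATURES, OWNERTRUST))
```

Under this model A9B8829D becomes valid at depth 2 through 593238E1, which is the outcome the report expects; lowering the owner trust of 593238E1 to marginal or unknown leaves it unvalidated.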