I've been through two Stack Exchange questions/answers and two GPG mailing list posts. I can't seem to clear "WARNING: This key is not certified with a trusted signature!". I would now like to disable it since I can't seem to clear it.

GnuPG shows the problem at Integrity Check, but they don't say how to fix it. They do say:

then you have a copy of our keys and the signatures are valid, but either you have not marked the keys as trusted or the keys are a forgery.

Looking through my gpg.conf I don't see a way to suppress useless warnings like shown below.

How do I suppress the message for a key?


The message is below. I've already marked 9306CC77 and subkey 971EDE93 trusted. I logged out and back on. I also rebooted the server. I am ready to move onto another problem.

# ~/do-update.sh
=> Fetching new catalog and descriptions (http://mirror.opencsw.org/opencsw/testing/i386/5.11) if available ...
Checking integrity of /var/opt/csw/pkgutil/catalog.mirror.opencsw.org_opencsw_testing_i386_5.11 with gpg.
gpg: Signature made Sat Apr 20 06:10:03 2019 EDT using DSA key ID 9306CC77
gpg: Good signature from "OpenCSW catalog signing <board@opencsw.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4DCE 3C80 AAB2 CAB1 E60C  9A3C 05F4 2D66 9306 CC77
==> 4013 packages loaded from /var/opt/csw/pkgutil/catalog.mirror.opencsw.org_opencsw_testing_i386_5.11
jww
  • @grawity - using `key-edit` as described [here](https://www.gnupg.org/gph/en/manual/r899.html), [here](http://gnupg.10057.n7.nabble.com/WARNING-This-key-is-not-certified-with-a-trusted-signature-td38625.html), [here](https://serverfault.com/q/569911/145545), and [here](https://security.stackexchange.com/q/147447/29925). I'm seriously ready to move on. I'm tired of dicking around with their broken tools, and only need to suppress the warning now. – jww May 10 '19 at 05:50

1 Answer

Any page that tells you to use --edit-key <id> trust in order to suppress this warning is, generally, going in the completely wrong direction. The confusing message actually has nothing to do with the key's trust setting. A trusted signature is one that was made by a valid key:

  • Key validity defines whether this key belongs to the person that it claims.

  • Key trust defines whether this key is allowed to sign other keys (Web-of-Trust). In other words, a trusted key may act as a CA and mark other keys as valid, transitively.

So in order to suppress the "untrusted signature" warning on a per-key basis, you have to mark the key as valid (as that's literally the purpose of this warning).

To mark a key as valid, you usually sign it:

gpg --lsign-key "4DCE 3C80 AAB2 CAB1 E60C  9A3C 05F4 2D66 9306 CC77"

Alternatively if you have the 'tofu' or 'tofu+pgp' trust-model active, you can also do:

gpg --tofu-policy good "4DCE 3C80 AAB2 CAB1 E60C  9A3C 05F4 2D66 9306 CC77"

Now you should see this in --list-keys or --edit-key:

pub  dsa1024/05F42D669306CC77
     created: 2011-08-31  expires: never       usage: SC  
     trust: unknown       validity: full

There is also a config option to suppress this warning for all keys; it's called trust-model always. It means GnuPG acts as if all keys were signed by a fully trusted key.

Finally, subkeys have neither trust nor validity settings, they're only containers for cryptographic parameters so they inherit this from the primary key.

u1686_grawity
  • As for suppressing this warning on a per-key basis, well, this is *literally* how you do it. The whole purpose of the warning is to inform that the key hasn't been signed by you (or another trusted key), therefore you suppress the warning by signing that key. – u1686_grawity May 10 '19 at 05:54
  • Thanks @grawity. `trust-model always` did not clear the warning. It is still present. Thanks for the try. – jww May 10 '19 at 16:17
  • Thanks for ignoring the rest of the post. – u1686_grawity May 10 '19 at 16:19
  • At least the --lsign-key did not solve it for me when trying to validate the signature of the gpg4win installer, new question at https://superuser.com/questions/1616531/gpg4win-signature-validation-how-to-fix-warning-this-key-is-not-certified-wit. – questionto42 Jan 10 '21 at 23:51
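The validity-versus-trust distinction the answer draws, as an added shell example that is not part of the original question, answer, or GnuPG's own documentation. It builds two throwaway GnuPG homedirs (one standing in for the catalog signer, one for the verifying machine), verifies a detached signature before and after a local certification, and reads the result from gpg's machine-readable status and `--with-colons` output instead of the human-readable warning. It assumes gpg 2.1 or newer (for `--quick-gen-key` and `--quick-lsign-key`, the non-interactive form of `--lsign-key`); the user IDs, the `example.invalid` addresses and the catalog contents are made up, and the `trust-model always` and `tofu` paths the answer mentions are not exercised.

```shell
#!/bin/sh
# Added example (not from the original question or answer): two throwaway
# GnuPG homedirs, one standing in for the catalog signer and one for the
# verifying machine, show that the warning tracks key validity. Right after
# import the signature verifies as TRUST_UNDEFINED (the status line behind the
# warning); a local certification with --quick-lsign-key, the non-interactive
# form of --lsign-key, turns it into TRUST_FULLY, and the signer key's
# ownertrust column is the same before and after. Needs gpg 2.1 or newer.
# All user IDs and file contents below are made up.
set -eu

command -v gpg >/dev/null || { echo "gpg not found" >&2; exit 1; }

WORK=$(mktemp -d)
ME="$WORK/me"             # my keyring, where verification happens
PUB="$WORK/publisher"     # the signer's keyring; only its public key leaves
mkdir -m 700 "$ME" "$PUB"
# Let gpg hand the (empty) passphrase to the agent without a pinentry dialog.
echo allow-loopback-pinentry > "$ME/gpg-agent.conf"
echo allow-loopback-pinentry > "$PUB/gpg-agent.conf"

# Stop the per-homedir agents and delete the scratch keyrings on exit.
cleanup() {
  gpgconf --homedir "$ME"  --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$PUB" --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# g HOMEDIR ARGS...: gpg in batch mode with an empty loopback passphrase, so
# nothing prompts. Keys generated this way are unprotected: demo use only.
g() {
  _home=$1; shift
  gpg --homedir "$_home" --batch --yes --no-tty --quiet \
      --pinentry-mode loopback --passphrase '' "$@"
}

# TRUST_* status token gpg emits when "me" verifies the catalog signature.
trust_status() {
  g "$ME" --status-fd 1 --verify "$WORK/catalog.sig" "$WORK/catalog" 2>/dev/null \
    | awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2; exit }'
}

# Validity (field 2) and ownertrust (field 9) of the signer's pub record in
# "me", from the machine-readable --with-colons listing.
signer_validity() {
  g "$ME" --with-colons --list-keys "$SIGNER_FPR" | awk -F: '$1 == "pub" { print $2; exit }'
}
signer_ownertrust() {
  g "$ME" --with-colons --list-keys "$SIGNER_FPR" | awk -F: '$1 == "pub" { print $9; exit }'
}

# 1. Keys. The key generated in "me" gets ultimate ownertrust automatically;
#    the publisher's key will be imported, so it starts with none.
g "$ME"  --quick-gen-key "Me <me@example.invalid>" default default never
g "$PUB" --quick-gen-key "Catalog signing <board@example.invalid>" default default never
SIGNER_FPR=$(g "$PUB" --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')

# 2. The publisher signs a constructed catalog; "me" imports the public key
#    and verifies the detached signature: good signature, unknown validity.
printf 'constructed catalog contents\n' > "$WORK/catalog"
g "$PUB" --output "$WORK/catalog.sig" --detach-sign "$WORK/catalog"
g "$PUB" --armor --export "$SIGNER_FPR" > "$WORK/publisher.asc"
g "$ME"  --import "$WORK/publisher.asc"
BEFORE=$(trust_status)                  # TRUST_UNDEFINED
OWNERTRUST_BEFORE=$(signer_ownertrust)

# 3. Certify the signer's key locally (non-exportable) with my own key.
g "$ME" --quick-lsign-key "$SIGNER_FPR"
AFTER=$(trust_status)                   # TRUST_FULLY
VALIDITY_AFTER=$(signer_validity)       # f
OWNERTRUST_AFTER=$(signer_ownertrust)   # unchanged: lsign sets validity, not trust

printf 'before lsign: %s (ownertrust %s)\n' "$BEFORE" "$OWNERTRUST_BEFORE"
printf 'after  lsign: %s (validity %s, ownertrust %s)\n' \
       "$AFTER" "$VALIDITY_AFTER" "$OWNERTRUST_AFTER"
```

The point to take from the two printed lines is that only the validity column moves: `--quick-lsign-key` adds a non-exportable certification from your own (ultimately trusted) key, which is exactly what clears the warning, while the signer's ownertrust stays unset because nothing here asked gpg to let that key vouch for other keys. On a real machine you would run the same `--quick-lsign-key` (or the interactive `--lsign-key`) against the fingerprint shown in the "Primary key fingerprint:" line after checking it out of band.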