How to verify an imported GPG key

gpg

I'm new to this PGP thing. Here are my questions:
Verification
When I do this, I'm given the message "This key is not certified with a trusted signature". Is there any way to make it trusted and better yet what's the proper way for doing so?

[root@dev /]# gpg --verify bind-9.9.4-P2.tar.gz.sha512.asc bind-9.9.4-P2.copiedlink.tar.gz
gpg: Signature made Fri 03 Jan 2014 01:58:50 PM PST using RSA key ID 189CDBC5
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2013) <codesign@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B48 A38A E1CF 9886 435F  89EE 45AC 7857 189C DBC5

Managing Key
I downloaded and saved a public key as isc.public.key, and imported it using the following command:

gpg --import isc.public.key

I'm sure there is an expiration date on it so how do I do the following:

  1. Find out when it expires? In fact does GPG tell me when the key I've imported has already expired when I do a "gpg --verify"?
  2. Update the key. Do I have to delete the key and re-import when this happens?

Thanks!

Best Answer

When I do this, I'm given the message "This key is not certified with a trusted signature". Is there any way to make it trusted and better yet what's the proper way for doing so?

A "trusted signature" is a signature from a key that you trust, either because (a) you have personally verified that it belongs to the person to whom it claims to belong, or (b) because it has been signed by a key that you trust, possibly through a series of intermediate keys.

You can edit the trust level of keys by running "gpg --edit-key <keyid>", and then using the trust command. This section of the GPG manual discusses key trust, and it's worth a read: good security is hard.

Note that the warning "This key is not certified with a trusted signature" basically means, "this thing could have been signed by anybody". I can create a key that claims to be for "Internet Systems Consortium, Inc. (Signing key, 2013) <codesign@isc.org>", and sign things with it, and GPG will happily confirm that yes, the things I signed were signed with my key. To avoid this problem, you would presumably download the ISC GPG key from the website and either trust it ultimately ("I believe this entity can certify itself") or sign it with your ultimately-trusted private key. Without proper management of key trust, signature verification is mostly theater.

Find out when it expires?

Running gpg -k <keyid> will show you when a given key expires. For example, I created a key that expires tomorrow, and gpg -k <keyid> gives me:

$ gpg -k 0xD4C2B757C3FAE256
pub   2048R/0xD4C2B757C3FAE256 2014-01-26 [expires: 2014-01-27]
uid                 [ultimate] Test User <testuser@example.com>
sub   2048R/0xE87A56CDCC670D7A 2014-01-26 [expires: 2014-01-27]

You can see that the expiration dates on subkeys are clearly marked. Note that subkeys used for signing and encryption may have different expiration dates from the primary key. You can read more about subkeys here.

In fact does GPG tell me when the key I've imported has already expired when I do a "gpg --verify"?

Yes, GPG will notify you about an expired key. Note that this does not necessarily represent a problem: the signature was valid when the document was signed.

Update the key. Do I have to delete the key and re-import when this happens?

You should have your GPG environment configured to use a keyserver, and periodically run gpg --refresh-keys. This will update any keys in your keyring with new information from the keyserver, which may include:

  • new expiration dates
  • additional signatures on the key

If a person or organization begins using a new key, you would just add it to your keychain -- you would not need to delete the existing key.
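The answer above covers three things a script should check rather than a human eyeballing warning text: whether the key (and its subkeys) has expired, whether the signature is good, and whether the signing key is actually trusted. As an added example that is not part of the question or the answer, the POSIX shell script below parses the machine-readable output GnuPG produces for exactly those checks: the colon-separated listing from `gpg --with-colons --list-keys` (expiry is field 7, in seconds since the epoch) and the `[GNUPG:]` status lines from `gpg --status-fd 1 --verify`. Both sample outputs embedded in the script are constructed for this example (the key ids and user ids are taken from the outputs shown above); the field positions and status words are GnuPG's documented ones. Mirroring the answer, a GOODSIG line is deliberately not enough to accept a signature: the key must also be fully or ultimately trusted.

```shell
#!/bin/sh
# Added example, not code from the original Q&A. Real invocations whose output
# this script consumes:
#   gpg --with-colons --list-keys <keyid>      # colon-separated key listing
#   gpg --status-fd 1 --verify sig.asc file    # machine-readable status lines
# (On old GnuPG 1.x add --fixed-list-mode so dates come out as epoch seconds.)

# Constructed sample of `gpg --with-colons --list-keys` for the answer's test
# key: field 5 is the long key id, field 6 creation, field 7 expiry (epoch).
SAMPLE_LISTING='pub:-:2048:1:D4C2B757C3FAE256:1390694400:1390780800::-:::scESC::::::
uid:-::::1390694400::0123456789ABCDEF0123456789ABCDEF01234567::Test User <testuser@example.com>::::::::::0:
sub:-:2048:1:E87A56CDCC670D7A:1390694400:1390780800:::::e::::::'

# Constructed sample of the status lines for the question's verify run: a good
# signature, but the key has no trust assigned (TRUST_UNDEFINED).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 45AC7857189CDBC5 Internet Systems Consortium, Inc. (Signing key, 2013) <codesign@isc.org>
[GNUPG:] VALIDSIG 2B48A38AE1CF9886435F89EE45AC7857189CDBC5 2014-01-03 1388786330 0 4 0 1 10 00 2B48A38AE1CF9886435F89EE45AC7857189CDBC5
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# The same run after the key was marked ultimately trusted with
# `gpg --edit-key <keyid>` / `trust`, as the answer recommends (constructed).
SAMPLE_STATUS_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 45AC7857189CDBC5 Internet Systems Consortium, Inc. (Signing key, 2013) <codesign@isc.org>
[GNUPG:] VALIDSIG 2B48A38AE1CF9886435F89EE45AC7857189CDBC5 2014-01-03 1388786330 0 4 0 1 10 00 2B48A38AE1CF9886435F89EE45AC7857189CDBC5
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Print "<pub|sub> <keyid> <valid|expired|no-expiry>" for every key and subkey
# in a colon listing, judged against $2 (now, epoch seconds). Subkeys are
# reported separately because they can expire on a different date.
key_expiry_report() {  # $1 = listing text, $2 = now
  printf '%s\n' "$1" | awk -F: -v now="$2" '
    $1 == "pub" || $1 == "sub" {
      state = "no-expiry"
      if ($7 != "") state = ($7 + 0 <= now) ? "expired" : "valid"
      print $1, $5, state
    }'
}

# Decide whether a signature may be accepted from --status-fd output.
# Returns 0 (accept) only for GOODSIG plus TRUST_FULLY/TRUST_ULTIMATE; any
# bad, expired or revoked-key signature, or an untrusted key, returns 1.
signature_verdict() {  # $1 = status-fd output
  status=$1 good=0 trust=none
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] GOODSIG "*) good=1 ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*|\
      "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
        echo "reject: ${line#"[GNUPG:] "}"; return 1 ;;
      "[GNUPG:] TRUST_"*)
        trust=${line#"[GNUPG:] "}; trust=${trust%% *} ;;
    esac
  done <<EOF
$status
EOF
  if [ "$good" -ne 1 ]; then
    echo "reject: no GOODSIG line"; return 1
  fi
  case "$trust" in
    TRUST_FULLY|TRUST_ULTIMATE)
      echo "accept: good signature from a trusted key ($trust)"; return 0 ;;
    *)
      echo "reject: good signature, but key is not trusted ($trust)"; return 1 ;;
  esac
}

# Stand-alone demo: expiry as of 2014-01-26 01:33 UTC, then both verdicts
# (the first rejection is the expected outcome for the question's run).
key_expiry_report "$SAMPLE_LISTING" 1390700000
signature_verdict "$SAMPLE_STATUS" || :
signature_verdict "$SAMPLE_STATUS_TRUSTED"
```

In a real pipeline the two samples are replaced by command substitutions over the actual `gpg` invocations shown in the comments; the important design point is that the decision is driven by the TRUST_ status word and the expiry field, never by grepping the human-readable "Good signature" text, which is printed even for a key anyone could have generated.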