I recently migrated from one Ubuntu installation to another and changed my username in the process. I imported my public/private key pair into gpg. Decryption (with my private key) works fine, but whenever I try to encrypt something with my public key I get the following warning:
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
After that it asks whether I really want to use the key (I always answer yes, since it is the only key in my keyring and I know where it came from). I can decrypt things just fine, so why does gpg complain every time I try to encrypt something? How do I stop this message from appearing?
Answer 1
I ran into the same problem, but I no longer had access to the old key. So you can recreate trust in the old key with the following command:
gpg --edit-key [email protected]
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Answer 2
I managed to reproduce the problem you are seeing. I followed these steps:
$ gpg --no-default-keyring --keyring ./test-keyring --secret-keyring ./test-secring --trustdb-name ./test-trustdb --no-random-seed-file --gen-key
<specified parameters and let it do its thing>
gpg: key 58018BFE marked as ultimately trusted
public and secret key created and signed.
<snip>
$
Note that the process marks the key as "ultimately trusted".
Now I export the keys:
$ gpg --no-default-keyring --keyring ./test-keyring --secret-keyring ./test-secring --trustdb-name ./test-trustdb --no-random-seed-file --export-secret-keys -a > private.key
$ gpg --no-default-keyring --keyring ./test-keyring --secret-keyring ./test-secring --trustdb-name ./test-trustdb --no-random-seed-file --export -a > public.key
Now I import them into a new gpg database:
$ gpg --no-default-keyring --keyring ./test2-keyring --secret-keyring ./test2-secring --trustdb-name ./test2-trustdb --no-random-seed-file --import public.key
$ gpg --no-default-keyring --keyring ./test2-keyring --secret-keyring ./test2-secring --trustdb-name ./test2-trustdb --no-random-seed-file --import private.key
Now, if I try to encrypt with the new keyring, I get:
$ gpg --no-default-keyring --keyring ./test2-keyring --secret-keyring ./test2-secring --trustdb-name ./test2-trustdb --no-random-seed-file -r Fake -e
gpg: AE3034E1: There is no assurance this key belongs to the named user
pub 1024R/AE3034E1 2013-06-13 Fake User <[email protected]>
Primary key fingerprint: AD4D BAFB 3960 6F9D 47C1 23BE B2E1 67A6 5801 8BFE
Subkey fingerprint: 58F2 3669 B8BD 1DFC 8B12 096F 5D19 AB91 AE30 34E1
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
The reason lies in the "web of trust" model. By default, for a public key to be trusted it needs one "ultimate" trust certification (normally meaning you have verified the person's identity yourself) or three "marginal" trust certifications (certifications signed by people you know, by people who know people you know, and so on).
Because gpg is a security application, it warns you when you try to encrypt to a key that is not listed as trusted. In this case the reason your own key is not trusted is simple: you did not export the trust relationships from the previous gpg instance. To do that, use the --export-ownertrust and --import-ownertrust commands.
As always, see the man page.
Answer 3
You can use the --always-trust flag to skip that message.
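The procedure from Answers 1 to 3 end to end, as an added example that is not code from the question or from any of the answers: generate a key in a scratch "old" GnuPG home, move the key pair into a fresh home the way the question did and observe that validity drops to unknown and batch encryption fails, then repair it by migrating the ownertrust (Answer 2) and, separately, by writing the single ownertrust line that a `gpg> trust` session would have produced (Answer 1's situation, done non-interactively), with `--always-trust` (Answer 3) shown for contrast. It assumes GnuPG 2.1 or later (for `--quick-gen-key` and `--pinentry-mode loopback`) and that gpg-agent can start in your environment; the user ID, directory names and message are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original question or any of the answers.
# Reproduces the "no assurance this key belongs to the named user" state after
# moving a key pair into a fresh GnuPG home, then repairs it two ways: by
# migrating the ownertrust (Answer 2) and by recreating the ownertrust entry
# from the fingerprint alone, which is what "gpg> trust ... 5" writes (Answer 1),
# and contrasts both with --always-trust (Answer 3).
# Assumptions: GnuPG 2.1 or later (--quick-gen-key, --pinentry-mode loopback),
# gpg-agent can start, and the identity and directory names below are made up.
set -eu

UID_STR='Fake User <fake@example.invalid>'   # constructed demo identity
UID_MAIL='fake@example.invalid'

# Run gpg non-interactively against the GnuPG home given as $1.
g() {
    gh=$1; shift
    GNUPGHOME=$gh gpg --batch --no-tty --quiet \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Validity of the first public key in home $1 (2nd colon field of "pub:"):
# "u" = ultimate, "-" = unknown, the state that triggers the warning.
validity_of() {
    g "$1" --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "pub" { print $2; exit }'
}

# Encrypt a constructed message to the demo key in home $1, with extra gpg
# options in $2 (may be empty). In --batch mode gpg cannot ask "Use this key
# anyway?", so an untrusted recipient makes it fail instead of prompting.
try_encrypt() {
    if printf 'hello\n' | g "$1" $2 -r "$UID_MAIL" -e >/dev/null 2>&1; then
        echo ok
    else
        echo failed
    fi
}

# Whole walk-through. Prints one line of name=value results.
demo() {
    work=$(mktemp -d)
    old=$work/old; new=$work/new; new2=$work/new2
    mkdir -m 700 "$old" "$new" "$new2"

    # 1. Old installation: generate a key; gpg marks it ultimately trusted.
    g "$old" --quick-gen-key "$UID_STR" default default never 2>/dev/null
    fpr=$(g "$old" --with-colons --list-keys 2>/dev/null |
          awk -F: '$1 == "fpr" { print $10; exit }')
    before=$(validity_of "$old")

    # 2. Export the key pair as the question did, plus the ownertrust the
    #    question left behind.
    g "$old" --armor --export "$fpr"             > "$work/public.key"
    g "$old" --armor --export-secret-keys "$fpr" > "$work/private.key"
    g "$old" --export-ownertrust                 > "$work/ownertrust.txt"

    # 3. New installation: import only the keys. Validity is now unknown and
    #    batch encryption fails, unless key validation is skipped wholesale.
    g "$new" --import "$work/public.key" "$work/private.key" 2>/dev/null
    imported=$(validity_of "$new")
    untrusted=$(try_encrypt "$new" "")
    always=$(try_encrypt "$new" --always-trust)   # same as --trust-model always

    # 4a. Fix with the old trustdb at hand: import the exported ownertrust.
    g "$new" --import-ownertrust "$work/ownertrust.txt" 2>/dev/null
    g "$new" --check-trustdb 2>/dev/null
    fixed=$(validity_of "$new")
    encrypt_fixed=$(try_encrypt "$new" "")

    # 4b. Fix without the old trustdb: one ownertrust line, "<fingerprint>:6:"
    #     (6 = ultimate), fed to --import-ownertrust on stdin.
    g "$new2" --import "$work/public.key" "$work/private.key" 2>/dev/null
    printf '%s:6:\n' "$fpr" | g "$new2" --import-ownertrust 2>/dev/null
    g "$new2" --check-trustdb 2>/dev/null
    manual=$(validity_of "$new2")

    # Stop the per-home agents and remove the scratch homes.
    for h in "$old" "$new" "$new2"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"

    echo "old=$before imported=$imported encrypt_untrusted=$untrusted" \
         "always_trust=$always fixed=$fixed encrypt_fixed=$encrypt_fixed manual=$manual"
}

# Run the walk-through when executed directly: sh trust-migration.sh run
if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh trust-migration.sh run` (the file name is arbitrary). The output line makes the difference between the three answers visible: the freshly generated key is `u`, the same key after a plain import is not, batch encryption to it fails, and both ownertrust repairs bring it back to `u` so encryption works without any extra flag. `--always-trust` also makes encryption succeed, but it does so by skipping key validation for every recipient, not by restoring trust in your own key.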