Why does GPG ignore the trust level I set for a recipient key?


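I ran into the following puzzling GPG behavior: after I set the trust for the recipient's key, gpg still complains that it doesn't know whether it should use the encryption subkey and prompts for input.

Here are the individual steps:

Create my own key pair

I include this step here only because otherwise gpg complains that it cannot find a key with ultimate trust, which I believe is subsequently used to sign the trustdb.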

$ gpg --gen-key
gpg (GnuPG) 2.3.7; Copyright (C) 2021 Free Software Foundation, Inc.

[...]

pub   ed25519 2023-12-02 [SC] [expires: 2025-12-01]
      BDCCA3DA3E0961575FC797B66E51892F600D443B
uid                      Testy Testerson <[email protected]>
sub   cv25519 2023-12-02 [E] [expires: 2025-12-01]

Import the recipient's key

$ gpg --import ~/tmp/fiend.pubkey
gpg: key 7507E17705538C1C: public key "Friend of Testy Testerson <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Assign "full" trust to the imported key:

$ gpg --edit-key $(gpg --list-keys | grep DF57EKDF57E)
[...]
pub  ed25519/7507E17705538C1C
     created: 2023-12-02  expires: 2025-12-01  usage: SC  
     trust: unknown       validity: unknown
sub  cv25519/F2FA4C3E9932F093
     created: 2023-12-02  expires: 2025-12-01  usage: E
[ unknown] (1). Friend of Testy Testerson <[email protected]>

gpg> trust
pub  ed25519/7507E17705538C1C
     created: 2023-12-02  expires: 2025-12-01  usage: SC
     trust: unknown       validity: unknown
sub  cv25519/F2FA4C3E9932F093
     created: 2023-12-02  expires: 2025-12-01  usage: E
[ unknown] (1). Friend of Testy Testerson <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 4

pub  ed25519/7507E17705538C1C
     created: 2023-12-02  expires: 2025-12-01  usage: SC 
     trust: full          validity: ultimate
sub  cv25519/F2FA4C3E9932F093
     created: 2023-12-02  expires: 2025-12-01  usage: E
[ultimate] (1). Friend of Testy Testerson <[email protected]>

gpg> save
Key not changed so no update needed.

Verify that the trustdb was updated correctly:

$ gpg --export-ownertrust
# List of assigned trustvalues, created Sat Dec  2 14:27:26 2023 MST
# (Use "gpg --import-ownertrust" to restore them)

BDCCA3DA3E0961575FC797B66E51892F600D443B:6:
DF57E983DFD9EFA53DF3C0CD7507E17705538C1C:5:

Attempt to encrypt using the recipient's key

This is the crux: I expect gpg to know the trust level at this point and not make a fuss:

$ gpg -e --recipient $(gpg --list-keys | grep DF57E) --output ./test.gpg ./test

gpg: F2FA4C3E9932F093: There is no assurance this key belongs to the named user

sub  cv25519/F2FA4C3E9932F093 2023-12-02 Friend of Testy Testerson <[email protected]>
 Primary key fingerprint: DF57 E983 DFD9 EFA5 3DF3  C0CD 7507 E177 0553 8C1C
      Subkey fingerprint: CD16 DC41 E806 92A1 1590  A0EB F2FA 4C3E 9932 F093

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) n

My question is: what am I overlooking here?
