I'm new to this PGP thing. Here are my questions:
Verification
When I do this, I'm given the message "This key is not certified with a trusted signature". Is there any way to make it trusted and, better yet, what's the proper way of doing so?
[root@dev /]# gpg --verify bind-9.9.4-P2.tar.gz.sha512.asc bind-9.9.4-P2.copiedlink.tar.gz
gpg: Signature made Fri 03 Jan 2014 01:58:50 PM PST using RSA key ID 189CDBC5
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2013) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B48 A38A E1CF 9886 435F 89EE 45AC 7857 189C DBC5
Managing Key
I downloaded and saved a public key as isc.public.key, and imported it using the following command:
gpg --import isc.public.key
I'm sure there is an expiration date on it so how do I do the following:
- Find out when it expires? In fact, does GPG tell me when the key I've imported has already expired when I do a "gpg --verify"?
- Update the key. Do I have to delete the key and re-import when this happens?
Thanks!
A "trusted signature" is a signature from a key that you trust, either because (a) you have personally verified that it belongs to the person to whom it claims to belong, or (b) because it has been signed by a key that you trust, possibly through a series of intermediate keys.
You can edit the trust level of keys by running "gpg --edit-key <keyid>" and then using the "trust" command. This section of the GPG manual discusses key trust, and it's worth a read: good security is hard.

Note that the warning "This key is not certified with a trusted signature" basically means, "this thing could have been signed by anybody". I can create a key that claims to be for "Internet Systems Consortium, Inc. (Signing key, 2013) ", and sign things with it, and GPG will happily confirm that yes, the things I signed were signed with my key. To avoid this problem, you would presumably download the ISC GPG key from the website and either trust it ultimately ("I believe this entity can certify itself") or sign it with your ultimately-trusted private key. Without proper management of key trust, signature verification is mostly theater.
Running
gpg -k <keyid>
will show you when a given key expires. For example, I created a key that expires tomorrow, and gpg -k <keyid> gives me:

You can see that the expiration dates on subkeys are clearly marked. Note that subkeys used for signing and encryption may have different expiration dates from the primary key. You can read more about subkeys here.
Yes, GPG will notify you about an expired key. Note that this does not necessarily represent a problem: the signature was valid when the document was signed.
You should have your GPG environment configured to use a keyserver, and periodically run
gpg --refresh-keys
. This will update any keys in your keyring with new information from the keyserver, which may include:

If a person or organization begins using a new key, you would just add it to your keychain -- you would not need to delete the existing key.
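The checks the answer describes (does the imported key match the fingerprint you got from a trusted channel, has it expired, and does GPG consider it trusted enough to avoid the "not certified" warning) can be scripted against GPG's machine-readable key listing. The following is an added example, not code from the question or the answer above. It parses the output of `gpg --with-colons --fixed-list-mode --list-keys` (record layout documented in GnuPG's doc/DETAILS) and compares a fingerprint obtained out of band with what is in the keyring. `SAMPLE_LISTING` is constructed for illustration; the key IDs, fingerprints and user IDs in it are invented and not real keys.

```python
"""Inspect a GnuPG keyring for expiry and trust before relying on --verify.

Added example, not code from the original question or answer. It parses the
machine-readable listing from `gpg --with-colons --fixed-list-mode --list-keys`
(record layout documented in GnuPG's doc/DETAILS). SAMPLE_LISTING is
constructed for illustration; the key IDs and fingerprints in it are not real.
"""
import subprocess
from datetime import datetime, timezone

# 0-based field positions in a colon record (doc/DETAILS numbers them from 1).
F_TYPE, F_VALIDITY, F_KEYID, F_CREATED, F_EXPIRES = 0, 1, 4, 5, 6
F_OWNERTRUST, F_UID, F_CAPS = 8, 9, 11

TRUST_LETTERS = {"u": "ultimate", "f": "full", "m": "marginal", "n": "never",
                 "e": "expired", "r": "revoked", "q": "undefined", "-": "unknown"}

# Constructed sample: one expired, untrusted key and one ultimately trusted key.
SAMPLE_LISTING = """\
tru::1:1420000000:0:3:1:5
pub:e:4096:1:0123456789ABCDEF:1388534400:1420070400::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:e::::1388534400::0011223344556677889900AABBCCDDEEFF001122::Example Signing Key (constructed) <signing@example.org>::::::::::0:
sub:e:4096:1:FEDCBA9876543210:1388534400:1420070400:::::s::::::23:
fpr:::::::::AAAA111122223333444455556666777788889999:
pub:u:4096:1:ABCDEF0123456789:1388534400:::u:::scESC::::::23::0:
fpr:::::::::BBBB111122223333444455556666777788889999:
uid:u::::1388534400::FFEEDDCCBBAA99887766554433221100FFEEDDCC::My Own Key (constructed) <me@example.org>::::::::::0:
"""


def _when(field):
    """Convert a creation/expiry field to an aware datetime (None if unset).

    With --fixed-list-mode the field is a Unix timestamp; older gpg versions
    print YYYY-MM-DD, which is accepted as well."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_listing(text):
    """Return one dict per primary key, with its subkeys attached."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        rtype = f[F_TYPE]
        if rtype == "pub":
            cur = {"keyid": f[F_KEYID], "fingerprint": None, "uid": None,
                   "validity": TRUST_LETTERS.get(f[F_VALIDITY], f[F_VALIDITY]),
                   "ownertrust": TRUST_LETTERS.get(f[F_OWNERTRUST], f[F_OWNERTRUST]),
                   "expires": _when(f[F_EXPIRES]), "subkeys": []}
            keys.append(cur)
        elif rtype == "fpr" and cur is not None:
            # The first fpr after a pub is the primary key's fingerprint;
            # later ones belong to the subkey record that precedes them.
            if cur["fingerprint"] is None:
                cur["fingerprint"] = f[F_UID]
            elif cur["subkeys"]:
                cur["subkeys"][-1]["fingerprint"] = f[F_UID]
        elif rtype == "uid" and cur is not None and cur["uid"] is None:
            cur["uid"] = f[F_UID]
        elif rtype == "sub" and cur is not None:
            # Subkeys carry their own expiry and capabilities (s = sign, e = encrypt).
            cur["subkeys"].append({"keyid": f[F_KEYID], "caps": f[F_CAPS],
                                   "expires": _when(f[F_EXPIRES]), "fingerprint": None})
    return keys


def check_key(keys, expected_fpr, now=None):
    """Compare a fingerprint obtained from a trusted channel with the keyring.

    Returns (ok, reason). ok is True only when the key is present, has not
    expired, and gpg computes its validity as full or ultimate, i.e. when
    --verify would not print the 'not certified' warning for it."""
    if isinstance(now, str):
        now = _when(now)
    now = now or datetime.now(timezone.utc)
    want = expected_fpr.replace(" ", "").upper()
    for k in keys:
        if k["fingerprint"] != want:
            continue
        if k["expires"] is not None and k["expires"] <= now:
            return False, "key %s expired on %s" % (k["keyid"], k["expires"].date())
        if k["validity"] not in ("full", "ultimate"):
            return False, ("key %s is in the keyring but its validity is %s; "
                           "sign it or set its ownertrust" % (k["keyid"], k["validity"]))
        until = k["expires"].date() if k["expires"] else "never"
        return True, "key %s (%s) is valid, expires %s" % (k["keyid"], k["uid"], until)
    return False, "no key with fingerprint %s in the keyring" % want


def list_keys():
    """Parse the live keyring; requires gpg on PATH (not used by the sample run)."""
    out = subprocess.run(["gpg", "--with-colons", "--fixed-list-mode", "--list-keys"],
                         capture_output=True, text=True, check=True).stdout
    return parse_listing(out)


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    for fpr in ("0000 1111 2222 3333 4444 5555 6666 7777 8888 9999",
                "BBBB 1111 2222 3333 4444 5555 6666 7777 8888 9999"):
        print(check_key(keys, fpr, now="2016-01-01"))
```

The fingerprint passed to `check_key` should come from somewhere other than the download site itself (a printed notice, a second channel, or a key signed by someone you already trust); comparing it against a value copied from the same page you fetched the key from proves nothing. Expiry is checked from the timestamp rather than the validity letter because a listing taken earlier may predate the expiry.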