
Trusting imported GPG keys


I had to export a GPG key from one Linux host to another today. While that is not something that's particularly difficult, it is one of those tasks that I do frequently enough to be worth remembering, but not enough to actually remember. So, it makes sense to document the process somewhere, and since it may help others, here it is ;)

Exporting the public key is really easy:

gpg -a --export <keyname>

The -a (--armor) flag makes the output plain ASCII, so you could, of course, send it to a text file, but I simply cut and paste the result into a new file on the destination machine.

So then the import:

gpg --import tmp.key

Wow, that was easy. But there's still one small chore to go... You see, the key I was exporting is one my company uses to encrypt all backup files. Needless to say, that means it is often (only?) used by automated scripts. The problem is that gpg has no reason yet to believe the freshly imported key belongs to the person named in its user ID: it carries no certification from a key you trust, and its owner trust is unknown. So if you try to encrypt with it, gpg stops to warn you and asks for confirmation:

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Of course, that prompt is a real problem for automated scripts (Bash scripts in my case), and gpg will not answer "yes" on your behalf: run the same command with --batch and it does not prompt at all, it simply refuses to use the key and the encryption fails. You can sidestep the check with --trust-model always, but that switches off key validation for every key touched by that command, which is a blunt instrument. It is cleaner to fix the keyring once.

So, the solution, which is quite simple, is to quickly mark the key as trusted. To do so, first enter the gpg "edit key" console by executing:

gpg --edit-key <keyname>

Then, at the prompt, enter trust, answer 5 (ultimate) to the question about how far you trust the key's owner, confirm with y, and quit. And that's it. The next time you encrypt using the newly imported key you will not be asked whether you really want to use it, and scripts won't be broken :)

Two caveats are worth knowing. Ultimate trust tells gpg to treat the key as one of your own, and that is the reason it is the one level that makes an unsigned imported key valid on its own: marking it 4 (fully trusted) without also signing it does not stop the prompt, because owner trust says how much you trust the owner to certify other keys, not whether this key is genuine. Ultimate trust is fine for a key your own company controls, but it also removes the only check that would catch a key swapped in transit, so compare the output of gpg --fingerprint <keyname> on both hosts before you set it. And the trust setting lives in the trustdb of the user who ran --edit-key, so do this as the account the backup scripts actually run under.
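The same procedure can be done without the interactive --edit-key session, which is what you want when a new backup host is provisioned by a script. The following is an added example, not code from the original post: it checks the key file against a fingerprint obtained out of band before importing it, writes the owner trust with gpg --import-ownertrust (whose level numbers differ from the 1-5 menu in --edit-key; 6 is ultimate there), and then encrypts in --batch mode. It assumes GnuPG 2.2 or later (for --show-keys); the user ID backup@example.com, the file name tmp.key and the RUN_GPG_DEMO variable are placeholders chosen for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Imports a public key,
# checks it against a fingerprint obtained out of band, and marks it
# trusted without an interactive --edit-key session, so a cron job can
# encrypt with it. Assumes GnuPG 2.2+ (for --show-keys); the key file
# name, user ID and fingerprint used below are placeholders.
set -eu

# Ownertrust levels in the format used by --export/--import-ownertrust.
# These are NOT the 1-5 menu numbers shown by `--edit-key trust`.
OT_ULTIMATE=6
OT_FULL=5

# Strip spaces, upper-case, and refuse anything that is not a 40-hex-digit
# v4 fingerprint: a truncated or mistyped value must fail here, not
# silently trust nothing (or the wrong key) later.
normalize_fpr() {
  fpr=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  case "$fpr" in
    *[!0-9A-F]*) return 1 ;;
  esac
  [ "${#fpr}" -eq 40 ] || return 1
  printf '%s' "$fpr"
}

# One line in the form `FINGERPRINT:LEVEL:` as accepted by --import-ownertrust.
ownertrust_line() {
  fpr=$(normalize_fpr "$1") || return 1
  printf '%s:%s:\n' "$fpr" "$2"
}

# Verify, import and trust. The fingerprint check runs on the file *before*
# anything touches the keyring, so a swapped or corrupted key file is
# rejected outright. Uses the first "fpr" record, i.e. the primary key.
trust_imported_key() {
  keyfile=$1
  expected=$(normalize_fpr "$2") || { echo "bad fingerprint: $2" >&2; return 1; }
  actual=$(gpg --batch --with-colons --show-keys "$keyfile" 2>/dev/null \
           | awk -F: '$1 == "fpr" { print $10; exit }')
  [ "$actual" = "$expected" ] \
    || { echo "$keyfile has fingerprint '$actual', expected $expected" >&2; return 1; }
  gpg --batch --import "$keyfile"
  ownertrust_line "$expected" "$OT_ULTIMATE" | gpg --batch --import-ownertrust
}

# Encrypt from a script. --batch guarantees gpg never prompts; this now
# succeeds because the key is valid, not because a prompt was auto-answered.
encrypt_for() {
  gpg --batch --yes --recipient "$1" --output "$3" --encrypt "$2"
}

# End-to-end demo with two throwaway keyrings standing in for the source
# and destination hosts. Only runs when RUN_GPG_DEMO=1, so the functions
# above can be sourced from other scripts without side effects.
if [ "${RUN_GPG_DEMO:-0}" = 1 ]; then
  src=$(mktemp -d); dst=$(mktemp -d); chmod 700 "$src" "$dst"
  export GNUPGHOME="$src"
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'backup@example.com' default default never
  fpr=$(gpg --batch --with-colons --list-keys backup@example.com \
        | awk -F: '$1 == "fpr" { print $10; exit }')
  gpg -a --export backup@example.com > "$dst/tmp.key"   # what the post pastes across
  echo 'backup payload' > "$dst/plain.txt"              # constructed sample input
  export GNUPGHOME="$dst"                               # now act as the destination host
  trust_imported_key "$dst/tmp.key" "$fpr"
  encrypt_for "$fpr" "$dst/plain.txt" "$dst/plain.txt.gpg"
  ls -l "$dst/plain.txt.gpg"
  rm -rf "$src" "$dst"
fi
```

Run it with RUN_GPG_DEMO=1 sh script.sh to see the whole round trip; in production you would call trust_imported_key with the fingerprint you read off the source host (gpg --fingerprint <keyname>), not one parsed from the same file you are about to trust. Because the fingerprint is compared before --import runs, a wrong file never even enters the keyring.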