[SOLVED] Automated gpg Key Trust

mstone0802 · 04-25-2011, 05:26 PM

My company makes extensive use of gpg, and we are constantly getting keys from our customers. We're looking to automatically import those keys (or at least pseudo-automatically), and grant a minimal trust level. I've done some reading on this, and found a couple different pages that have suggestions, but none seem to work. Most give me this:

Code:

gpg --edit-key ########
trust
1 -- or other numeric value corresponding to trust level
save

This is all well and good, but doesn't quite meet our needs. We'd like to script the process if we could. We've got everything automated up to the trust. Is there a way to grant a level of trust that can be executed from outside the gpg application so it can be scripted?

T3RM1NVT0R · 04-25-2011, 06:00 PM

You can give a try to the following:

1. Create directory which will contain all gpg keys.
2. If they start with a particular name or end with particular extension you can go with gpg --import abc.* or *.abc and this will get the key imported to your system.
3. Schedule a crontab job to run this task every midnight.

Let me know if this helps.

mstone0802 · 04-25-2011, 06:06 PM

Thank you for the reply, but that's the part that we've already got automated. Our problem is that once the keys are imported, they have a trust level of 1 (which is default). If you look at them in gpg, the trust level will report as "Unknown". We'd like to give them a trust level of 3 (marginal), but to do that, we have to follow the steps I previously mentioned. We're looking to upgrade that trust level within the script that does the initial import.

T3RM1NVT0R · 04-25-2011, 06:38 PM

Unfortunately it is a menu driven program so I am not sure how we can automate the process.

The only idea that I can give is if you can set some kind of redirection which can change the value of trust=3, like people usually do with databases

Just an example example of what I am trying to say:

database < database_file

T3RM1NVT0R · 04-25-2011, 07:00 PM

Check out this link: http://www.gossamer-threads.com/lists/gnupg/users/51413

mstone0802 · 04-25-2011, 11:25 PM

That last link looks really promising. I'll let you know how implementation goes when I'm back at work tomorrow. Fingers crossed!

mstone0802 · 04-26-2011, 12:33 PM

Thanks for the link T3RM1NVT0R, it gave me what I needed. If anybody wants to do something similar in the future, here's the relevant snippet of code:

Code:

TRUST_VALUE=':3:'

TEMP_VAR=0
while [ "${KEYNAMES[$TEMP_VAR]}" != "" ]
do
  TRUSTVAR=`gpg --fingerprint ${KEYNAMES[$TEMP_VAR]}|grep Key|cut -d= -f2|sed 's/ //g'`
  echo $TRUSTVAR$TRUST_VALUE >> $TEMP_FILE
  TEMP_VAR=`expr $TEMP_VAR + 1`
done

gpg --import-ownertrust $TEMP_FILE

This code references a previously built array of key names. Works like a charm.