The key currently has an unknown validity:

$ gpg --edit-key some.user

pub  rsa4096/FAC6C35BDFF9359A
     created: 2020-03-01  expires: 2022-03-01  usage: SC  
     trust: full          validity: unknown
sub  rsa4096/CDA6BEA851FFCE2E
     created: 2020-03-01  expires: 2022-03-01  usage: E   
[ unknown] (1). Some User <[email protected]>

The validity is calculated based on signatures. "At least one key with complete trust has to sign another key to make the key valid." Since I trust my own key ultimately, that means that if I sign Some User's key, it should also become valid.

I already signed this user's key:

$ gpg --list-signatures some.user
pub   rsa4096 2020-03-01 [SC] [expires: 2022-03-01]
      E9E7BDF5FB135FF9858ABAAAB007FDB2
uid           [ unknown] Some User <[email protected]>
sig 3        FAC6C35BDFF9359A 2020-03-01  Some User <[email protected]>
sig          12CA169A2B5A5CFC 2020-03-15  Luc <[email protected]>
sig 3        FAC6C35BDFF9359A 2021-03-01  Some User <[email protected]>
sub   rsa4096 2020-03-01 [E] [expires: 2022-03-01]
sig          FAC6C35BDFF9359A 2020-03-01  Some User <[email protected]>
sig          FAC6C35BDFF9359A 2021-03-01  Some User <[email protected]>

The key's expiration time was recently extended with gpg --edit-key and the expire command (by Some User themselves), but I can't re-sign it (and I can't tell whether that should even be necessary; no resource says anything about it, so I guess not):

$ gpg --edit-key some.user
gpg> sign
"Some User <[email protected]>" was already signed by key 12CA169A2B5A5CFC
Nothing to sign with key 12CA169A2B5A5CFC

Checking the signatures, I see nothing out of the ordinary:

$ gpg --check-sigs some.user
pub   rsa4096 2020-03-01 [SC] [expires: 2022-03-01]
      E9E7BDF5FB135FF9858ABAAAB007FDB2
uid           [ unknown] Some User <[email protected]>
sig!3        FAC6C35BDFF9359A 2020-03-01  Some User <[email protected]>
sig!         12CA169A2B5A5CFC 2020-03-03  Luc <[email protected]>
sig!3        FAC6C35BDFF9359A 2021-03-01  Some User <[email protected]>
sub   rsa4096 2020-03-01 [E] [expires: 2022-03-01]
sig!         FAC6C35BDFF9359A 2020-03-01  Some User <[email protected]>
sig!         FAC6C35BDFF9359A 2021-03-01  Some User <[email protected]>

gpg: 5 good signatures

Why is this key not considered valid?
Do I need to re-sign it somehow, perhaps by revoking my old signature first?

Luc

1 Answer

Unknown validity means that GnuPG hasn’t calculated the web of trust for that key, and therefore it doesn’t know whether the key is valid or not. This is always the case for newly-added keys, but it can also happen for updated keys (since changes in signatures can affect your connection to the key). Trust recalculations don’t necessarily happen automatically, even in trivial cases, because they can be expensive and they may require user input.

Updating the trust database should fix this; you can run a minimal update with

gpg --check-trustdb

or a more complete update (which might involve answering questions about how much you trust key owners) with

gpg --update-trustdb

(The documentation says, for --check-trustdb, “Normally, GnuPG will calculate when this is required and do it automatically unless --no-auto-check-trustdb is set.” but I don’t know what the calculations are.)

Stephen Kitt
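The script below is an added example, not part of the question or the answer above. It reproduces the situation end to end in two throwaway GnuPG home directories: one holding "my" secret key (which GnuPG marks ultimately trusted on generation), one standing in for Some User. It imports the other key, reads its validity from `--with-colons` output before any signature exists, certifies it, and then forces the web-of-trust recalculation the answer recommends with `gpg --check-trustdb`. The user IDs, e-mail addresses, the rsa2048 key type and the helper functions `g`, `validity_of` and `main` are constructed for this demo; it assumes gpg 2.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Reproduces an unsigned/unvalidated key, certifies it, and shows that an
# explicit `gpg --check-trustdb` yields full validity.
# Assumptions: gpg >= 2.1 on PATH; user IDs, e-mail addresses, rsa2048 and
# the two temporary home directories are constructed for this demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to demo" >&2; exit 0; }

ME=$(mktemp -d)     # my keyring: holds my secret key (ultimately trusted)
THEM=$(mktemp -d)   # "Some User"'s keyring: stands in for the other party

cleanup() {
    # Stop the per-homedir agents so the temp dirs can be removed.
    for h in "$ME" "$THEM"; do
        gpgconf --homedir "$h" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$ME" "$THEM"
}
trap cleanup EXIT

# g HOMEDIR ARGS...: run gpg non-interactively against one home directory.
# The empty loopback passphrase produces unprotected demo keys; it is only
# acceptable because these keys live for the duration of the script.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# validity_of HOMEDIR FPR: field 2 of the "pub" record in --with-colons
# output (see GnuPG's doc/DETAILS): u=ultimate f=full m=marginal
# q=undefined -=unknown e=expired r=revoked.
validity_of() {
    g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "pub" { print $2; exit }'
}

main() {
    g "$ME"   --quick-gen-key "Me <me@example.invalid>" rsa2048 default never
    g "$THEM" --quick-gen-key "Some User <some.user@example.invalid>" rsa2048 default never

    # Fingerprint of the other party's key, then import its public part.
    THEIR_FPR=$(g "$THEM" --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    g "$THEM" --export "$THEIR_FPR" | g "$ME" --import

    # No signature path from my key yet, so this is "-" or "q", never "f".
    BEFORE=$(validity_of "$ME" "$THEIR_FPR")

    # Certify the key (what `gpg> sign` did in the question), then force the
    # web-of-trust recalculation the answer recommends.
    g "$ME" --quick-sign-key "$THEIR_FPR"
    g "$ME" --check-trustdb

    # One signature from an ultimately trusted key makes the key fully valid.
    AFTER=$(validity_of "$ME" "$THEIR_FPR")
    echo "validity before signing:               $BEFORE"
    echo "validity after sign + --check-trustdb: $AFTER"
}

main
```

Run it as-is; it needs no existing keyring and leaves none behind. The final line should read `f`, which is the colon-format spelling of the `validity: full` the question was expecting to see after signing. If you want to watch the recalculation itself, drop `--quiet` from `g`: `--check-trustdb` then reports the trust model, the `marginals needed`/`completes needed` thresholds and per-depth validity counts on stderr.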