How to raise a key to ultimate trust on another machine?

You can set every key to ultimate trust through opening the key edit command line

gpg --edit-key [key-id]

and running the trust command. You will now be prompted to select the trust level:

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 

Obviously, 5 will be the proper decision to achieve ultimate trust. Finally, save to commit the changes and exit GnuPG. The same commands apply to both GnuPG 1.4 and GnuPG 2 (and newer).

Ultimate trust enables a key to introduce trust in the OpenPGP web of trust; in other words, all ultimately trusted keys act as starting points for trust paths. You should set your own keys to ultimate trust, but usually will not do so for others' keys.


Here is how to automate this (gpg --edit-key; trust; 5; save) for newly imported keys, effectively importing them as ultimately trusted.

$ gpg --import <key.asc
$ (echo 5; echo y; echo save) |
  gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(
  gpg --list-packets <key.asc |
  awk '$1=="keyid:"{print$2;exit}')" trust 

To change the Ownertrust trust level of a key after importing in a simpler way (without the interactive --edit-key mode), I found this way in one line using gpg --import-ownertrust:

According to this mail from the Gnupg-users mailing list the trust level can be changed using gpg --import-ownertrust

You only need the fingerprint of the key and the trust level number, which is the number you use in the gpg --edit-key [key-id] trust menu (1, 2, 3, 4, 5) plus 1 (don't ask me why, but I have tested each level):

1 = I don't know or won't say => will be = 2
2 = I do NOT trust => will be = 3
3 = I trust marginally => will be = 4
4 = I trust fully => will be = 5
5 = I trust ultimately => will be = 6

To change the Ownertrust trust level to ultimate, as an example:

Get the fingerprint of the key (public or private) if already imported (if not, use gpg --with-fingerprint mykey.gpg to get the fingerprint before importing the key)

gpg --list-keys [key-id]
gpg --list-secret-keys [key-id]

Change the Ownertrust trust level by echoing FINGERPRINT:LEVEL: to gpg --import-ownertrust

echo "07C9F77F0E8134E64A7FF0AA666B4C8DC27B4A0A:6:" | gpg --import-ownertrust

See the new Ownertrust trust level of the key

gpg --list-keys [key-id]
gpg --list-secret-keys [key-id]

You can export the Ownertrust trust levels of all keys beforehand, or to back them up

gpg --export-ownertrust > trustlevel.txt

And reimport them if needed

gpg --import-ownertrust < trustlevel.txt

Using gpg --import-ownertrust, you can set the Ownertrust trust level of a key before importing the key, and then the key will be trusted according to the trust level defined after the import operation; or you can import the key and then change the trust level of the imported key.

Regards,
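
The fingerprint lookup and the "menu level plus one" mapping from the answer above, combined into one checked helper. This is an added example, not part of the original answers: the function names primary_fpr and ownertrust_line are hypothetical, the colon-format sample is constructed around the fingerprint used above, and a 40-digit (v4) fingerprint is assumed.

```sh
#!/bin/sh
# Added example: helper names are hypothetical, sample data is constructed.

# Constructed `gpg --with-colons --fingerprint` output: one primary key
# (pub) and one subkey (sub), each followed by its own fpr record.
SAMPLE_COLONS='pub:-:4096:1:666B4C8DC27B4A0A:1400000000:::-:::scESC:
fpr:::::::::07C9F77F0E8134E64A7FF0AA666B4C8DC27B4A0A:
uid:-::::1400000000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:-:4096:1:1122334455667788:1400000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:'

# Print the primary key fingerprint (field 10 of the first fpr record
# after a pub record) from colon-format output on stdin. Subkey
# fingerprints are skipped: ownertrust is stored per primary key.
primary_fpr() {
  awk -F: '$1 == "pub" { seen = 1; next }
           seen && $1 == "fpr" { print $10; exit }'
}

# Convert an --edit-key trust menu choice (1-5) plus a fingerprint into
# the FINGERPRINT:LEVEL: record that --import-ownertrust reads.
ownertrust_line() {
  level=$1
  # Accept the spaced, lower-case forms that gpg and people produce.
  fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  case $level in
    [1-5]) ;;
    *) echo "trust level must be 1-5" >&2; return 1 ;;
  esac
  # Reject short/long key IDs and anything that is not 40 hex digits, so
  # trust is never assigned on the basis of an ambiguous identifier.
  case $fpr in
    *[!0-9A-F]*) echo "fingerprint is not hexadecimal" >&2; return 1 ;;
  esac
  if [ "${#fpr}" -ne 40 ]; then
    echo "need a full 40-digit fingerprint" >&2; return 1
  fi
  printf '%s:%d:\n' "$fpr" "$((level + 1))"
}

# Demo on the constructed sample; with a real keyring the pipeline is:
#   gpg --with-colons --fingerprint KEYID | primary_fpr
# and the resulting line is piped into: gpg --import-ownertrust
ownertrust_line 5 "$(printf '%s\n' "$SAMPLE_COLONS" | primary_fpr)"
```

Compare the fingerprint against one obtained from the key owner through a separate channel before piping the record into gpg --import-ownertrust.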
