How to suppress “WARNING: This key is not certified with a trusted signature!”

Tags: gnupg, security-warning

I've been through two Stack Exchange questions/answers and two GPG mailing list posts. I can't seem to clear "WARNING: This key is not certified with a trusted signature!". I would now like to disable it since I can't seem to clear it.

GnuPG shows the problem at Integrity Check, but they don't say how to fix it. They do say:

then you have a copy of our keys and the signatures are valid, but either you have not marked the keys as trusted or the keys are a forgery.

Looking through my gpg.conf I don't see a way to suppress useless warnings like the one shown below.

How do I suppress the message for a key?


The message is below. I've already marked 9306CC77 and subkey 971EDE93 trusted. I logged out and back on. I also rebooted the server. I am ready to move on to another problem.

# ~/do-update.sh
=> Fetching new catalog and descriptions (http://mirror.opencsw.org/opencsw/testing/i386/5.11) if available ...
Checking integrity of /var/opt/csw/pkgutil/catalog.mirror.opencsw.org_opencsw_testing_i386_5.11 with gpg.
gpg: Signature made Sat Apr 20 06:10:03 2019 EDT using DSA key ID 9306CC77
gpg: Good signature from "OpenCSW catalog signing <board@opencsw.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4DCE 3C80 AAB2 CAB1 E60C  9A3C 05F4 2D66 9306 CC77
==> 4013 packages loaded from /var/opt/csw/pkgutil/catalog.mirror.opencsw.org_opencsw_testing_i386_5.11

Best Answer

Any page that tells you to use --edit-key <id> trust in order to suppress this warning is, generally, going in the completely wrong direction. The confusing message actually has nothing to do with the key's trust setting. A trusted signature is one that was made by a valid key:

  • Key validity defines whether this key belongs to the person that it claims.

  • Key trust defines whether this key is allowed to sign other keys (Web-of-Trust). In other words, a trusted key may act as a CA and mark other keys as valid, transitively.

So in order to suppress the "untrusted signature" warning on a per-key basis, you have to mark the key as valid (as that's literally the purpose of this warning).

To mark a key as valid, you usually sign it:

gpg --lsign-key "4DCE 3C80 AAB2 CAB1 E60C  9A3C 05F4 2D66 9306 CC77"

Alternatively, if you have the 'tofu' or 'tofu+pgp' trust-model active, you can also do:

gpg --tofu-policy good "4DCE 3C80 AAB2 CAB1 E60C  9A3C 05F4 2D66 9306 CC77"

Now you should see this in --list-keys or --edit-key:

pub  dsa1024/05F42D669306CC77
     created: 2011-08-31  expires: never       usage: SC  
     trust: unknown       validity: full

There is also a config option to suppress this warning for all keys; it's called trust-model always. It means GnuPG acts as if all keys were signed by a fully trusted key.

Finally, subkeys have neither trust nor validity settings, they're only containers for cryptographic parameters so they inherit this from the primary key.
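As an added example (not part of the question or of this answer), the script below shows the same validity-versus-trust distinction from a script's point of view. Instead of grepping the human-readable "WARNING" text, it reads GnuPG's machine-readable `--status-fd` lines: `GOODSIG` says the signature checked out, and `TRUST_UNDEFINED` (as opposed to `TRUST_FULLY`/`TRUST_ULTIMATE`) is the status equivalent of the warning. When `gpg` is installed, it then builds two throwaway keyrings, reproduces the "untrusted" outcome, and clears it with `--quick-lsign-key`, the batch form of the `--lsign-key` step above. Assumptions: GnuPG 2.1 or newer (for `--quick-gen-key`/`--quick-lsign-key`), the sample status lines and the `example.invalid` identities are constructed for this example, and the key ID in the samples is the one from the question.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.

classify_status() {
  # Reads gpg --status-fd output on stdin and prints one word:
  #   bad       - no GOODSIG line at all (bad/expired/missing signature)
  #   untrusted - GOODSIG, but the key's validity is undefined/never/marginal;
  #               this is exactly when gpg prints the "not certified" WARNING
  #   valid     - GOODSIG from a fully or ultimately valid key (no WARNING)
  awk '
    /^\[GNUPG:\] GOODSIG /                { good = 1 }
    /^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)/  { valid = 1 }
    END {
      if (!good)      print "bad"
      else if (valid) print "valid"
      else            print "untrusted"
    }'
}

# Constructed status output, modelled on the catalog check in the question:
# good signature, key imported but never marked valid.
sample_status_untrusted() {
  printf '%s\n' \
    '[GNUPG:] NEWSIG' \
    '[GNUPG:] GOODSIG 05F42D669306CC77 OpenCSW catalog signing <board@opencsw.org>' \
    '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}
# Constructed: the same key after a local signature (--lsign-key).
sample_status_valid() {
  printf '%s\n' \
    '[GNUPG:] NEWSIG' \
    '[GNUPG:] GOODSIG 05F42D669306CC77 OpenCSW catalog signing <board@opencsw.org>' \
    '[GNUPG:] TRUST_FULLY 0 pgp'
}
# Constructed: tampered file, signature does not verify at all.
sample_status_bad() {
  printf '%s\n' \
    '[GNUPG:] NEWSIG' \
    '[GNUPG:] BADSIG 05F42D669306CC77 OpenCSW catalog signing <board@opencsw.org>'
}

live_demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping live demo" >&2; return 0; }
  work=$(mktemp -d) || return 1
  trap 'rm -rf "$work"' EXIT
  signer="$work/signer"; verifier="$work/verifier"
  mkdir -m 700 "$signer" "$verifier"
  printf 'constructed catalog contents\n' > "$work/catalog"

  # Throwaway keys: one plays the catalog signer, one is "us" (the verifier).
  GNUPGHOME="$signer"   gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo Signer <signer@example.invalid>' default default never
  GNUPGHOME="$verifier" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo Verifier <me@example.invalid>' default default never

  # Signer signs the file; verifier imports only the signer's public key.
  GNUPGHOME="$signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --detach-sign --output "$work/catalog.sig" "$work/catalog"
  GNUPGHOME="$signer" gpg --batch --quiet --export 'signer@example.invalid' \
      | GNUPGHOME="$verifier" gpg --batch --quiet --import
  fpr=$(GNUPGHOME="$verifier" gpg --batch --with-colons --list-keys 'signer@example.invalid' \
      | awk -F: '$1 == "fpr" { print $10; exit }')

  verify() {
    GNUPGHOME="$verifier" gpg --batch --status-fd 1 --verify "$work/catalog.sig" "$work/catalog" \
      2>/dev/null | classify_status
  }

  # Good signature, key not valid: gpg prints the WARNING on stderr here.
  echo "before lsign-key: $(verify)"
  # Local (non-exportable) signature on the signer's key, as in the answer.
  GNUPGHOME="$verifier" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-lsign-key "$fpr"
  # Same signature, key now fully valid: no WARNING.
  echo "after lsign-key:  $(verify)"
}

echo "sample untrusted -> $(sample_status_untrusted | classify_status)"
echo "sample valid     -> $(sample_status_valid | classify_status)"
echo "sample bad       -> $(sample_status_bad | classify_status)"
live_demo
```

Note that the live demo needs a secret key in the verifier's own keyring: `--lsign-key` is a signature you make, so a keyring that only holds imported public keys cannot clear the warning this way. `trust-model always` in gpg.conf is the only option that avoids that, at the cost of treating every key as valid.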