
Trust model direct does not respect local signatures
Closed, Invalid (Public)

Description

$ gpg 2>/dev/null --trust-model=direct --list-sigs schokokeks|egrep '(uid|sig *L)'
uid           [ unknown] schokokeks.org GbR <root@schokokeks.org>
sig   L      8BB805C8DC0C3C84 2017-07-05  susie@example.org
$ gpg 2>/dev/null --trust-model=pgp --list-sigs schokokeks|egrep '(uid|sig *L)'
uid           [  full  ] schokokeks.org GbR <root@schokokeks.org>
sig   L      8BB805C8DC0C3C84 2017-07-05  susie@example.org

This affects the VS-NfD project which is expected to use the direct trust model. The spec says that Kleopatra should highlight keys which are not fully trusted, and suggest that the user should verify those keys. If the user does that by means of a local signature (the default in Kleopatra), it does not have the desired effect because GnuPG still says 'unknown'.

Event Timeline

justus lowered the priority of this task from High to Normal. Jul 10 2017, 10:29 AM
werner added a subscriber: werner.

The trust-model=direct does not care about signatures or user ids. It simply checks the user-assigned _ownertrust_ to decide whether a key is valid:

direct
          Key validity is set directly by the user and not calculated via the Web of
          Trust. This model is solely based on the key and does not distinguish user IDs.
          Note that when changing to another trust model the trust values assigned to a
          key are transformed into ownertrust values, which also indicate how you trust
          the owner of the key to sign other keys.
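The following is an added, deliberately simplified model of the two trust models, written for this ticket and not GnuPG's own code. It reproduces the behaviour shown above: a local (non-exportable) signature from a trusted key raises the signed key's validity under the pgp model, but under the direct model validity is simply the ownertrust assigned to the key itself, so the signature changes nothing. The key ID and address of susie are taken from the ticket; the schokokeks key ID is a constructed placeholder, and the pgp-model algorithm is reduced to a single certification level with the default marginals-needed=3 and completes-needed=1 thresholds.

```python
"""Simplified model of GnuPG's 'direct' and 'pgp' trust models (illustration only)."""
from dataclasses import dataclass, field

# Ownertrust / validity levels, in GnuPG's order.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


@dataclass
class Key:
    keyid: str
    uid: str
    ownertrust: str = UNKNOWN
    # (signer keyid, is_local). A local signature ("sig L") is non-exportable,
    # but it is still a signature in the local keyring, so the pgp model counts it.
    sigs: list = field(default_factory=list)


def validity_direct(key: Key) -> str:
    """direct: validity is whatever ownertrust the user set on the key; signatures are ignored."""
    return key.ownertrust


def _level(key: Key, keyring: dict, valid: set, marginals_needed: int, completes_needed: int) -> str:
    """Validity of one key from its signatures, counting only signers that are themselves valid."""
    fulls = marginals = 0
    for signer_id, _is_local in key.sigs:
        signer = keyring.get(signer_id)
        if signer is None or signer_id not in valid:
            continue
        if signer.ownertrust in (FULL, ULTIMATE):
            fulls += 1
        elif signer.ownertrust == MARGINAL:
            marginals += 1
    if fulls >= completes_needed or marginals >= marginals_needed:
        return FULL
    if marginals > 0:
        return MARGINAL
    return UNKNOWN


def validity_pgp(target: Key, keyring: dict, marginals_needed: int = 3, completes_needed: int = 1) -> str:
    """pgp: validity computed from signatures, weighted by each signer's ownertrust.

    Ultimately trusted keys are valid by definition; other keys become fully valid
    (and thereby usable as signers) through signatures, iterated to a fixed point.
    """
    if target.ownertrust == ULTIMATE:
        return ULTIMATE
    valid = {k.keyid for k in keyring.values() if k.ownertrust == ULTIMATE}
    changed = True
    while changed:
        changed = False
        for key in keyring.values():
            if key.keyid not in valid and _level(key, keyring, valid, marginals_needed, completes_needed) == FULL:
                valid.add(key.keyid)
                changed = True
    return _level(target, keyring, valid, marginals_needed, completes_needed)


def ticket_scenario():
    """Reproduce the ticket: local sig by susie, then the direct-model remedy (set ownertrust)."""
    susie = Key("8BB805C8DC0C3C84", "susie@example.org", ownertrust=ULTIMATE)  # from the ticket
    schoko = Key("SCHOKOKEKS_KEYID_PLACEHOLDER",  # constructed placeholder, not the real key ID
                 "schokokeks.org GbR <root@schokokeks.org>",
                 sigs=[(susie.keyid, True)])  # the "sig L" line from the ticket
    ring = {k.keyid: k for k in (susie, schoko)}
    before = (validity_direct(schoko), validity_pgp(schoko, ring))
    # Under direct, the only lever is ownertrust on the key itself
    # (what `gpg --edit-key <keyid>` followed by `trust` sets).
    schoko.ownertrust = FULL
    after = (validity_direct(schoko), validity_pgp(schoko, ring))
    return before, after


if __name__ == "__main__":
    (direct_before, pgp_before), (direct_after, pgp_after) = ticket_scenario()
    print(f"before ownertrust: direct={direct_before} pgp={pgp_before}")
    print(f"after  ownertrust: direct={direct_after} pgp={pgp_after}")
```

Run stand-alone, the model gives unknown/full before the ownertrust change and full/full afterwards, matching the two `--list-sigs` runs in the description: under trust-model=direct a local signature is not the mechanism that marks a key as verified, ownertrust on that key is.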