GnuPG key validity

I have been struggling the whole day trying to understand key validity.

  1. I had a public key in my pubring with validity unknown and trust unknown
  2. I signed it with an ultimately trusted key and the validity became full; trust was still unknown
  3. then I deleted my signature using minimize command from --edit-key submenu
  4. after that I ran --list-keys --list-options show-uid-validity
  5. but the validity of that key was still full even though it was no longer signed.

Please help me to understand this mystery.

Also, please confirm whether using the command --list-keys --with-colons nida gives me the same information as --list-options show-uid-validity, except that here, instead of the word "full", I just get one letter "f", and instead of "ultimate", I just get "u".

Thank you in advance for helping me understand this very difficult subject.


Solution 1:

I signed it with an ultimately trusted key and the validity became full; trust was still unknown

Trust is set manually and is a different thing from validity. Signing influences validity, while commands like gpg --update-trustdb or gpg --edit-key $KEYID trust will let you change the trust level.

  • Validity describes whether this key is the correct key.

  • Trust describes whether this key can grant validity to other keys by signing them.

Keys that you sign are automatically valid. However, keys that are signed by someone's key whom you fully trust are also valid. Keys are also valid if they are signed by 3 people whom you marginally trust.

(Practical example: Arch Linux master keys, where the 'owner' key grants marginal trust to 5 'master' keys, and their marginal signatures add up to validate all 'developer' keys.)

Importantly, a key can be valid and untrusted, and that's a completely normal situation. In fact, most keys that you sign or lsign should remain untrusted unless you know the person behind that key and (literally) trust them to validate other people's keys.

then I deleted my signature using minimize command from --edit-key submenu

Did you use the save command afterwards? If not, then all your changes were lost. (The only exception is trust level changes, which don't actually change the key but get saved in the trustdb instead.)
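The validity/trust distinction above, and the letter-to-word mapping the question asks about, can be seen by decoding `--with-colons` records and recomputing validity from ownertrust and certifications. The following is an added example, not code from the original answer or from GnuPG itself: the field positions follow GnuPG's doc/DETAILS, the colon records are constructed (not captured gpg output, with made-up key IDs), and `compute_validity` is a simplified version of GnuPG's classic trust model (assumptions: no --max-cert-depth limit, validity computed per key rather than per user ID, and only fully valid keys act as introducers). It also goes slightly beyond the answer's scenario by covering the three-marginal-signers case and the effect of removing a certification.

```python
"""Decode `gpg --with-colons` records and re-derive validity from ownertrust.

Added example; not from the original post. Field positions follow GnuPG's
doc/DETAILS. SAMPLE is constructed, not real gpg output. compute_validity is a
simplified classic web of trust (assumptions: no cert-depth limit, whole-key
validity, only fully valid keys act as introducers).
"""
import copy

# Letters used in field 2 (validity of pub/uid records) and field 9 (ownertrust
# of pub records). `--list-options show-uid-validity` prints the words instead.
TRUST_WORDS = {
    "o": "unknown", "i": "invalid", "d": "disabled", "r": "revoked",
    "e": "expired", "-": "unknown", "q": "undefined", "n": "never",
    "m": "marginal", "f": "full", "u": "ultimate",
}

ME, ALICE, CAROL, DAVE, BOB = ("0123456789ABCDEF", "1111111111111111",
                               "3333333333333333", "4444444444444444",
                               "2222222222222222")

# Constructed records in the shape of `gpg --list-sigs --with-colons`: my own
# ultimately trusted key; Alice, Carol and Dave, each signed by me but with no
# ownertrust set ('-'); and Bob, signed only by those three. Self-signatures
# are class 0x13, my certifications class 0x10.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::0000::Me <me@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1600000000::::Me <me@example.org>:13x:
pub:f:4096:1:1111111111111111:1600000000:::-:::scESC::::::23::0:
uid:f::::1600000000::1111::Alice <alice@example.org>::::::::::0:
sig:::1:1111111111111111:1600000000::::Alice <alice@example.org>:13x:
sig:::1:0123456789ABCDEF:1600000100::::Me <me@example.org>:10x:
pub:f:4096:1:3333333333333333:1600000000:::-:::scESC::::::23::0:
uid:f::::1600000000::3333::Carol <carol@example.org>::::::::::0:
sig:::1:3333333333333333:1600000000::::Carol <carol@example.org>:13x:
sig:::1:0123456789ABCDEF:1600000100::::Me <me@example.org>:10x:
pub:f:4096:1:4444444444444444:1600000000:::-:::scESC::::::23::0:
uid:f::::1600000000::4444::Dave <dave@example.org>::::::::::0:
sig:::1:4444444444444444:1600000000::::Dave <dave@example.org>:13x:
sig:::1:0123456789ABCDEF:1600000100::::Me <me@example.org>:10x:
pub:-:4096:1:2222222222222222:1600000000:::-:::scESC::::::23::0:
uid:-::::1600000000::2222::Bob <bob@example.org>::::::::::0:
sig:::1:2222222222222222:1600000000::::Bob <bob@example.org>:13x:
sig:::1:1111111111111111:1600000200::::Alice <alice@example.org>:10x:
sig:::1:3333333333333333:1600000200::::Carol <carol@example.org>:10x:
sig:::1:4444444444444444:1600000200::::Dave <dave@example.org>:10x:
"""


def parse_colons(text):
    """Return {keyid: {validity, ownertrust, uids, signers}} from colon records."""
    keys, cur = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":                       # field 5 keyid, 2 validity, 9 ownertrust
            cur = f[4]
            keys[cur] = {"validity": f[1], "ownertrust": f[8], "uids": [], "signers": set()}
        elif f[0] == "uid" and cur:              # field 10 user id, field 2 its validity
            keys[cur]["uids"].append((f[9], f[1]))
        elif f[0] == "sig" and cur and f[4] != cur:  # field 5 signer keyid; skip self-sigs
            keys[cur]["signers"].add(f[4])
    return keys


def describe(keys):
    """Map each key's validity and ownertrust letters to the words gpg prints."""
    return {k: (TRUST_WORDS[r["validity"]], TRUST_WORDS[r["ownertrust"]])
            for k, r in keys.items()}


def compute_validity(keys, ownertrust=None, completes_needed=1, marginals_needed=3):
    """Re-derive validity letters. `ownertrust` overrides the trustdb letters,
    standing in for what `gpg --edit-key KEYID trust` would record."""
    trust = {k: r["ownertrust"] for k, r in keys.items()}
    trust.update(ownertrust or {})
    valid = {k for k in keys if trust[k] == "u"}   # ultimate keys are valid by definition
    changed = True
    while changed:                                  # propagate to a fixed point
        changed = False
        for k, r in keys.items():
            if k in valid:
                continue
            intro = [s for s in r["signers"] if s in valid]   # only valid keys introduce
            full = sum(trust.get(s) in ("f", "u") for s in intro)
            marg = sum(trust.get(s) == "m" for s in intro)
            if full >= completes_needed or marg >= marginals_needed:
                valid.add(k)
                changed = True
    out = {}
    for k, r in keys.items():
        partial = any(s in valid and trust.get(s) in ("f", "u", "m") for s in r["signers"])
        out[k] = "u" if trust[k] == "u" else "f" if k in valid else "m" if partial else "-"
    return out


def drop_certification(keys, keyid, signer):
    """Copy of `keys` with one certification removed (what delsig/minimize + save does)."""
    new = copy.deepcopy(keys)
    new[keyid]["signers"].discard(signer)
    return new


def check_against_gpg(keys):
    """True if recomputed validity equals the letters recorded in the keyring."""
    return compute_validity(keys) == {k: r["validity"] for k, r in keys.items()}


if __name__ == "__main__":
    keys = parse_colons(SAMPLE)
    for k, (val, own) in describe(keys).items():
        print(f"{k}  validity={val:8s} ownertrust={own}")
    print("recomputed matches keyring:", check_against_gpg(keys))
    print("Bob once Alice is fully trusted:", compute_validity(keys, {ALICE: "f"})[BOB])
    print("Bob with three marginal introducers:",
          compute_validity(keys, {ALICE: "m", CAROL: "m", DAVE: "m"})[BOB])
    print("Alice after my certification is dropped:",
          compute_validity(drop_certification(keys, ALICE, ME))[ALICE])
```

Running it shows Alice, Carol and Dave as valid ("full") yet with ownertrust "unknown", which is the normal state described above; Bob only becomes valid after Alice is given full trust, or after all three of his signers are marginally trusted; and once my certification on Alice is removed and the recomputation runs (what `save` triggers in gpg), her validity drops back to unknown.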