How can I tell if a new version of GPG is valid?
Unfortunately, releases are signed by one individual I've never met. Also unfortunately, GPG contains no tool for telling me what I want to know, which is: given the keys I've already signed, and the web of trust, what evidence is there that the signature of that one individual is trustworthy?
GPG is willing to answer a related but much-less-useful question, namely "If I've signed huge numbers of keys and so have lots and lots of other people, so there are many paths between me and the GPG signer, is there a super-high-quality reason to believe in that signature?". But in reality there are exactly four paths from me to Werner Koch, with nowhere near enough signature redundancy for GPG's existing trustdb checks.
So here's what I recently did.
- I used Henk Penning's PGP pathfinder to find some paths from me to Werner Koch's main key (his distribution-signing key isn't in the strong key set).
- Eyeballed the paths to find a short one particularly populated by people I've heard of. This isn't very satisfying, but given the actual shape of the trust web and the number of signers of the source it's the best that can be done!
- I used gpg --recv-keys to import keys along a path.
- I used gpg --check-sigs to verify the signatures along the path. Note that the list format is cryptic and the best documentation I've found is the source code. Things to watch out for are "-" (invalid signature) and "X" (expired signature).
- I used gpg --lsign to sign Werner Koch's main key "locally" (meaning that I'm deciding to trust it for my own purposes but not to advertise this decision--that is, I am signing it to accomplish a goal of mine but not as a public endorsement).
- I used gpg --edit-key followed by the trust command to set that key as "fully trusted" to sign other keys.
- Then finally gpg --verify is willing to endorse the signature of the GPG tarball.
Arguably I should have run the check-sigs process one step further and lsign'd the distribution-signing key, but the truth of the matter is that all of this is taking place on my old, about-to-be-retired, laptop using a stale copy of my key ring. Now that I've vaguely verified the new GPG I'll install it on my new laptop.
Some promising-sounding things which are not part of a solution to my problem:
- What it does is mark the key as ultimately trusted; what I'd hoped for is that it would mark it as reasonably trusted, run the command, and then unmark it.
- I don't know what it does since for me it won't do anything--probably because I am not part of a redundantly-signed part of the graph)
- Appears to dump out a hash table.