Trusting keys and why 'This signature is not to be trusted.'

In our example Alice received a signed email from Steve. The checkmark indicates that the message is signed and the email has not been tampered with during transit.

signature_received_email.png

Untrusted signature

Alice clicks on the checkmark and the signature details show 'This signature is not to be trusted.'

signature_not_trusted.png

Alice has not yet verified that Steve is actually the owner of the key that was used to sign this email. Alice opens GPG Keychain and double-clicks Steve's public key. The Ownertrust for Steve's public key is 'Unknown'. That is the reason why Alice sees the info "This signature is not to be trusted".

Don't let this confuse you though: the signature is still valid. Signature Validity and Ownertrust are two different things: the Validity indicates whether a signature is valid, and the Ownertrust is the trust level you have assigned to a certain key. See also the KB article about Ownertrust.

ownertrust_unknown.png

How to verify a key

We recommend verifying and signing the keys you use. While this may sound overwhelming at first, do keep in mind: security is not a state, it is a process. You can do this little by little, one key at a time, whenever you have capacity. The longer you actively use OpenPGP, the more security and trust you can have in your setup. The most important thing is to start familiarizing yourself with the process. Give yourself time, and consider making the verify-and-sign process a routine for every new key you use.

Before proceeding, make sure your contact has access to your public key.

1. You personally know the key owner

The easiest way to verify that the key indeed belongs to the person it claims to belong to is to use audio / video chat or the phone and get in touch with the key owner.

  1. Double-click the public key of your contact in GPG Keychain.
  2. Tell your contact to open GPG Keychain and double-click their own sec/pub key.
  3. Have them read their fingerprint to you.

The fingerprint must match the fingerprint you are seeing for their public key. Identical? Perfect! You now know that the key in question indeed belongs to the person you thought it belonged to. This is really important, since anybody can create a key with any name and email address.

While you are at it, you should do the same for your own key. Make sure your contact has your public key in their GPG Keychain. Then read the fingerprint of your key to your contact. Once that is verified as well, proceed to the next step:

Send an encrypted and signed test email to your contact. Write three random words in that email. Do not mention the content of the email to your contact. Send the message and open your sent folder. Open the sent email and verify that it was indeed encrypted and signed. Once your contact has received the test email, have them read the three random words to you. Repeat this process in the other direction: have your contact send you an encrypted and signed email with three random words without telling you the content, and read the received email to them.

You are now ready to proceed to the final step.

2. You do not know the key owner yet

The above method only works if you already know the key owner personally. Otherwise an impostor could give you any phone number or audio chat nickname they have access to and read their own fingerprint. The fingerprint would then match perfectly, but you would still be exchanging encrypted messages with the impostor and not with the person they are trying to impersonate.

In order to deal with this situation, which is much less common but can of course arise, you have to stick to verification via video chat. During the video chat, have your contact show you an official document with their name, such as an identity card, driver's license or passport. Those documents could be fake, but this is as far as verification goes without meeting in person.

Once you have verified the name of your contact, continue with the steps from #1.

How to sign a verified key

To sign the verified key, right-click the key of your contact and select 'Sign'. In our example Alice does this with Steve's public key; Alice's own key is used to sign. When a key has more than one user ID (email address), you will see a list of all user IDs and can pick the one(s) you want to sign.

sign_key_dialog.png

After restarting the Mail app, Alice now sees a trusted signature when she clicks on the checkmark in the received email.

signature_trusted.png
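The same flow reproduced with the gpg command line instead of GPG Keychain, as an added example that is not part of this KB article or of GPGTools' own code: it assumes GnuPG 2.1 or later is installed, uses two throwaway keyrings for Alice and Steve, and the names, addresses and message are constructed. Before Alice signs the key, gpg reports a good signature together with the "not certified" warning (the CLI counterpart of "This signature is not to be trusted"); after the fingerprint check and signing, the warning disappears while the signature itself never changed.

```shell
#!/bin/sh
# Added example (not from the GPGTools KB). Two separate keyrings so that
# Alice's own key is ultimately trusted and Steve's key starts out unknown.
set -eu
export LC_ALL=C                     # keep gpg's messages in English for matching

WORK=$(mktemp -d); ALICE="$WORK/alice"; STEVE="$WORK/steve"
mkdir -m 700 "$ALICE" "$STEVE"
cleanup() { for h in "$ALICE" "$STEVE"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"; }
trap cleanup EXIT

# g <keyring> <gpg args...>: non-interactive gpg against one person's keyring
g() { home=$1; shift; gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Constructed identities without passphrase; "never" = no expiry (test keys only)
g "$STEVE" --quick-gen-key 'Steve <steve@example.com>' default default never 2>/dev/null
g "$ALICE" --quick-gen-key 'Alice <alice@example.com>' default default never 2>/dev/null

# Steve signs a message; Alice receives it together with Steve's public key
printf 'meet at noon\n' > "$WORK/msg.txt"
g "$STEVE" --output "$WORK/msg.asc" --clearsign "$WORK/msg.txt" 2>/dev/null
g "$STEVE" --armor --export steve@example.com 2>/dev/null | g "$ALICE" --import 2>/dev/null

# verify_state: "untrusted" = good signature but the signing key is not certified
# (Mail: "This signature is not to be trusted"); "trusted" = good signature from
# a key Alice's keyring considers valid; "bad" = no good signature at all
verify_state() {
    out=$(g "$ALICE" --verify "$WORK/msg.asc" 2>&1 || true)
    case "$out" in
        *"Good signature"*"not certified"*) echo untrusted ;;
        *"Good signature"*)                 echo trusted ;;
        *)                                  echo bad ;;
    esac
}
BEFORE=$(verify_state)

# Step 1 of the article: compare fingerprints over a channel Alice trusts.
# Reading it from Steve's own keyring stands in for Steve reading it aloud.
fpr() { g "$1" --with-colons --list-keys steve@example.com 2>/dev/null | awk -F: '/^fpr:/ { print $10; exit }'; }
STEVE_READS=$(fpr "$STEVE"); ALICE_SEES=$(fpr "$ALICE")
[ "$STEVE_READS" = "$ALICE_SEES" ]  # a mismatch aborts here: wrong key, do not sign

# Step 2: Alice certifies the verified key with her own key (what the Sign
# dialog does); gpg then recomputes key validity from its trust database.
g "$ALICE" --quick-sign-key "$STEVE_READS" 2>/dev/null
g "$ALICE" --check-trustdb 2>/dev/null
AFTER=$(verify_state)

printf 'before signing: %s\nafter signing:  %s\n' "$BEFORE" "$AFTER"
```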