Trusting keys and why 'This signature is not to be trusted.'
Reading time: 8 minutes
This KB explains
Let's start with an example.
Alice just received a signed mail from Steve.
The checkmark indicates that this is a signed mail. It also indicates, that the mail has not been tampered with during transit from Steve to Alice - otherwise the signature would show as invalid.
Alice clicks on the checkmark to open the signature details. The details show 'This signature is not to be trusted.'
Alice has not yet verified, that Steve is actually the owner of the key, which was used to sign this mail. The Ownertrust for Steve's public key is likely 'Unknown'. This fact is reflected in the above warning message. When Alice looks at Steve's public key in GPG Keychain and double clicks it to show the key details, she indeed sees that Ownertrust is Unknown.
Don't get confused though, the signature is still valid. Signature validity and Ownertrust are two different things, not to be mixed up. The validity indicates if a signature is valid and the Ownertrust is the trust-level of a certain key.
We recommend to verify and sign keys you are using. While this may sound like an overwhelming task, as they say, 'security is not a state it's a process', you can do this little by little one key at a time. The longer you are actively using OpenPGP and weaving your network of trusted keys, the higher your security. Allow yourself time to slowly adapt to this. Consider making the verify and sign process a routine for new keys which you are using.
Important: Before proceeding, make sure your contact can grab your public key, either from the key servers or by sharing your public key via email. [KB-article]
1. You already personally know the key owner
The easiest way to verify, that the key indeed belongs to the person it claims to belong to, is, to pick up the phone or use an audio / video chat application of your choice and get in touch with the key owner.
- double click the public key of your contact in GPG
- tell your contact to open GPG Keychain and double click their
own sec/pub key
- let them read their fingerprint to you
The fingerprint must match the fingerprint you are seeing for their public key. Identical? Perfect! You now know that the key in question indeed belongs to the person you thought it belonged to. This is really important, since anybody can create a key with any mail address.
While you are at it, you should do the same for your key. Make sure your contact has your public key in his GPG Keychain. Then read the fingerprint of your key to your contact. Once that is verified as well, you and your contact should both proceed to the next step:
Send an encrypted and signed test-email to the email in the public key of your contact. Do not mention the content of the mail to your contact but write down three random words. Send the mail and then open your sent folder. Open the sent mail and verify that it was indeed encrypted and signed. Once your contact has received the test mail, have them read the three random words to you. Repeat this process in the other direction, i.e. have your contact send an encrypted and signed email with three random words and without telling you the content, read the received mail to them.
You are now ready to proceed to the final step how to sign a verified key
2. You do not know the key owner yet
The above method only works, if you already know the key owner personally. Otherwise an impostor could give any phone number / audio chat nickname they have access to and read their fingerprint. The fingerprint would then perfectly match, but you still would be exchanging encrypted messages with the impostor and not the person they are trying to impersonate.
In order to deal with this situation, which is much less common but can of course arise, you have to stick to verification via video chat. During the video chat, have your contact show you some official document like an identity card, drivers license or a passport with their name. Those documents could be fake, but this is as far as verification goes without meeting in person.
Once you ensured, that the name is correct and matches the name in the key you are trying to verify, you can continue with the steps from #1.
Now is a good time to sign the verified key.
Important: Signatures are visible to others once you upload the signed public key to the key servers. Others may assume that you are in touch with the person owning the key. We generally recommend to upload signed public keys, but there are scenarios, in which you may not want to do that. In that case, you should be using a local signature. That option is available in the dialog when signing a key.
Right click the public key of your contact and select 'Sign'. In our example Alice does this with Steve's public key.
The key signing dialog shows up. Alice's key is used to sign. Since the fingerprint has been verified she selects 'I have done very careful checking.' There are other levels of checking, but if you invest time into key signing, why not do it right, right?
We recommend to have the signature expire. You can re-new or change your signature anytime.
Click 'Generate signature' and the key will be signed. Optionally upload the signed public key to the key servers to have your signature be visible to others (see above notice). Select the public key of your contact and then select from the menubar key > Send public key to key server (⌘ + K).
After a restart of Mail.app Alice now sees a trusted signature when she clicks on the checkmark in the received mail.
Congrats! You've made it.
If you are not tired yet and want to learn more about the 'Web of Trust' and key validity, you can continue reading more about that in the Introduction to Cryptography.
There's a separate KB-article about Ownertrust which you may want to read.