Trusting keys and why 'This signature is not to be trusted.'
In this example, Alice received a signed email from Steve. The checkmark indicates that the message is signed and that it has not been tampered with in transit; otherwise the signature would show as invalid.
Alice clicks on the checkmark to open signature details and sees 'This signature is not to be trusted.'
Alice has not yet verified that Steve is actually the owner of the key that was used to sign this email. Alice opens GPG Keychain and double-clicks Steve's public key. The Ownertrust for Steve's public key is 'Unknown'. That is why Alice sees the info 'This signature is not to be trusted'.
Don't let this confuse you though: the signature is still valid. Signature validity and ownertrust are two different things and must not be mixed up. Validity tells you whether the signature checks out cryptographically, i.e. the message was produced by the holder of that key and has not been altered since. Ownertrust is the trust level you have assigned to a particular key. A valid signature from a key you have not verified proves only that whoever holds that key signed the message, not that this person is Steve.
We recommend verifying and signing the keys you use. That may sound like a lot of work, but as the saying goes, 'security is not a state, it is a process'. You can do it one key at a time, whenever you have the capacity. The longer you actively use OpenPGP, the more trust you can put in your key setup. Give yourself time to adapt, and consider making verify-and-sign a routine for every new key you start using.
Important: before proceeding, make sure your contact has your public key, either from a key server or because you shared it directly via email. [KB-article]
1. You already personally know the key owner
The easiest way to verify that a key indeed belongs to the person it claims to belong to is to pick up the phone, or use an audio or video chat, and get in touch with the key owner.
- double click the public key of your contact in GPG Keychain
- tell your contact to open GPG Keychain and double click their own sec/pub key
- let them read their fingerprint to you
The fingerprint must match the fingerprint you see for their public key. Compare the whole fingerprint, not just the short key ID shown in some places: anybody can create a key with any name and email address, and short key IDs can even be made to collide, so only the full fingerprint identifies a key. Identical? Perfect! You now know that the key in question indeed belongs to the person you thought it belonged to.
While you are at it, do the same for your own key. Make sure your contact has your public key in their GPG Keychain, then read the fingerprint of your key to your contact. Once that is verified as well, you and your contact should both proceed to the next step:
Send an encrypted and signed test email to your contact. Write three random words in that email and do not mention its content to your contact. Send the message, open your sent folder, open the sent email and verify that it was indeed encrypted and signed. Once your contact has received the test email, have them read the three random words to you. Repeat the process in the other direction: have your contact send you an encrypted and signed email with three random words without telling you the content, and read the received email to them. This confirms that both mail clients actually use the keys you just verified and that encryption and decryption work end to end, which the fingerprint comparison alone does not show.
You are now ready for the final step: signing the verified key.
2. You do not know the key owner yet
The method above only works if you already know the key owner personally. Otherwise an impostor could give you any phone number or chat handle they control and read you their own fingerprint. The fingerprint would match perfectly, but you would be exchanging encrypted messages with the impostor rather than the person they are impersonating.
To deal with this situation, which is much less common but can of course arise, stick to verification via video chat. During the chat, have your contact show you an official document such as an identity card, driver's license or passport bearing their name. Such documents can be faked, but this is as far as verification goes without meeting in person.
Once you have verified your contact's name, continue with the steps from #1.
Now let's sign the verified key.
Important: we recommend publishing the signature, but the option is off by default. Once you upload the signed public key to a key server, your signature is visible to everyone, and others may infer that you are in touch with the key owner.
Right-click your contact's key and select 'Sign'. In our example, Alice does this with Steve's public key; Alice's key is used to create the signature.
If the key has more than one user ID (email address), you will see a list of all user IDs and can pick the one(s) you want to sign. Sign only the user IDs you actually verified.
After restarting Mail.app, Alice sees a trusted signature when she clicks the checkmark in the received email.
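The whole procedure, from comparing fingerprints to signing the key, can be replayed with the gpg command line that GPG Keychain drives under the hood. The script below is an added example and not part of this KB article or of GPG Suite: it creates two throw-away keyrings for Alice and Steve (made-up names and addresses, a made-up message), has Steve sign a message, and shows that Alice's gpg reports GOODSIG for it both before and after she signs Steve's key, while the TRUST_ status line changes from TRUST_UNDEFINED to TRUST_FULLY. That second line is what a mail client turns into 'This signature is not to be trusted' versus a trusted signature. gpg's --quick-sign-key corresponds to GPG Keychain's 'Sign'; --quick-lsign-key would make a non-exportable signature for the case where you never intend to publish it. Requires GnuPG 2.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the GPGTools KB article: the Alice/Steve procedure
# replayed with the gpg command line in two throw-away keyrings. Names,
# addresses and the message are made up. Requires GnuPG 2.1 or newer.
set -eu

# gpg_as <home> <args...>: run gpg non-interactively against one person's
# keyring. The empty passphrase is acceptable only for throw-away demo keys.
gpg_as() {
  home=$1; shift
  GNUPGHOME="$home" gpg --batch --no-tty --quiet --yes \
    --pinentry-mode loopback --passphrase '' "$@"
}

# fingerprint <home> <userid>: the primary key's full fingerprint (the "fpr"
# record of the colon listing), i.e. what GPG Keychain shows and what the key
# owner reads out on the phone. Compare all of it, never just the short key ID.
fingerprint() {
  gpg_as "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr:/ { print $10; exit }'
}

# verify_tokens <home> <signed-file>: prints "<GOODSIG|BADSIG|ERRSIG> <TRUST_*>".
# GOODSIG says the signature itself is valid; the TRUST_ line says how far the
# verifier's own keyring vouches for the signing key. Mail clients turn the
# second token into "not to be trusted" versus a trusted signature.
verify_tokens() {
  gpg_as "$1" --status-fd 1 --verify "$2" 2>/dev/null \
    | awk '$1 == "[GNUPG:]" && $2 ~ /^(GOODSIG|BADSIG|ERRSIG)$/ { sig = $2 }
           $1 == "[GNUPG:]" && $2 ~ /^TRUST_/                  { trust = $2 }
           END { print sig, trust }'
}

main() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate"; return 0; }
  WORK=$(mktemp -d); ALICE="$WORK/alice"; STEVE="$WORK/steve"
  mkdir -m 700 "$ALICE" "$STEVE"
  trap 'for h in "$ALICE" "$STEVE"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

  # Two people, two keyrings. A locally generated key gets ultimate ownertrust.
  gpg_as "$ALICE" --quick-generate-key "Alice <alice@example.com>" default default never
  gpg_as "$STEVE" --quick-generate-key "Steve <steve@example.com>" default default never

  # Steve shares his public key (key server or email in the article); Alice imports it.
  gpg_as "$STEVE" --armor --export steve@example.com | gpg_as "$ALICE" --import

  # Steve signs a message carrying the "three random words" (constructed sample).
  printf 'quartz pelican harbor\n' > "$WORK/msg.txt"
  gpg_as "$STEVE" --armor --sign --output "$WORK/msg.asc" "$WORK/msg.txt"

  # Before the phone call: the signature is good, but the key is not trusted.
  BEFORE=$(verify_tokens "$ALICE" "$WORK/msg.asc")

  # The phone call: Steve reads the fingerprint from his own keyring, Alice
  # compares it with the imported key. On a mismatch, stop and never sign.
  steve_reads=$(fingerprint "$STEVE" steve@example.com)
  alice_sees=$(fingerprint "$ALICE" steve@example.com)
  [ "$steve_reads" = "$alice_sees" ] || { echo "fingerprint mismatch, refusing to sign"; return 1; }

  # GPG Keychain's "Sign" on the verified key. Use --quick-lsign-key instead for
  # a non-exportable signature if you never intend to publish it.
  gpg_as "$ALICE" --quick-sign-key "$alice_sees"

  # After signing: the very same signature, now from a fully valid key.
  AFTER=$(verify_tokens "$ALICE" "$WORK/msg.asc")

  printf 'before signing Steve'"'"'s key: %s\nafter signing Steve'"'"'s key:  %s\n' "$BEFORE" "$AFTER"
}

main "$@"
```

Running it prints 'GOODSIG TRUST_UNDEFINED' before and 'GOODSIG TRUST_FULLY' after Alice signs the key; the GOODSIG part never changes, which is exactly the validity-versus-trust distinction above. The fingerprint comparison is done in code only because both keyrings live on one machine; in the real procedure the left side comes from your contact's voice.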