Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed

GPG noninteractive batch sign, trust and send gnupg keys

Published: 01-06-2018 | Author: Remy van Elst | Text only version of this article


❗ This post is over six years old. It may no longer be up to date. Opinions may have changed.

Recently a team I consult for started using a shared password manager, pass. It uses GPG keys and presents itself as the standard unix password manager, but in essence it's nothing more than a wrapper around GPG encrypted files. We all had to generate new keys since the team is new and we were not allowed to use existing keys. Using a new, empty keyring, I generated my key and imported their keys. I wanted to trust, sign and publish all keys to a keyserver, this article shows how to do that noninteractively in batch form. Saves me doing the same thing four times.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

If you ever want to send me something encrypted, you can find my GPG and S/MIME keys here

I'm using the following GPG version on Ubuntu 18.04:

$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/remy/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Do note that I started with an empty slate (new key, empty gnupg keyring) and with all people in the same room. Don't do this on your regular GnuPG keyring since then you might not want to trust and sign everyone's key. Normally you would just sign and publish the keys from people you actually verified the identity of, at a keysigning party for example.

Machine readable format

I started with an empty keyring, generated a new secret key and then imported the other keys from a folder (gpg --import *.asc). The next step is to trust these keys, sign them and upload them to a keyserver. I can do that by hand using the CLI, but that doesn't scale. This time it's three keys, the next time it will be a hundred. Let's find a way to automate that.

Using gpg --list-keys I can get a list of keys and their ID's:

$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   2  signed:   0  trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2019-06-01
/home/remy/.gnupg/pubring.kbx
-----------------------------
pub   secp256k1 2018-06-01 [SC] [expires: 2019-06-01]
      BA3185A7E50F713280F4559AA2EB77DDEA029199
uid           [ultimate] R. van Elst <remy@example2.nl>
sub   secp256k1 2018-06-01 [E] [expires: 2019-06-01]

pub   rsa2048 2018-06-01 [SC] [expires: 2020-05-31]
      99A986134D54F69AB9BE0E3939110B67C1165E3F
uid           [ unknown] Christian <christian@example4.com
sub   rsa2048 2018-06-01 [E] [expires: 2020-05-31]

pub   rsa4096 2018-05-31 [SC]
      CF518D6D969A7448F7545A343A624724EAFF8D71
uid           [  full  ] Karel Jan van Dijk <karel@example1.org>
sub   rsa4096 2018-05-31 [E]

pub   rsa3072 2018-05-31 [SC] [expires: 2020-05-30]
      EC6D4F0A72117779D2D89C816F8ACF16C411318B
uid           [  full  ] Ron Duiker <ron@example1.org>
sub   rsa3072 2018-05-31 [E] [expires: 2020-05-30]

Parsing shell command output in general is a bad idea since that can change. GnuPG addresses this in the manual page specifically:

   --list-keys
   -k
   --list-public-keys
          List the specified keys.  If no keys are specified, then all keys from the configured public keyrings are listed.

          Never  use the output of this command in scripts or other programs.  The output is intended only for humans and its format is likely to change.  The --with-colons option emits the out-
          put in a stable, machine-parseable format, which is intended for use by scripts and other programs.

Thank you to the GnuPG developers for doing this, if all software would be so specific and clear that would save me a lot of time and effort.

The output --with-colons looks like this:

$ gpg --list-keys --with-colons
tru::1:1527866875:1559373557:3:1:5
pub:u:256:19:A2EB77DDEA029199:1527837557:1559373557::u:::scESC:::::secp256k1:::0:
fpr:::::::::BA3185A7E50F713280F4559AA2EB77DDEA029199:
uid:u::::1527837557::38561F394B0A364FE743B28BF03B3602E8F8D8E1::R. van Elst <remy@example2.nl>::::::::::0:
sub:u:256:18:770B8C8E75662ABE:1527837557:1559373557:::::e:::::secp256k1::
fpr:::::::::0E83BF12C86332243F76C8CC770B8C8E75662ABE:
pub:-:2048:1:39110B67C1165E3F:1527834492:1590906492::-:::scESC::::::23::0:
fpr:::::::::99A986134D54F69AB9BE0E3939110B67C1165E3F:
uid:-::::1527834492::6B405A1FBF0307CF08C19D6771B6F6472CB0E1FF::Christian <christian@example4.com::::::::::0:
sub:-:2048:1:4B7F18953DB2549A:1527834492:1590906492:::::e::::::23:
fpr:::::::::B5E0E76BD1A4338ADF67ACDC4B7F18953DB2549A:
pub:f:4096:1:3A624724EAFF8D71:1527781980:::-:::scESC::::::23::0:
fpr:::::::::CF518D6D969A7448F7545A343A624724EAFF8D71:
uid:f::::1527781980::F77BFCFB07762E657B2D8EB7BE6FFC348E6B9EC8::Karel Jan van Dijk <karel@example1.org>::::::::::0:
sub:f:4096:1:040F45BF5344AC48:1527781980::::::e::::::23:
fpr:::::::::D3F1C10C742313FFA998552C040F45BF5344AC48:
pub:f:3072:1:6F8ACF16C411318B:1527781700:1590853700::-:::scESC::::::23::0:
fpr:::::::::EC6D4F0A72117779D2D89C816F8ACF16C411318B:
uid:f::::1527781700::20DD8EAC4DE8E83947F95136BB03CD0E8ECE7D94::Ron Duiker <ron@example1.org>::::::::::0:
sub:f:3072:1:0492EAEFF2E0EA2F:1527781700:1590853700:::::e::::::23:
fpr:::::::::0B6AA791FB99C5FCE6701E260492EAEFF2E0EA2F:

This format is documented here. Reading that it seems I can safely search for 'fpr::::'. The change that someone names their key or comment that seems small to me.

Using awk I can get the fingerprints, which I need in the next commands to trust, sign and upload the keys:

$ gpg --list-keys --with-colons  | awk -F: '/fpr:/ {print $0}' 
fpr:::::::::4DDE73DB5030B53926813A502B6755BD1B7F88DC:
fpr:::::::::3AFDF7F4DA1B3A0C64671217CE2786EB97AC7685:
fpr:::::::::BA3185A7E50F713280F4559AA2EB77DDEA029199:
fpr:::::::::0E83BF12C86332243F76C8CC770B8C8E75662ABE:
fpr:::::::::99A986134D54F69AB9BE0E3939110B67C1165E3F:
fpr:::::::::B5E0E76BD1A4338ADF67ACDC4B7F18953DB2549A:
fpr:::::::::CF518D6D969A7448F7545A343A624724EAFF8D71:
fpr:::::::::D3F1C10C742313FFA998552C040F45BF5344AC48:
fpr:::::::::EC6D4F0A72117779D2D89C816F8ACF16C411318B:
fpr:::::::::0B6AA791FB99C5FCE6701E260492EAEFF2E0EA2F:

Printing just the fingerprints:

$ gpg --list-keys --with-colons  | awk -F: '/fpr:/ {print $10}' 
4DDE73DB5030B53926813A502B6755BD1B7F88DC
3AFDF7F4DA1B3A0C64671217CE2786EB97AC7685
BA3185A7E50F713280F4559AA2EB77DDEA029199
0E83BF12C86332243F76C8CC770B8C8E75662ABE
99A986134D54F69AB9BE0E3939110B67C1165E3F
B5E0E76BD1A4338ADF67ACDC4B7F18953DB2549A
CF518D6D969A7448F7545A343A624724EAFF8D71
D3F1C10C742313FFA998552C040F45BF5344AC48
EC6D4F0A72117779D2D89C816F8ACF16C411318B
0B6AA791FB99C5FCE6701E260492EAEFF2E0EA2F

Trust the keys noninteractive in batch

Trusting a key involves going through a menu, setting a trust level and confirming that. Using the flag --command-fd 0 we instruct GnuPG to accept input from STDIN, thus allowing us to use a pipe with the correct input. The following command batch trusts all keys ultimately:

$ for fpr in $(gpg --list-keys --with-colons  | awk -F: '/fpr:/ {print $10}' | sort -u); do  echo -e "5\ny\n" |  gpg --command-fd 0 --expert --edit-key $fpr trust; done

The output looks like this:

gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa3072/6F8ACF16C411318B
     created: 2018-05-31  expires: 2020-05-30  usage: SC  
     trust: ultimate      validity: ultimate
sub  rsa3072/0492EAEFF2E0EA2F
     created: 2018-05-31  expires: 2020-05-30  usage: E   
[ultimate] (1). Ron Duiker <ron@example1.org>

pub  rsa3072/6F8ACF16C411318B
     created: 2018-05-31  expires: 2020-05-30  usage: SC  
     trust: ultimate      validity: ultimate
sub  rsa3072/0492EAEFF2E0EA2F
     created: 2018-05-31  expires: 2020-05-30  usage: E   
[ultimate] (1). Ron Duiker <ron@example1.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu


pub  rsa3072/6F8ACF16C411318B
     created: 2018-05-31  expires: 2020-05-30  usage: SC  
     trust: ultimate      validity: ultimate
sub  rsa3072/0492EAEFF2E0EA2F
     created: 2018-05-31  expires: 2020-05-30  usage: E   
[ultimate] (1). Ron Duiker <>


pub  rsa3072/6F8ACF16C411318B
     created: 2018-05-31  expires: 2020-05-30  usage: SC  
     trust: ultimate      validity: ultimate
sub  rsa3072/0492EAEFF2E0EA2F
     created: 2018-05-31  expires: 2020-05-30  usage: E   
[ultimate] (1). Ron Duiker <ron@example1.org>

gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  secp256k1/A2EB77DDEA029199
     created: 2018-06-01  expires: 2019-06-01  usage: SC  
     trust: ultimate      validity: ultimate
ssb  secp256k1/770B8C8E75662ABE
     created: 2018-06-01  expires: 2019-06-01  usage: E   
[ultimate] (1). R. van Elst <remy@example2.nl>

sec  secp256k1/A2EB77DDEA029199
     created: 2018-06-01  expires: 2019-06-01  usage: SC  
     trust: ultimate      validity: ultimate
ssb  secp256k1/770B8C8E75662ABE
     created: 2018-06-01  expires: 2019-06-01  usage: E   
[ultimate] (1). R. van Elst <remy@example2.nl>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu


sec  secp256k1/A2EB77DDEA029199
     created: 2018-06-01  expires: 2019-06-01  usage: SC  
     trust: ultimate      validity: ultimate
ssb  secp256k1/770B8C8E75662ABE
     created: 2018-06-01  expires: 2019-06-01  usage: E   
[ultimate] (1). R. van Elst <remy@example2.nl>


sec  secp256k1/A2EB77DDEA029199
     created: 2018-06-01  expires: 2019-06-01  usage: SC  
     trust: ultimate      validity: ultimate
ssb  secp256k1/770B8C8E75662ABE
     created: 2018-06-01  expires: 2019-06-01  usage: E   
[ultimate] (1). R. van Elst <remy@example2.nl>

The keys are now marked as trusted in the local trust database. We can continue on to sign them.

Signing the keys noninteractively in batch mode

Signing the keys tells other people that we verified the identity of the key owners and trusting their keys, confirming that with a signature of our own key. Because we all were in a room together doing this I did verify their identity, thus vouching for their public keys.

This command signs all the keys found in the keyring:

$ for fpr in $(gpg --list-keys --with-colons  | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "y\ny\n" |  gpg --command-fd 0 --expert --edit-key $fpr sign; done

Depending on how your key agent is set up it will prompt you on the command line for the passphrase, or a GUI dialog window.

Output looks like this:

gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa2048/2B6755BD1B7F88DC
     created: 2014-06-01  expires: never       usage: SCEA
     trust: ultimate      validity: ultimate
sub  rsa2048/CE2786EB97AC7685
     created: 2014-06-01  expires: 2019-05-31  usage: E   
[ultimate] (1). Remy van Elst <remy@example3.net>

User ID "Remy van Elst <remy@example3.net>" is not self-signed.

pub  rsa2048/2B6755BD1B7F88DC
     created: 2014-06-01  expires: never       usage: SCEA
     trust: ultimate      validity: ultimate
 Primary key fingerprint: 4DDE 73DB 5030 B539 2681  3A50 2B67 55BD 1B7F 88DC

     Remy van Elst <remy@example3.net>

Are you sure that you want to sign this key with your
key "R. van Elst <remy@example2.nl>" (A2EB77DDEA029199)



pub  rsa2048/2B6755BD1B7F88DC
     created: 2014-06-01  expires: never       usage: SCEA
     trust: ultimate      validity: ultimate
sub  rsa2048/CE2786EB97AC7685
     created: 2014-06-01  expires: 2019-05-31  usage: E   
[ultimate] (1). Remy van Elst <remy@example3.net>

If you want to use a specific key to sign with, for example when you hae more then 1 private key, add the --local-user parameter:

$ echo "y\ny\n" | gpg --command-fd 0 --expert --local-user BA3185A7E50F713280F4559AA2EB77DDEA029199 --edit-key 4DDE73DB5030B53926813A502B6755BD1B7F88DC  sign

Publishing the keys to a keyserver noninteractive in batch mode

Now that all keys are trusted and signed we can publish the result to a keyserver so that we can tell the entire world about these new trust relations. You probably are able to guess the command, it uses the same loop as before:

$ for fpr in $(gpg --list-keys --with-colons  | awk -F: '/fpr:/ {print $10}' | sort -u); do gpg --send-keys --keyserver pool.sks-keyservers.net $fpr; done

Output looks like below:

gpg: sending key 6F8ACF16C411318B to hkp://pool.sks-keyservers.net
gpg: sending key A2EB77DDEA029199 to hkp://pool.sks-keyservers.net
gpg: sending key 2B6755BD1B7F88DC to hkp://pool.sks-keyservers.net
gpg: sending key 2B6755BD1B7F88DC to hkp://pool.sks-keyservers.net
gpg: sending key 39110B67C1165E3F to hkp://pool.sks-keyservers.net
gpg: sending key 39110B67C1165E3F to hkp://pool.sks-keyservers.net
gpg: sending key A2EB77DDEA029199 to hkp://pool.sks-keyservers.net
gpg: sending key 3A624724EAFF8D71 to hkp://pool.sks-keyservers.net
gpg: sending key 3A624724EAFF8D71 to hkp://pool.sks-keyservers.net
gpg: sending key 6F8ACF16C411318B to hkp://pool.sks-keyservers.net

That's all there is to it. Some shell commands chained together to save me a lot of time and effort. Just the way I like it.

Tags: articles , bash , batch , gnupg , gpg , hsm , nitrokey , pgp , security , ubuntu