This is a text-only version of the following page on https://raymii.org: --- Title : GPG noninteractive batch sign, trust and send gnupg keys Author : Remy van Elst Date : 01-06-2018 URL : https://raymii.org/s/articles/GPG_noninteractive_batch_sign_trust_and_send_gnupg_keys.html Format : Markdown/HTML --- ![][1] Recently a team I consult for started using a shared password manager, pass. It uses GPG keys and presents itself as the standard unix password manager, but in essence it's nothing more than a wrapper around GPG encrypted files. We all had to generate new keys since the team is new and we were not allowed to use existing keys. Using a new, empty keyring, I generated my key and imported their keys. I wanted to trust, sign and publish all keys to a keyserver, this article shows how to do that noninteractively in batch form. Saves me doing the same thing four times.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!

If you ever want to send me something encrypted, you can find [my GPG and S/MIME keys here][3] I'm using the following GPG version on Ubuntu 18.04: $ gpg --version gpg (GnuPG) 2.2.4 libgcrypt 1.8.1 Copyright (C) 2017 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: /home/remy/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Do note that I started with an empty slate (new key, empty gnupg keyring) and with all people in the same room. Don't do this on your regular GnuPG keyring since then you might not want to trust and sign everyone's key. Normally you would just sign and publish the keys from people you actually verified the identity of, at a keysigning party for example. ### Machine readable format I started with an empty keyring, generated a new secret key and then imported the other keys from a folder (`gpg --import *.asc`). The next step is to trust these keys, sign them and upload them to a keyserver. I can do that by hand using the CLI, but that doesn't scale. This time it's three keys, the next time it will be a hundred. Let's find a way to automate that. Using `gpg --list-keys` I can get a list of keys and their ID's: $ gpg --list-keys gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: depth: 1 valid: 2 signed: 0 trust: 2-, 0q, 0n, 0m, 0f, 0u gpg: next trustdb check due at 2019-06-01 /home/remy/.gnupg/pubring.kbx ----------------------------- pub secp256k1 2018-06-01 [SC] [expires: 2019-06-01] BA3185A7E50F713280F4559AA2EB77DDEA029199 uid [ultimate] R. van Elst sub secp256k1 2018-06-01 [E] [expires: 2019-06-01] pub rsa2048 2018-06-01 [SC] [expires: 2020-05-31] 99A986134D54F69AB9BE0E3939110B67C1165E3F uid [ unknown] Christian sub rsa4096 2018-05-31 [E] pub rsa3072 2018-05-31 [SC] [expires: 2020-05-30] EC6D4F0A72117779D2D89C816F8ACF16C411318B uid [ full ] Ron Duiker sub rsa3072 2018-05-31 [E] [expires: 2020-05-30] Parsing shell command output in general is a bad idea since that can change. GnuPG addresses this in the manual page specifically: --list-keys -k --list-public-keys List the specified keys. If no keys are specified, then all keys from the configured public keyrings are listed. Never use the output of this command in scripts or other programs. The output is intended only for humans and its format is likely to change. The --with-colons option emits the out- put in a stable, machine-parseable format, which is intended for use by scripts and other programs. Thank you to the GnuPG developers for doing this, if all software would be so specific and clear that would save me a lot of time and effort. The output `--with-colons` looks like this: $ gpg --list-keys --with-colons tru::1:1527866875:1559373557:3:1:5 pub:u:256:19:A2EB77DDEA029199:1527837557:1559373557::u:::scESC:::::secp256k1:::0: fpr:::::::::BA3185A7E50F713280F4559AA2EB77DDEA029199: uid:u::::1527837557::38561F394B0A364FE743B28BF03B3602E8F8D8E1::R. van Elst ::::::::::0: sub:u:256:18:770B8C8E75662ABE:1527837557:1559373557:::::e:::::secp256k1:: fpr:::::::::0E83BF12C86332243F76C8CC770B8C8E75662ABE: pub:-:2048:1:39110B67C1165E3F:1527834492:1590906492::-:::scESC::::::23::0: fpr:::::::::99A986134D54F69AB9BE0E3939110B67C1165E3F: uid:-::::1527834492::6B405A1FBF0307CF08C19D6771B6F6472CB0E1FF::Christian ::::::::::0: sub:f:4096:1:040F45BF5344AC48:1527781980::::::e::::::23: fpr:::::::::D3F1C10C742313FFA998552C040F45BF5344AC48: pub:f:3072:1:6F8ACF16C411318B:1527781700:1590853700::-:::scESC::::::23::0: fpr:::::::::EC6D4F0A72117779D2D89C816F8ACF16C411318B: uid:f::::1527781700::20DD8EAC4DE8E83947F95136BB03CD0E8ECE7D94::Ron Duiker ::::::::::0: sub:f:3072:1:0492EAEFF2E0EA2F:1527781700:1590853700:::::e::::::23: fpr:::::::::0B6AA791FB99C5FCE6701E260492EAEFF2E0EA2F: This format [is documented here][4]. Reading that it seems I can safely search for 'fpr::::'. The change that someone names their key or comment that seems small to me. Using `awk` I can get the fingerprints, which I need in the next commands to trust, sign and upload the keys: $ gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $0}' fpr:::::::::4DDE73DB5030B53926813A502B6755BD1B7F88DC: fpr:::::::::3AFDF7F4DA1B3A0C64671217CE2786EB97AC7685: fpr:::::::::BA3185A7E50F713280F4559AA2EB77DDEA029199: fpr:::::::::0E83BF12C86332243F76C8CC770B8C8E75662ABE: fpr:::::::::99A986134D54F69AB9BE0E3939110B67C1165E3F: fpr:::::::::B5E0E76BD1A4338ADF67ACDC4B7F18953DB2549A: fpr:::::::::CF518D6D969A7448F7545A343A624724EAFF8D71: fpr:::::::::D3F1C10C742313FFA998552C040F45BF5344AC48: fpr:::::::::EC6D4F0A72117779D2D89C816F8ACF16C411318B: fpr:::::::::0B6AA791FB99C5FCE6701E260492EAEFF2E0EA2F: Printing just the fingerprints: $ gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' 4DDE73DB5030B53926813A502B6755BD1B7F88DC 3AFDF7F4DA1B3A0C64671217CE2786EB97AC7685 BA3185A7E50F713280F4559AA2EB77DDEA029199 0E83BF12C86332243F76C8CC770B8C8E75662ABE 99A986134D54F69AB9BE0E3939110B67C1165E3F B5E0E76BD1A4338ADF67ACDC4B7F18953DB2549A CF518D6D969A7448F7545A343A624724EAFF8D71 D3F1C10C742313FFA998552C040F45BF5344AC48 EC6D4F0A72117779D2D89C816F8ACF16C411318B 0B6AA791FB99C5FCE6701E260492EAEFF2E0EA2F ### Trust the keys noninteractive in batch Trusting a key involves going through a menu, setting a trust level and confirming that. Using the flag `--command-fd 0` we instruct GnuPG to accept input from STDIN, thus allowing us to use a pipe with the correct input. The following command batch trusts all keys ultimately: $ for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key $fpr trust; done The output looks like this: gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub rsa3072/6F8ACF16C411318B created: 2018-05-31 expires: 2020-05-30 usage: SC trust: ultimate validity: ultimate sub rsa3072/0492EAEFF2E0EA2F created: 2018-05-31 expires: 2020-05-30 usage: E [ultimate] (1). Ron Duiker pub rsa3072/6F8ACF16C411318B created: 2018-05-31 expires: 2020-05-30 usage: SC trust: ultimate validity: ultimate sub rsa3072/0492EAEFF2E0EA2F created: 2018-05-31 expires: 2020-05-30 usage: E [ultimate] (1). Ron Duiker Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu pub rsa3072/6F8ACF16C411318B created: 2018-05-31 expires: 2020-05-30 usage: SC trust: ultimate validity: ultimate sub rsa3072/0492EAEFF2E0EA2F created: 2018-05-31 expires: 2020-05-30 usage: E [ultimate] (1). Ron Duiker <> pub rsa3072/6F8ACF16C411318B created: 2018-05-31 expires: 2020-05-30 usage: SC trust: ultimate validity: ultimate sub rsa3072/0492EAEFF2E0EA2F created: 2018-05-31 expires: 2020-05-30 usage: E [ultimate] (1). Ron Duiker gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. sec secp256k1/A2EB77DDEA029199 created: 2018-06-01 expires: 2019-06-01 usage: SC trust: ultimate validity: ultimate ssb secp256k1/770B8C8E75662ABE created: 2018-06-01 expires: 2019-06-01 usage: E [ultimate] (1). R. van Elst sec secp256k1/A2EB77DDEA029199 created: 2018-06-01 expires: 2019-06-01 usage: SC trust: ultimate validity: ultimate ssb secp256k1/770B8C8E75662ABE created: 2018-06-01 expires: 2019-06-01 usage: E [ultimate] (1). R. van Elst Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu sec secp256k1/A2EB77DDEA029199 created: 2018-06-01 expires: 2019-06-01 usage: SC trust: ultimate validity: ultimate ssb secp256k1/770B8C8E75662ABE created: 2018-06-01 expires: 2019-06-01 usage: E [ultimate] (1). R. van Elst sec secp256k1/A2EB77DDEA029199 created: 2018-06-01 expires: 2019-06-01 usage: SC trust: ultimate validity: ultimate ssb secp256k1/770B8C8E75662ABE created: 2018-06-01 expires: 2019-06-01 usage: E [ultimate] (1). R. van Elst The keys are now marked as trusted in the local trust database. We can continue on to sign them. ### Signing the keys noninteractively in batch mode Signing the keys tells other people that we verified the identity of the key owners and trusting their keys, confirming that with a signature of our own key. Because we all were in a room together doing this I did verify their identity, thus vouching for their public keys. This command signs all the keys found in the keyring: $ for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "y\ny\n" | gpg --command-fd 0 --expert --edit-key $fpr sign; done Depending on how your key agent is set up it will prompt you on the command line for the passphrase, or a GUI dialog window. Output looks like this: gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub rsa2048/2B6755BD1B7F88DC created: 2014-06-01 expires: never usage: SCEA trust: ultimate validity: ultimate sub rsa2048/CE2786EB97AC7685 created: 2014-06-01 expires: 2019-05-31 usage: E [ultimate] (1). Remy van Elst User ID "Remy van Elst " is not self-signed. pub rsa2048/2B6755BD1B7F88DC created: 2014-06-01 expires: never usage: SCEA trust: ultimate validity: ultimate Primary key fingerprint: 4DDE 73DB 5030 B539 2681 3A50 2B67 55BD 1B7F 88DC Remy van Elst Are you sure that you want to sign this key with your key "R. van Elst " (A2EB77DDEA029199) pub rsa2048/2B6755BD1B7F88DC created: 2014-06-01 expires: never usage: SCEA trust: ultimate validity: ultimate sub rsa2048/CE2786EB97AC7685 created: 2014-06-01 expires: 2019-05-31 usage: E [ultimate] (1). Remy van Elst If you want to use a specific key to sign with, for example when you hae more then 1 private key, add the `--local-user` parameter: $ echo "y\ny\n" | gpg --command-fd 0 --expert --local-user BA3185A7E50F713280F4559AA2EB77DDEA029199 --edit-key 4DDE73DB5030B53926813A502B6755BD1B7F88DC sign ### Publishing the keys to a keyserver noninteractive in batch mode Now that all keys are trusted and signed we can publish the result to a keyserver so that we can tell the entire world about these new trust relations. You probably are able to guess the command, it uses the same loop as before: $ for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u); do gpg --send-keys --keyserver pool.sks-keyservers.net $fpr; done Output looks like below: gpg: sending key 6F8ACF16C411318B to hkp://pool.sks-keyservers.net gpg: sending key A2EB77DDEA029199 to hkp://pool.sks-keyservers.net gpg: sending key 2B6755BD1B7F88DC to hkp://pool.sks-keyservers.net gpg: sending key 2B6755BD1B7F88DC to hkp://pool.sks-keyservers.net gpg: sending key 39110B67C1165E3F to hkp://pool.sks-keyservers.net gpg: sending key 39110B67C1165E3F to hkp://pool.sks-keyservers.net gpg: sending key A2EB77DDEA029199 to hkp://pool.sks-keyservers.net gpg: sending key 3A624724EAFF8D71 to hkp://pool.sks-keyservers.net gpg: sending key 3A624724EAFF8D71 to hkp://pool.sks-keyservers.net gpg: sending key 6F8ACF16C411318B to hkp://pool.sks-keyservers.net That's all there is to it. Some shell commands chained together to save me a lot of time and effort. Just the way I like it. [1]: https://raymii.org/s/inc/img/gnupg_logo.png [2]: https://www.digitalocean.com/?refcode=7435ae6b8212 [3]: https://raymii.org/s/static/About.html [4]: http://web.archive.org/web/20180601074943/https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS --- License: All the text on this website is free as in freedom unless stated otherwise. This means you can use it in any way you want, you can copy it, change it the way you like and republish it, as long as you release the (modified) content under the same license to give others the same freedoms you've got and place my name and a link to this site with the article as source. This site uses Google Analytics for statistics and Google Adwords for advertisements. You are tracked and Google knows everything about you. Use an adblocker like ublock-origin if you don't want it. All the code on this website is licensed under the GNU GPL v3 license unless already licensed under a license which does not allows this form of licensing or if another license is stated on that page / in that software: This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Just to be clear, the information on this website is for meant for educational purposes and you use it at your own risk. I do not take responsibility if you screw something up. Use common sense, do not 'rm -rf /' as root for example. If you have any questions then do not hesitate to contact me. See https://raymii.org/s/static/About.html for details.