This is a text-only version of the following page on https://raymii.org:
---
Title       :   GPG noninteractive batch sign, trust and send gnupg keys
Author      :   Remy van Elst
Date        :   01-06-2018
URL         :   https://raymii.org/s/articles/GPG_noninteractive_batch_sign_trust_and_send_gnupg_keys.html
Format      :   Markdown/HTML
---



![][1]

Recently a team I consult for started using a shared password manager, pass. It
uses GPG keys and presents itself as the standard unix password manager, but in
essence it's nothing more than a wrapper around GPG encrypted files. We all had
to generate new keys since the team is new and we were not allowed to use
existing keys. Using a new, empty keyring, I generated my key and imported their
keys. I wanted to trust, sign and publish all keys to a keyserver, this article
shows how to do that noninteractively in batch form. Saves me doing the same
thing four times.

<p class="ad"> <b>Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:</b><br><br> <a href="https://leafnode.nl">I'm developing an open source monitoring app called  Leaf Node Monitoring, for windows, linux & android. Go check it out!</a><br><br> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a><br><br> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a><br><br> </p>


If you ever want to send me something encrypted, you can find [my GPG and S/MIME
keys here][3]

I'm using the following GPG version on Ubuntu 18.04:



   $ gpg --version
   gpg (GnuPG) 2.2.4
   libgcrypt 1.8.1
   Copyright (C) 2017 Free Software Foundation, Inc.
   License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.

   Home: /home/remy/.gnupg
   Supported algorithms:
   Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
   Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
           CAMELLIA128, CAMELLIA192, CAMELLIA256
   Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
   Compression: Uncompressed, ZIP, ZLIB, BZIP2


Do note that I started with an empty slate (new key, empty gnupg keyring) and
with all people in the same room. Don't do this on your regular GnuPG keyring
since then you might not want to trust and sign everyone's key. Normally you
would just sign and publish the keys from people you actually verified the
identity of, at a keysigning party for example.

### Machine readable format

I started with an empty keyring, generated a new secret key and then imported
the other keys from a folder (`gpg --import *.asc`). The next step is to trust
these keys, sign them and upload them to a keyserver. I can do that by hand
using the CLI, but that doesn't scale. This time it's three keys, the next time
it will be a hundred. Let's find a way to automate that.

Using `gpg --list-keys` I can get a list of keys and their ID's:



   $ gpg --list-keys
   gpg: checking the trustdb
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   2  signed:   0  trust: 2-, 0q, 0n, 0m, 0f, 0u
   gpg: next trustdb check due at 2019-06-01
   /home/remy/.gnupg/pubring.kbx
   -----------------------------
   pub   secp256k1 2018-06-01 [SC] [expires: 2019-06-01]
         BA3185A7E50F713280F4559AA2EB77DDEA029199
   uid           [ultimate] R. van Elst <[email protected]>
   sub   secp256k1 2018-06-01 [E] [expires: 2019-06-01]

   pub   rsa2048 2018-06-01 [SC] [expires: 2020-05-31]
         99A986134D54F69AB9BE0E3939110B67C1165E3F
   uid           [ unknown] Christian <[email protected]
   sub   rsa2048 2018-06-01 [E] [expires: 2020-05-31]

   pub   rsa4096 2018-05-31 [SC]
         CF518D6D969A7448F7545A343A624724EAFF8D71
   uid           [  full  ] Karel Jan van Dijk <[email protected]>
   sub   rsa4096 2018-05-31 [E]

   pub   rsa3072 2018-05-31 [SC] [expires: 2020-05-30]
         EC6D4F0A72117779D2D89C816F8ACF16C411318B
   uid           [  full  ] Ron Duiker <[email protected]>
   sub   rsa3072 2018-05-31 [E] [expires: 2020-05-30]


Parsing shell command output in general is a bad idea since that can change.
GnuPG addresses this in the manual page specifically:



      --list-keys
      -k
      --list-public-keys
             List the specified keys.  If no keys are specified, then all keys from the configured public keyrings are listed.

             Never  use the output of this command in scripts or other programs.  The output is intended only for humans and its format is likely to change.  The --with-colons option emits the out-
             put in a stable, machine-parseable format, which is intended for use by scripts and other programs.


Thank you to the GnuPG developers for doing this, if all software would be so
specific and clear that would save me a lot of time and effort.

The output `--with-colons` looks like this:



   $ gpg --list-keys --with-colons
   tru::1:1527866875:1559373557:3:1:5
   pub:u:256:19:A2EB77DDEA029199:1527837557:1559373557::u:::scESC:::::secp256k1:::0:
   fpr:::::::::BA3185A7E50F713280F4559AA2EB77DDEA029199:
   uid:u::::1527837557::38561F394B0A364FE743B28BF03B3602E8F8D8E1::R. van Elst <[email protected]>::::::::::0:
   sub:u:256:18:770B8C8E75662ABE:1527837557:1559373557:::::e:::::secp256k1::
   fpr:::::::::0E83BF12C86332243F76C8CC770B8C8E75662ABE:
   pub:-:2048:1:39110B67C1165E3F:1527834492:1590906492::-:::scESC::::::23::0:
   fpr:::::::::99A986134D54F69AB9BE0E3939110B67C1165E3F:
   uid:-::::1527834492::6B405A1FBF0307CF08C19D6771B6F6472CB0E1FF::Christian <[email protected]::::::::::0:
   sub:-:2048:1:4B7F18953DB2549A:1527834492:1590906492:::::e::::::23:
   fpr:::::::::B5E0E76BD1A4338ADF67ACDC4B7F18953DB2549A:
   pub:f:4096:1:3A624724EAFF8D71:1527781980:::-:::scESC::::::23::0:
   fpr:::::::::CF518D6D969A7448F7545A343A624724EAFF8D71:
   uid:f::::1527781980::F77BFCFB07762E657B2D8EB7BE6FFC348E6B9EC8::Karel Jan van Dijk <[email protected]>::::::::::0:
   sub:f:4096:1:040F45BF5344AC48:1527781980::::::e::::::23:
   fpr:::::::::D3F1C10C742313FFA998552C040F45BF5344AC48:
   pub:f:3072:1:6F8ACF16C411318B:1527781700:1590853700::-:::scESC::::::23::0:
   fpr:::::::::EC6D4F0A72117779D2D89C816F8ACF16C411318B:
   uid:f::::1527781700::20DD8EAC4DE8E83947F95136BB03CD0E8ECE7D94::Ron Duiker <[email protected]>::::::::::0:
   sub:f:3072:1:0492EAEFF2E0EA2F:1527781700:1590853700:::::e::::::23:
   fpr:::::::::0B6AA791FB99C5FCE6701E260492EAEFF2E0EA2F:


This format [is documented here][4]. Reading that it seems I can safely search
for 'fpr::::'. The change that someone names their key or comment that seems
small to me.

Using `awk` I can get the fingerprints, which I need in the next commands to
trust, sign and upload the keys:



   $ gpg --list-keys --with-colons  | awk -F: '/fpr:/ {print $0}'
   fpr:::::::::4DDE73DB5030B53926813A502B6755BD1B7F88DC:
   fpr:::::::::3AFDF7F4DA1B3A0C64671217CE2786EB97AC7685:
   fpr:::::::::BA3185A7E50F713280F4559AA2EB77DDEA029199:
   fpr:::::::::0E83BF12C86332243F76C8CC770B8C8E75662ABE:
   fpr:::::::::99A986134D54F69AB9BE0E3939110B67C1165E3F:
   fpr:::::::::B5E0E76BD1A4338ADF67ACDC4B7F18953DB2549A:
   fpr:::::::::CF518D6D969A7448F7545A343A624724EAFF8D71:
   fpr:::::::::D3F1C10C742313FFA998552C040F45BF5344AC48:
   fpr:::::::::EC6D4F0A72117779D2D89C816F8ACF16C411318B:
   fpr:::::::::0B6AA791FB99C5FCE6701E260492EAEFF2E0EA2F:


Printing just the fingerprints:



   $ gpg --list-keys --with-colons  | awk -F: '/fpr:/ {print $10}'
   4DDE73DB5030B53926813A502B6755BD1B7F88DC
   3AFDF7F4DA1B3A0C64671217CE2786EB97AC7685
   BA3185A7E50F713280F4559AA2EB77DDEA029199
   0E83BF12C86332243F76C8CC770B8C8E75662ABE
   99A986134D54F69AB9BE0E3939110B67C1165E3F
   B5E0E76BD1A4338ADF67ACDC4B7F18953DB2549A
   CF518D6D969A7448F7545A343A624724EAFF8D71
   D3F1C10C742313FFA998552C040F45BF5344AC48
   EC6D4F0A72117779D2D89C816F8ACF16C411318B
   0B6AA791FB99C5FCE6701E260492EAEFF2E0EA2F


### Trust the keys noninteractive in batch

Trusting a key involves going through a menu, setting a trust level and
confirming that. Using the flag `--command-fd 0` we instruct GnuPG to accept
input from STDIN, thus allowing us to use a pipe with the correct input. The
following command batch trusts all keys ultimately:



   $ for fpr in $(gpg --list-keys --with-colons  | awk -F: '/fpr:/ {print $10}' | sort -u); do  echo -e "5\ny\n" |  gpg --command-fd 0 --expert --edit-key $fpr trust; done


The output looks like this:



   gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.


   pub  rsa3072/6F8ACF16C411318B
        created: 2018-05-31  expires: 2020-05-30  usage: SC
        trust: ultimate      validity: ultimate
   sub  rsa3072/0492EAEFF2E0EA2F
        created: 2018-05-31  expires: 2020-05-30  usage: E
   [ultimate] (1). Ron Duiker <[email protected]>

   pub  rsa3072/6F8ACF16C411318B
        created: 2018-05-31  expires: 2020-05-30  usage: SC
        trust: ultimate      validity: ultimate
   sub  rsa3072/0492EAEFF2E0EA2F
        created: 2018-05-31  expires: 2020-05-30  usage: E
   [ultimate] (1). Ron Duiker <[email protected]>

   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)

     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu


   pub  rsa3072/6F8ACF16C411318B
        created: 2018-05-31  expires: 2020-05-30  usage: SC
        trust: ultimate      validity: ultimate
   sub  rsa3072/0492EAEFF2E0EA2F
        created: 2018-05-31  expires: 2020-05-30  usage: E
   [ultimate] (1). Ron Duiker <>


   pub  rsa3072/6F8ACF16C411318B
        created: 2018-05-31  expires: 2020-05-30  usage: SC
        trust: ultimate      validity: ultimate
   sub  rsa3072/0492EAEFF2E0EA2F
        created: 2018-05-31  expires: 2020-05-30  usage: E
   [ultimate] (1). Ron Duiker <[email protected]>

   gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.

   Secret key is available.

   sec  secp256k1/A2EB77DDEA029199
        created: 2018-06-01  expires: 2019-06-01  usage: SC
        trust: ultimate      validity: ultimate
   ssb  secp256k1/770B8C8E75662ABE
        created: 2018-06-01  expires: 2019-06-01  usage: E
   [ultimate] (1). R. van Elst <[email protected]>

   sec  secp256k1/A2EB77DDEA029199
        created: 2018-06-01  expires: 2019-06-01  usage: SC
        trust: ultimate      validity: ultimate
   ssb  secp256k1/770B8C8E75662ABE
        created: 2018-06-01  expires: 2019-06-01  usage: E
   [ultimate] (1). R. van Elst <[email protected]>

   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)

     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu


   sec  secp256k1/A2EB77DDEA029199
        created: 2018-06-01  expires: 2019-06-01  usage: SC
        trust: ultimate      validity: ultimate
   ssb  secp256k1/770B8C8E75662ABE
        created: 2018-06-01  expires: 2019-06-01  usage: E
   [ultimate] (1). R. van Elst <[email protected]>


   sec  secp256k1/A2EB77DDEA029199
        created: 2018-06-01  expires: 2019-06-01  usage: SC
        trust: ultimate      validity: ultimate
   ssb  secp256k1/770B8C8E75662ABE
        created: 2018-06-01  expires: 2019-06-01  usage: E
   [ultimate] (1). R. van Elst <[email protected]>


The keys are now marked as trusted in the local trust database. We can continue
on to sign them.

### Signing the keys noninteractively in batch mode

Signing the keys tells other people that we verified the identity of the key
owners and trusting their keys, confirming that with a signature of our own key.
Because we all were in a room together doing this I did verify their identity,
thus vouching for their public keys.

This command signs all the keys found in the keyring:



   $ for fpr in $(gpg --list-keys --with-colons  | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "y\ny\n" |  gpg --command-fd 0 --expert --edit-key $fpr sign; done


Depending on how your key agent is set up it will prompt you on the command line
for the passphrase, or a GUI dialog window.

Output looks like this:



   gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.


   pub  rsa2048/2B6755BD1B7F88DC
        created: 2014-06-01  expires: never       usage: SCEA
        trust: ultimate      validity: ultimate
   sub  rsa2048/CE2786EB97AC7685
        created: 2014-06-01  expires: 2019-05-31  usage: E
   [ultimate] (1). Remy van Elst <[email protected]>

   User ID "Remy van Elst <[email protected]>" is not self-signed.

   pub  rsa2048/2B6755BD1B7F88DC
        created: 2014-06-01  expires: never       usage: SCEA
        trust: ultimate      validity: ultimate
    Primary key fingerprint: 4DDE 73DB 5030 B539 2681  3A50 2B67 55BD 1B7F 88DC

        Remy van Elst <[email protected]>

   Are you sure that you want to sign this key with your
   key "R. van Elst <[email protected]>" (A2EB77DDEA029199)



   pub  rsa2048/2B6755BD1B7F88DC
        created: 2014-06-01  expires: never       usage: SCEA
        trust: ultimate      validity: ultimate
   sub  rsa2048/CE2786EB97AC7685
        created: 2014-06-01  expires: 2019-05-31  usage: E
   [ultimate] (1). Remy van Elst <[email protected]>


If you want to use a specific key to sign with, for example when you hae more
then 1 private key, add the `--local-user` parameter:



   $ echo "y\ny\n" | gpg --command-fd 0 --expert --local-user BA3185A7E50F713280F4559AA2EB77DDEA029199 --edit-key 4DDE73DB5030B53926813A502B6755BD1B7F88DC  sign


### Publishing the keys to a keyserver noninteractive in batch mode

Now that all keys are trusted and signed we can publish the result to a
keyserver so that we can tell the entire world about these new trust relations.
You probably are able to guess the command, it uses the same loop as before:



   $ for fpr in $(gpg --list-keys --with-colons  | awk -F: '/fpr:/ {print $10}' | sort -u); do gpg --send-keys --keyserver pool.sks-keyservers.net $fpr; done


Output looks like below:



   gpg: sending key 6F8ACF16C411318B to hkp://pool.sks-keyservers.net
   gpg: sending key A2EB77DDEA029199 to hkp://pool.sks-keyservers.net
   gpg: sending key 2B6755BD1B7F88DC to hkp://pool.sks-keyservers.net
   gpg: sending key 2B6755BD1B7F88DC to hkp://pool.sks-keyservers.net
   gpg: sending key 39110B67C1165E3F to hkp://pool.sks-keyservers.net
   gpg: sending key 39110B67C1165E3F to hkp://pool.sks-keyservers.net
   gpg: sending key A2EB77DDEA029199 to hkp://pool.sks-keyservers.net
   gpg: sending key 3A624724EAFF8D71 to hkp://pool.sks-keyservers.net
   gpg: sending key 3A624724EAFF8D71 to hkp://pool.sks-keyservers.net
   gpg: sending key 6F8ACF16C411318B to hkp://pool.sks-keyservers.net


That's all there is to it. Some shell commands chained together to save me a lot
of time and effort. Just the way I like it.

  [1]: https://raymii.org/s/inc/img/gnupg_logo.png
  [2]: https://www.digitalocean.com/?refcode=7435ae6b8212
  [3]: https://raymii.org/s/static/About.html
  [4]: http://web.archive.org/web/20180601074943/https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS

---

License:
All the text on this website is free as in freedom unless stated otherwise.
This means you can use it in any way you want, you can copy it, change it
the way you like and republish it, as long as you release the (modified)
content under the same license to give others the same freedoms you've got
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for
advertisements. You are tracked and Google knows everything about you.
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license
unless already licensed under a license which does not allows this form
of licensing or if another license is stated on that page / in that software:

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.

Just to be clear, the information on this website is for meant for educational
purposes and you use it at your own risk. I do not take responsibility if you
screw something up. Use common sense, do not 'rm -rf /' as root for example.
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.

You are viewing proxied material from raymii.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.