How do I handle untrusted keys when using PGP?

By default, every key you import into your keyring is 'untrusted' until you tell PGP otherwise. If you're sure the key is valid and you don't mind seeing the invalid-key error message every time you use it, you can simply ignore that message.

But you'll probably want to assign some level of trust to the keys you'll use most often. The best way to do this is to sign the key with a non-exportable signature:

  1. Open PGP Desktop.
  2. Click to highlight the key you want to sign.
  3. From the Keys menu, select Sign...
  4. Select a keyserver: ldap:// is PGP Freeware's default server so try that first.
  5. On the PGPkeys Sign Key window, leave the 'Allow signature to be exported.' box unchecked. Click OK.
  6. Enter the passphrase for your private key in the PGP Enter Passphrase for Selected Key window.

CAUTION: You should never sign a key with an exportable signature unless you have met the person face to face, seen their identification, and have their personal assurance that the key you're signing is really theirs. Public PGP key distribution can't work unless people take key signing very seriously.
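What the 'Allow signature to be exported' checkbox in step 5 actually controls is a flag inside the signature packet: RFC 4880 defines signature subpacket type 4, "Exportable Certification", and a value of 0 marks the certification as local, so a conforming client must drop it when the key is exported (which is why the caution above only applies to exportable signatures). The following example is added here and is not PGP Desktop code or documentation; it builds two constructed certification packets (with a dummy signature value and a made-up issuer key ID) and parses them to show how a client tells the two kinds apart and strips local signatures before export.

```python
"""Parse OpenPGP v4 signature packets (RFC 4880 section 5.2.3) and report whether a
certification is exportable. The packets below are constructed for this example: the
MPI is a dummy value, not a real signature, and the issuer key ID is made up."""
import struct

# Signature subpacket types (RFC 4880 section 5.2.3.1)
SUBPKT_CREATION_TIME = 2
SUBPKT_EXPORTABLE = 4
SUBPKT_ISSUER = 16


def _subpacket(sp_type: int, data: bytes) -> bytes:
    """Encode one subpacket using the one-octet length form (length < 192)."""
    body = bytes([sp_type]) + data
    assert len(body) < 192
    return bytes([len(body)]) + body


def build_certification(exportable: bool, issuer_keyid: bytes) -> bytes:
    """Build a v4 positive certification (signature type 0x13) over a user ID.
    A non-exportable ("local") signature carries subpacket 4 with value 0 in the
    hashed area; leaving the subpacket out means the certification is exportable."""
    hashed = _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", 1360800000))
    if not exportable:
        hashed += _subpacket(SUBPKT_EXPORTABLE, b"\x00")
    unhashed = _subpacket(SUBPKT_ISSUER, issuer_keyid)
    body = (
        b"\x04"                                    # version 4
        + b"\x13"                                  # positive certification
        + b"\x01"                                  # public-key algorithm: RSA
        + b"\x08"                                  # hash algorithm: SHA-256
        + struct.pack(">H", len(hashed)) + hashed
        + struct.pack(">H", len(unhashed)) + unhashed
        + b"\xab\xcd"                              # left 16 bits of hash (dummy)
        + struct.pack(">H", 8) + b"\xff"           # dummy 8-bit MPI, not a real signature
    )
    # Old-format packet header: tag 2 (signature), length type 0 (one-octet length)
    return bytes([0x80 | (2 << 2) | 0, len(body)]) + body


def parse_subpackets(data: bytes) -> dict:
    """Return {type: value} for a subpacket area; bit 7 of the type is the critical flag."""
    out, i = {}, 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        out[data[i] & 0x7F] = data[i + 1:i + length]
        i += length
    return out


def is_exportable(packet: bytes) -> bool:
    """True if the certification may be exported (RFC 4880 section 5.2.3.11)."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:                            # new-format header, one-octet length only
        tag, body = tag_byte & 0x3F, packet[2:2 + packet[1]]
    else:                                          # old-format header
        tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        hdr = {0: 1, 1: 2, 2: 4}[ltype]
        length = int.from_bytes(packet[1:1 + hdr], "big")
        body = packet[1 + hdr:1 + hdr + length]
    if tag != 2 or body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    if not 0x10 <= body[1] <= 0x13:
        raise ValueError("not a certification signature")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hashed_len])
    # The flag must live in the hashed area; if absent the certification is exportable.
    flag = hashed.get(SUBPKT_EXPORTABLE)
    return flag is None or flag != b"\x00"


def exportable_only(packets: list) -> list:
    """What a client does when exporting a key: drop every local signature."""
    return [p for p in packets if is_exportable(p)]


if __name__ == "__main__":
    issuer = bytes.fromhex("0123456789abcdef")   # constructed issuer key ID
    local = build_certification(False, issuer)
    public = build_certification(True, issuer)
    print("local signature exportable:", is_exportable(local))
    print("public signature exportable:", is_exportable(public))
    print("packets kept on export:", len(exportable_only([public, local])))
```

The parser deliberately reads the flag only from the hashed subpacket area, because an attacker who could alter the unhashed area of a signature in transit must not be able to turn a local signature into a public one.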

Last updated: February 14, 2013