That's a very practical question! In GPG, "un-trusting" a key usually means revoking your signature on it, rather than fully deleting it from your keyring. If you simply delete a public key from your keyring, you won't be able to encrypt messages for that person or verify their signatures anymore.
If you consider a key to be no longer trustworthy, or if you've mistakenly signed a key, you can revoke your signature on that key. This process essentially tells GPG that your previous cryptographic endorsement is no longer valid.
Here's how you can do it:
- Identify the signature to revoke:
  First, you need to know the recipient's identifier (like an email address or key ID) for the key you want to un-trust.
- Edit the key:
  Use the gpg --edit-key command followed by the key's identifier. For Alice, this would be: gpg --edit-key alice@example.com
- Choose to revoke the signature:
  Once you are in the GPG key editing interface, you'll see a prompt like gpg>. Type revsig (revoke signature) and press Enter.
- Select the signature to revoke:
  GPG will list all signatures on that key that you made. You'll be prompted to select which signature you want to revoke. If you only signed it once, it will likely be 1. Enter the number and press Enter. You might be asked for a reason, like "no longer valid", "key compromised", or "Other reason".
  Please select the signature you want to revoke:
  1 sig ... [self-signature]
  2 sig ... [key ID]
  Your selection? 1
- Confirm and save:
  After selecting, you'll be asked to confirm the revocation. Type y and press Enter. If your private key has a passphrase, you'll need to enter it to authorize the revocation. Finally, type save and press Enter to save the changes to your keyring.
After this, if you list the key again with gpg --list-keys alice@example.com, you should no longer see [ultimate] next to Alice's User ID (UID) from your perspective. It might revert to [unknown] or a calculated trust level if others have signed it.
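The first step (working out which signature on Alice's key is yours) and the check afterwards (confirming the revocation is actually in your keyring) can both be done from GPG's machine-readable listing instead of the interactive gpg> menu. The following is an added example, not part of the answer above and not GnuPG's own code: it parses the colon-separated output of gpg --list-sigs --with-colons, using the field positions documented in GnuPG's doc/DETAILS (record type, key ID in field 5, creation time in field 6, user ID in field 10, signature class in field 11). The key IDs, user IDs and timestamps in the sample listing are constructed, as is the signer key ID AAAAAAAABBBBBBBB standing in for "your" key; the helper names are this example's own.

```python
"""Find, in `gpg --list-sigs --with-colons` output, the certifications your key made
and whether each has since been revoked (what `revsig` would offer, and what
`save` should have produced)."""

import subprocess

# Constructed sample of `gpg --list-sigs --with-colons alice@example.com`.
# Alice's key CCCCCCCCDDDDDDDD has two UIDs; "my" key AAAAAAAABBBBBBBB signed
# both, and the signature on the first UID has already been revoked (`rev`).
SAMPLE_LISTING = """\
pub:f:3072:1:CCCCCCCCDDDDDDDD:1690000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFCCCCCCCCDDDDDDDD:
uid:f::::1690000000::AAAA1111::Alice <alice@example.com>::::::::::0:
sig:::1:CCCCCCCCDDDDDDDD:1690000000::::Alice <alice@example.com>:13x::::::8:
sig:::1:AAAAAAAABBBBBBBB:1695000000::::Me <me@example.com>:10x::::::8:
rev:::1:AAAAAAAABBBBBBBB:1700000000::::Me <me@example.com>:30x::::::8:
uid:f::::1690000000::BBBB2222::Alice (work) <alice@work.example>::::::::::0:
sig:::1:CCCCCCCCDDDDDDDD:1690000000::::Alice (work) <alice@work.example>:13x::::::8:
sig:::1:AAAAAAAABBBBBBBB:1695000000::::Me <me@example.com>:10x::::::8:
"""


def load_listing(key_identifier):
    """Fetch the real listing for a key from the local keyring (needs gpg installed)."""
    result = subprocess.run(
        ["gpg", "--with-colons", "--list-sigs", key_identifier],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def parse_signatures(listing, signer_keyid):
    """Return one dict per UID certification made by `signer_keyid`.

    Keys: uid, key (the signed key's ID), created, sig_class ('10x' generic,
    '13x' positive, ...), revoked, revoked_at. A certification counts as revoked
    when a `rev` record by the same signer follows it on the same UID.
    """
    signer_keyid = signer_keyid.upper()[-16:]  # accept short/long ID, 0x prefix or fingerprint
    signed_key = None
    current_uid = None
    results = []
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            signed_key = fields[4]
        elif rtype == "uid":
            current_uid = fields[9]
        elif rtype in ("sig", "rev") and current_uid is not None:
            if fields[4].upper() != signer_keyid:
                continue  # another signer, or Alice's own self-signature
            stamp = int(fields[5]) if fields[5].isdigit() else None
            if rtype == "sig":
                results.append({"uid": current_uid, "key": signed_key, "created": stamp,
                                "sig_class": fields[10], "revoked": False, "revoked_at": None})
                continue
            # `rev` record: mark the most recent live certification on this UID
            for entry in reversed(results):
                if entry["uid"] == current_uid and not entry["revoked"]:
                    entry["revoked"] = True
                    entry["revoked_at"] = stamp
                    break
            else:  # rev without a visible sig (gpg may drop the revoked sig line)
                results.append({"uid": current_uid, "key": signed_key, "created": None,
                                "sig_class": fields[10], "revoked": True, "revoked_at": stamp})
    return results


def pending_revocations(listing, signer_keyid):
    """UIDs where your certification is still live, i.e. what `revsig` would list."""
    return [e["uid"] for e in parse_signatures(listing, signer_keyid) if not e["revoked"]]


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in load_listing("alice@example.com")
    # and your own key ID to inspect a real keyring.
    for entry in parse_signatures(SAMPLE_LISTING, "0xAAAAAAAABBBBBBBB"):
        state = "REVOKED" if entry["revoked"] else "live"
        print(f"{entry['key']}  {entry['uid']!r:45} class={entry['sig_class']}  {state}")
    print("still endorsed:", pending_revocations(SAMPLE_LISTING, "AAAAAAAABBBBBBBB"))
```

Run it before the revsig step to see which UIDs still carry your certification, and again after save: a UID that still shows as live means the change was not written (for example, because you quit the editor without saving). The parser deliberately filters on the signer's key ID rather than on the [self-signature] label, so querying with Alice's own key ID returns her self-signatures, which is the same distinction the revsig menu draws.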
Important Note: Revoking a signature only removes your endorsement of that key. It doesn't delete the key itself from your keyring or magically remove other people's endorsements of that key. If you want to remove the public key from your keyring entirely, you can use gpg --delete-key <key_id_or_email>.
Do you want to practice revoking a signature, or perhaps explore other gpg --edit-key options?