Skip to content


How to specify signature level in OpenPGP / GnuPG

I always misplace this information, so I’m saving it here for (hopefully) easier access next time. By default, gpg will sign keys without specifying a certification level (ie it will set it to 0, which means unspecified). If you want to change this behavior, you can add ask-cert-level in the configuration file (gpg.conf, I don’t know where it’s hidden in Windows…), or more simply launch gpg with the --ask-cert-level parameter. Note that this must be specified before the --edit-key parameter, like:
gpg --ask-cert-level --edit-key [keyID]
Then simply type sign, and before signing gpg will first ask you for the signature level that you want to use. As a reminder:

  • 0 = unspecified
  • 1 = no verification – I use this one only locally, when I haven’t seen any ID but need the key to be signed for convenience
  • 2 = casual verification – I use this one when I’ve checked some official ID but don’t know the person otherwise
  • 3 = extensive verification – I only use this one when I’ve checked some official ID and personally know the person to some extent

Posted in cryptography, GnuPG & co.


0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.



Some HTML is OK

or, reply to this post via trackback.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA