PGP Command Line supports several signature types:
Local means the signature is non-exportable, which means it cannot be sent with the key to a keyserver or exported in any way. Use this signature when you believe the key is valid, but do not want others to rely on your opinion of the key.
Exportable means the signature is exportable. The signature can be sent with the key to a keyserver or exported with the key. Use this signature when you believe the key is valid and you want others to be able to rely on your opinion of the key. They are not obligated to rely on your opinion, however.
Meta-introducer means this is a non-exportable meta-introducer and that this key and any keys signed by this key with a trusted introducer validity assertion are fully trusted introducers to you. This signature type is not exportable.
Trusted-introducer means that you certify that this key is valid and that the owner of the key should be completely trusted to vouch for other keys. This signature type is exportable.
Trust-depth for meta-introducers and trusted introducers allows you to specify how many levels of trust your signature applies to. The default for meta-introducers is 2; the default for trusted introducers is 1. The maximum depth for both is 8.
Regular-expression lets you establish a domain restriction for trusted introducers. This limits the trusted introducer’s certificate validation capabilities to the domain you enter. For example, example.com.
Set the trust level:
To set the trust level use the following command:
pgp --set-trust <user> --trust <trust>
For <trust>, use one of the following values, for example "marginal":
Never (the key is never trusted),
Marginal (the key is marginally trusted),
Complete (the key is fully trusted),
Implicit (the key has ultimate trust).
Example: pgp --set-trust key --trust complete
The above command sets the trust to complete for the key in question, which is the highest level of trust outside of having an actual keypair.
Bypassing the key invalid error code: If signing the key on the local keyring is not possible, such as when using PGP Command Line with USP and Symantec Encryption Management Server, using the --always-trust option in the command bypasses this error and allows the command to return without the "key invalid" error code, without actually having to sign the key.
CAUTION: Always take special care when encrypting to keys. Symantec Corporation always recommends taking proper steps to validate that the key being used for encryption is a legitimate AND trusted key.
TIP: To validate that you have the valid key:
Call the recipient on the phone, and have them read to you the Key ID and ensure it matches.
Call the recipient on the phone, and have them read to you the biometric fingerprint on the key.
Check the signatures on the key to be used for encryption: do any other signatures exist on the key that you trust? If you trust other signatures on this key, this provides a level of validation that the key is valid. However, you are relying on the efforts of the signer, and on their having actually validated the key.
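The phone check in the tip above can be made mechanical. The following is an added example, not part of the original article or of PGP Command Line: the function names are hypothetical, the fingerprint values are constructed samples, and it assumes the fingerprint is exchanged as 40 hexadecimal digits (an OpenPGP v4 fingerprint), whose last 16 digits form the Key ID. It does not call pgp; it compares the value you see locally with the value read to you.

```sh
#!/bin/sh
# Added example: compare a fingerprint or Key ID read over the phone with the
# value shown for the key on the local keyring. Function names are hypothetical.

# Drop spaces, colons, dashes and other punctuation, upper-case the rest,
# and strip an optional leading 0x.
fp_normalize() {
    printf '%s' "$1" | tr -cd '[:alnum:]' | tr '[:lower:]' '[:upper:]' | sed 's/^0X//'
}

# Succeeds only for a complete 40-hex-digit (160-bit, v4) fingerprint.
fp_is_full() {
    printf '%s\n' "$(fp_normalize "$1")" | grep -Eq '^[0-9A-F]{40}$'
}

# Succeeds only when both values are full fingerprints and are identical.
# A Key ID alone is rejected here: it covers only part of the fingerprint.
fp_match() {
    fp_is_full "$1" && fp_is_full "$2" &&
        [ "$(fp_normalize "$1")" = "$(fp_normalize "$2")" ]
}

# A v4 Key ID is the last 16 hex digits of the fingerprint (short form: last 8).
# Succeeds when the spoken Key ID ($1) is the tail of the local fingerprint ($2).
keyid_matches_fp() {
    _id=$(fp_normalize "$1")
    _fp=$(fp_normalize "$2")
    fp_is_full "$_fp" || return 1
    printf '%s\n' "$_id" | grep -Eq '^([0-9A-F]{8}|[0-9A-F]{16})$' || return 1
    case "$_fp" in
        *"$_id") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample values, not real keys.
LOCAL_FP="7A3B 91C4 0D2E 55F8 6B1A  C9E0 4F7D 2218 A6B3 5C9E"
SPOKEN_FP="7a3b91c40d2e55f86b1ac9e04f7d2218a6b35c9e"

if fp_match "$LOCAL_FP" "$SPOKEN_FP"; then
    echo "Fingerprint confirmed"
else
    echo "MISMATCH: do not encrypt to this key"
fi
```

Run the comparison before setting trust or falling back to --always-trust, so that the option only suppresses the "key invalid" error for a key you have already confirmed out of band.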