On 2019-06-23 at 11:23, Teemu Likonen wrote:
> The Wanderer [2019-06-23 10:14:19-04:00] wrote:
>
>> Some years ago, I got tired of manually importing the key every
>> time I saw a signed message through the Debian mailing lists for
>> which I didn't already have the necessary public key.
>
> If you add the line "auto-key-retrieve" to your ~/.gnupg/gpg.conf then
> GnuPG will automatically try to retrieve keys from keyservers when
> you verify a signature made by an unknown key. This may solve the
> problem of importing too many keys and thus making your keyring large
> and slow.

An interesting suggestion. I'm not sure how it'd interact with Enigmail
(which is what is actually initiating the verification), but it's worth
investigating.

>> For reference, the file which I suspect contains those public keys
>> - ~/.gnupg/pubring.gpg - is 131MB in size.
>
> GnuPG key operations slow down when the keyring is large, especially
> if the trust model is "pgp" and the program needs to check the web of
> trust every time a new key arrives.

I'm fairly sure that I'm using the default, which appears to be the one
specified by '--gnupg', so it's '--openpgp' plus compatibility
workarounds. I doubt it's any of the '--pgp[678]' modes.

> One solution is to add "no-auto-check-trustdb" in gpg.conf and only
> run manually "gpg --check-trustdb" from time to time.

I'll try that first; I'm reading through the man page with an eye out
for this right now. It seems entirely possible that this may be enough
to get times back into a reasonable range, just by itself. Thanks for
suggesting it!

> It also helps if you delete certificates (key signatures) made by
> unknown keys.

What is an "unknown key" in this context? (And see note below.)

> You can manually clean such certificates with "--edit-key + clean" or
> automatically for future operations with the following lines in
> gpg.conf:
>
>     import-options import-clean
>     keyserver-options import-clean
>
> See the gpg manual page for more information about --import-options and
> perhaps also --export-options.

I saw the 'clean' options (and 'minimal', relatedly), but wasn't sure
enough about what the impact of reducing the keys that way would be to
be willing to try it out without either asking for input or taking
backup-related precautions.

> There is no command for cleaning your current keyring but it can be
> automated with a simple script:
>
>     #!/bin/sh
>     gpg --batch --with-colons --list-keys | awk -F: '
>     $1 == "pub" {pub = 1}
>     pub == 1 && $1 == "fpr" {printf "%s clean save\n", $10; pub = 0}' | \
>     xargs -n3 -- gpg --batch --no-auto-check-trustdb --edit-key
>
> The above script runs
>
>     gpg --batch --no-auto-check-trustdb --edit-key FPR clean save
>
> for every key (FPR is the key's fingerprint).

How sure can I/we/etc. be that this will not have any negative side
effects, in terms of eliminating key-related functionality that I
actually want to keep?

In case it's relevant, please note that I have done basically nothing as
far as keysigning or other web-of-trust activity; I'm using signature
verification primarily as a means of confirming A: that "yes, this mail
was signed by the key it says it was signed by", and B: "yes, this mail
was signed by the same key as that mail, so both mails were sent by the
same person". I don't have any web-of-trust confirmation about the
identity of the signer beyond that, and in practice for my purposes I'm
not entirely sure I care about getting it.

Before doing this, I'd probably want to back up ~/.gnupg/ in any case. I
suspect that I'd want to make sure gpg-agent, dirmngr, etc., are stopped
before doing that, or restoring the backup, in order to ensure
consistency.

-- 
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
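Editor's added example (not code from either poster): the cleaning pipeline quoted above runs "clean save" on every key without showing what would be removed first. The script below is a read-only dry run that parses the same machine-readable output the pipeline relies on, `gpg --batch --with-colons --list-sigs` (a constructed sample listing is embedded so it runs offline), and reports, per primary key, which certifications were made by keys that are not present in the keyring at all. Those are the signatures that `clean` strips as "issued by keys not on the keyring"; self-signatures and certifications from keys you do hold are kept. It also emits the same `FPR clean save` argument triples the awk/xargs pipeline generates, restricted to keys where something would actually be dropped. The key IDs, fingerprints and user IDs in the sample are made up.

```python
"""Dry-run preview of what `gpg --edit-key FPR clean` would strip.

Added example for the thread, not either poster's code. It parses the
colon-separated listing format (`gpg --batch --with-colons --list-sigs`)
and flags certifications whose signing key is absent from the keyring.
Run against a real keyring with:
    gpg --batch --with-colons --list-sigs | python3 clean_preview.py
"""

import sys
from collections import namedtuple

KeyReport = namedtuple("KeyReport", "fingerprint uid kept dropped")

# Constructed sample listing: two keys, each carrying certifications from
# keys that are not in the keyring (gpg shows "[User ID not found]" there).
SAMPLE = """\
tru::1:1561300000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAA1:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::HASHOFUID::Alice Example <alice@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAA1:1500000000::::Alice Example <alice@example.invalid>:13x:::::2:
sig:::1:BBBBBBBBBBBBBBB2:1500001000::::Bob Example <bob@example.invalid>:10x:::::2:
sig:::1:CCCCCCCCCCCCCCC3:1500002000::::[User ID not found]:10x:::::2:
sub:u:4096:1:AAAAAAAAAAAAAAA4:1500000000::::::e::::::23:
pub:-:4096:1:BBBBBBBBBBBBBBB2:1500000000:::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1500000000::HASHOFUID::Bob Example <bob@example.invalid>::::::::::0:
sig:::1:BBBBBBBBBBBBBBB2:1500000000::::Bob Example <bob@example.invalid>:13x:::::2:
sig:::1:DDDDDDDDDDDDDDD4:1500003000::::[User ID not found]:10x:::::2:
sig:::1:EEEEEEEEEEEEEEE5:1500004000::::[User ID not found]:10x:::::2:
"""


def parse_listing(text):
    """Return one KeyReport per primary key, in listing order.

    Colon-format fields (1-based): 1 record type, 5 key ID (for sig
    records the signer's key ID), 10 user ID (for fpr records the
    fingerprint) -- the same field the posted awk reads as $10.
    """
    records = [line.split(":") for line in text.splitlines() if line.strip()]
    # Every key ID the keyring holds, primary keys and subkeys alike.
    present = {r[4] for r in records if r[0] in ("pub", "sub")}
    reports = []
    cur = None
    for r in records:
        kind = r[0]
        if kind == "pub":
            cur = {"fpr": None, "uid": None, "kept": [], "dropped": []}
            reports.append(cur)
        elif cur is None:
            continue  # header records such as "tru" precede the first key
        elif kind == "fpr" and cur["fpr"] is None:
            cur["fpr"] = r[9]  # first fpr after pub is the primary fingerprint
        elif kind == "uid" and cur["uid"] is None:
            cur["uid"] = r[9]
        elif kind == "sig":
            signer = r[4]
            (cur["kept"] if signer in present else cur["dropped"]).append(signer)
    return [KeyReport(c["fpr"], c["uid"], tuple(c["kept"]), tuple(c["dropped"]))
            for c in reports]


def clean_commands(reports):
    """The `FPR clean save` triples the posted pipeline feeds to xargs -n3,
    limited to keys where clean would actually drop a certification."""
    return [f"{r.fingerprint} clean save" for r in reports if r.dropped]


def main():
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    reports = parse_listing(text)
    for r in reports:
        print(f"{r.fingerprint}  {r.uid}")
        print(f"  kept {len(r.kept)} certification(s); would drop "
              f"{len(r.dropped)} from keys not in keyring: "
              f"{', '.join(r.dropped) or '-'}")
    print("edit-key arguments the clean script would emit:")
    for line in clean_commands(reports):
        print(" ", line)


if __name__ == "__main__":
    main()
```

Two caveats for anyone using this as a pre-flight check: `clean` also removes revoked, expired and superseded signatures, which this preview does not enumerate, so the real run can drop more than is listed; and with `--with-colons` the listing is stable across locales, which is why the awk in the thread can rely on field positions at all. The preview changes nothing on disk, so it can be run before the backup of ~/.gnupg/ that the poster mentions, while the actual `clean save` run is best done after it.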