On 2019-06-23 at 13:32, Teemu Likonen wrote:

> The Wanderer [2019-06-23 11:46:34-04:00] wrote:
>
>> On 2019-06-23 at 11:23, Teemu Likonen wrote:
>>> If you add line "auto-key-retrieve" to your ~/.gnupg/gpg.conf
>>> then GnuPG will automatically try to retrieve keys from
>>> keyservers when you verify a signature made by an unknown key.
>
>> An interesting suggestion. I'm not sure how it'd interact with
>> Enigmail (which is what is actually initiating the verification),
>> but it's worth investigating.
>
> I have never used Enigmail but if it executes "gpg --verify" then
> gpg will try to fetch (using dirmngr) a missing key from keyserver
> before verifying the signature.
I haven't tried this yet, but it's still on my consideration list. The reason I'm replying is to report that 'no-check-trustdb' does seem to have done the trick! Without it, occasionally I would have a random fetch attempt succeed in seconds with no issues; now that seems to be happening every time.

I've also added a nightly cron job (in my user-specific crontab) with "gpg --batch --check-trustdb --quiet 2>&1 | grep -v '^gpg: no need for a trustdb check$'", to make sure that the check does get run periodically when it's needed, but also not send me mail every day just to report that nothing was done.

(Running that command when a check *is* needed seems to actually print the exact, full text I was seeing in the Enigmail results dialog, as a prefix to the actual fetch results, on every fetch attempt. I suspect that some of it may represent useless or problematic keys, but I don't know how to parse it well enough to figure out what to do about the information.)

>>> GnuPG key operations slow down when the keyring is large,
>>> especially if the trust model is "pgp" and the program needs to
>>> check the web of trust every time a new key arrives.
>>
>> I'm fairly sure that I'm using the default, which appears to be
>> the one specified by '--gnupg', so it's '--openpgp' plus
>> compatibility workarounds. I doubt it's any of the '--pgp[678]'
>> modes.
>
> The default --trust-model is "auto" which means that it uses the
> trust model that is saved to trust database (I guess trustdb.gpg).

Ah. I was looking at the wrong part of the man page; thanks for clarifying what this was referring to.

>>> It also helps if you delete certificates (key signatures) made
>>> by unknown keys.
>>
>> What is an "unknown key" in this context? (And see note below.)
>
> Unknown to your keyring. See "gpg --list-signatures" and you'll
> probably see that there are many key signatures that can't be
> shown because your keyring doesn't have the signer's key.
>
> Command "--edit-key + clean" removes those unknown key signatures as
> well as older key signatures if there are many from same signer.
> This "clean" thing can very much reduce the size of your keyring, if
> you want that. From gpg(1) man page:

I saw that in the man page, but I wasn't sure what it would mean in practice, especially since none of my keys (except my personal key) are signed for web-of-trust purposes. I was afraid that the lack of a web-of-trust signature chain would mean *all* of these keys would be deleted by the clean process.

Am I correct in thinking that if I kill any running background gpg-related process (gpg-agent, dirmngr, etc.), make a backup copy of ~/.gnupg/ (or possibly even just ~/.gnupg/pubring.gpg), and run this command, I should be able to just revert to that backup copy in the event that it turns out to have made changes I don't want?

>> In case it's relevant, please note that I have done basically
>> nothing as far as keysigning or other web-of-trust activity;
>
> Then perhaps "--trust-model tofu" (or tofu+pgp) is a better choice? Of
> course you decide all that but web of trust (--trust-model pgp) is
> useless unless the user has signed (at least locally) some keys and
> usually also trusts some others as signers (ownertrust).

This is a good suggestion, and I'm considering it, but since things are now working fine without having needed to make that change - and I'm not sure I'll never want to use the web of trust, and I'm not sure how safely reversible (without non-meaningless loss) changing trust models in this direction is - I'm leaving this alone for the time being.

Thanks for the advice!

-- 
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
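As an added example (not code from anyone in the thread), the following POSIX shell script puts the two procedures discussed above into one place: the nightly trustdb check with the "no need for a trustdb check" line filtered out so cron only sends mail when the check actually did work, and the kill-agents, back up, run "clean", revert-if-needed sequence from the question. It assumes GnuPG 2.1 or later (gpgconf, dirmngr) and the default ~/.gnupg layout; the script path and cron schedule in the comment are placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes GnuPG 2.1+ (gpgconf,
# dirmngr) and the default ~/.gnupg layout. Placeholder cron entry:
#   0 3 * * *  sh "$HOME/bin/gpg-maint.sh" check
set -e
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Drop the one line gpg prints when the trustdb needed no work, so a cron
# job that pipes through this only produces mail when a check really ran.
# Reads gpg output on stdin and writes the remaining lines to stdout.
filter_trustdb_noise() {
    grep -v '^gpg: no need for a trustdb check$' || true
}

# Body of the nightly job: run the check with stderr merged, then filter.
check_trustdb() {
    gpg --batch --check-trustdb --quiet 2>&1 | filter_trustdb_noise
}

# Snapshot a whole GnuPG home before a destructive operation and print the
# snapshot path. Copying only pubring.gpg would leave trustdb.gpg (and a
# pubring.kbx, if present) out of step with the restored keyring.
backup_gnupghome() {
    src="${1%/}"
    dst="$src.bak.$(date +%Y%m%d%H%M%S)"
    cp -a "$src" "$dst"
    printf '%s\n' "$dst"
}

# Revert to a snapshot made by backup_gnupghome: restore_gnupghome BAK HOME
restore_gnupghome() {
    rm -rf "$2" && cp -a "$1" "$2"
}

# Kill the agents first (they hold keyring state), back up, then run
# "clean" on every primary key: certifications by signers not in the
# keyring are dropped and superseded ones from the same signer collapsed.
clean_all_keys() {
    gpgconf --kill all
    bak=$(backup_gnupghome "$GNUPGHOME")
    echo "backup at $bak (restore_gnupghome \"$bak\" \"$GNUPGHOME\" reverts)"
    gpg --batch --with-colons --list-keys |
        awk -F: '$1=="pub"{p=1;next} p&&$1=="fpr"{print $10;p=0}' |
        while read -r fpr; do
            gpg --batch --yes --quiet --edit-key "$fpr" clean save
        done
    du -sh "$bak" "$GNUPGHOME"
}
case "${1:-}" in check) check_trustdb ;; clean) clean_all_keys ;; esac
```

Run it with "clean" once by hand and compare the two du lines before deciding whether to keep the result or call restore_gnupghome.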