Hi Werner,

On Fri, Sep 13, 2024 at 01:39:08PM GMT, Werner Koch wrote:
> Hi!
>
> On Thu, 12 Sep 2024 13:28, Alejandro Colomar said:
>
> > I have my ~/.gnupg keyring under git source control, which helps
> > creating and updating backups, and also having a history of the changes.
>
> That is not a good idea because the key database (pubring.gpg,
> pubring.kbx, or keyboxd DB) is a binary format which also stores meta
> data which is only used by gnupg itself and not part of an official
> API (e.g. the signature cache).

Maybe you could split the pubring as a directory with many files, have
most of them as text files, and a few that need to be binary could be
kept as binary.

> Thus if you want to put something under version control, it is better to
> do this with exported files. You may use "--export-option backup" so
> that you get all the internal infos and also non-exportable signed
> signatures ("--export-option export-local-sigs" would be sufficient
> here).

I prefer having the actual keyring under version control, although I will
consider that option.

> Although I really like text files, it will be somewhat hard to diff them
> because any property update of a key also requires a new signature and
> that gives a lot of diff overhead.

If we had one text file per contact (just like we have now one text file
per private key under `~/.gnupg/private-keys-v1.d`), I wouldn't mind the
diff for the contact to look like an entire (or almost entire) rewrite of
the contact. That's already better than "Binary files a/pubring.kbx and
b/pubring.kbx differ".

> This is similar to Libreoffice's fodt
> format - in theory a way to diff things but in practice it is useless.
>
> We actually moved to an SQL database to speed up things. If you have
> hundreds of keys with thousands of key signatures it is very helpful to
> have indices; it really speeds up things.
>
> OpenPGP keys do not allow a rollback by design. For documentation
> writing a (sorted) key listing to a file might thus be more useful than
> plain text files.

I don't use git to be able to roll back, but rather to know at which
state a backup is. For example, I gave a backup to a family member last
time I saw him, and I know that backup is N commits behind my current
keyring.

> Shalom-Salam,
>
> Werner

Have a lovely day!
Alex

--
<https://www.alejandro-colomar.es/>
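One way to get the one-text-file-per-contact layout discussed in this thread, using the "--export-option backup" Werner mentions; this is an added example, not code from the thread or from GnuPG. It assumes GnuPG 2.x on PATH and uses a constructed colon-format listing (fake fingerprints) to exercise the parser without touching a real keyring:

```shell
#!/bin/sh
# Added example (not from the thread or GnuPG): export every public key to
# its own ASCII-armored file, named by primary fingerprint, so that a
# one-text-file-per-contact tree can be committed instead of pubring.kbx.
# Assumes GnuPG 2.x on PATH; "backup" keeps GnuPG's internal metadata and
# local signatures, and the files re-import with --import-options restore.
set -eu

# Read GnuPG's machine-readable colon format on stdin and print the primary
# fingerprint of each key: field 10 of the first "fpr" record after "pub"
# (later "fpr" records belong to subkeys and are skipped).
primary_fingerprints() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Write one "<fingerprint>.asc" file per key into the directory given as $1.
export_keys_to_dir() {
    dir=$1
    mkdir -p "$dir"
    gpg --batch --with-colons --list-keys | primary_fingerprints |
    while read -r fpr; do
        gpg --batch --armor --export-options backup --export "$fpr" \
            > "$dir/$fpr.asc"
    done
}

# Constructed sample of "gpg --with-colons --list-keys" output (fake keys:
# two primaries, one subkey) used to exercise the parser offline.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1700000000::DEADBEEF::Alice Example <alice@example.org>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
pub:u:255:22:1111111111111111:1700000000::u:::scESC::::::23::0:
fpr:::::::::2222222222222222222222221111111111111111:'

# Primary fingerprints found in the constructed sample (expected: two lines).
sample_fingerprints() {
    printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprints
}

# Usage: sh export-keys.sh <dir>  (the real export only runs with a directory).
if [ $# -eq 1 ]; then
    export_keys_to_dir "$1"
fi
```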