gnupg / enigmail excessive processing times



The short version of this is that I think I need to clear out a lot of
irrelevant keys / signatures, et cetera, from my gnupg configuration -
but I don't want to do anything which risks losing my private key(s), or
any related information.

Just in case I'm wrong about that solution, however, I want to lay out
the entire situation.


The primary way in which I make use of gnupg is via Thunderbird and the
Enigmail extension.

In addition to permitting me to sign and/or encrypt messages I send,
this serves to validate E-mails received from others, by checking the
signature against its associated public key.

It includes functionality to reach out to a designated keyserver and
download the matching public key for the signature in the currently open
E-mail, on demand. Doing this, however, takes at least a few moments -
and potentially considerably longer - for each such key request, and
blocks the Thunderbird UI until the request either completes or is
cancelled.

Some years ago, I got tired of manually importing the key every time I
saw a signed message through the Debian mailing lists for which I didn't
already have the necessary public key. As a handy shortcut, I simply
imported all keys from the debian-keyring package, which theoretically
should include all Debian developer/etc. public keys.

This mostly worked, in terms of reducing how many Debian-mailing-list
messages I saw with unrecognized public keys, but not entirely; there
were, and are, still a fair number of people whose messages were signed
with keys that apparently hadn't been included. That's fine, I can just
fetch those keys using the UI method, as before.

(I later repeated this import process, using a newer version of the
debian-keyring package. I don't know whether that would have had any
meaningful effect on the behaviors I observed later.)

Unfortunately, over time - and even more after the failed-RAID-array
recovery on which I've spent the past 6+ months, and which is the reason
I haven't posted here during that time - the time necessary to fetch a
new key has gone up to unreasonable levels; by now, processing a typical
new-key request seems to take something definitely in excess of 30
minutes, and possibly multiple hours, during which I can't otherwise
make use of my mail client. (I don't have any convenient way of timing
the process more exactly.)

During this time, gnupg is pegging one CPU core at maximum, and doing a
not entirely negligible amount of disk I/O. I'm guessing that it's
iterating through every single public key I've got in the local keyring,
although exactly what it's doing with each one I'm not sure enough to
state.

For reference, the file which I suspect contains those public keys -
~/.gnupg/pubring.gpg - is 131MB in size.


I suspect that importing the entire debian-keyring set was my original
mistake, and that I shouldn't have done that.

At this point, I'd be willing to un-do that step, and go back to
manually importing just the keys needed for the messages I actually
receive. Unfortunately, I suspect there's no practical way of
un-scrambling that egg; the keys imported that way are mixed in with the
ones received by other means, and it would not be trivial to try to
separate them out.

I'd also be willing to just discard my entire collection of imported
public keys, and start from scratch, if I knew of a way to do so which I
could be completely certain wouldn't have undesirable side effects on
other parts of my cryptographic situation - most particularly and
especially, my private key(s).

In between those, if there's a way of mass-discarding public keys which
fit (or don't fit) some particular criteria, while retaining others,
that might be preferable to either extreme.

However, so far I've been unable to find any way of removing keys from
the local key repository except 'gnupg --delete-keys [name]', which
appears to require specifying each key for removal one at a time. This
does not really scale to the point where I'm currently at.


Any suggestions for how to recover from this situation?

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
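
The selection the message asks about (every public key except those with a matching private key), as an added example that is not part of the original message: it parses GnuPG's `--with-colons` listings and prints the fingerprints of primary public keys that have no secret key. The function name `select_deletable`, the file names and the sample fingerprints are constructed for illustration.

```shell
# Added example. Real listings would come from GnuPG, after a backup made with
# --export-secret-keys and --export-ownertrust:
#   gpg --list-secret-keys --with-colons --fingerprint > sec.txt
#   gpg --list-keys        --with-colons --fingerprint > pub.txt

# select_deletable SEC_LISTING PUB_LISTING
# Prints the fingerprint of every primary public key that has no secret key.
select_deletable() {
    # An empty secret listing probably means the listing step failed: refuse.
    [ -s "$1" ] || { echo "secret-key listing is empty, refusing" >&2; return 1; }
    awk -F: '
        $1 == "pub" || $1 == "sec" { want = 1; next }   # primary key record
        $1 == "sub" || $1 == "ssb" { want = 0; next }   # subkey: skip its fpr
        $1 == "fpr" && want {
            want = 0
            if (FILENAME == ARGV[1]) keep[$10] = 1       # own key: never delete
            else if (!($10 in keep)) print $10
        }
    ' "$1" "$2"
}

# Constructed sample listings (fingerprints are made up).
demo=$(mktemp -d)
cat > "$demo/sec.txt" <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAA1:1300000000:::u:::scESC:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAA1:
uid:u::::1300000000::::Own Key <me@example.org>:
ssb:u:4096:1:AAAAAAAAAAAAAAA2:1300000000::::::e:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAA2:
EOF
cat > "$demo/pub.txt" <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAA1:1300000000:::u:::scESC:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAA1:
sub:u:4096:1:AAAAAAAAAAAAAAA2:1300000000::::::e:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAA2:
pub:-:4096:1:BBBBBBBBBBBBBBB1:1200000000:::-:::scESC:
fpr:::::::::000000000000000000000000BBBBBBBBBBBBBBB1:
sub:-:4096:1:BBBBBBBBBBBBBBB2:1200000000::::::e:
fpr:::::::::000000000000000000000000BBBBBBBBBBBBBBB2:
pub:-:2048:1:CCCCCCCCCCCCCCC1:1100000000:::-:::scESC:
fpr:::::::::000000000000000000000000CCCCCCCCCCCCCCC1:
EOF

# Review this list before passing it to: gpg --batch --yes --delete-keys
select_deletable "$demo/sec.txt" "$demo/pub.txt"
```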
