
Re: gnupg / enigmail excessive processing times



The Wanderer [2019-06-23 10:14:19-04:00] wrote:

> Some years ago, I got tired of manually importing the key every time I
> saw a signed message through the Debian mailing lists for which I didn't
> already have the necessary public key.

If you add the line "auto-key-retrieve" to your ~/.gnupg/gpg.conf then GnuPG
will automatically try to retrieve keys from keyservers when you verify
a signature made by an unknown key. This may solve the problem of
importing too many keys and thus making your keyring large and slow.

> For reference, the file which I suspect contains those public keys -
> ~/.gnupg/pubring.gpg - is 131MB in size.

GnuPG key operations slow down when the keyring is large, especially if
the trust model is "pgp" and the program needs to check the web of trust
every time a new key arrives. One solution is to add
"no-auto-check-trustdb" in gpg.conf and only run "gpg --check-trustdb"
manually from time to time.

It also helps if you delete certificates (key signatures) made by
unknown keys. You can manually clean such certificates with "--edit-key
+ clean" or automatically for future operations with the following lines
in gpg.conf:

    import-options import-clean
    keyserver-options import-clean

See the gpg manual page for more information about --import-options and
perhaps also --export-options.

There is no command for cleaning your current keyring but it can be
automated with a simple script:


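    #!/bin/sh
    # The first "fpr" record after each "pub" record is the primary key's
    # fingerprint; xargs -n3 passes "FPR clean save" to one gpg call per key.
    gpg --batch --with-colons --list-keys | awk -F: '
    $1 == "pub" {pub = 1}
    pub == 1 && $1 == "fpr" {printf "%s clean save\n", $10; pub = 0}' | \
            xargs -n3 -- gpg --batch --no-auto-check-trustdb --edit-key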


The above script runs

    gpg --batch --no-auto-check-trustdb --edit-key FPR clean save

for every key (FPR is key's fingerprint).

-- 
/// Teemu Likonen   <https://github.com/tlikonen> //
// PGP: 4E1055DC84E9DFF613D78557719D69D324539450 ///
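
As an added example that is not part of the original message: a way to see which keys in a keyring carry the most certifications from keys that are not present, which is one of the kinds of signature "clean" removes. It assumes that `gpg --with-colons --check-sigs` marks such signatures with `?` in field 2; the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original message. Reads the output of
# `gpg --batch --with-colons --check-sigs` on stdin and prints one line per
# primary key: FINGERPRINT UNKNOWN TOTAL, most unknown signers first.
count_unknown_sigs() {
    awk -F: '
    $1 == "pub" { want_fpr = 1; next }
    want_fpr && $1 == "fpr" {             # first fpr after pub: primary key
        cur = $10; total[cur] = 0; unknown[cur] = 0; want_fpr = 0; next
    }
    ($1 == "sig" || $1 == "rev") && cur != "" {
        total[cur]++
        if ($2 == "?") unknown[cur]++     # assumed: "?" = signer key missing
    }
    END { for (k in total) printf "%s %d %d\n", k, unknown[k], total[k] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample listing; fingerprints, key IDs and names are made up.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1500000000::0000::Alice (constructed) <alice@example.org>:
sig:!::1:AAAAAAAAAAAAAAAA:1500000000::::Alice (constructed) <alice@example.org>:13x:
sig:?::1:1111111111111111:1510000000:::::10x:
sig:?::1:2222222222222222:1510000001:::::10x:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1500000000::::::e:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
sig:!::1:AAAAAAAAAAAAAAAA:1500000000::::Alice (constructed) <alice@example.org>:18x:
pub:f:4096:1:BBBBBBBBBBBBBBBB:1500000100:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:f::::1500000100::0000::Bob (constructed) <bob@example.org>:
sig:!::1:BBBBBBBBBBBBBBBB:1500000100::::Bob (constructed) <bob@example.org>:13x:
sig:!::1:AAAAAAAAAAAAAAAA:1500000200::::Alice (constructed) <alice@example.org>:10x:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1500000300:::-:::scESC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
uid:-::::1500000300::0000::Carol (constructed) <carol@example.org>:
sig:!::1:CCCCCCCCCCCCCCCC:1500000300::::Carol (constructed) <carol@example.org>:13x:
sig:?::1:3333333333333333:1510000002:::::10x:
sig:?::1:4444444444444444:1510000003:::::10x:
sig:?::1:5555555555555555:1510000004:::::10x:
EOF
}

# Real use: gpg --batch --with-colons --check-sigs | count_unknown_sigs | head
sample_listing | count_unknown_sigs
```

The UNKNOWN column is a lower bound on what "clean" drops from a key, since "clean" also removes superseded, revoked and non-validating signatures.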
