
Re: gnupg / enigmail excessive processing times



The Wanderer [2019-06-23 11:46:34-04:00] wrote:

> On 2019-06-23 at 11:23, Teemu Likonen wrote:
>> If you add line "auto-key-retrieve" to your ~/.gnupg/gpg.conf then
>> GnuPG will automatically try to retrieve keys from keyservers when
>> you verify a signature made by an unknown key.

> An interesting suggestion. I'm not sure how it'd interact with
> Enigmail (which is what is actually initiating the verification), but
> it's worth investigating.

I have never used Enigmail but if it executes "gpg --verify" then gpg
will try to fetch (using dirmngr) a missing key from keyserver before
verifying the signature.

>> GnuPG key operations slow down when the keyring is large, especially
>> if the trust model is "pgp" and the program needs to check the web of
>> trust every time a new key arrives.
>
> I'm fairly sure that I'm using the default, which appears to be the
> one specified by '--gnupg', so it's '--openpgp' plus compatibility
> workarounds. I doubt it's any of the '--pgp[678]' modes.

The default --trust-model is "auto", which means that it uses the
trust model that is saved to the trust database (I guess trustdb.gpg). That,
in turn, normally means trust model "pgp" (i.e., web of trust based on
key signatures). And that trust model needs some calculations which take
time on large keyrings.

>> It also helps if you delete certificates (key signatures) made by
>> unknown keys.
>
> What is an "unknown key" in this context? (And see note below.)

Unknown to your keyring. See "gpg --list-signatures" and you'll probably
see that there are many key signatures that can't be shown because
your keyring doesn't have the signer's key.

Command "--edit-key + clean" removes those unknown key signatures as
well as older key signatures if there are many from the same signer. This
"clean" thing can very much reduce the size of your keyring, if you want
that. From the gpg(1) man page:

    --edit-key

    [...]

        clean  Compact (by removing all signatures except the selfsig)
               any user ID that is no longer usable (e.g. revoked,  or
               expired).  Then,  remove  any  signatures  that are not
               usable by the trust calculations.   Specifically,  this
               removes  any signature that does not validate, any
               signature that is superseded by a later signature, revoked
               signatures,  and signatures issued by keys that are not
               present on the keyring.

> In case it's relevant, please note that I have done basically nothing as
> far as keysigning or other web-of-trust activity;

Then perhaps "--trust-model tofu" (or tofu+pgp) is a better choice? Of
course you decide all that, but web of trust (--trust-model pgp) is
useless unless the user has signed (at least locally) some keys and usually
also trusts some others as signers (ownertrust).

-- 
/// Teemu Likonen   <https://github.com/tlikonen> //
// PGP: 4E1055DC84E9DFF613D78557719D69D324539450 ///
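As an added illustration of the "signatures issued by keys that are not present on the keyring" point above (example code, not part of the original mail): this script counts, from a "gpg --with-colons" listing, the key signatures whose issuer is absent from the keyring, i.e. the ones "--edit-key <id> clean" would drop. The field layout is assumed to follow GnuPG's documented colon format; the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original mail. Counts key signatures in a
# colon-format listing whose signer key is absent from the keyring, i.e.
# exactly the signatures that "--edit-key <id> clean" would remove.
# Usage with a real keyring:  gpg --list-sigs --with-colons | count_unknown_sigs

# Field 1 = record type, field 5 = (long) key ID. pub/sub records name the
# keys we have; sig/rev records name the key that issued the signature.
count_unknown_sigs() {
    awk -F: '
        $1 == "pub" || $1 == "sub" { have[$5] = 1 }
        $1 == "sig" || $1 == "rev" { issuer[NR] = $5 }
        END {
            n = 0
            for (i in issuer) if (!(issuer[i] in have)) n++
            print n
        }'
}

# Constructed sample: two keys. The first is signed by itself, by the
# second key, and by two keys that are not present in the listing.
# Field layout follows "gpg --with-colons" (doc/DETAILS in GnuPG).
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::HASH::Example One <one@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Example One <one@example.invalid>:13x::
sig:::1:BBBBBBBBBBBBBBBB:1500000001::::Example Two <two@example.invalid>:10x::
sig:::1:1111111111111111:1500000002::::[User ID not found]:10x::
sig:::1:2222222222222222:1500000003::::[User ID not found]:10x::
sub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::e::::::23:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::HASH::Example Two <two@example.invalid>::::::::::0:
sig:::1:BBBBBBBBBBBBBBBB:1500000000::::Example Two <two@example.invalid>:13x::
EOF
}

# Non-interactive cleanup of one key once you have decided to prune:
#   gpg --edit-key <KEYID> clean save
# To keep future imports clean, add to ~/.gnupg/gpg.conf:
#   import-options import-clean
# (alongside "auto-key-retrieve", as suggested in the thread).
```

Running `sample_listing | count_unknown_sigs` prints 2, the two signatures from keys missing in the sample keyring.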
