
Re: gnupg / enigmail excessive processing times



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 24/6/19 12:14 am, The Wanderer wrote:
> The short version of this is that I think I need to clear out a
> lot of irrelevant keys / signatures, et cetera, from my gnupg 
> configuration - but I don't want to do anything which risks losing 
> my private key(s), or any related information.

Your problem is most likely polluted keys due to a major design flaw
with SKS servers.

I've seen two keys become extremely large due to junk being added, and
the behaviour of anything using my public keyring was horribly slow,
with the CPU pinned by one process.

The following has been sent to a couple of local LUGs that I'm in:

For those of us who use OpenPGP/GPG keys with the GnuPG implementation
(perhaps everyone who interacts with SKS servers)... there has been a
very long-standing technical problem that is currently causing issues.

The problem, in a nutshell, causes keys to significantly increase in
size due to bad data being easily uploaded to the SKS servers without
proper validation, consequently severely affecting the performance of
anything using the public keyring database.  If you experience the
problem, it will be due to a significant increase in the size of your
public keyring file.  When processing the public keyring data, the CPU
gets pinned at 100% for at least one thread.

What I have done is a full export of keys to ASCII armoured files and
looked at the larger files -- in my case the two largest were for Micah
Lee and the Tor Project keys.  Delete problematic keys and import
fresh sane data for them.

Having older backups of the Tor Project's key, I've replaced the key
with one that doesn't have the extra bad payload.  The former key
/may/ not be easily found as the Tor website directs you to an SKS
server to collect the data and it doesn't appear to be easily
available directly from Tor project's own website.

For Micah Lee's key, I got it from keybase.io (micahflee).
   https://keybase.io/micahflee

There are different solutions, keybase.io is but one.  In any case the
SKS servers are in big trouble as they stand today.

A reason for the problem popping up might be related to a simple key
refresh; so that is a major problem.  It's been said that even just
using the keys can cause problems when you don't have any keys with
bad data, but I'm not so sure about that.


And a follow up:


Without any specific refresh, my Tor Project key grew again.

I've changed my gpg.conf now, let's see if that stops the problem.

Using an alternate server:


keyserver hkp://keys.openpgp.org


More details here:
https://sequoia-pgp.org/blog/2019/06/14/20190614-hagrid/

Cheers
A.
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXRuDNwAKCRCoFmvLt+/i
+zbSAP0Zh8WrQMJaEQRegRl+rBoNCucSSwySGAa4Iy/CbRr+GAD9G4FOYnJMs363
98asLeJ3TGuBWgjEqLVUItNH9HIOblE=
=uA5x
-----END PGP SIGNATURE-----
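
An added example, not part of the original message: one way to find which keys in a public keyring have grown, by walking the OpenPGP packets of a binary `gpg --export` stream (instead of the per-key ASCII-armoured files described above) and reporting bytes and signature-packet counts per key. The names `packets`, `key_report`, `old_pkt` and `SAMPLE` are hypothetical, and `SAMPLE` is constructed data, not real key material.

```python
import hashlib, sys

def packets(data):
    """Yield (tag, body, total_len) per OpenPGP packet (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        if len(data) - i < 2 or not data[i] & 0x80:
            raise ValueError(f"bad or truncated packet header at offset {i}")
        start, hdr = i, data[i]
        if hdr & 0x40:                          # new-format header
            tag, o = hdr & 0x3F, data[i + 1]
            if o < 192:
                n, i = o, i + 2
            elif o < 224:
                n, i = ((o - 192) << 8) + int.from_bytes(data[i + 2:i + 3], "big") + 192, i + 3
            elif o == 255:
                n, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:                               # partial lengths: data packets only
                raise ValueError("partial body length in key material")
        else:                                   # old-format header
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if width == 8:                      # length type 3: indeterminate
                raise ValueError("indeterminate length in key material")
            n, i = int.from_bytes(data[i + 1:i + 1 + width], "big"), i + 1 + width
        if i + n > len(data):
            raise ValueError(f"truncated packet at offset {start}")
        yield tag, data[i:i + n], i + n - start
        i += n

def key_report(data):
    """Return [(v4 fingerprint or None, bytes, signature packets)], largest first."""
    keys = []
    for tag, body, size in packets(data):
        if tag == 6 or not keys:                # public-key packet (tag 6) opens a new key
            keys.append([None, 0, 0])
            if tag == 6 and body[:1] == b"\x04" and len(body) < 65536:
                hashed = b"\x99" + len(body).to_bytes(2, "big") + body  # RFC 4880 12.2
                keys[-1][0] = hashlib.sha1(hashed).hexdigest().upper()
        keys[-1][1] += size
        keys[-1][2] += tag == 2                 # tag 2 = signature packet
    return sorted((tuple(k) for k in keys), key=lambda k: k[1], reverse=True)

def old_pkt(tag, body):     # helper for the constructed sample (not real key material)
    return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body
SAMPLE = (old_pkt(6, b"\x04small") + old_pkt(13, b"a") + old_pkt(2, b"s" * 10)
          + old_pkt(6, b"\x04flooded") + old_pkt(13, b"b") + old_pkt(2, b"s" * 10) * 500)

if __name__ == "__main__":      # usage: gpg --export | python3 this_file.py
    for fpr, size, sigs in key_report(sys.stdin.buffer.read() or SAMPLE):
        print(f"{size:>8} bytes  {sigs:>6} signature packets  {fpr or '(non-v4 key)'}")
```

The fingerprints at the top of the output are the keys to delete and re-import from a clean source; with empty standard input the script falls back to the constructed sample.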

