Global Directory signatures (was Re: GPG wants to check trustdb every day)

David Shaw dshaw at jabberwocky.com
Thu Dec 30 05:23:18 CET 2004


On Wed, Dec 29, 2004 at 08:44:43PM -0500, David Shaw wrote:
> On Wed, Dec 29, 2004 at 07:54:30PM +0100, Johan Wevers wrote:
> > David Shaw wrote:
> > 
> > >> Yes. However, it still doesn't prevent the keyservers from being
> > >> loaded with a lot of useless signatures. I don't know how this would
> > >> affect the load of the keyservers.
> > 
> > >It lowers the rate of growth (and thus the keyserver load) since gpg
> > >would not send out expired sigs to keyservers.
> > 
> > GPG would not, but pgp probably will, so the bloating will still occur.
> > If the keyservers won't act against that, gpg will have to.
> > 
> > >I wonder if it is better to "clean" the keyring by simply not showing
> > >or preventing the import of sigs that are not useful rather than by
> > >deleting them after they are already imported.
> > 
> > In that case the keyring does remain big. If I get a keyring with each key
> > hundreds of expired sigs, I'm afraid gpg might get slow and disk usage for
> > the keyrings will increase (also a problem for "gpg on a floppy" solutions).
> 
> Yes, this is true.  Ok, how about going back to the idea of import and
> export options to not import or export expired sigs.  It's not
> perfect, due to the time overlap between expired and reissued GD
> signatures, but it's a reasonably good solution.

Try this patch to 1.4.  It adds an export-option
"export-unusable-sigs" and an import-option "import-unusable-sigs".
Both are off by default.

Comments welcome.

David
-------------- next part --------------
Index: export.c
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/export.c,v
retrieving revision 1.44
diff -u -r1.44 export.c
--- export.c	26 Nov 2004 16:48:05 -0000	1.44
+++ export.c	30 Dec 2004 04:16:30 -0000
@@ -49,6 +49,7 @@
       {"export-attributes",EXPORT_ATTRIBUTES,NULL},
       {"export-sensitive-revkeys",EXPORT_SENSITIVE_REVKEYS,NULL},
       {"export-minimal",EXPORT_MINIMAL,NULL},
+      {"export-unusable-sigs",EXPORT_UNUSABLE_SIGS,NULL},
       /* Aliases for backward compatibility */
       {"include-local-sigs",EXPORT_LOCAL_SIGS,NULL},
       {"include-attributes",EXPORT_ATTRIBUTES,NULL},
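Review bot: neither export-unusable-sigs nor its import counterpart is documented anywhere in this patch, which only touches export.c, import.c and options.h; add entries for both under --export-options and --import-options stating that both are off by default and that "unusable" here means exactly expired user ID signatures (classes 0x10 to 0x13) and nothing else, since the name suggests a broader filter (revoked or unverifiable signatures) than the code applies.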
@@ -314,12 +315,22 @@
 
 	    if( node->pkt->pkttype == PKT_SIGNATURE )
 	      {
-		/* If we have minimal-export turned on, do not include
+		/* If we have export-minimal turned on, do not include
 		   any signature that isn't a selfsig.  Note that this
 		   only applies to uid sigs (0x10, 0x11, 0x12, and
 		   0x13).  A designated revocation is not stripped. */
 		if((options&EXPORT_MINIMAL)
 		   && IS_UID_SIG(node->pkt->pkt.signature)
+		   && (node->pkt->pkt.signature->keyid[0]!=keyid[0]
+		       || node->pkt->pkt.signature->keyid[1]!=keyid[1]))
+		  continue;
+
+		/* We do basically the same thing for
+		   export-unusable-sigs.  It only applies to expired
+		   uid sigs that aren't selfsigs. */
+		if(!(options&EXPORT_UNUSABLE_SIGS)
+		   && IS_UID_SIG(node->pkt->pkt.signature)
+		   && node->pkt->pkt.signature->flags.expired
 		   && (node->pkt->pkt.signature->keyid[0]!=keyid[0]
 		       || node->pkt->pkt.signature->keyid[1]!=keyid[1]))
 		  continue;
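Review bot: the comment "We do basically the same thing" is misleading because the sense of the test is inverted: the EXPORT_MINIMAL block skips the signature when the option is set, whereas the new block skips it when EXPORT_UNUSABLE_SIGS is not set, i.e. by default. Spell that out in the comment. Both blocks also end with the same two-line comparison of node->pkt->pkt.signature->keyid against keyid; compute a single `int selfsig = ...` above the first `if` and test it in both conditions rather than duplicating it.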
Index: import.c
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/import.c,v
retrieving revision 1.117
diff -u -r1.117 import.c
--- import.c	26 Nov 2004 15:51:37 -0000	1.117
+++ import.c	30 Dec 2004 04:16:32 -0000
@@ -93,6 +93,7 @@
       {"fast-import",IMPORT_FAST,NULL},
       {"convert-sk-to-pk",IMPORT_SK2PK,NULL},
       {"merge-only",IMPORT_MERGE_ONLY,NULL},
+      {"import-unusable-sigs",IMPORT_UNUSABLE_SIGS,NULL},
       /* Aliases for backward compatibility */
       {"allow-local-sigs",IMPORT_LOCAL_SIGS,NULL},
       {"repair-hkp-subkey-bug",IMPORT_REPAIR_PKS_SUBKEY_BUG,NULL},
@@ -1555,6 +1556,21 @@
 	      log_info(_("key %s: unexpected signature class (0x%02X) -"
 			 " skipped\n"),keystr(keyid),
 		       node->pkt->pkt.signature->sig_class);
+	    delete_kbnode(node);
+	  }
+	else if(node->pkt->pkttype==PKT_SIGNATURE
+		&& IS_UID_SIG(node->pkt->pkt.signature)
+		&& node->pkt->pkt.signature->flags.expired
+		&& !(options&IMPORT_UNUSABLE_SIGS))
+	  {
+	    if(opt.verbose)
+	      {
+		char *kid=m_strdup(keystr(keyid));
+		log_info(_("key %s: expired signature from key %s -"
+			   " skipped\n"),kid,
+			 keystr(node->pkt->pkt.signature->keyid));
+		m_free(kid);
+	      }
 	    delete_kbnode(node);
 	  }
 	else if( (node->flag & 4) ) /* marked for deletion */
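Review bot: unlike the export hunk, this branch has no self-signature exemption: any user ID signature with flags.expired set is deleted, including the key's own expired selfsigs, because the condition never compares node->pkt->pkt.signature->keyid against keyid. Add the same keyid[0]/keyid[1] comparison the export side uses so the two options agree on what "unusable" means. The skip is also reported only under opt.verbose, so a default --import silently loses signatures; consider counting the dropped ones in the import statistics alongside the other skipped packets. The m_strdup/m_free around keystr() is needed because keystr() returns a static buffer that the second call would overwrite; a one-line comment saying so would save the next reader from "simplifying" it away.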
Index: options.h
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/options.h,v
retrieving revision 1.132
diff -u -r1.132 options.h
--- options.h	22 Dec 2004 18:09:41 -0000	1.132
+++ options.h	30 Dec 2004 04:16:32 -0000
@@ -252,11 +252,13 @@
 #define IMPORT_FAST                      (1<<2)
 #define IMPORT_SK2PK                     (1<<3)
 #define IMPORT_MERGE_ONLY                (1<<4)
+#define IMPORT_UNUSABLE_SIGS             (1<<5)
 
 #define EXPORT_LOCAL_SIGS                (1<<0)
 #define EXPORT_ATTRIBUTES                (1<<1)
 #define EXPORT_SENSITIVE_REVKEYS         (1<<2)
 #define EXPORT_MINIMAL                   (1<<3)
+#define EXPORT_UNUSABLE_SIGS             (1<<4)
 
 #define LIST_SHOW_PHOTOS                 (1<<0)
 #define LIST_SHOW_POLICY_URLS            (1<<1)

