--check-sigs cache and fingerprints

Nicholas Cole nicholas.cole at gmail.com
Sun Jul 4 20:18:00 CEST 2010

On Wed, Jun 30, 2010 at 6:49 AM, Werner Koch <wk at gnupg.org> wrote:
> Nicholas Cole <nicholas.cole at gmail.com> writes:
>> Is there any particular reason why the --with-colons output for
>> --check-sigs lists the signing key fingerprint if the --no-sig-cache
>> option is specified, but not if it doesn't?  If not, could a future
> That is purely for performance reasons.  Without the signature cache the
> listing would be very slow.  The cache is implemented using the old ring
> trust packets which immediately follow a signature packet.  There is no
> space to put the fingerprint into the ring trust packet thus what we
> have is only the keyid form the signature packet.
> If we wanted to print the fingerprint we would need to lookup the public
> key which requires to scan the entire keyring - that's too slow.
> There are two ways to solve the problem: Either extend the ring trust
> packet to also store the fingerprint or to make use of the forthcoming
> keybox format which has space for all kind of meta data and does not
> need the ugly hack with the ring trust packets.
> BTW, I am currently working on migrating secret keys from the secring to
> the agent.  After this has been done GnuPG 2.1 should be again stable
> enough for testing and I can start to convert the code to use the keybox
> format.  Then a first 2.1 release is due and then we can start to add
> all those features I promised for so long.

Dear Warner,

Thank you very much for the explanation. I always enjoy learning more
about the reasons for things!

The new format is very exciting (will it then be backported to gpg
1?).  I do think it would be good, after there is a new keybox format,
for the --with-colons list to also show the fingerprints.

Best wishes,


More information about the Gnupg-devel mailing list