--check-sigs cache and fingerprints

Werner Koch wk at gnupg.org
Wed Jun 30 07:49:23 CEST 2010

Nicholas Cole <nicholas.cole at gmail.com> writes:

> Is there any particular reason why the --with-colons output for
> --check-sigs lists the signing key fingerprint if the --no-sig-cache
> option is specified, but not if it doesn't?  If not, could a future

That is purely for performance reasons.  Without the signature cache the
listing would be very slow.  The cache is implemented using the old ring
trust packets which immediately follow a signature packet.  There is no
space to put the fingerprint into the ring trust packet thus what we
have is only the keyid from the signature packet.

If we wanted to print the fingerprint we would need to look up the public
key, which requires scanning the entire keyring - that's too slow.

There are two ways to solve the problem: either extend the ring trust
packet to also store the fingerprint, or make use of the forthcoming
keybox format, which has space for all kinds of metadata and does not
need the ugly hack with the ring trust packets.

BTW, I am currently working on migrating secret keys from the secring to
the agent.  After this has been done GnuPG 2.1 should again be stable
enough for testing and I can start to convert the code to use the keybox
format.  Then a first 2.1 release is due and then we can start to add
all those features I promised for so long.



Thoughts are free.  Exceptions are governed by a federal law.
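As an added example (not code from this thread or from GnuPG itself), here is a small Python parser for the --with-colons records that --check-sigs emits. The sample records are constructed. The field layout it assumes is the one documented in GnuPG's doc/DETAILS: "sig" in field 1, signature validity in field 2, the signer's key ID (taken from the signature packet) in field 5, and the signer's full fingerprint in field 13, which is only filled when --no-sig-cache is in effect, which is exactly the behaviour this message explains. The example shows what a consumer of the listing actually gets in each mode and checks the one relation that does hold: for v4 keys the long key ID is the low 64 bits of the fingerprint.

```python
"""Parse `gpg --check-sigs --with-colons` output and report which "sig"
records carry a signer fingerprint.

Field layout assumed (from GnuPG doc/DETAILS, 1-based):
  1 record type, 2 validity ("!" good, "-" bad, "%" error, "?" no pubkey),
  4 pubkey algorithm, 5 signer key ID, 6 creation time, 10 user ID,
  11 signature class, 13 signer fingerprint (only with --no-sig-cache).
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, shaped like a listing produced with the signature
# cache in use: field 13 of every "sig" record is empty, only the 64-bit
# key ID from the signature packet is available.
SAMPLE_WITH_CACHE = """\
pub:u:2048:1:0123456789ABCDEF:1277852963::::::escaESCA::::::23::0:
fpr:::::::::AAAA0000AAAA0000AAAA00000123456789ABCDEF:
uid:u::::1277852963::DEADBEEF::Example User <user@example.invalid>::::::::::0:
sig:!::1:0123456789ABCDEF:1277852963::::Example User <user@example.invalid>:13x::::::::0:
sig:!::1:FEDCBA9876543210:1277853000::::Other Signer <other@example.invalid>:10x::::::::0:
"""

# Constructed sample, shaped like the same listing under --no-sig-cache:
# field 13 now holds the 40-hex-digit signer fingerprint.
SAMPLE_NO_CACHE = """\
pub:u:2048:1:0123456789ABCDEF:1277852963::::::escaESCA::::::23::0:
fpr:::::::::AAAA0000AAAA0000AAAA00000123456789ABCDEF:
uid:u::::1277852963::DEADBEEF::Example User <user@example.invalid>::::::::::0:
sig:!::1:0123456789ABCDEF:1277852963::::Example User <user@example.invalid>:13x::AAAA0000AAAA0000AAAA00000123456789ABCDEF:::::::0:
sig:!::1:FEDCBA9876543210:1277853000::::Other Signer <other@example.invalid>:10x::BBBB1111BBBB1111BBBB1111FEDCBA9876543210:::::::0:
"""


@dataclass
class SigRecord:
    validity: str               # "!", "-", "%" or "?"
    keyid: str                  # long key ID from the signature packet (field 5)
    fingerprint: Optional[str]  # full signer fingerprint (field 13) or None
    user_id: str                # user ID the signature is bound to (field 10)
    sig_class: str              # e.g. "13x" self-sig, "10x" generic certification


def parse_sig_records(colon_output: str) -> List[SigRecord]:
    """Return every "sig" record in a --with-colons listing."""
    records: List[SigRecord] = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if not fields or fields[0] != "sig":
            continue
        # Pad so a short record cannot raise IndexError on field 13.
        fields += [""] * (13 - len(fields))
        records.append(SigRecord(
            validity=fields[1],
            keyid=fields[4].upper(),
            fingerprint=fields[12].strip().upper() or None,
            user_id=fields[9],
            sig_class=fields[10],
        ))
    return records


def fingerprint_matches_keyid(rec: SigRecord) -> Optional[bool]:
    """For v4 keys the long key ID is the low 64 bits (last 16 hex digits)
    of the fingerprint. Returns None when no fingerprint was listed, i.e.
    when the cache was used and no such check is possible."""
    if rec.fingerprint is None:
        return None
    return len(rec.fingerprint) == 40 and rec.fingerprint[-16:] == rec.keyid


def summarize(colon_output: str) -> Dict[str, int]:
    """Count how many signatures a consumer can pin to a full fingerprint
    versus how many it only knows by 64-bit key ID."""
    recs = parse_sig_records(colon_output)
    return {
        "total": len(recs),
        "good": sum(1 for r in recs if r.validity == "!"),
        "with_fingerprint": sum(1 for r in recs if r.fingerprint is not None),
        "keyid_only": sum(1 for r in recs if r.fingerprint is None),
    }


if __name__ == "__main__":
    print("cache   :", summarize(SAMPLE_WITH_CACHE))
    print("no cache:", summarize(SAMPLE_NO_CACHE))
```

The practical point for anyone scripting around --check-sigs: with the cache in use, the listing identifies the signer only by the 64-bit key ID copied from the signature packet, and a key ID is not a unique identifier of a key. A tool that needs to attribute a certification to a specific key should run with --no-sig-cache and use the fingerprint, or resolve the key ID against the full key and compare fingerprints itself.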
