--weak-digest SHA1 causes significant slowdown in --check-trustdb (2.1.10)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 5 06:11:07 CET 2016

On Mon 2016-01-04 23:20:25 -0500, Daniel Kahn Gillmor wrote:

> i'm running gnupg 2.1.10 with a large keybox (a couple thousand
> certificates).

a few more datapoints:

My first reports were from tests with ~/.gnupg/pubring.kbx alongside a
similarly-sized ~/.gnupg/pubring.gpg.

The keyring is ~91MiB and the keybox is ~93MiB in size.

I've cleared the trustdb between each test with:

   gpg2 --export-ownertrust > otrust.txt
   rm ~/.gnupg/trustdb.gpg
   gpg2 --import-ownertrust < otrust.txt

the explicit ownertrust db has only about a dozen entries: one ultimate
(6 in otrust.txt), a few marginals (4 in otrust.txt), a few explicitly
untrusted ("never", 3 in otrust.txt), and a few disabled keys (128 in

Subsequently, i tried with an empty ~/.gnupg/pubring.gpg while leaving
the keybox the same.  I got the same results as before:

           SHA1 OK: ~17s, mostly userland
--weak-digest SHA1: ~22m, ~half-kernelspace

Then i tried creating a fresh pubring.gpg and moving the .kbx out of the

With only a pubring.gpg and SHA1 OK (and a hot cache), i get ~20s, mostly userland:

real	0m20.369s
user	0m19.052s
sys	0m1.316s

With only a pubring.gpg and --weak-digest SHA1, i get about the same

real	0m20.265s
user	0m18.908s
sys	0m1.356s

So it appears to be an issue that only happens with a keybox and with
--weak-digest SHA1.

Hopefully these are helpful details,

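The following script is an added example and is not part of the post above nor of GnuPG itself. It reproduces the measurement procedure dkg describes (export ownertrust, remove trustdb.gpg, re-import, then time `--check-trustdb` with and without `--weak-digest SHA1`) and parses the resulting `time` output to report the share of wall-clock time spent in the kernel, which is the symptom the post singles out. It assumes `gpg2` on PATH, bash's `time` keyword, and an `otrust.txt` scratch file next to the trustdb; the numbers in the weak-digest sample are constructed to illustrate the "~half-kernelspace" case and are not measurements from the post.

```bash
#!/bin/bash
# Added example (not from the original post or GnuPG): reproduce the trustdb
# reset + timing comparison and compute the kernel-time share of each run.
# Assumes gpg2 on PATH and bash's `time` keyword; otrust.txt path is an assumption.

# Reset the trust database while preserving explicit ownertrust, as in the post.
reset_trustdb() {
    dir="${GNUPGHOME:-$HOME/.gnupg}"
    gpg2 --export-ownertrust > "$dir/otrust.txt"
    rm -f "$dir/trustdb.gpg"
    gpg2 --import-ownertrust < "$dir/otrust.txt"
}

# Time one --check-trustdb run with any extra gpg2 options (e.g. --weak-digest SHA1).
# Emits bash's `time` output (real/user/sys lines) on stdout.
time_check() {
    { time gpg2 "$@" --check-trustdb >/dev/null 2>&1 ; } 2>&1
}

# Read `time` output on stdin (either "real 0m20.369s" or "real 20.37" form)
# and print the percentage of wall-clock time spent in kernel space, rounded.
kernel_share() {
    awk '
        function secs(v,    p, s) {
            if (v ~ /m/) { split(v, p, "m"); s = p[2]; sub(/s$/, "", s); return p[1] * 60 + s }
            sub(/s$/, "", v); return v + 0
        }
        $1 == "real" { real = secs($2) }
        $1 == "sys"  { sys  = secs($2) }
        END { if (real > 0) printf "%d\n", 100 * sys / real + 0.5; else print 0 }
    '
}

# Constructed from the figures quoted in the post: pubring.gpg only, SHA1 OK.
SAMPLE_SHA1_OK='real    0m20.369s
user    0m19.052s
sys     0m1.316s'

# Constructed to illustrate the "~22m, ~half-kernelspace" keybox case; the post
# gives no user/sys breakdown for it, so these numbers are assumptions.
SAMPLE_WEAK_DIGEST='real    22m10.000s
user    10m50.000s
sys     11m20.000s'

# Full comparison against the real keyring; only runs when explicitly requested.
compare() {
    for opts in "" "--weak-digest SHA1"; do
        reset_trustdb
        out=$(time_check $opts)   # unquoted on purpose: split the option string
        printf '%s\n' "$out"
        printf 'kernel share%s: %s%%\n' "${opts:+ with $opts}" \
            "$(printf '%s\n' "$out" | kernel_share)"
    done
}

if [ "${1:-}" = "run" ] && command -v gpg2 >/dev/null 2>&1; then
    compare
else
    # Offline mode: evaluate the embedded samples only.
    printf 'SHA1 OK kernel share: %s%%\n' "$(printf '%s\n' "$SAMPLE_SHA1_OK" | kernel_share)"
    printf 'weak-digest kernel share: %s%%\n' "$(printf '%s\n' "$SAMPLE_WEAK_DIGEST" | kernel_share)"
fi
```

Invoke as `./trustdb-timing.sh run` to measure against a live `~/.gnupg` (or `GNUPGHOME`); without the argument it only evaluates the embedded samples. A kernel share near 6% matches the healthy pubring.gpg runs in the post, while a share around 50% reproduces the "half-kernelspace" signature of the keybox plus `--weak-digest SHA1` case, which points at I/O or syscall churn rather than CPU-bound signature checking.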