--weak-digest SHA1 causes significant slowdown in --check-trustdb (2.1.10)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 5 06:36:05 CET 2016


On Tue 2016-01-05 00:11:07 -0500, Daniel Kahn Gillmor wrote:
> On Mon 2016-01-04 23:20:25 -0500, Daniel Kahn Gillmor wrote:
>
>> I'm running gnupg 2.1.10 with a large keybox (a couple thousand
>> certificates).
>
> a few more datapoints:
>
> My first reports were from tests with ~/.gnupg/pubring.kbx alongside a
> similarly-sized ~/.gnupg/pubring.gpg.
>
> The keyring is ~91MiB and the keybox is ~93MiB in size.

There are about 3100 certificates in the keyring.  And about 500 or 600
reachable via ownertrusted keys (depending on whether SHA1
certifications are acceptable or not).

I also just tried rebuilding the keybox from scratch, with:

gpg2 --export-ownertrust > otrust.txt
gpg2 --export-options export-local --export > keyring.backup
mv ~/.gnupg/pubring.kbx{,.bak}
mv ~/.gnupg/pubring.gpg{,.bak}
rm ~/.gnupg/trustdb.gpg
gpg2 --import-options import-local --import < keyring.backup
gpg2 --import-ownertrust < otrust.txt

and now the timings for --check-trustdb are:

SHA1 OK:

real	0m5.910s
user	0m4.720s
sys	0m1.188s

--weak-digest SHA1:

real	0m47.636s
user	0m12.352s
sys	0m35.288s


So with that explicit keybox rebuild, it's still significantly different
to rule out SHA1 certifications, but it's more like a power of 10 than a
power of 60.  And the userspace/kernelspace difference is still present.

        --dkg
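Added example, not dkg's commands or GnuPG project code: a small script that reproduces the measurement above in a throwaway copy of GNUPGHOME (so the real trustdb.gpg is never rewritten) and, besides the timings, counts how many keys keep each validity level once SHA1 certifications are rejected. It assumes the `gpg2` binary name used in the thread and that `--weak-digest` is honoured by both `--check-trustdb` and the key listing; `SAMPLE_LISTING` is constructed data, not output from this keyring.

```python
"""Added example (not dkg's or GnuPG's code): time --check-trustdb with and
without --weak-digest SHA1 in a scratch GNUPGHOME and count key validities."""
import os, resource, shutil, subprocess, tempfile, time
GPG = "gpg2"  # assumption: binary name as used in the thread; often plain "gpg"
# Constructed `--with-colons --list-keys` sample; pub field 2 is trustdb validity.
SAMPLE_LISTING = """pub:u:4096:1:0000000000000001:1400000000:::u:::scESC::::::23::0:
pub:f:4096:1:0000000000000002:1400000000:::-:::scESC::::::23::0:
pub:-:2048:1:0000000000000003:1400000000:::-:::scESC::::::23::0:
"""
def parse_validity(listing):
    """Count pub records per validity letter (u, f, m, q, -, ...)."""
    counts = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 1:
            counts[fields[1]] = counts.get(fields[1], 0) + 1
    return counts

def timed_run(args, env):
    """Run a command; return (real, user, sys) seconds spent by the child."""
    before = resource.getrusage(resource.RUSAGE_CHILDREN)
    start = time.monotonic()
    subprocess.run(args, env=env, check=True, capture_output=True)
    after = resource.getrusage(resource.RUSAGE_CHILDREN)
    return (time.monotonic() - start, after.ru_utime - before.ru_utime,
            after.ru_stime - before.ru_stime)

def slowdown(base, weak):
    """Wall-clock ratio of a weak-digest run to the baseline run."""
    return weak[0] / base[0]

def check_trustdb(home, weak_digest=None):
    """Run --check-trustdb in `home`, then list the resulting validities."""
    env = dict(os.environ, GNUPGHOME=home)
    cmd = [GPG, "--batch", "--quiet"]
    if weak_digest:
        cmd += ["--weak-digest", weak_digest]
    timings = timed_run(cmd + ["--check-trustdb"], env)
    out = subprocess.run(cmd + ["--with-colons", "--list-keys"], env=env,
                         check=True, capture_output=True, text=True).stdout
    return timings, parse_validity(out)

def compare(src_home=os.path.expanduser("~/.gnupg")):
    """Work on a copy so the real trustdb.gpg is never rewritten."""
    with tempfile.TemporaryDirectory() as tmp:
        scratch = os.path.join(tmp, "gnupghome")
        shutil.copytree(src_home, scratch, ignore=shutil.ignore_patterns(
            "S.*", "*.lock", "private-keys-v1.d"))
        os.chmod(scratch, 0o700)
        return check_trustdb(scratch), check_trustdb(scratch, "SHA1")
```

Call `compare()` from a Python shell: each result is a `(timings, validity_counts)` pair, so the drop in `f`/`u` counts between the two runs shows how much of the trust graph rests on SHA1 certifications, and `slowdown()` on the two timing tuples gives the factor (about 8x for the numbers posted above).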
