--weak-digest SHA1 causes significant slowdown in --check-trustdb (2.1.10)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jan 5 06:36:05 CET 2016
On Tue 2016-01-05 00:11:07 -0500, Daniel Kahn Gillmor wrote:
> On Mon 2016-01-04 23:20:25 -0500, Daniel Kahn Gillmor wrote:
>> i'm running gnupg 2.1.10 with a large keybox (a couple thousand
> a few more datapoints:
> My first reports were from tests with ~/.gnupg/pubring.kbx alongside a
> similarly-sized ~/.gnupg/pubring.gpg.
> The keyring is ~91MiB and the keybox is ~93MiB in size.
There are about 3100 certificates in the keyring. And about 500 or 600
reachable via ownertrusted keys (depending on whether SHA1
certifications are acceptable or not).
I also just tried rebuilding the keybox from scratch, with:
    gpg2 --export-ownertrust > otrust.txt
    gpg2 --export-options export-local --export > keyring.backup
    gpg2 --import-options import-local --import < keyring.backup
    gpg2 --import-ownertrust < otrust.txt
and now the timings for --check-trustdb are:
So with that explicit keybox rebuild, it's still significantly different
to rule out SHA1 certifications, but it's more like a power of 10 than a
power of 60. And the userspace/kernelspace difference is still present.