--weak-digest SHA1 causes significant slowdown in --check-trustdb (2.1.10)

Neal H. Walfield neal at walfield.org
Wed Jan 6 11:40:36 CET 2016


Hi Daniel,

On Wed, 06 Jan 2016 10:44:24 +0100,
Daniel Kahn Gillmor wrote:
> and, also interestingly, i note that --weak-digest SHA1 --check-trustdb
> thinks it can reach one fewer key with --no-sig-cache  is set :/
> 
> ==> gpg2 --weak-digest SHA1 --check-trustdb <==
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: Note: signatures using the SHA1 algorithm are rejected
> gpg: depth: 0  valid:   1  signed:   9  trust: 0-, 0q, 0n, 0m, 0f, 1u
> gpg: depth: 1  valid:   9  signed: 283  trust: 9-, 0q, 0n, 0m, 0f, 0u
> gpg: next trustdb check due at 2016-01-15
> 
> 
> ==> gpg2 --no-sig-cache --weak-digest SHA1 --check-trustdb <==
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: Note: signatures using the SHA1 algorithm are rejected
> gpg: Note: signatures using the MD5 algorithm are rejected
> gpg: depth: 0  valid:   1  signed:   9  trust: 0-, 0q, 0n, 0m, 0f, 1u
> gpg: depth: 1  valid:   9  signed: 284  trust: 9-, 0q, 0n, 0m, 0f, 0u
> gpg: next trustdb check due at 2016-01-15
> 
> sorry for just reporting weird corner cases here without helping to fix
> them.

Ouch!  I appreciate you not only reporting this bug, but providing a
reproducible test case!

Unfortunately, the caches in gpg are often not completely transparent.
Finding the corner cases is hard and, thus far, consistent with "don't
change a working system," we've been conservative in fixing their
semantics.  I think this provides strong evidence that we really need
to nail down the caches so that they are transparent.

Thanks!

:) Neal



More information about the Gnupg-devel mailing list