Question about --rebuild-keydb-caches

Ingo Klöcker ingo.kloecker@epost.de
Sun Apr 20 22:23:02 2003



On Sunday 20 April 2003 16:22, Michael Nahrath wrote:
> Ingo Klöcker wrote:
> >>time gpg --check-trustdb
> >
> > gpg: checking at depth 0 signed=67 ot(-/q/n/m/f/u)=0/0/0/0/0/5
> > gpg: checking at depth 1 signed=64 ot(-/q/n/m/f/u)=57/0/0/6/4/0
> > gpg: checking at depth 2 signed=11 ot(-/q/n/m/f/u)=37/0/0/0/1/0
> > gpg: checking at depth 3 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/1/0
> > gpg: next trustdb check due at 2003-05-31
> >
> > real    0m1.871s
> > user    0m1.230s
> > sys     0m0.420s
> >
> > So user time went down nearly 75%.
>
> Did you try this a second time as well?

Yes, I ran "time gpg --check-trustdb" twice. Same result.

> Did you try "time gpg --check-trustdb" afterward?

After what? After the first run? Yes, see above. Since then? Yes, I just
tried it again:

# time gpg --check-trustdb
gpg: checking at depth 0 signed=67 ot(-/q/n/m/f/u)=0/0/0/0/0/5
gpg: checking at depth 1 signed=64 ot(-/q/n/m/f/u)=57/0/0/6/4/0
gpg: checking at depth 2 signed=11 ot(-/q/n/m/f/u)=37/0/0/0/1/0
gpg: checking at depth 3 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/1/0
gpg: next trustdb check due at 2003-05-31

real    0m1.647s
user    0m1.270s
sys     0m0.360s


> > My question is now whether there was a problem with my keyring (I
> > have rebuilt the caches several times since the days of 1.0.6)
>
> Probably there are only one or two keys that cause the delay.
>
> Try "gpg --list-keys | egrep pub\ \ ....G" to check for ElGamal
> Primary keys. They are a real DOS attack to each keyring.

# gpg --list-keys | egrep pub\ \ ....G
pub  4096G/DEADBEEF

So there is only one of those keys in my keyring.

Let's make a small test (deleting the key and re-importing it):
# gpg --export --armor DEADBEEF >DEADBEEF.asc

# gpg --delete-key DEADBEEF
pub  4096G/DEADBEEF

Delete this key from the keyring? y

# time gpg --check-trustdb
gpg: checking at depth 0 signed=67 ot(-/q/n/m/f/u)=0/0/0/0/0/5
gpg: checking at depth 1 signed=64 ot(-/q/n/m/f/u)=57/0/0/6/4/0
gpg: checking at depth 2 signed=11 ot(-/q/n/m/f/u)=37/0/0/0/1/0
gpg: checking at depth 3 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/1/0
gpg: next trustdb check due at 2003-05-31

real    0m1.731s
user    0m1.280s
sys     0m0.350s

# time gpg --check-trustdb
gpg: checking at depth 0 signed=67 ot(-/q/n/m/f/u)=0/0/0/0/0/5
gpg: checking at depth 1 signed=64 ot(-/q/n/m/f/u)=57/0/0/6/4/0
gpg: checking at depth 2 signed=11 ot(-/q/n/m/f/u)=37/0/0/0/1/0
gpg: checking at depth 3 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/1/0
gpg: next trustdb check due at 2003-05-31

real    0m1.699s
user    0m1.270s
sys     0m0.320s

# gpg --import DEADBEEF.asc
gpg: key DEADBEEF: public key "xyz" imported
gpg: Total number processed: 1
gpg:               imported: 1

# time gpg --check-trustdb
gpg: checking at depth 0 signed=67 ot(-/q/n/m/f/u)=0/0/0/0/0/5
gpg: checking at depth 1 signed=64 ot(-/q/n/m/f/u)=57/0/0/6/4/0
gpg: checking at depth 2 signed=11 ot(-/q/n/m/f/u)=37/0/0/0/1/0
gpg: checking at depth 3 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/1/0
gpg: next trustdb check due at 2003-05-31

real    0m38.306s
user    0m37.770s
sys     0m0.400s

# time gpg --check-trustdb
gpg: checking at depth 0 signed=67 ot(-/q/n/m/f/u)=0/0/0/0/0/5
gpg: checking at depth 1 signed=64 ot(-/q/n/m/f/u)=57/0/0/6/4/0
gpg: checking at depth 2 signed=11 ot(-/q/n/m/f/u)=37/0/0/0/1/0
gpg: checking at depth 3 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/1/0
gpg: next trustdb check due at 2003-05-31

real    0m40.260s
user    0m37.890s
sys     0m0.580s

# gpg --rebuild-keydb-caches
gpg: checking keyring `/home/ingo/.gnupg/pubring.gpg'
gpg: public key FBBB8AB1 is 58138 seconds newer than the signature
gpg: 50 keys so far checked (6070 signatures)
gpg: 100 keys so far checked (9058 signatures)
gpg: 150 keys so far checked (14018 signatures)
gpg: 200 keys so far checked (17647 signatures)
gpg: 250 keys so far checked (19479 signatures)
gpg: 275 keys checked (19697 signatures)

# time gpg --check-trustdb
gpg: checking at depth 0 signed=67 ot(-/q/n/m/f/u)=0/0/0/0/0/5
gpg: checking at depth 1 signed=64 ot(-/q/n/m/f/u)=57/0/0/6/4/0
gpg: checking at depth 2 signed=11 ot(-/q/n/m/f/u)=37/0/0/0/1/0
gpg: checking at depth 3 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/1/0
gpg: next trustdb check due at 2003-05-31

real    0m1.736s
user    0m1.350s
sys     0m0.300s


Hmm, this doesn't look too good. It seems that after each import of a new
key (or at least after importing of expensive keys) rebuilding the
keydb caches might improve the speed of check-trustdb dramatically.

Regards,
Ingo
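
Added example, not part of the original message: the egrep above matches the "G" algorithm letter in the human-readable listing; the same check can be made against the machine-readable output of "gpg --list-keys --with-colons" (or "--list-sigs --with-colons"), where field 4 holds the OpenPGP algorithm ID and 20 is Elgamal sign+encrypt. The function name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Report primary keys that use Elgamal sign+encrypt (algorithm ID 20)
# and count the signature records made with that algorithm.
#
# Input : colon-delimited listing on stdin, e.g.
#           gpg --list-sigs --with-colons | elgamal_report
# Output: one "pub KEYID BITS" line per Elgamal primary key,
#         then a final "sigs N" line.
elgamal_report() {
    awk -F: '
        # Field 1 = record type, 3 = key length,
        # 4 = public-key algorithm, 5 = key ID (signer ID on sig records).
        # Only "pub" records are primary keys; an Elgamal encrypt-only
        # subkey (algorithm 16 on a "sub" record) is ordinary and skipped.
        $1 == "pub" && $4 == 20 { print "pub", $5, $3 }
        $1 == "sig" && $4 == 20 { n++ }
        END { print "sigs", n + 0 }
    '
}

# Constructed sample listing; key IDs and user IDs are made up.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:AAAAAAAA11111111:2001-01-01:::u:Constructed DSA key::scESC:
sig:::17:AAAAAAAA11111111:2001-01-01::::Constructed DSA key:13x:
sig:::20:BBBBBBBB33333333:2002-02-05::::Constructed Elgamal key:10x:
sub:u:2048:16:AAAAAAAA22222222:2001-01-01::::::e:
pub:-:4096:20:BBBBBBBB33333333:2002-02-02:::-:Constructed Elgamal key::scESC:
sig:::20:BBBBBBBB33333333:2002-02-02::::Constructed Elgamal key:13x:
pub:-:2048:1:CCCCCCCC44444444:2002-03-03:::-:Constructed RSA key::scESC:
EOF
}

sample_listing | elgamal_report
```
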

