auto refresh-keys

Benjamin Marwell bmarwell at googlemail.com
Fri Jun 4 19:55:37 CEST 2010


Hello everyone!

I'm new to this list, but this seems a very interesting topic to me.

2010/6/4 Micah Anderson <micah at riseup.net>:
>
> 0 1 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1
Thanks for this wonderful idea. I update my keys every now and then,
but it usually comes down to events like key signing parties. Which
is, in fact, very seldom.

> It seems like the best solution would be to build into gnupg the functionality
> that is similar to the automatic trust database operation: have gpg auto-refresh
> from the configured keyserver periodically. There are some considerations that
> should be made here, such as how frequent should this refresh operation happen?
> Should it happen on every use, before the key is used? Should it happen just on
> the key(s) that the current operation is going to act on? What about network
> problems, such as no network at all, keyserver down, or slow? There should
> probably be a low timeout to not cause user annoyance, but also some sort of
> indication/warning that when a keyserver update could not be performed that the
> key is potentially out of date. Users should have the capability to configure in
> their gpg.conf a 'no-auto-refresh-keys' variable if they do not want this
> functionality. Perhaps even some sanity checking on the data that is coming in
> would be good to guard against gigabytes of data coming down.

Sounds good to me. Another consideration would be to pass this task to
gui frontends, like kleopatra or seahorse. A warning printed out by
gpg would be a good idea, too. Also, there should be a severe warning
if you sign a key which hasn't been updated for months (or so).

Looking forward to your opinions.

Regards,
Ben
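A cron-friendly wrapper that applies the considerations raised in the quoted proposal (a bounded runtime for the keyserver contact, and a warning when the refresh cannot be performed and the keys may be out of date), as an added example that is not from the thread or from GnuPG itself. The stamp-file path, the 7-day threshold and the use of coreutils timeout(1) are assumptions.

```shell
#!/bin/sh
# Added example (not GnuPG code): wrap "gpg --refresh-keys" for cron with a
# timeout, remember the last successful refresh, and warn on stale keys.
# Assumed defaults: stamp file under ~/.gnupg, 7 days, 120 s timeout.

STAMP_FILE="${GPG_REFRESH_STAMP:-$HOME/.gnupg/last-refresh}"
MAX_STALE_DAYS="${GPG_REFRESH_MAX_DAYS:-7}"
REFRESH_TIMEOUT="${GPG_REFRESH_TIMEOUT:-120}"

# file_mtime FILE: print FILE's mtime in seconds since the epoch, 0 if missing.
file_mtime() {
    if [ -f "$1" ]; then
        stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"   # GNU stat, then BSD stat
    else
        echo 0
    fi
}

# refresh_is_stale LAST_EPOCH NOW_EPOCH MAX_DAYS
# Succeeds (exit 0) when the last refresh is older than MAX_DAYS.
refresh_is_stale() {
    [ $(( $2 - $1 )) -gt $(( $3 * 86400 )) ]
}

# run_refresh: contact the configured keyserver with a bounded runtime.
# Exit status is gpg's, or 124 from timeout(1) if the keyserver hung.
run_refresh() {
    timeout "$REFRESH_TIMEOUT" gpg --batch --quiet --refresh-keys >/dev/null 2>&1
}

main() {
    if run_refresh; then
        touch "$STAMP_FILE"      # record the successful refresh
        exit 0
    fi
    # No network, keyserver down or slow: do not fail silently. Warn once the
    # keyring is older than the allowed age so the user knows keys may be stale.
    last=$(file_mtime "$STAMP_FILE")
    if refresh_is_stale "$last" "$(date +%s)" "$MAX_STALE_DAYS"; then
        echo "WARNING: keyserver refresh failed; keys not refreshed for over $MAX_STALE_DAYS days" >&2
    fi
    exit 1
}

# Run only when invoked as the saved script (assumed name gpg-refresh.sh),
# so the functions can also be sourced and tested on their own.
case "${0##*/}" in gpg-refresh*) main "$@" ;; esac
```

Install with a crontab line such as `0 1 * * * /path/to/gpg-refresh.sh`; cron mails the WARNING line to the user when it is emitted.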



More information about the Gnupg-users mailing list