Using the "clean" function (and the "PGP Global Directory")

Dan Mahoney, System Admin danm at
Wed Jun 23 05:02:49 CEST 2010

It seems there's two interesting problems which inter-relate.

The first is PGP corporation's "global directory", which seems to operate 
orthogonally from every other keyserver I've seen.  It's HTTP-only, not 
queryable by any of the open-source clients (in fact, it doesn't support 
wildcard searches at all, and returns a captcha before delivering 
results), and not SUBMITTABLE to from any of the open source clients.

It's also the ONLY keyserver I've seen that supports photo IDs, and 
actually uses the web interface to show you the person.

Finally, it will sign your non-photo-uids.  With a very short signature 
time, and pollute them so they look like this:

uid                  Dan Mahoney <dmahoney at>
sig 3        E919EC51 2008-11-22  Dan Mahoney <dmahoney@>
sig 3        E8048D08 2009-10-15  Peter Losher <Peter_Losher@>
sig          68D482E2 2009-08-31  Guy Sisalli <gsisalli@>
sig          CF9890F8 2009-07-01  Mark Andrews <marka@>
sig          08F13AD2 2009-10-14  Evan Hunt <each@>
sig 3        294EC062 2009-06-30  Paul Vlaar <vlaar@>
sig          2DC6FF82 2009-10-14  Rob Austein <sra@>
sig          8FA50232 2010-06-13  Emma Smith <esmith@>
sig       X  CA57AD7C 2009-12-16  PGP Global Directory Verification Key
sig       X  CA57AD7C 2009-12-29  PGP Global Directory Verification Key
sig       X  CA57AD7C 2010-01-12  PGP Global Directory Verification Key
sig       X  CA57AD7C 2010-01-25  PGP Global Directory Verification Key
sig       X  CA57AD7C 2010-02-07  PGP Global Directory Verification Key
sig       X  CA57AD7C 2010-02-20  PGP Global Directory Verification Key
sig          B38DB1BE 2010-06-13  Francisco Obispo (ISC) <fobispo@>
uid                  Dan Mahoney <dan_mahoney at>

Yes, I'm sure I need a signature added to my key EVERY TWO WEEKS.  From 
the same ENTITY.

So, to correct this, gpg has the "clean" function, except that it seems to 
be broken.  I can then re-upload my key.

"clean" kills off any local signature and uid that is expired, but it also 
removes keys I have no trust value for.   This might make sense on someone 
ELSE'S key in my homedir.  But I want EVERY nonexpired signature to stay 
on my public key, even if I don't have an explicit trust value for the 

A workaround is to assign some trust value to every other person who's 
signed my key, then run --clean, but this seems broken.

So, all that said, two questions.

1) Is there some option I'm missing that will just remove expired 
signatures, and not other things?  Assume I'm still interested in the 
social networking aspect of who-knows-who and who-trusts-who, but not 
interested in this automated "I figured out a web url three years ago" 

2) If I find the magic way to do #1, and upload it to a keyserver, will 
they accept it, or will they just re-merge the expired sigs in?  (For most 
common keyservers).



"Ca. Tas. Tro. Phy."

-John Smedley, March 28th 1998, 3AM

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM

More information about the Gnupg-users mailing list