gpg 2.0.27 is updating the trustdb constantly, and taking minutes to do it
Jesus Cea
jcea at jcea.es
Sun Mar 29 19:41:15 CEST 2015
On 28/03/15 11:48, Werner Koch wrote:
> On Fri, 27 Mar 2015 17:07, jcea at jcea.es said:
>
>> My problem is that any change to the pubring, like downloading a new
>> key, refreshing, adding a new local signature with "--lsign", etc., will
>> force a trustdb update (in the next execution. For instance, decrypting
>
> A new key signature may change the entire WoT thus it needs to be
> re-computed. I have
>
> no-auto-check-trustdb
>
> in my gpg.conf and
>
> 30 1 * * * /usr/local/bin/gpg --batch --check-trustdb 2>/dev/null
>
> in my crontab. Thus there will be only one re-computation a day.
I understand that, nice hack, but I used 1.4.19 until a week ago and
this recalculation was taking a few seconds. Now it is taking minutes.
Same configuration, same keyring files:
With 1.4 GPG:
"""
jcea at ubuntu:~/video$ time gpg.OLD --update-trustdb
gpg: public key FBBB8AB1 is 58138 seconds newer than the signature
gpg: public key D3A42C61 is 2009 seconds newer than the signature
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 21 signed: 96 trust: 0-, 0q, 0n, 0m, 0f, 21u
gpg: depth: 1 valid: 96 signed: 116 trust: 0-, 96q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2015-04-08
real 0m7.570s
user 0m6.800s
sys 0m0.440s
"""
With 2.0.27 GPG:
"""
jcea at ubuntu:~/video$ time gpg2 --update-trustdb
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 21 signed: 96 trust: 0-, 0q, 0n, 0m, 0f, 21u
gpg: depth: 1 valid: 96 signed: 106 trust: 0-, 96q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2015-04-08
real 1m27.370s
user 1m10.240s
sys 0m13.950s
"""
Trustdb rebuild time has skyrocketed. Unless GPG 1.4 has a serious bug,
2.0.17 is doing something wrong. The sys time is interesting, looks like
GPG 2.0.27 is doing a lot of syscalls. I wonder if it is doing the
calculations several times, or what.
>> As I said, my pubring.gpg is 34MB long. With gnupg 1.4.x it would take a
>> few seconds only.
>
> Which 1.4 version is this?
"""
jcea at ubuntu:~/video$ gpg.OLD --version
gpg (GnuPG) 1.4.19
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
"""
>> PS: Bonus: how to get rid of
>>
>> """
>> gpg: DBG: armor-keys-failed (KEY 0x010D6F3A BEGIN
>
> Sorry for this. It has already been fixed in the repo, see below.
Great. Thanks.
PS: Thanks for GNUPG!
--
Jesús Cea Avión _/_/ _/_/_/ _/_/_/
jcea at jcea.es - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/
Twitter: @jcea _/_/ _/_/ _/_/_/_/_/
jabber / xmpp:jcea at jabber.org _/_/ _/_/ _/_/ _/_/ _/_/
"Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/
"My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz