Fwd: Re: regular update of all keys from a keyserver

Stephan Beck stebe at mailbox.org
Mon Oct 17 18:35:00 CEST 2016


I forgot to send it to the list as well...


-------- Forwarded Message --------
Subject: Re: regular update of all keys from a keyserver
Date: Mon, 17 Oct 2016 16:20:00 +0000
From: Stephan Beck <stebe at mailbox.org>
Reply-To: stebe at mailbox.org
To: Martin T <m4rtntns at gmail.com>

Hi Martin,

Martin T:
> Hi,
> 
> I am aware that one can update all the keys in the local keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply putting this command into the user crontab and executing it, for
> example, once a day?

Yes. To protect you and your contacts from an eavesdropper (be it the
ISP or someone else), you may refresh your keyring over the Tor
network, using Parcimonie (1), which opens another circuit for every
single refreshing action (one refreshing action, one refreshed key),
thus slowly refreshing the whole keyring. Actually, it works with gpg
v1; I've never got it working with gpg2, though. If someone out there
knows how to adapt it for use with gpg2, go ahead and tell us!

Well, you don't tell us anything about your system or your gpg version,
but another way (with gpg 2.1.10 or later) is using the in-built support
for refreshing your keyring via Tor using the --use-tor option.
Quote from the 2.1.10 announce mail (2):
 * dirmngr: New option --use-tor.  For full support this requires
   libassuan version 2.4.2 and a patched version of libadns
   (e.g. adns-1.4-g10-7 as used by the standard Windows installer).

If you do not use or do not want to use Tor, I'd recommend using at
least https in any case, retrieving the certificate of
sks-keyservers.netCA.pem first (3), verifying it and copying it into
your gnupg home directory, and adding it to the keyserver section in
gpg.conf.

I'd never refresh my keyring over plain http, because, yes, we "should
all have something to hide" (4), whatever the threats may be that are
already knocking on our doors and whoever might tell us that this battle
is lost or useless.

(1) https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
(2) https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000381.html
(3) https://sks-keyservers.net/sks-keyservers.netCA.pe
(4) https://moxie.org/blog/we-should-all-have-something-to-hide/

Cheers

Stephan
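The cron-driven refresh Martin asks about, gated on the transport Stephan recommends, as an added example that is not part of the original mail. It assumes gpg 1.4/2.0-style "keyserver" and "keyserver-options ca-cert-file=" lines in gpg.conf, or a gpg 2.1.10+ dirmngr.conf carrying "use-tor"; the keyserver.example.org host and CA.pem path in the self-check are constructed.

```shell
# Added example, not from the original mail: a wrapper for a cron-driven
# "gpg --refresh-keys" that first classifies the transport configured in a
# GnuPG home directory, so a daily job never quietly runs over plain hkp://.
# Assumes gpg.conf "keyserver"/"keyserver-options ca-cert-file=" lines or a
# dirmngr.conf with the "use-tor" option quoted from the 2.1.10 announcement.

# Print one of: tor, hkps, hkps-no-ca, plain (always exits 0).
refresh_transport() {
    home="$1"
    if [ -f "$home/dirmngr.conf" ] &&
       grep -Eq '^[[:space:]]*use-tor([[:space:]]|$)' "$home/dirmngr.conf"; then
        echo tor; return 0
    fi
    # Simplifying assumption: the last "keyserver" line is the effective one.
    ks=$(grep -E '^[[:space:]]*keyserver[[:space:]]' "$home/gpg.conf" 2>/dev/null \
         | tail -n 1 | awk '{print $2}')
    case "$ks" in
        hkps://*)
            if grep -Eq '^[[:space:]]*keyserver-options[[:space:]].*ca-cert-file=' \
                    "$home/gpg.conf"; then
                echo hkps        # https with a pinned CA, as recommended above
            else
                echo hkps-no-ca  # https, but no ca-cert-file pinned
            fi ;;
        *) echo plain ;;         # hkp://, http://, or no keyserver at all
    esac
}

# Run the refresh only when the transport is Tor or pinned hkps; else exit 1.
refresh_keys_if_safe() {
    case "$(refresh_transport "$1")" in
        tor|hkps) gpg --homedir "$1" --refresh-keys ;;
        *) echo "refusing --refresh-keys over an unauthenticated transport" >&2
           return 1 ;;
    esac
}

# Self-check on constructed config files; prints "plain hkps" and needs no gpg.
demo() {
    d=$(mktemp -d)
    printf 'keyserver hkp://keyserver.example.org\n' > "$d/gpg.conf"
    a=$(refresh_transport "$d")
    printf 'keyserver hkps://keyserver.example.org\n' > "$d/gpg.conf"
    printf 'keyserver-options ca-cert-file=%s/CA.pem\n' "$d" >> "$d/gpg.conf"
    b=$(refresh_transport "$d")
    rm -rf "$d"
    echo "$a $b"
}
```

A crontab entry would call `refresh_keys_if_safe "$HOME/.gnupg"` from this file; the non-zero exit on a plain-hkp configuration is what makes cron mail you instead of silently refreshing in the clear.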
