file size change in trustdb.gpg after recovery

Michal Novotny clime at redhat.com
Sat Feb 25 13:23:39 CET 2017


Hello,

I have got a trustdb that gives the following output on --check-trustdb:

  gpg: public key of ultimately trusted key 3ADE2987ABBFDB66 not found
  gpg: public key of ultimately trusted key 831FE43EDDD16F3D not found
  gpg: marginals needed: 3  completes needed: 1  trust model: pgp
  gpg: depth: 0  valid: 6468  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 6468u
  gpg: next trustdb check due at 2021-01-18

There are two public keys that are not found in the public keyring (nor in
the secret keyring, actually), but there is a record for them in the
trustdb. I have a vague idea how this could have happened; however, what I
would like to get is a trustdb without the two records.

For that, I

- called gpg2 --export-ownertrust > otrust.txt
- manually removed the two records in otrust.txt for which there is no
public key
- moved current trustdb.gpg to trustdb.gpg.bak
- and finally called gpg2 --import-ownertrust < otrust.txt

The output of --check-trustdb with the new db is now okay:

  gpg: marginals needed: 3  completes needed: 1  trust model: pgp
  gpg: depth: 0  valid: 6466  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 6466u
  gpg: next trustdb check due at 2021-01-18

However, what bugs me slightly is that trustdb.gpg is now of much smaller
size. Before it was 908K, now it is 554K.

There is pretty much the same size decrease if I do not remove the records
for missing public keys and just do:

- call gpg2 --export-ownertrust > otrust.txt
- move current trustdb.gpg to trustdb.gpg.bak
- and finally call gpg2 --import-ownertrust < otrust.txt

The output of --check-trustdb is now:

  gpg: public key of ultimately trusted key 3ADE2987ABBFDB66 not found
  gpg: public key of ultimately trusted key 831FE43EDDD16F3D not found
  gpg: marginals needed: 3  completes needed: 1  trust model: pgp
  gpg: depth: 0  valid: 6468  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 6468u
  gpg: next trustdb check due at 2021-01-18

Again, the new trustdb.gpg has 554K, while the original had 908K. And also
what is curious is that the new file had 301K before calling
--check-trustdb and 554K after.

Anyway, it seems the original trustdb is not fully restored after
--export-ownertrust and --import-ownertrust even though the output of
--check-trustdb gives the same output for the original and new file (6468
valid ultimately trusted keys).

I know this is a bit of a complicated description, but could anyone explain
what's going on with the changes in the trustdb.gpg file size?

Thank you
Michal Novotny
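
The manual edit of otrust.txt described in the message above can be scripted; the following is an added example, not part of the original post and not GnuPG's own code. The function names are hypothetical, the sample fingerprints are constructed (only the trailing 16 hex digits, the long key IDs, come from the post), and the helpers process text only without calling gpg.

```shell
#!/bin/sh
# Added example: text-only helpers; gpg is never invoked, no keyring is read.

# Print the long key IDs that --check-trustdb reports as missing (stdin: its output).
missing_keyids() {
    sed -n 's/^ *gpg: public key of ultimately trusted key \([0-9A-Fa-f]\{16\}\) not found$/\1/p'
}

# Filter an --export-ownertrust dump (FINGERPRINT:TRUSTVALUE: per line) on stdin,
# dropping records whose fingerprint ends in one of the long key IDs given as
# arguments. Comment lines and all other records pass through unchanged.
filter_ownertrust() {
    awk -F: -v ids="$*" '
        BEGIN { n = split(toupper(ids), want, " ") }
        /^#/  { print; next }
        {
            fpr = toupper($1)
            for (i = 1; i <= n; i++)
                if (length(fpr) >= 16 && substr(fpr, length(fpr) - 15) == want[i]) next
            print
        }'
}

# Constructed sample: diagnostic lines in the form quoted in the post.
sample_check_output() {
    cat <<'EOF'
gpg: public key of ultimately trusted key 3ADE2987ABBFDB66 not found
gpg: public key of ultimately trusted key 831FE43EDDD16F3D not found
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
EOF
}

# Constructed sample export: the first 24 hex digits of each fingerprint are
# invented; only the trailing key IDs of two records come from the post.
sample_ownertrust() {
    cat <<'EOF'
# constructed ownertrust sample
0000000000000000000000003ADE2987ABBFDB66:6:
1111111111111111111111110123456789ABCDEF:6:
222222222222222222222222831FE43EDDD16F3D:6:
EOF
}

# Demo: derive the missing IDs, then print the filtered export.
sample_ownertrust | filter_ownertrust $(sample_check_output | missing_keyids)
```

On a real keyring the inputs would be the diagnostics of gpg2 --check-trustdb (written to stderr) and the output of gpg2 --export-ownertrust; the filtered text is what goes to gpg2 --import-ownertrust after trustdb.gpg has been moved aside, as in the post.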