keyserver-options: self-sigs-only, import-clean, import-minimal

Werner Koch wk at gnupg.org
Tue Jul 2 12:24:42 CEST 2019


On Tue,  2 Jul 2019 10:23, gnupg-users at gnupg.org said:

> Why not make "import-clean" and "import-minimal" strip key signatures
> before importing a key? That would make "import-minimal" behave like

Because that contradicts what import-clean is supposed to do:

  After import, compact (remove all signatures except the
  self-signature) any user IDs from the new key that are not usable.
  Then, remove any signatures from the new key _that are not usable_.
  This includes signatures that were issued by keys that are not present
  on the keyring.

To do this gpg needs to check whether the corresponding key exists and
then verify the signature using that key.  In contrast self-sigs-only
removes all signatures which are not self-signatures right away by just
comparing a 64 bit integer.

> My opinion: make "keyserver-options import-clean" the default and make
> it internally never import any unknown signatures.

Sorry, this is a catch-22.  We need the key to verify the signature.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
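
Added example, not part of the original message and not GnuPG's code: a sketch of the self-sigs-only style filter described above, reading the 64-bit issuer key ID from the Issuer subpacket (type 16) of an RFC 4880 v4 signature packet body and comparing it with the primary key ID. The key IDs, the `make_sig` helper and the 1000-signature key are constructed for illustration; the comparison only filters and verifies nothing.

```python
import struct

ISSUER = 16  # RFC 4880 signature subpacket type: 8-byte issuer key ID

def subpackets(area):
    """Yield (type, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        n = area[i]
        i += 1
        if 192 <= n < 255:                      # two-octet length
            n = ((n - 192) << 8) + area[i] + 192
            i += 1
        elif n == 255:                          # five-octet length
            n = struct.unpack(">I", area[i:i + 4])[0]
            i += 4
        if n == 0 or i + n > len(area):         # malformed area: stop parsing
            return
        yield area[i] & 0x7F, area[i + 1:i + n]  # length counts the type octet
        i += n

def issuer_keyid(sig):
    """Return the 64-bit issuer key ID of a v4 signature body, or None."""
    if len(sig) < 8 or sig[0] != 4:
        return None
    hlen = struct.unpack(">H", sig[4:6])[0]
    ustart = 6 + hlen
    ulen = struct.unpack(">H", sig[ustart:ustart + 2])[0]
    for area in (sig[6:6 + hlen], sig[ustart + 2:ustart + 2 + ulen]):
        for typ, data in subpackets(area):
            if typ == ISSUER and len(data) == 8:
                return int.from_bytes(data, "big")
    return None

def self_sigs_only(primary_keyid, sigs):
    """Keep signatures issued by the primary key: no keyring lookup, no crypto."""
    return [s for s in sigs if issuer_keyid(s) == primary_keyid]

def make_sig(issuer, sigtype=0x13):
    """Constructed v4 signature body: dummy hash prefix, no real MPI data."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1562062000)    # creation time
    unhashed = bytes([9, ISSUER]) + issuer.to_bytes(8, "big")
    return (bytes([4, sigtype, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")

PRIMARY = 0x1122334455667788                    # constructed key ID
# Constructed key: one self-signature plus 1000 third-party certifications.
SIGS = [make_sig(PRIMARY)] + [make_sig(0xA000000000000000 + i, 0x10) for i in range(1000)]
KEPT = self_sigs_only(PRIMARY, SIGS)
```

Deciding about any of the 1000 dropped signatures the way import-clean is described above would first require finding each issuer key on the keyring and verifying the signature with it.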