keyserver-options: self-sigs-only, import-clean, import-minimal

Werner Koch wk at
Wed Jul 3 08:57:55 CEST 2019

On Tue,  2 Jul 2019 11:00, dkg at said:

> It sounds like you are saying that the order of operations --
> import-then-clean vs. clean-then-import is part of the API spec that
> GnuPG is committed to.

No.  What I say is that if we want to clean the keys from bogus
signatures we need to get the key for each signature first.  Obviously
this requires that we do some checking on that key as a weel and this is
why I say it is a catch-22.

However, if you are only talking about self-signature, there is for sure
no problem: We already have the key (it is a self-signature) and thus we
can immediately check the signature.  Anyway, that takes some time, it
is a crypto operation - multiply that by 150000.  OTOH, simply removing
non-self-signatures does not costs any measurable time because it is
just comparing two integers.

> But "clean-then-import" is clearly a preferable approach to any of the
> workarounds described so far.

--import-options import-clean does exactly this.  With the latest pacth
we fallback to this option and --self-sigs-only if gpg detects that the
keyblock is too larger afer some basic checks.

> certificate in the keyring.  "clean" means that the certificates already
> stored in the keyring are used to validate incoming signatures.  right?

import-clean does this:

   After import, compact (remove all signatures except the
   self-signature) any user IDs from the new key that are not usable.
   Then, remove any signatures from the new key that are not usable.
   This includes *signatures that were issued by keys that are not*
   *present on the keyring*. This option is the same as running the
   --edit-key command "clean" after import. Defaults to no.

This import-clean works on all signatures, not just self-signatures.
This is what takes time - finding the key in the keyring (slower since
2.1 due to DB correctness improvements).  In contrast import-minimal
does this

   Import the smallest key possible. This removes all signatures except
   the most recent self-signature on each user ID. This option is the
   same as running the --edit-key command "minimize" after import.
   Defaults to no.

But I am sure you know this.  What Am I misreading?



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list