keyserver-options: self-sigs-only, import-clean, import-minimal

Teemu Likonen tlikonen at
Wed Jul 3 13:26:11 CEST 2019

Werner Koch [2019-07-03 12:04:55+02:00] wrote:

> On Wed,  3 Jul 2019 10:38, tlikonen at said:
>> I think everyone would prefer that import-clean would do all the
>> checking and cleaning before importing certificates to the local
>> keyring. The same thing with import-minimal.
> It does this. However for 150k signatures it even takes quite some
> time to check whether the key does not exist locally so that the
> signature won't be imported.

Good. So in principle it works well. Thanks you.

I downloaded (--receive-key) a poisoned key into an empty keyring using
two different keyserver-options. The duration was practically the same.

    import-clean:   1 min 28 s
    import-minimal: 1 min 25 s

I would expect import-minimal be much faster or actually both quite fast
as my test keyring was empty on both tries. Anyway, it works and those
options seem to protect keyring from getting poisonous certificates.
There is the DOS aspect of course as it takes quite long.

The same --receive-key without any keyserver-options hits gpg's limits
at 26 seconds:

gpg: key [...]: 4 duplicate signatures removed
gpg: key [...]: 54614 signatures not checked due to missing keys
gpg: key [...]: 4 signatures reordered
gpg: error writing keyring '[...]/pubring.kbx': Provided object is too large
gpg: key [...]: public key "[User ID not found]" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:           not imported: 1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list