Infinite loop?
Phil Pennock
gnupg-users at spodhuis.org
Wed Jun 26 05:03:18 CEST 2019
On 2019-06-25 at 18:47 -0400, Daniel Kahn Gillmor via Gnupg-users wrote:
> Interesting! my pubring.kbx is 147MiB, but GnuPG still should not run
> forever when doing --list-keys. It takes 17s to complete the listing of
> my pubring.kbx, as measured by "time gpg --list-keys > /dev/null"
With GnuPG 2.2.16 :
% ls -ldh ~/.gnupg/pubring.kbx
-rw-r--r-- 1 pdp pdp 241M Jun 22 22:16 /home/pdp/.gnupg/pubring.kbx
% time gpg --list-keys >/dev/null
[...]
gpg --list-keys > /dev/null 1473.99s user 1965.72s system 99% cpu 57:19.85 total
% kbxutil --stats .gnupg/pubring.kbx
Total number of blobs: 5640
header: 1
empty: 0
openpgp: 5638
x509: 1
non flagged: 5638
secret flagged: 0
ephemeral flagged: 1
This is an "Intel(R) Atom(TM) CPU D2500 @ 1.86GHz" and is where I've
long had my high-security keys. One bright side to this box and its
speed: it's immune to speculative prediction attacks. None of that
newfangled nonsense. ;)
I've long been resigned to this being normal. An unthinking import of a
fuller keyring (probably this one) to my recent new work laptop
(Thinkpad X1 Carbon, running Ubuntu) led to confusion as I re-acclimated
to a Linux desktop after years of macOS usage, because core parts of
system preferences appeared to just hang and do nothing. Until I
finally realized the problem and nuked the keyring down to a dozen keys
which most mattered here. I hadn't realize that my GnuPG keyring was
being exposed in my view of the preferences.
In fact, I got so used to seahorse just dying that I adjusted my login
scripts to ignore it and fire up my own ssh-agent so that I wouldn't
lose the ability to log into other machines. I made that conditional
upon the socket being dead and grumpily chalked it up to Linux
flakiness, but I see now that this hasn't been getting triggered
recently.
The X1 Carbon is 8 claimed cores of "Intel(R) Core(TM) i7-8650U CPU @
1.90GHz" and 16GiB RAM. It was definitely not happy at a keyring which
lets me comfortably verify software releases from signers in the strong
set.
> If you still have a copy of the corrupt 20M pubring.gpg, it might be
> interesting to see it as an example, because it sounds like it's
> tickling a bug.
If you're interested, I can share mine; there are no "secret" keys in it
and I'll trust you not to leak the communications graph of which
software I care about verifying :) or the public signatures from the
strong set showing where I've been over the years or the local
signatures for "yeah, I grabbed these fingerprints from a web-page, I'll
trust them locally but won't attest to them publicly".
-Phil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 996 bytes
Desc: Digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190625/f59a6159/attachment.sig>
More information about the Gnupg-users
mailing list