Text (non-binary) keyring format

Alejandro Colomar alx at kernel.org
Fri Sep 13 14:02:54 CEST 2024


Hi Werner,

On Fri, Sep 13, 2024 at 01:39:08PM GMT, Werner Koch wrote:
> Hi!
> 
> On Thu, 12 Sep 2024 13:28, Alejandro Colomar said:
> 
> > I have my ~/.gnupg keyring under git source control, which helps with
> > creating and updating backups, and also gives me a history of the changes.
> 
> That is not a good idea because the key database (pubring.gpg,
> pubring.kbx, or keyboxd DB) is a binary format which also stores
> metadata which is only used by gnupg itself and not part of an official
> API (e.g. the signature cache).

Maybe you could split the pubring as a directory with many files, have
most of them as text files, and a few that need to be binary could be
kept as binary.

> Thus if you want to put something under version control, it is better to
> do this with exported files.  You may use "--export-option backup" so
> that you get all the internal infos and also non-exportable signed
> signatures ("--export-option export-local-sigs" would be sufficient
> here).

I prefer having the actual keyring under version control, although I will
consider that option.

> Although I really like text files, it will be somewhat hard to diff them
> because any property update of a key also requires a new signature and
> that gives a lot of diff overhead.

If we had one text file per contact (just like we have now one text file
per private key under `~/.gnupg/private-keys-v1.d`), I wouldn't mind the
diff for the contact to look like an entire (or almost entire) rewrite
of the contact.  That's already better than
"Binary files a/pubring.kbx and b/pubring.kbx differ".

>  This is similar to Libreoffice's fodt
> format - in theory a way to diff things but in practice it is useless.
> 
> We actually moved to an SQL database to speed up things.  If you have
> hundreds of keys with thousands of key signatures it is very helpful to
> have indices; it really speeds up things.
> 
> OpenPGP keys do not allow a rollback by design.  For documentation
> writing a (sorted) key listing to a file might thus be more useful than
> plain text files.

I don't use git to be able to roll back, but rather to know at which
state a backup is.  For example, I gave a backup to a family member last
time I saw him, and I know that backup is N commits behind my current
keyring.

> 
> Shalom-Salam,
> 
>    Werner

Have a lovely day!
Alex

-- 
<https://www.alejandro-colomar.es/>
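Werner's suggestion of versioning exported files rather than pubring.kbx, and Alex's wish for one text file per contact, can be combined in a small script. The following is an added example for this page, not code from either participant or from the GnuPG project. It assumes `gpg` is on PATH, that the default GNUPGHOME is the keyring to export, that the output directory is (or will become) a git working tree, and that the script is saved under the hypothetical name `keyring-export.sh`. It reads the machine-readable `--with-colons` listing to find each primary fingerprint, then writes one ASCII-armoured file per key with `--export-options backup` so that GnuPG's own metadata (ownertrust, local signatures) survives a later `--import-options restore`. The embedded listing is a constructed sample with made-up key IDs, used only so the parsing step can be exercised without a keyring.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): export every public key
# to its own ASCII-armoured file so that a git diff names the contact that
# changed instead of "Binary files a/pubring.kbx and b/pubring.kbx differ".
# Assumptions: gpg is on PATH, the default GNUPGHOME is the keyring wanted,
# and the output directory is a git working tree (the script does not commit).
set -eu

# Read `gpg --with-colons --list-keys` output on stdin and print one primary
# fingerprint per line.  In the colon format the "fpr" record that directly
# follows a "pub" record carries the primary fingerprint in field 10; "fpr"
# records that follow "sub" belong to subkeys and are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" { if (want) print $10; want = 0; next }
        { want = 0 }
    '
}

# Constructed sample of a two-key listing (made-up key IDs, not real keys),
# so the parser can be run offline without touching a keyring.
SAMPLE_LISTING='pub:u:255:22:0123456789ABCDEF:1700000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000::::::e:::::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:f:3072:1:89ABCDEF01234567:1700000000:::f:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:f::::1700000000::1111111111111111111111111111111111111111::Bob <bob@example.org>::::::::::0:
sub:f:3072:1:76543210FEDCBA98:1700000000::::::e::::::23::
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:'

# Export one file per primary key into $1.  "backup" keeps GnuPG's own
# metadata (ownertrust, local signatures) that a plain --export drops, so a
# later "--import-options restore" rebuilds the keyring as it was.
export_keys() {
    dir=$1
    mkdir -p "$dir"
    gpg --with-colons --list-keys | primary_fingerprints |
    while read -r fpr; do
        gpg --armor --export-options backup --export "$fpr" > "$dir/$fpr.asc"
    done
}

# Rebuild a keyring from such a directory, e.g. on the machine that holds
# the backup.
restore_keys() {
    dir=$1
    cat "$dir"/*.asc | gpg --import-options restore --import
}

# Usage: sh keyring-export.sh export DIR  |  sh keyring-export.sh restore DIR
# With no argument, only the offline parsing demo on the sample listing runs.
case "${1:-}" in
    export)  export_keys "${2:-keys}" ;;
    restore) restore_keys "${2:-keys}" ;;
    *)       printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprints ;;
esac
```

After `sh keyring-export.sh export keys && git -C keys add -A && git -C keys commit -m 'keyring snapshot'`, a later `git diff` names the fingerprint whose file changed, which is what the per-contact layout above was meant to give; the diff inside that file will still look like a near-complete rewrite whenever a self-signature is refreshed, as Werner points out. Secret keys are deliberately left out: `~/.gnupg/private-keys-v1.d` is already one file per key, and committing secret material to a repository that is handed to relatives is a separate decision.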