Walt Mankowski on Thu, 5 Sep 2002 07:20:07 +0200
As we've discussed at the last two meetings, here are some things you might want to do when upgrading to gnupg 1.0.7:

Increasing Performance
======================

This was the big one for me. As Ian mentioned, gpg versions 1.0.6 and earlier get unreasonably slow checking signatures when your keyring starts to get big. The trust validation logic was completely rewritten in version 1.0.7, but you probably won't notice any difference until you do rebuild the trust database. Unfortunately the way to do this is nearly completely undocumented. I could only find mention of it in the announcement for 1.0.7, in the NEWS file that comes with the release (in Debian it's in /usr/doc/gnupg/NEWS.gz), and in some old postings to the gnupg-users mailing list. It turns out to be really simple:

1. Make a backup of your .gnupg directory

     cd ~
     cp -R .gnupg .gnupg_106

   This isn't really necessary, but it gave me some peace of mind that I could fall back in case I messed something up.

2. Rebuild the trustdb

     gpg --rebuild-keydb-caches

   This step might take a while. I think it took about half an hour on my box.

Once it's done you should be ready to go. Check a few signatures and be amazed at how fast gpg is now!

Ultimately Trust Your Own Key
=============================

Your own secret key is no longer ultimately trusted by default. To avoid some annoying and mysterious error messages you need to set the trust explicitly to "ultimate". Run "gpg --edit-key" with your own key, select the "trust" command, then choose "5 = I trust ultimately" from the menu.

Automatically Fetch New Signatures
==================================

Imagine the following scenario:

1. I create a new GPG key.
2. I exchange signatures with Alice.
3. I exchange signatures with Bob.

Bob sees Alice's signature because it's already on my key when he signs it. But how does Alice know that Bob signed it? I could send her a new copy of my public key, which she could then reimport. Or, since I keep a copy of my public key on a keyserver, Alice could run gpg --recv-keys periodically to get the latest set of signatures on my key.

That's not a big deal with just a few keys, but when you have hundreds of keys in your keyring it starts to become a problem. When I wanted to refresh all my keys in gpg 1.0.6, I ended up putting the following monstrosity in my crontab:

     gpg -v --recv-keys `gpg --list-keys | grep ^pub | cut -b 12-19`

And even that stopped working after a while because the command line got too long. Fortunately this is a *lot* easier in 1.0.7:

     gpg --refresh-keys

Actually I like

     gpg -v --refresh-keys

so I get a little more information about what's being updated. But unfortunately, this is even less documented than --rebuild-keydb-caches. I've only ever seen it mentioned in a few posts to gnupg-users, and in changelog.g10 in the 1.0.7 distribution.

Enjoy!

Walt

Attachment:
pgpMaEYGlUgs3.pgp
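The following script is an added example and is not code from Walt's post. It packages the upgrade steps from the post (backup, --rebuild-keydb-caches, ultimate trust on your own key, --refresh-keys) as shell functions, and it goes a little beyond the post: the crontab one-liner's fixed-column `cut -b 12-19` is replaced by parsing gpg's machine-readable `--with-colons` listing, and the key IDs are fed to gpg in chunks with `xargs -n` so the command line can never get too long. The sample listing, key IDs and user IDs are constructed for the example; the script assumes a gpg in PATH that understands `--with-colons`, `--rebuild-keydb-caches`, `--refresh-keys` and `--import-ownertrust` (all present in current GnuPG), and that the owner-trust file format `<fingerprint>:6:` means "ultimate" (it is what `--export-ownertrust` emits). Only the offline parsing runs when the script is executed; the functions that call gpg are meant to be invoked explicitly.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes gpg is in PATH
# when the gpg-calling functions are invoked and that it supports
# --with-colons, --rebuild-keydb-caches, --refresh-keys and
# --import-ownertrust.

# Pull key IDs out of `gpg --list-keys --with-colons` output.
# In colon format field 1 is the record type and field 5 of a "pub"
# record is the key ID, so this does not depend on byte columns of the
# human-readable listing (which is what `cut -b 12-19` relies on).
keyids_from_colons() {
    awk -F: '$1 == "pub" { print $5 }'
}

# Constructed sample of colon-format output (fake key IDs and user IDs),
# embedded so the parsing can be exercised without a real keyring.
SAMPLE_LISTING='tru::1:1030000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2002-09-05::-:Alice Example <alice@example.org>::scESC:
sub:u:1024:16:FEDCBA9876543210:2002-09-05::::::e:
pub:f:1024:17:1122334455667788:2002-08-01::-:Bob Example <bob@example.org>::scESC:'

# Space-separated key IDs from the sample listing, for a quick check.
sample_keyids() {
    printf '%s\n' "$SAMPLE_LISTING" | keyids_from_colons | tr '\n' ' ' | sed 's/ $//'
}

# Refresh every key the 1.0.6 way (--recv-keys on each key ID), but
# without one giant command line: xargs gives gpg at most 50 IDs per run.
refresh_keys_chunked() {
    gpg --list-keys --with-colons | keyids_from_colons | xargs -n 50 gpg -v --recv-keys
}

# The 1.0.7 upgrade steps from the post, in order.
#   $1 = fingerprint of your own key, marked ultimately trusted
#        non-interactively via an owner-trust line "<fpr>:6:" (6 = ultimate)
#        instead of the interactive "trust" menu in --edit-key.
upgrade_to_107() {
    fpr="$1"
    [ -n "$fpr" ] || { echo "usage: upgrade_to_107 <own-key-fingerprint>" >&2; return 1; }
    cp -R "$HOME/.gnupg" "$HOME/.gnupg_106" || return 1   # 1. backup first
    gpg --rebuild-keydb-caches || return 1                # 2. rebuild the trustdb caches
    printf '%s:6:\n' "$fpr" | gpg --import-ownertrust || return 1
    gpg -v --refresh-keys                                 # fetch new signatures
}

# Only the offline part runs by default.
echo "key IDs in sample listing: $(sample_keyids)"
```

On a 1.0.6 box `refresh_keys_chunked` is the replacement for the crontab entry; on 1.0.7 and later a plain `gpg --refresh-keys` does the same job in one call, which is why `upgrade_to_107` ends with it.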