gabriel rosenkoetter on Thu, 27 Feb 2003 01:01:07 -0500



Re: [PLUG] GnuPG 1.2.1 trustdb checks for every pubkey import?


On Wed, Feb 26, 2003 at 11:31:20PM -0500, Walt Mankowski wrote:
> Yeah, it's annoying.  I find that running gpg --rebuild-keydb-caches
> periodically helps a bit, but only very briefly.

Testing this. It's going to run longer than I want to be awake,
though. Running that "every so often" really just isn't an option.

> It's particularly annoying when you import a key that's only been
> self-signed, but gpg *STILL* spends over a minute rechecking the
> entire trust db.  A month or so ago I saw something on the gpg-users
> list that someone had added a patch to the development version to
> prevent that behavior.

Well, I suppose. But very few of the keys on my keyring are only
self-signed (not even the bugtraq-related ones; they're usually
signed by various real people who work for the company issuing the
advisory).

> Wow, I'm only going to depth 2.  I wonder what the difference is.

How many connections out you have to go to trace knowledge of keys.
I go to depth 4 (which really isn't that far, I don't think) because
I've grabbed keys of people from a wide variety of mailing lists,
many of whom I've never met, but a fair number of whom I can get to.

GnuPG doesn't give up doing the trustdb check until it finds 0 keys
with any relation to you at some depth. At least, that's my
understanding.

> Yes, it's also my impression that this is a cpu-bound process, too.  I
> really don't understand what it could possibly be doing that it could
> suck up the cpu of a modern machine for over a minute.  You'd think
> this would be a fairly simple tree traversal algorithm we all learned
> back in our computer science classes.

Well. It's that, PLUS the crypto involved. The latter's what eats
the cycles, I'd assume.

On Wed, Feb 26, 2003 at 11:53:11PM -0500, David Shaw wrote:
> Can you tell me how many keys are in your keyring?

(Redundant, but for completeness:)

uriel:~% gpg --list-keys | grep ^pub | wc -l
    1428

> Also, what happens if you run:
> 
>   gpg --with-colons --list-keys | grep pub | grep :20:

uriel:~% gpg --with-colons --list-keys | grep pub | grep :20:
pub:e:1536:20:809746D01F600BF5:2001-02-28:2002-02-28::-:Stephen D Cope <mail@sdc.org.nz>::esc:
pub:-:2048:20:9009721A2D6DEAE7:2001-03-19:::-:Anders Karlsson (ROCK/UML Project Maintainer) <anders@rocklinux.org>::escESC:

On Thu, Feb 27, 2003 at 12:22:46AM -0500, David Shaw wrote:
> [ 8 keys snipped ]
> 
> Sigh.  Welcome to the hell that is the Elgamal signature key.  They're
> at least one order of magnitude slower than RSA or DSA.  Not much that
> can be done - it's in the nature of the algorithm.  I wish I could pop
> up a big flashing red light when someone generated one of these keys
> explaining all of the reasons why they are a bad idea.

Hrm. I only have two, and yet Walt's describing "a minute" and I'm
seeing nearly three.

Does this just point to "gcc STILL sucks at optimizing PowerPC"?
(Quite possible...)

Is there any reason not to just remove those keys from my keyring?
(They're not people I communicate with regularly, but I expect the
rocklinux one at least will get added back in because of Bugtraq.)

You have to go to a pretty great length to create an Elgamal
signature key, don't you? What would make someone do so?

> Try this:
> 
>   gpg --no-sig-cache --rebuild-keydb-caches
> 
> It'll take a very long time, but that will check and cache the
> validity of every signature you have on your keyring, including all
> the deadly Elgamal ones.
> 
> After you do that, let me know if --check-trustdb runs any faster.

Like Walt, I'll let you know tomorrow.

-- 
gabriel rosenkoetter
gr@eclipsed.net

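An added example, not from the thread or from GnuPG itself: a small Python parser for the --with-colons listing that does what the "grep pub | grep :20:" pipeline above does by record type and algorithm field rather than by substring, and also tallies the keyring by algorithm. It handles both the GnuPG 1.2 layout shown above (user ID in field 10 of the pub record) and the current layout (user IDs in separate uid records); the DSA and RSA keys in the sample listing are constructed, with placeholder key IDs.

```python
"""Find Elgamal sign+encrypt keys (OpenPGP algorithm id 20) in
`gpg --with-colons --list-keys` output. Ids: 1 RSA, 16 Elgamal
encrypt-only, 17 DSA, 20 Elgamal sign+encrypt (the slow kind)."""
from collections import Counter

ALGO_NAMES = {"1": "RSA", "16": "Elgamal-encrypt", "17": "DSA",
              "20": "Elgamal-sign+encrypt"}

# Constructed sample: the two pub records quoted in the thread plus a
# DSA key (old layout) and an RSA key (new layout, uid record) that are
# made up, with placeholder key IDs.
SAMPLE_LISTING = """\
tru::1:1046320000:0:3:1:4
pub:e:1536:20:809746D01F600BF5:2001-02-28:2002-02-28::-:Stephen D Cope <mail@sdc.org.nz>::esc:
pub:-:2048:20:9009721A2D6DEAE7:2001-03-19:::-:Anders Karlsson (ROCK/UML Project Maintainer) <anders@rocklinux.org>::escESC:
pub:f:1024:17:0000000000000001:2002-01-01:::u:Constructed DSA User <dsa@example.invalid>::scSC:
sub:f:2048:16:0000000000000002:2002-01-01:::::e:
pub:u:2048:1:0000000000000003:2003-01-01::::::scESC:
uid:u::::2003-01-01::::Constructed RSA User <rsa@example.invalid>:
"""


def parse_pub_keys(listing):
    """One dict per `pub` record. GnuPG 1.2 put the user ID in field 10
    of `pub`; current versions leave it empty and emit `uid` records,
    so a following `uid` fills in a missing user ID."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({
                "validity": f[1], "bits": int(f[2]), "algo": f[3],
                "algo_name": ALGO_NAMES.get(f[3], "algo-" + f[3]),
                "keyid": f[4], "created": f[5], "expires": f[6],
                "uid": f[9] if len(f) > 9 else "",
                "caps": f[11] if len(f) > 11 else "",
            })
        elif f[0] == "uid" and keys and not keys[-1]["uid"]:
            keys[-1]["uid"] = f[9]
    return keys


def elgamal_signing_keys(listing):
    """Keys the thread's grep pipeline is after, matched on the fields."""
    return [k for k in parse_pub_keys(listing) if k["algo"] == "20"]


def algorithm_histogram(listing):
    """Count of primary keys per public-key algorithm."""
    return Counter(k["algo_name"] for k in parse_pub_keys(listing))


if __name__ == "__main__":
    for k in elgamal_signing_keys(SAMPLE_LISTING):
        print(k["keyid"], k["bits"], k["validity"], k["uid"])
    print(dict(algorithm_histogram(SAMPLE_LISTING)))
```

To run it against a real keyring, pipe the output of "gpg --with-colons --list-keys" into parse_pub_keys instead of SAMPLE_LISTING.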