On Tue, 2 Jul 2019 11:00, d...@fifthhorseman.net said:

> It sounds like you are saying that the order of operations --
> import-then-clean vs. clean-then-import is part of the API spec that
> GnuPG is committed to.

No. What I say is that if we want to clean the keys from bogus
signatures we need to get the key for each signature first. Obviously
this requires that we do some checking on that key as well and this is
why I say it is a catch-22.

However, if you are only talking about self-signatures, there is for sure
no problem: We already have the key (it is a self-signature) and thus we
can immediately check the signature.

Anyway, that takes some time, it is a crypto operation - multiply that
by 150000. OTOH, simply removing non-self-signatures does not cost any
measurable time because it is just comparing two integers.

> But "clean-then-import" is clearly a preferable approach to any of the
> workarounds described so far.

  --import-options import-clean

does exactly this. With the latest patch we fall back to this option and
--self-sigs-only if gpg detects that the keyblock is too large after some
basic checks.

> certificate in the keyring. "clean" means that the certificates already
> stored in the keyring are used to validate incoming signatures. right?

import-clean does this:

     After import, compact (remove all signatures except the
     self-signature) any user IDs from the new key that are not
     usable. Then, remove any signatures from the new key that are
     not usable. This includes *signatures that were issued by keys
     that are not* *present on the keyring*. This option is the same
     as running the --edit-key command "clean" after import.
     Defaults to no.

This import-clean works on all signatures, not just self-signatures.
This is what takes time - finding the key in the keyring (slower since
2.1 due to DB correctness improvements).

In contrast import-minimal does this:

     Import the smallest key possible. This removes all signatures
     except the most recent self-signature on each user ID. This
     option is the same as running the --edit-key command "minimize"
     after import. Defaults to no.

But I am sure you know this. What am I misreading?


Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
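
Added example, not part of the message above and not GnuPG code: a simplified Python model of the three filters the message describes (--self-sigs-only, import-minimal, and the "issuer not on the keyring" part of import-clean), run over a constructed keyblock flooded with third-party signatures. The Sig type, key IDs, user ID and function names are assumptions; signature verification, expiry and revocation are not modelled.

```python
from dataclasses import dataclass

PRIMARY = 0x1111111111111111  # constructed key IDs, not real keys
FRIEND = 0x2222222222222222
UID = "Alice <alice@example.org>"  # constructed user ID

@dataclass(frozen=True)
class Sig:
    issuer: int   # key ID of the signing key
    created: int  # creation time, Unix seconds

def sample_keyblock(flood):
    """Constructed keyblock: two self-sigs, one known certifier, a flood of unknown ones."""
    sigs = [Sig(PRIMARY, 100), Sig(PRIMARY, 200), Sig(FRIEND, 150)]
    sigs += [Sig(0x3000000000000000 + i, 300) for i in range(flood)]
    return {UID: sigs}

def self_sigs_only(primary, uids):
    """Drop non-self-signatures: one integer comparison per signature."""
    return {u: [s for s in sigs if s.issuer == primary] for u, sigs in uids.items()}

def import_minimal(primary, uids):
    """Keep only the most recent self-signature on each user ID."""
    selfs = self_sigs_only(primary, uids)
    return {u: [max(s, key=lambda x: x.created)] if s else [] for u, s in selfs.items()}

def import_clean(primary, uids, keyring):
    """Drop signatures whose issuer is not on the keyring; count keyring lookups."""
    lookups, out = 0, {}
    for u, sigs in uids.items():
        kept = []
        for s in sigs:
            # A self-sig needs no lookup; every third-party sig costs one keyring search.
            if s.issuer != primary:
                lookups += 1
                if s.issuer not in keyring:
                    continue
            kept.append(s)
        out[u] = kept
    return out, lookups

if __name__ == "__main__":
    kb = sample_keyblock(150000)  # the signature count mentioned in the message
    cleaned, lookups = import_clean(PRIMARY, kb, {FRIEND})
    print("self-sigs-only:", len(self_sigs_only(PRIMARY, kb)[UID]))
    print("import-minimal:", import_minimal(PRIMARY, kb)[UID])
    print("import-clean  :", len(cleaned[UID]), "kept after", lookups, "lookups")
```

The lookup counter is the point of the model: the clean path touches the keyring once per third-party signature, while the self-sigs-only path never does.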