Werner Koch [2019-07-03 12:04:55+02:00] wrote:

> On Wed, 3 Jul 2019 10:38, tliko...@iki.fi said:
>> I think everyone would prefer that import-clean would do all the
>> checking and cleaning before importing certificates to the local
>> keyring. The same thing with import-minimal.
>
> It does this. However for 150k signatures it even takes quite some
> time to check whether the key does not exist locally so that the
> signature won't be imported.
Good. So in principle it works well. Thank you.

I downloaded (--receive-key) a poisoned key into an empty keyring using
two different keyserver-options. The duration was practically the same.

    import-clean:   1 min 28 s
    import-minimal: 1 min 25 s

I would expect import-minimal to be much faster, or actually both quite
fast, as my test keyring was empty on both tries. Anyway, it works and
those options seem to protect the keyring from getting poisonous
certificates. There is the DOS aspect of course, as it takes quite long.

The same --receive-key without any keyserver-options hits gpg's limits
at 26 seconds:

    gpg: key [...]: 4 duplicate signatures removed
    gpg: key [...]: 54614 signatures not checked due to missing keys
    gpg: key [...]: 4 signatures reordered
    gpg: error writing keyring '[...]/pubring.kbx': Provided object is too large
    gpg: key [...]: public key "[User ID not found]" imported
    gpg: Total number processed: 1
    gpg: imported: 1
    gpg: not imported: 1
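As an added check (not code from this thread or from GnuPG), the script below parses gpg's import messages of the shapes quoted above and flags a key whose import reports an unusually large number of signatures from unknown keys, or whose write to the keyring fails with "Provided object is too large". The key ID in the sample log, the keyring path and the threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of gpg's import output, modelled on the lines quoted in
# the thread; the key ID is a placeholder, not a real key.
SAMPLE_LOG = """\
gpg: key 0xPLACEHOLDER: 4 duplicate signatures removed
gpg: key 0xPLACEHOLDER: 54614 signatures not checked due to missing keys
gpg: key 0xPLACEHOLDER: 4 signatures reordered
gpg: error writing keyring '/tmp/gnupg/pubring.kbx': Provided object is too large
gpg: key 0xPLACEHOLDER: public key "[User ID not found]" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:           not imported: 1
"""

# Message shapes taken from the thread; the regexes are ours, not GnuPG's.
UNCHECKED_LINE = re.compile(r"^gpg: key (\S+): (\d+) signatures not checked due to missing keys$")
DUP_LINE = re.compile(r"^gpg: key (\S+): (\d+) duplicate signatures removed$")
TOO_LARGE_LINE = re.compile(r"^gpg: error writing keyring '([^']*)': Provided object is too large$")


@dataclass
class ImportReport:
    unchecked: dict = field(default_factory=dict)   # key id -> sigs from unknown keys
    duplicates: dict = field(default_factory=dict)  # key id -> duplicate sigs removed
    keyring_write_failed: bool = False               # "Provided object is too large" seen
    flagged: list = field(default_factory=list)     # key ids that look flooded


def analyze_import(log_text: str, max_unchecked: int = 1000) -> ImportReport:
    """Parse gpg import messages and flag keys carrying a flood of third-party
    signatures. `max_unchecked` is an assumed threshold: a key signed by more
    unknown keys than that is treated as suspicious."""
    rep = ImportReport()
    for line in log_text.splitlines():
        if m := UNCHECKED_LINE.match(line):
            rep.unchecked[m[1]] = rep.unchecked.get(m[1], 0) + int(m[2])
        elif m := DUP_LINE.match(line):
            rep.duplicates[m[1]] = rep.duplicates.get(m[1], 0) + int(m[2])
        elif TOO_LARGE_LINE.match(line):
            rep.keyring_write_failed = True
    rep.flagged = sorted(k for k, n in rep.unchecked.items() if n > max_unchecked)
    return rep


if __name__ == "__main__":
    r = analyze_import(SAMPLE_LOG)
    print(f"flagged keys: {r.flagged}, keyring write failed: {r.keyring_write_failed}")
```

Feed it the stderr of a `gpg --receive-key` or `gpg --import` run; a flagged key is a candidate for re-importing with import-clean or import-minimal rather than the default options.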
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users