keyserver-options: self-sigs-only, import-clean, import-minimal

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jul 2 17:00:26 CEST 2019


On Tue 2019-07-02 12:24:42 +0200, Werner Koch via Gnupg-users wrote:
> On Tue,  2 Jul 2019 10:23, gnupg-users at gnupg.org said:
>
>> Why not make "import-clean" and "import-minimal" strip key signatures
>> before importing a key? That would make "import-minimal" behave like
>
> Because that contradicts what import-clean is supposed to do:
>
>   After import, compact (remove all signatures except the
>   self-signature) any user IDs from the new key that are not usable.
>   Then, remove any signatures from the new key _that are not usable_.
>   This includes signatures that were issued by keys that are not present
>   on the keyring.
>
> To do this gpg needs to check whether the corresponding key exists and
> then verify the signature using that key.  In contrast self-sigs-only
> removes all signatures which are not self-signatures right away by just
> comparing a 64 bit integer.

It sounds like you are saying that the order of operations --
import-then-clean vs. clean-then-import is part of the API spec that
GnuPG is committed to.

However, as Teemu points out, the order of operations is clearly the
cause of the problem here.

If you're saying that "clean-then-import" is technically difficult to
implement, that is a different answer -- it would be good to understand
why it is difficult, so that we can consider how to fix it.

But "clean-then-import" is clearly a preferable approach to any of the
workarounds described so far.

>> My opinion: make "keyserver-options import-clean" the default and make
>> it internally never import any unknown signatures.
>
> Sorry, this is a catch-22.  We need the key to verify the signature.

Surely GnuPG could validate each certification without first storing the
certificate in the keyring.  "clean" means that the certificates already
stored in the keyring are used to validate incoming signatures.  right?
or am i misunderstanding something?

            --dkg
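As an added illustration (not GnuPG's code, and not from anyone in the thread), a toy Python model of the two filters the thread contrasts: self-sigs-only as a plain 64-bit key ID comparison, and a "clean-then-import" that verifies each certification against keys already in the keyring (plus the incoming certificate's own key for its self-signatures) before anything is stored. HMAC stands in for real OpenPGP signatures, and Alice, Bob, the unknown issuer and the user IDs are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Toy model (constructed for this example): a "key" is a secret byte string,
# its 64-bit key ID is the low 8 bytes of SHA-256 over it, and a "certification"
# is an HMAC over the user ID made with the issuer's key. Verifying a
# certification therefore needs the issuer's key material, as in the real case.

def key_id(key: bytes) -> int:
    return int.from_bytes(hashlib.sha256(key).digest()[-8:], "big")

def certify(issuer_key: bytes, uid: str) -> tuple:
    return (key_id(issuer_key), hmac.new(issuer_key, uid.encode(), "sha256").digest())

def verify(issuer_key: bytes, uid: str, sig: tuple) -> bool:
    expected = hmac.new(issuer_key, uid.encode(), "sha256").digest()
    return hmac.compare_digest(sig[1], expected)

@dataclass
class Cert:
    key: bytes
    uid: str
    sigs: list = field(default_factory=list)

def self_sigs_only(cert: Cert) -> Cert:
    # Cheap pre-import filter: keep a signature only if its issuer key ID equals
    # the certificate's own key ID. Nothing is verified, only integers compared.
    own = key_id(cert.key)
    return Cert(cert.key, cert.uid, [s for s in cert.sigs if s[0] == own])

def clean_then_import(cert: Cert, keyring: dict) -> Cert:
    # Verify against what the keyring already holds, plus the incoming key
    # itself for self-signatures; drop anything unverifiable, then store.
    known = {kid: c.key for kid, c in keyring.items()}
    known[key_id(cert.key)] = cert.key
    kept = [s for s in cert.sigs if s[0] in known and verify(known[s[0]], cert.uid, s)]
    cleaned = Cert(cert.key, cert.uid, kept)
    keyring[key_id(cert.key)] = cleaned
    return cleaned

def demo() -> tuple:
    alice, bob = b"alice-secret", b"bob-secret"
    keyring = {key_id(bob): Cert(bob, "bob@example.org")}  # Bob already in keyring
    incoming = Cert(alice, "alice@example.org")
    incoming.sigs = [
        certify(alice, incoming.uid),              # self-signature
        certify(bob, incoming.uid),                # certification from a known key
        certify(b"unknown-secret", incoming.uid),  # issuer absent from the keyring
        (key_id(bob), b"\x00" * 32),               # claims Bob's key ID, does not verify
    ]
    n_self = len(self_sigs_only(incoming).sigs)
    n_clean = len(clean_then_import(incoming, keyring).sigs)
    return (n_self, n_clean, len(keyring))  # -> (1, 2, 2)
```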