Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss]

Cleaning up your gpg keyring after the SKS debacle
Sat 13 July 2019 — download

Someone thought that it would be funny to spam PGP's keyservers with phony signatures, since gpg doesn't scale at all when dealing with keys signed by a couple of thousands of other ones. It's ok, it's not as if this was a novel attack but something that has been common knowledge for years. I mean, who would except any software to not explode when dealing with a couple of megabytes of cryptographic material.

Anyway, I experienced this first hand this morning when gpg decided to eat all my CPU and crash my email client. So I asked the internet for more details, and apparently the only solution is to delete the keys with a high number of signatures, duh. BUT, not a single soul thought that it would be cool to provide a simple copy-pasteable way to do this, which would be entirely fine if GPG's usability wouldn't be the absolute fucking worse. Smart people even wrote not one ultra famous paper on this sole topic, but also a second one. Nobody knows how to use it properly, because GPG is composed of a subtle combination of baroque and old-school concepts that are hard to grasp compared to what we're used to in 2019, along with the fact that the gpg command has more than 300 different flags.

So, here is how you can clean your keyring, as simple copy-pasteable commands:

  1. Run gpg --list-sigs > out.txt to list all the keys present in your keying with their associate signatures. Go make yourself a cup of tea, read a book, … this is going to take some time.
  2. Take a look at out.txt, and find the keys that have an abnormally large number of signatures, like several thousands.
  3. Delete them with gpg --delete-keys $KEYID1 $KEYID2, …
  4. Download the keys again, from a less terrible keyserver that doesn't blindly accept spam as legitimate content, with gpg --keyserver keys.openpgp.org --recv-key $KEYID.

And for fucking FSM's sake, try to use something else than GPG with your friends, like Signal, Wire, Threema, Whatsapp, Wickr, …