Someone thought it would be funny to spam the PGP keyservers with phony signatures, since gpg doesn't scale at all when dealing with keys signed by a couple of thousand other ones. It's ok, it's not as if this were a novel attack; it has been common knowledge for years. I mean, who would expect any software not to explode when fed a couple of megabytes of cryptographic material.
Anyway, I experienced this first hand this morning when gpg decided to eat all my CPU and crash my email client. So I asked the internet for more details, and apparently the only solution is to delete the keys with a high number of signatures, duh. BUT, not a single soul thought it would be cool to provide a simple copy-pasteable way to do this, which would be entirely fine if GPG's usability weren't the absolute fucking worst.
Smart people even wrote not one ultra-famous paper on this sole topic, but also a second one. Nobody knows how to use it properly, because GPG is composed of a subtle combination of baroque and old-school concepts that are hard to grasp compared to what we're used to in 2019, along with the fact that the gpg command has more than 300 different flags.
So, here is how you can clean your keyring, as simple copy-pasteable commands:
- Run `gpg --list-sigs > out.txt` to list all the keys present in your keyring along with their associated signatures. Go make yourself a cup of tea, read a book, … this is going to take some time, precisely because of the flooded keys.
- Take a look at out.txt, and find the keys that have an abnormally large number of signatures, like several thousand.
- Delete them with `gpg --delete-keys $KEYID1 $KEYID2 …`. Don't delete your own key: gpg refuses to remove a public key while you still hold its secret key, and you would need `--delete-secret-and-public-keys` for that anyway.
- Download the keys again, from a less terrible keyserver that doesn't blindly accept spam as legitimate content, with `gpg --keyserver keys.openpgp.org --recv-keys $KEYID`. Note that keys.openpgp.org doesn't distribute third-party signatures at all, so the refetched key comes back without the spam, but also without its legitimate web-of-trust signatures. If you are on gpg 2.2.17 or later, `--recv-keys` ignores third-party signatures by default anyway (the `self-sigs-only` keyserver option), so a key fetched from any keyserver won't bloat your keyring again.
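To skip reading through out.txt by hand, here is an added example (not from the original post) that does the counting on gpg's machine-readable `--with-colons` listing. It assumes GnuPG 2.x's colon format, where field 1 is the record type (pub/fpr/uid/sig/sub) and field 5 is the key ID of the key or of the signer, counts only third-party signatures (self-signatures are excluded, since every key carries those), and is exercised here on a constructed two-key listing rather than a real keyring:

```shell
#!/bin/sh
# Added example: find keys in the local keyring that carry an abnormally large
# number of third-party signatures, using gpg's machine-readable listing.
# Assumptions: GnuPG 2.x colon format, field 1 = record type, field 5 = key ID
# (of the key on pub records, of the signer on sig records).

# Read "gpg --with-colons --list-sigs" output on stdin and print, per primary
# key, the number of third-party signatures (self-signatures excluded)
# followed by the key ID.
count_sigs() {
    awk -F: '
        $1 == "pub" { if (key != "") print n, key; key = $5; n = 0 }
        $1 == "sig" && $5 != key { n++ }
        END { if (key != "") print n, key }
    '
}

# Same input; print only keys with more than $1 third-party signatures.
flooded_keys() {
    count_sigs | awk -v thr="$1" '$1 > thr'
}

# Constructed sample listing (not a real keyring): key ...1111 carries one
# third-party signature, key ...2222 three; both also carry a self-signature.
SAMPLE_LISTING=$(cat <<'EOF'
tru::1:1565000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAA1111:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000AAAAAAAAAAAAAAAAAAAA1111:
uid:u::::1500000000::0000::Alice <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAA1111:1500000000::::Alice <alice@example.org>:13x:::::2:
sig:::1:BBBBBBBBBBBBBBBB:1500000001::::[User ID not found]:10x:::::2:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::e::::::23:
pub:u:4096:1:AAAAAAAAAAAA2222:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000AAAAAAAAAAAAAAAAAAAA2222:
uid:u::::1500000000::0000::Bob <bob@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAA2222:1500000000::::Bob <bob@example.org>:13x:::::2:
sig:::1:DDDDDDDDDDDDDDDD:1500000001::::[User ID not found]:10x:::::2:
sig:::1:EEEEEEEEEEEEEEEE:1500000002::::[User ID not found]:10x:::::2:
sig:::1:FFFFFFFFFFFFFFFF:1500000003::::[User ID not found]:10x:::::2:
EOF
)

# Usage against a real keyring (not run here; slow on a flooded keyring):
#   gpg --with-colons --list-sigs | flooded_keys 1000
```

On a real keyring, pipe the listing in with `gpg --with-colons --list-sigs | flooded_keys 1000`; the second column is the key ID to hand to `gpg --delete-keys`. The threshold is a judgement call: a well-connected key signed at a few keysigning parties legitimately carries a few hundred certifications, while the flooded ones carry tens of thousands.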
And for fucking FSM's sake, try to use something other than GPG with your friends, like Signal, Wire, Threema, WhatsApp, Wickr, …