Title: Cleaning up your gpg keyring after the SKS debacle
Date: 2019-07-13 17:00

Someone thought that it would be funny to spam PGP's keyservers with phony
signatures, since gpg doesn't scale at all when dealing with keys signed by
a couple of thousands of other ones. It's ok, it's not as if this was a novel
attack but something that has [been
common knowledge](https://medium.com/@mdrahony/are-sks-keyservers-safe-do-we-need-them-7056b495101c) for years.
I mean, who would expect any software to not explode when dealing with a
_couple of megabytes_ of cryptographic material.

Anyway, I experienced this first hand this morning when `gpg` decided to eat all my CPU
and crash my email client. So I asked the internet for more details, and
apparently the only solution is to delete the keys with a high number of
signatures, duh. **BUT**, not a single soul thought that it would be cool to provide a
simple copy-pasteable way to do this, which would be entirely fine if GPG's usability weren't
the [absolute](https://moxie.org/blog/gpg-and-me/) [fucking](https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html)
[worst](https://www.vice.com/en_us/article/vvbw9a/even-the-inventor-of-pgp-doesnt-use-pgp).
Smart people even wrote not one [ultra famous
paper](https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50)
on this sole topic, but also a [second
one](http://www.chariotsfire.com/pub/sheng-poster_abstract.pdf). Nobody
knows how to use it properly, because GPG is composed of a subtle combination
of baroque and old-school concepts that are hard to grasp compared to what
we're used to in 2019, along with the fact that the `gpg` command has __more
than 300 different flags__.

So, here is how you can clean your keyring, as simple copy-pasteable commands:

1. Run `gpg --list-sigs > out.txt` to list all the keys present in your keyring with their
	 associated signatures. Go make yourself a cup of tea, read a book, … this is
	 going to take some time.
2. Take a look at `out.txt`, and find the keys that have an *abnormally large*
	 number of signatures, like several thousands.
3. Delete them with `gpg --delete-keys $KEYID1 $KEYID2 …`
4. Download the keys again, from a less terrible keyserver that doesn't blindly
	 accept spam as legitimate content, with `gpg --keyserver keys.openpgp.org
	 --recv-key $KEYID`.
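Step 2 is the tedious part when the keyring is large, so here is an added example (not part of the original post) that does the counting for you: it reads gpg's machine-readable `--with-colons` listing instead of the human-readable `out.txt`, tallies signature records per key, and prints the key IDs that reach a threshold, ready to be pasted into `gpg --delete-keys`. The sample listing embedded below is constructed and abbreviated; the key IDs in it are not real keys.

```shell
#!/bin/sh
# Count signatures per key in machine-readable gpg output and print the keys
# whose signature count reaches THRESHOLD, one "count keyid" per line.
# Feed it the output of:  gpg --with-colons --list-sigs
flag_spammed_keys() {
    threshold="${1:-1000}"
    awk -F: -v limit="$threshold" '
        # A "pub" record starts a new key: report the previous one, then reset.
        # Field 5 of a pub record is the long key ID.
        $1 == "pub" { if (key != "" && n >= limit) print n, key; key = $5; n = 0 }
        # "sig" (and "rev", revocation signature) records belong to the current key.
        $1 == "sig" || $1 == "rev" { n++ }
        END { if (key != "" && n >= limit) print n, key }
    '
}

# Constructed, abbreviated sample of --with-colons output (not real keys):
# key AAAA... has 1 signature, BBBB... has 4, CCCC... has 2.
SAMPLE='pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000::::::scESC::::::23::0:
uid:u::::1500000000::HASH::Alice <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice <alice@example.org>:13x:::::2:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::scESC::::::23::0:
uid:u::::1500000000::HASH::Bob <bob@example.org>::::::::::0:
sig:::1:BBBBBBBBBBBBBBBB:1500000000::::Bob <bob@example.org>:13x:::::2:
sig:::1:1111111111111111:1560000000::::[User ID not found]:10x:::::2:
sig:::1:2222222222222222:1560000000::::[User ID not found]:10x:::::2:
sig:::1:3333333333333333:1560000000::::[User ID not found]:10x:::::2:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::scESC::::::23::0:
uid:u::::1500000000::HASH::Carol <carol@example.org>::::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1500000000::::Carol <carol@example.org>:13x:::::2:
sig:::1:4444444444444444:1560000000::::[User ID not found]:10x:::::2:'

# On a real keyring you would run (threshold of 1000 signatures):
#   gpg --with-colons --list-sigs | flag_spammed_keys 1000
# Demo on the constructed sample with a threshold of 3: prints "4 BBBBBBBBBBBBBBBB".
printf '%s\n' "$SAMPLE" | flag_spammed_keys 3
```

Pipe the key IDs it prints into step 3, then re-fetch them from keys.openpgp.org as in step 4.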

And for fucking [FSM](https://en.wikipedia.org/wiki/Flying_Spaghetti_Monster)'s sake,
try to use something else than GPG with your friends, like [Signal](https://signal.org),
[Wire](https://wire.com), [Threema](https://threema.ch/en/),
[Whatsapp](https://www.whatsapp.com/), [Wickr](https://wickr.com/), …
