Shrinking the keyring
Apparently I'm supposed to be blogging once a day, every day, for November. I missed yesterday and doubt I'll have something to say every day, but let's try...
Today I have been playing with the export-clean and import-clean options to GnuPG, in particular in conjunction with the debian-keyring. With these options, only signatures that can be verified (i.e. that are from keys that exist in your keyring) are kept, and signatures other than the revocation are removed from revoked keys/uids.
Why is this interesting to me? Well, a number of reasons:
- It makes key updates a hell of a lot easier. It cuts down on the number of new signatures to check, for example.
- It cuts down on the keyring size, meaning smaller uploads for me and smaller downloads for everyone else. The .deb goes from 20M to 6.6M and the installed debian-keyring.gpg from 24M to 7.6M. That's a significant saving.
- It makes for "cleaner" keys; only signatures that we know are valid end up remaining on the keys, anything invalid is removed.
(Note I haven't actually rolled any of this out; it's just something I've been playing with locally at present to get a feel for the savings/benefits to be had.)
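
The effect of `export-clean` described above can be reproduced on any keyring file: load it into an empty temporary GnuPG home and re-export it, so that signatures from keys not in that file are dropped. This is an added example, not the author's own procedure; the function names and file paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example; function names and file paths are assumptions.
# The gpg options used (--export-options export-clean, --list-packets) are GnuPG's own.

# count_sigs FILE: number of signature packets in an exported keyring file.
count_sigs() (
    home=$(mktemp -d) || exit 1      # throwaway homedir, leaves ~/.gnupg untouched
    gpg --homedir "$home" --batch --list-packets "$1" 2>/dev/null |
        grep -c '^:signature packet:' || true
    rm -rf "$home"
)

# clean_keyring IN OUT: load IN into an empty throwaway homedir and re-export it
# with export-clean. The import is plain, so every key in IN is present before
# export-clean decides which signatures can be verified.
clean_keyring() (
    home=$(mktemp -d) || exit 1
    if gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null &&
       gpg --homedir "$home" --batch --export-options export-clean \
           --export > "$2" 2>/dev/null; then rc=0; else rc=1; fi
    rm -rf "$home"
    exit "$rc"
)

# Usage (file names are assumptions): ./clean.sh debian-keyring.gpg cleaned.gpg
if [ "$#" -eq 2 ]; then
    echo "signatures before: $(count_sigs "$1")"
    clean_keyring "$1" "$2" || { echo "gpg failed" >&2; exit 1; }
    echo "signatures after:  $(count_sigs "$2")"
    ls -l "$1" "$2"                  # compare file sizes
fi
```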