Apparently I'm supposed to be blogging once a day, every day, for November. I missed yesterday and doubt I'll have something to say every day, but let's try...

Today I have been playing with the export-clean and import-clean options to gnupg, in particular in conjunction with the debian-keyring. The options result in only signatures that can be verified (i.e. those from keys that exist in your keyring) being allowed, and remove all signatures other than the revocation from revoked keys/uids.

Why is this interesting to me? Well, a number of reasons:

  • It makes key updates a hell of a lot easier. It cuts down on the number of new signatures to check, for example.
  • It cuts down on the keyring size, meaning smaller uploads for me and smaller downloads for everyone else. The .deb goes from 20M to 6.6M and the installed debian-keyring.gpg from 24M to 7.6M. That's a significant saving.
  • It makes for "cleaner" keys; only signatures that we know are valid end up remaining on the keys, anything invalid is removed.

There's an argument that this "weakens" the web of trust (after all, we're throwing away signatures from keys), but I'm not really convinced. The full keys can still be downloaded from the keyserver network and it's not like any of the Debian infrastructure scripts make use of web of trust; all that's important is that a key is present in the keyring. I've been asked about export-minimal (i.e. keys + self sigs only) in the past, but I prefer this method of keeping verifiable signatures as it provides some measure of checking key trust for people importing the keyrings locally or auditing the keyring.

(Note I haven't actually rolled any of this out, it's just something I've been playing with locally at present to get a feel for the savings/benefits to be had.)
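As an added illustration (not code from this post and not gnupg's own implementation), the script below models the export-clean rules described above against a constructed sample of `gpg --check-sigs --with-colons` output: a signature whose signer is in the keyring shows `!` in the validity field and is kept, one with no key to verify it shows `?` and is dropped, and a revoked key or uid keeps only its revocation. The key IDs and user IDs in the sample are placeholders; the field positions are the standard colon-format ones.

```python
# Constructed sample of `gpg --check-sigs --with-colons` output with placeholder
# key IDs and user IDs. Field 2 of a sig/rev record is the check result:
# "!" verified against a key in the keyring, "?" no key available to verify.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000::::::scESC::::::23::0:
uid:-::::1400000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.invalid>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1400000000::::Alice Example <alice@example.invalid>:13x:::::2:
sig:!::1:BBBBBBBBBBBBBBBB:1400000100::::Bob Example <bob@example.invalid>:10x:::::2:
sig:?::1:CCCCCCCCCCCCCCCC:1400000200::::[User ID not found]:10x:::::2:
uid:r::::1400000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Alice Old <old@example.invalid>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1400000000::::Alice Example <alice@example.invalid>:13x:::::2:
sig:!::1:BBBBBBBBBBBBBBBB:1400000100::::Bob Example <bob@example.invalid>:10x:::::2:
rev:!::1:AAAAAAAAAAAAAAAA:1400000300::::Alice Example <alice@example.invalid>:30x:::::2:
"""

def parse(colons):
    """Yield (type, validity, keyid, uid, sigclass) for each colon record."""
    for line in colons.splitlines():
        f = line.split(":")
        if len(f) < 11:
            continue  # blank or truncated line, nothing to read
        yield f[0], f[1], f[4], f[9], f[10]

def _clean_block(owner, block, key_revoked, kept, dropped):
    """Apply the export-clean rules to the signatures on one pub/uid/sub record."""
    revoked = key_revoked or owner[1] == "r" or any(r[0] == "rev" for r in block)
    for r in block:
        if revoked:
            keep = r[0] == "rev"  # revoked key/uid: only the revocation survives
        else:
            keep = r[0] == "sig" and r[1] == "!"  # signer's key is in the keyring
        (kept if keep else dropped).append((owner, r))

def clean(colons):
    """Return (kept, dropped): lists of (owner_record, signature_record)."""
    kept, dropped, owner, block, key_revoked = [], [], None, [], False
    for rec in parse(colons):
        if rec[0] in ("pub", "uid", "sub"):
            if owner is not None:
                _clean_block(owner, block, key_revoked, kept, dropped)
            if rec[0] == "pub":
                key_revoked = rec[1] == "r"  # a revoked key taints all its uids
            owner, block = rec, []
        elif rec[0] in ("sig", "rev"):
            block.append(rec)
    if owner is not None:
        _clean_block(owner, block, key_revoked, kept, dropped)
    return kept, dropped
```

To preview the effect on a real keyring, feed `clean()` the output of `gpg --no-default-keyring --keyring debian-keyring.gpg --check-sigs --with-colons` and compare the lengths of the two lists.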