Möhrenfeld

My first GnuPG key was created in 2000, 2000-11-05 to be exact. Ever since then I have attended a lot of keysigning sessions and collected a lot of keys. At the moment I have over 200 keys in my keyring and a lot of these were also created many years ago.

Over time these keys accumulate a lot of signatures, and many of those cannot be used for anything because the key that made the signature is not in the keyring, so GnuPG cannot verify them. They still slow GnuPG down, especially the trustdb calculations, because every signature has to be looked at.

So the best thing to do is to get rid of those unusable signatures. This can be done with the import-clean option of GnuPG:

import-clean
        After import, compact (remove all signatures except the self-signature) any
        user IDs from the new key that are not usable. Then, remove any signatures
        from the new key that are not usable. This includes signatures that were
        issued by keys that are not present on the keyring. This option is the same
        as running the --edit-key command "clean" after import. Defaults to no.

This can be done while refreshing all keys from a keyserver:

gpg --no-options --keyserver pool.sks-keyservers.net --keyserver-options no-honor-keyserver-url,import-clean,export-clean --refresh-keys

In my case this produced the following result the first time I ran it:

gpg: Total number processed: 263
gpg:              unchanged: 19
gpg:     signatures cleaned: 72733
gpg:       user IDs cleaned: 145
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed: 158  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid: 158  signed:  97  trust: 57-, 0q, 0n, 93m, 8f, 0u
gpg: depth: 2  valid:  17  signed:  47  trust: 11-, 3q, 0n, 2m, 1f, 0u
gpg: next trustdb check due at 2015-11-14

So in total 72733 signatures were removed! In addition, 145 user IDs were cleaned (reduced to their self-signature) because they were no longer usable, for example because they had been revoked or had expired.

While this made trust calculations much faster (at least in my case), there is a catch. import-clean removes every signature made by a key that is not in your keyring, so the signatures that a key you do not have yet made on other keys are gone from your copies of those keys. Whenever you add a new key to your keyring, and in particular when you also assign marginal or full (complete) ownertrust to it, you therefore need to refresh all other keys from the keyserver as well, so that the signatures made by the new key are imported again and can be used in the trust calculation.
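To see both halves of this (import-clean dropping a signature whose signer is unknown, and the signature coming back once the signer is in the keyring and the signed key is imported again), here is an added example that is not from the original post. It uses only throwaway GnuPG homedirs under a temporary directory and no keyserver, so it runs offline; it assumes GnuPG 2.x is on the PATH, and the two key holders "Alice" and "Bob" with example.invalid addresses are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrate what
# "import-clean" does to a third-party signature whose signing key is
# absent from the keyring, and that the signature is restored when the
# signed key is imported again after the signer's key has been added.
# Assumes GnuPG 2.x (gpg, gpgconf) on PATH; everything happens in
# throwaway homedirs, no keyserver is contacted.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"; RAW="$WORK/raw"; CLEAN="$WORK/clean"
mkdir -m 700 "$ALICE" "$BOB" "$RAW" "$CLEAN"

# Stop the per-homedir agents and delete the temporary keyrings on exit.
cleanup() {
    for h in "$ALICE" "$BOB" "$RAW" "$CLEAN"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg_in <homedir> <args...>: run gpg non-interactively against one homedir.
# The demo keys have an empty passphrase, supplied via loopback pinentry.
gpg_in() {
    h=$1; shift
    gpg --homedir "$h" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# count_sigs_from <homedir> <key fingerprint> <signer long key ID>:
# number of signatures on that key made by that signer, taken from the
# machine-readable --list-sigs output ("sig" records, field 5 = key ID).
count_sigs_from() {
    gpg_in "$1" --with-colons --list-sigs "$2" \
        | awk -F: -v id="$3" '$1 == "sig" && $5 == id { n++ } END { print n + 0 }'
}

# 1. Two test keys (made up for this example): Alice's key gets signed, Bob signs.
gpg_in "$ALICE" --quick-generate-key 'Alice <alice@example.invalid>' default default never
gpg_in "$BOB"   --quick-generate-key 'Bob <bob@example.invalid>'     default default never
ALICE_FPR=$(gpg_in "$ALICE" --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
BOB_ID=$(gpg_in "$BOB" --with-colons --list-keys | awk -F: '$1 == "pub" { print $5; exit }')

# 2. Bob certifies Alice's key and exports it carrying his signature.
gpg_in "$ALICE" --export "$ALICE_FPR" > "$WORK/alice.pub"
gpg_in "$BOB" --import "$WORK/alice.pub"
gpg_in "$BOB" --yes --quick-sign-key "$ALICE_FPR"
gpg_in "$BOB" --export "$ALICE_FPR" > "$WORK/alice-signed.pub"
gpg_in "$BOB" --export "$BOB_ID" > "$WORK/bob.pub"

# 3. A plain import keeps Bob's signature even though Bob's key is unknown
#    here (gpg --list-sigs shows it as "[User ID not found]").
gpg_in "$RAW" --import "$WORK/alice-signed.pub"
SIGS_RAW=$(count_sigs_from "$RAW" "$ALICE_FPR" "$BOB_ID")

# 4. Importing with import-clean drops it: the signer is not in the keyring.
gpg_in "$CLEAN" --import-options import-clean --import "$WORK/alice-signed.pub"
SIGS_CLEANED=$(count_sigs_from "$CLEAN" "$ALICE_FPR" "$BOB_ID")

# 5. Once Bob's key is present, importing Alice's key again (same options)
#    keeps the signature. This is why the whole keyring has to be refreshed
#    after a new key is added and trusted.
gpg_in "$CLEAN" --import "$WORK/bob.pub"
gpg_in "$CLEAN" --import-options import-clean --import "$WORK/alice-signed.pub"
SIGS_REFRESHED=$(count_sigs_from "$CLEAN" "$ALICE_FPR" "$BOB_ID")

echo "Bob's signature on Alice's key: plain import=$SIGS_RAW, import-clean=$SIGS_CLEANED, after Bob's key was added=$SIGS_REFRESHED"
```

The same `count_sigs_from` counting (gpg --with-colons --list-sigs, filtered on the signer's key ID in field 5) can be pointed at a real keyring to check whether a particular signer's certifications survived a cleaning run or came back after a refresh.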

In my setup I run the refresh command every night as a cronjob so I get the new trust calculations the next morning.