My first GnuPG key was created in 2000, 2000-11-05 to be exact. Ever since then I have attended a lot of keysigning sessions and collected a lot of keys. At the moment I have over 200 keys in my keyring, and a lot of these were also created many years ago.
Over time these keys accumulate a lot of signatures, and a lot of those cannot be used because the corresponding key is not in the keyring. Still, these slow GnuPG down, especially the trustdb calculations.
So the best thing to do is to get rid of those unusable signatures. This can be done with the import-clean option of GnuPG:
import-clean
  After import, compact (remove all signatures except the self-signature) any user IDs from the new key that are not usable. Then, remove any signatures from the new key that are not usable. This includes signatures that were issued by keys that are not present on the keyring. This option is the same as running the --edit-key command "clean" after import. Defaults to no.
This can be done while refreshing all keys from a keyserver:
gpg --no-options --keyserver pool.sks-keyservers.net --keyserver-options no-honor-keyserver-url,import-clean,export-clean --refresh-keys
In my case this produced the following result the first time I ran it:
gpg: Total number processed: 263
gpg: unchanged: 19
gpg: signatures cleaned: 72733
gpg: user IDs cleaned: 145
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 158 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 158 signed: 97 trust: 57-, 0q, 0n, 93m, 8f, 0u
gpg: depth: 2 valid: 17 signed: 47 trust: 11-, 3q, 0n, 2m, 1f, 0u
gpg: next trustdb check due at 2015-11-14
So in total 72733 signatures have been removed! Also there are 145 user IDs that were cleaned because they were no longer usable.
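To see beforehand how many signatures on a keyring fall into the "issued by keys that are not present on the keyring" case, the colon listing from `gpg --with-colons --check-sigs` can be counted per key. This is an added example, not part of the original post: the function names are hypothetical, the sample listing is constructed, and it assumes the documented colon format in which field 2 of a `sig` record starts with `?` when no usable public key is available. It covers only that case, so it is an estimate of what cleaning removes.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the output of
# `gpg --with-colons --check-sigs` on stdin; it never calls gpg itself.

# Prints "<keyid> <sigs with missing issuer> <all sigs>" per primary key,
# followed by a "TOTAL <missing> <all>" line.
count_missing_issuer_sigs() {
    awk -F: '
        $1 == "pub" { key = $5; order[++n] = key }   # field 5: long key ID
        $1 == "sig" && key != "" {
            total[key]++
            # Field 2 begins with "?" when gpg has no usable public key
            # to check this signature (the issuer is not on the keyring).
            if (substr($2, 1, 1) == "?") missing[key]++
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                printf "%s %d %d\n", k, missing[k], total[k]
                m += missing[k]; t += total[k]
            }
            printf "TOTAL %d %d\n", m, t
        }'
}

# Constructed sample listing: two keys, three signatures from absent issuers.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:
uid:u::::1400000000::0000::Alice Example <alice@example.org>:
sig:!::1:AAAAAAAAAAAAAAAA:1400000000::::Alice Example <alice@example.org>:13x:
sig:!::1:BBBBBBBBBBBBBBBB:1400000100::::Bob Example <bob@example.org>:10x:
sig:?::1:1111111111111111:1400000200::::[User ID not found]:10x:
sig:?::1:2222222222222222:1400000300::::[User ID not found]:10x:
sub:u:4096:1:AAAAAAAAAAAAAAA1:1400000000::::::e:
sig:!::1:AAAAAAAAAAAAAAAA:1400000000::::Alice Example <alice@example.org>:18x:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1300000000:::f:::scESC:
uid:f::::1300000000::0000::Bob Example <bob@example.org>:
sig:!::1:BBBBBBBBBBBBBBBB:1300000000::::Bob Example <bob@example.org>:13x:
sig:?::1:3333333333333333:1300000500::::[User ID not found]:10x:
EOF
}

# Real keyring: gpg --with-colons --check-sigs | count_missing_issuer_sigs
sample_listing | count_missing_issuer_sigs
```

Running the same count before and after a cleaning refresh shows how much of the reduction came from signatures whose issuer key was never on the keyring.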
While this made trust calculations much faster (at least in my case), you have to keep in mind that whenever you add a new key to your keyring and also assign marginal or complete trust to that key, you need to refresh all other keys from the keyserver as well to get the matching signatures that the new key made.
In my setup I run the refresh command every night as a cron job, so I get the new trust calculations the next morning.