
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

For those of us who use OpenPGP/GPG keys with the GNUPG implementation (perhaps everyone who interacts with SKS servers)... there has been a very long standing technical problem that is currently causing issues.

The problem, in a nutshell, causes keys to significantly increase in size due to bad data being easily uploaded to the SKS servers without proper validation and consequently severely affecting performance of anything using the public keyring database.

If you experience the problem, it will be due to a significant increase of the size of your public keyring file. When processing the public keyring data, the CPU gets pinned at 100% for at least one thread.

What I have done is a full export of keys to ASCII armoured files and looked at the larger files -- in my case the two largest were for Micah Lee and the Tor Project keys. Delete problematic keys and import fresh sane data for them.

Having older backups of the Tor Project's key, I've replaced the key with one that doesn't have the extra bad payload. The former key /may/ not be easily found as the Tor website directs you to an SKS server to collect the data and it doesn't appear to be easily available directly from the Tor Project's own website.

For Micah Lee's key, I got it from keybase.io (micahflee).

https://keybase.io/micahflee

There are different solutions, keybase.io is but one. In any case the SKS servers are in big trouble as they stand today.

A reason for the problem popping up might be related to a simple key refresh; so that is a major problem. It's been said that even just using the keys can cause problems when you don't have any keys with bad data, but I'm not so sure about that.

- --
Kind Regards
AndrewM
Andrew McGlashan
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXRrQBwAKCRCoFmvLt+/i
+1XHAQCLxsmNgOlHQYjo283bR1rsA3Y+2RUubBQFiYFeaShcrwEAgOwO3jXOnwPa
ibBTYDau9UtIsJt6edk7Shz4kaWUO8c=
=6g3D
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

> A reason for the problem popping up might be related to a simple key refresh; so that is a major problem. It's been said that even just using the keys can cause problems when you don't have any keys with bad data, but I'm not so sure about that.

Without any specific refresh, my Tor Project key grew again.

I've changed my gpg.conf now, let's see if that stops the problem.

Using an alternate server:

keyserver hkp://keys.openpgp.org

More details here:
https://sequoia-pgp.org/blog/2019/06/14/20190614-hagrid/

Cheers
A.
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXRrxPQAKCRCoFmvLt+/i
+0HDAQCTebWX0RvfpqbNXf/9iXvttY97PLjb2VFrCXsmgedaZQEAmq5OSt6y8c4P
A1brXOMV4LE/TiTtet2g15WFp7BtZKI=
=zu0v
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

>> A reason for the problem popping up might be related to a simple key refresh; so that is a major problem. It's been said that even just using the keys can cause problems when you don't have any keys with bad data, but I'm not so sure about that.
>
> Without any specific refresh, my Tor Project key grew again.
>
> I've changed my gpg.conf now, let's see if that stops the problem.
>
> Using an alternate server:
>
> keyserver hkp://keys.openpgp.org
>
> More details here:
> https://sequoia-pgp.org/blog/2019/06/14/20190614-hagrid/

This looks interesting too, but unfortunately there are major problems; performance is but one of the major problems.

https://daniel-lange.com/archives/159-Cleaning-a-broken-GNUpg-gpg-key.html

Cheers
A.
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXRuMzAAKCRCoFmvLt+/i
+xomAP9dQULFPicl9TajqhH0eUMApACV+VsYiukXwRHIruaSlAEAkI9U3AYtvP00
hokJuUe0stNT0Jh9tKaF2VcbH2bkiFA=
=u3jW
-----END PGP SIGNATURE-----
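Added example, not code from this thread, from GnuPG, from SKS or from the cleaning article linked above, illustrating the export-and-inspect step from the first message and the clean-up step this one refers to: a minimal RFC 4880 packet walker that counts how many signatures on a key were issued by the key itself versus by third parties (the flood payload), and rebuilds the key keeping only the primary key's own signatures. It assumes v4 keys and v4 signatures that carry an Issuer or Issuer Fingerprint subpacket and no partial-body lengths; the flooded key it runs on is constructed inline from dummy key material, so nothing in it cryptographically verifies.

```python
# Added example, not code from the thread, GnuPG, SKS or the linked article: walk an OpenPGP
# key's packets (RFC 4880), count its signatures and rebuild it without third-party ones.
# Assumes v4 keys/signatures with an Issuer (16) or Issuer Fingerprint (33) subpacket and no
# partial-body lengths; the sample key at the bottom is constructed from dummy material.
import hashlib
import struct
SIG, PUBKEY, UID, ISSUER, ISSUER_FPR = 2, 6, 13, 16, 33   # packet tags, subpacket types

def _new_length(buf, pos, two_byte_limit):
    # New-style length, shared by new-format packets (limit 224) and subpackets (255)
    first = buf[pos]
    if first < 192:
        return first, 1
    if first < two_byte_limit:
        return ((first - 192) << 8) + buf[pos + 1] + 192, 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], 5
    raise ValueError("partial body lengths not supported")

def iter_packets(data):
    # Yields (tag, body); accepts the old-format headers gpg writes and new-format ones
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:
            tag, (length, used) = ctb & 0x3F, _new_length(data, pos + 1, 224)
        else:  # old format: length type 0/1/2 = 1/2/4 bytes; type 3 (indeterminate) unsupported
            tag, used = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 0x03]
            length = int.from_bytes(data[pos + 1:pos + 1 + used], "big")
        body = data[pos + 1 + used:pos + 1 + used + length]
        if not ctb & 0x80 or len(body) != length:
            raise ValueError("bad packet at offset %d" % pos)
        yield tag, body
        pos += 1 + used + length

def iter_subpackets(area):
    # Yields (type, data) for a signature subpacket area, critical bit stripped from the type
    pos = 0
    while pos < len(area):
        length, used = _new_length(area, pos, 255)
        sub = area[pos + used:pos + used + length]
        yield sub[0] & 0x7F, sub[1:]
        pos += used + length

def encode_packet(tag, body):
    # New-format header; the 5-byte length form is valid for any body size
    hdr = bytes([len(body)]) if len(body) < 192 else b"\xff" + struct.pack(">I", len(body))
    return bytes([0xC0 | tag]) + hdr + body

def key_id(pubkey_body):
    # Low 64 bits of the v4 fingerprint: SHA-1 over 0x99, 2-byte length, body
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).digest()[-8:]

def issuer_of(sig):
    # Issuer key ID of a v4 signature.  The unhashed area is not signed, so a match found
    # there is only a heuristic: a real clean-up must verify the self-signatures it keeps.
    if sig[0] != 4:
        return None
    hl = struct.unpack(">H", sig[4:6])[0]
    ul = struct.unpack(">H", sig[6 + hl:8 + hl])[0]
    found = None
    for area in (sig[6:6 + hl], sig[8 + hl:8 + hl + ul]):
        for stype, data in iter_subpackets(area):
            if stype == ISSUER_FPR and len(data) == 21 and data[0] == 4:
                return data[13:]
            if stype == ISSUER and len(data) == 8 and found is None:
                found = data
    return found

def classify(key_bytes):
    # Yields (tag, body, is_self); is_self marks signatures issued by the primary key itself
    primary = None
    for tag, body in iter_packets(key_bytes):
        if tag == PUBKEY:
            primary = key_id(body)
        yield tag, body, tag == SIG and primary is not None and issuer_of(body) == primary

def count_signatures(key_bytes):
    # (signatures issued by the primary key itself, third-party certifications)
    flags = [own for tag, _, own in classify(key_bytes) if tag == SIG]
    return sum(flags), len(flags) - sum(flags)

def drop_third_party_certifications(key_bytes):
    # Keep every non-signature packet and only the primary key's own signatures
    return b"".join(encode_packet(t, b) for t, b, own in classify(key_bytes) if t != SIG or own)

def fake_signature(issuer, sig_type):
    # Constructed v4 signature: one hashed Issuer subpacket, no unhashed ones, dummy 255-bit MPI
    hashed = bytes([9, ISSUER]) + issuer
    return (b"\x04" + bytes([sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\xab\xcd" + b"\x00\xff" + b"\x7f" * 32)

def build_sample_key(n_third_party):
    # Constructed flooded key: RSA-shaped v4 primary (dummy 256-bit n, e = 65537), one User ID,
    # one self-certification (0x13), n_third_party generic certifications (0x10) from made-up issuers
    pub = (b"\x04" + struct.pack(">I", 1561600000) + b"\x01"
           + b"\x01\x00" + b"\xc5" * 32 + b"\x00\x11\x01\x00\x01")
    key = encode_packet(PUBKEY, pub) + encode_packet(UID, b"Example Person <example@example.invalid>")
    key += encode_packet(SIG, fake_signature(key_id(pub), 0x13))
    for i in range(n_third_party):
        key += encode_packet(SIG, fake_signature(struct.pack(">Q", 0x1000 + i), 0x10))
    return key
```

On a real key, feed `count_signatures` the binary output of `gpg --export <keyid>`; the numbers are what `gpg --list-packets` would show one packet at a time, and a few thousand third-party certifications on a single User ID is the flooding signature the thread describes. Note that importing the stripped key back into a keyring that still holds the flooded copy does not shrink anything, because import merges packets; as the first message says, the bloated key has to be deleted before the clean copy is imported.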

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

>> A reason for the problem popping up might be related to a simple key refresh; so that is a major problem. It's been said that even just using the keys can cause problems when you don't have any keys with bad data, but I'm not so sure about that.
>
> Without any specific refresh, my Tor Project key grew again.
>
> I've changed my gpg.conf now, let's see if that stops the problem.
>
> Using an alternate server:
>
> keyserver hkp://keys.openpgp.org
>
> More details here:
> https://sequoia-pgp.org/blog/2019/06/14/20190614-hagrid/

The gpg.conf change didn't help, still got the micahflee key growing just with an "automatic, checking trustdb" action, triggered on use of gpg. :(

A.
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXSBymAAKCRCoFmvLt+/i
+2AwAP4zbTK4hebyOSgsb3iG6XOi5ukax0YoAID2Cqq9+cFQtAEAkH6swXaPGLAj
5IUnLkyqyYp+aIKE8WP7II4cQLj+iC0=
=v6eJ
-----END PGP SIGNATURE-----

Andrew McGlashan via luv-main <luv-main@luv.asn.au> wrote:

> The gpg.conf change didn't help, still got the micahflee key growing just with an "automatic, checking trustdb" action, triggered on use of gpg. :(

What happens if you remove that key and retrieve it again - this time from the alternative key server?

There's a good subscriber-only LWN article on this issue.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 7/7/19 1:55 am, Jason White via luv-main wrote:
> Andrew McGlashan via luv-main <luv-main@luv.asn.au> wrote:
>> The gpg.conf change didn't help, still got the micahflee key growing just with an "automatic, checking trustdb" action, triggered on use of gpg. :(
>
> What happens if you remove that key and retrieve it again - this time from the alternative key server?
>
> There's a good subscriber-only LWN article on this issue.

The SKS servers are poisoned; it is the /usual/ place to get keys; a better option is sometimes more direct without using any key servers.

I had a lesser size key for micahflee and after deleting the active key and re-importing from a non-poisoned .asc file, it still grew when gpg did a "checking trustdb". If the key is there and there is a means to update it, it will grow.

All SKS servers are meant to, normally, distribute data; once you poison a key, it will propagate to all the servers because none of them is doing the sanity checking that is needed and they might not be able to do so anyway if they wanted to.

The easiest thing to do right now is to simply delete the bad keys and only import them from clean sources *if* you need to use them, then delete them again when done.

*MAYBE* my Enigmail has been part of the problem in refreshing keys, but I don't think so. I've just changed Enigmail settings, to see if that helps.

Kind Regards
AndrewM
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXSGPXQAKCRCoFmvLt+/i
+wjvAP9VQojj9r48rYdvx991Od7YxiyIVEefYQsumTYUE6m2pwD9GCtxYAck5V9b
qv6QVJ64JnIue3Uh4Y8VQAWsqSu3GvA=
=5fd3
-----END PGP SIGNATURE-----
participants (2)
- Andrew McGlashan
- Jason White