keyring_search failed and failed to rebuild keyring cache: Legacy key
Closed, ResolvedPublic


After migration from gpg2 to gpg21 and getting and signing some
new certs I've noticed the following error message.

What is the right path to remedy the situation?

LANG=C gpg2 --check-trustdb
gpg: enabled debug flags: memstat
gpg: keyring_search failed: Legacy key
gpg: failed to rebuild keyring cache: Legacy key
gpg: marginals needed: 3 completes needed: 1 trust model: PGP
gpg: depth: 0 val [..]

LANG=C gpg2 --version
gpg (GnuPG) 2.1.11
libgcrypt 1.6.5

dpkg -s gnupg2
Architecture: i386
Version: 2.1.11-99intevation2


bernhard set Version to 2.1.11.
bernhard added subscribers: werner, bernhard.
neal added a subscriber: neal.Mar 6 2016, 3:18 PM

Thanks for reporting this. The right solution is for --check-trustdb to ignore
legacy keys.

On Sunday 06 March 2016 at 15:18:54, Neal Walfield via BTS wrote:

is for --check-trustdb

To be extra clear: the failure message also comes if other trustdb
recalculation are taking place, not just with "--check-trustdb".

neal added a comment.Mar 8 2016, 1:23 PM

Sorry, I was using --check-trustdb as a shorthand for the actual function.

gp_ast added a subscriber: gp_ast.May 12 2016, 5:57 PM

We had the same effect here and it was caused by a V3 public key in the
This key does not show up while listing the public keys with GnuPG 2.1.12. We
could only identify and remove it by accessing the keyring with a GnuPG 1.4.x
It should be considered to either

  • display the key also during the list-keys command (to help the user to track

down the problem)

  • ignore it silently while building the trust db.
werner removed werner as the assignee of this task.May 17 2016, 1:49 PM
justus claimed this task.Jul 22 2016, 2:21 PM
justus closed this task as Resolved.