Page MenuHome GnuPG
Create Task
Maniphest T4605

automatically upgrade from `pubring.gpg` to `pubring.kbx`
Open, NormalPublic
Actions

Description

Given that the performance penalties associated with T4592 appear to be the worst when using the traditional keyring format (pubring.gpg), i wonder whether gpg shouldn't automatically convert pubring.gpg into pubring.kbx if it notices that such a thing exists. Furthermore, the kbx format has tighter constraints against DoS.

This would incur a one-time cost to the user, but would put their GnuPG installation in a much better position going forward.

It's not clear what benefit the user gets from retaining the traditional pubring.gpg format, other than co-installation with gpg1, but co-installation doesn't work well anyway -- if the user wants to use gpg1, they should have a distinct homedir for it.

In debian, we ship migrate-pubring-from-classic-gpg to facilitate this transformation -- most people don't know how to do it manually -- but i'd love to be able to drop it if gpg could make the transition happen automatically for the user.

Details

Version
2.2.16

Related Objects

Event Timeline

dkg created this task.Jul 3 2019, 4:25 PM
werner added a subscriber: werner.Jul 3 2019, 4:30 PM

I somehow expected such a feature request ;-). However, I do not think that an automatic migration is is appropriate for the stable branch.

A gpg command doing what migrate-pubring-from-classic-gpg does would be possible but the question is whether this should go into 2.2.17 which would delay its release.

dkg added a comment.Jul 3 2019, 6:16 PM

if you want to add a separate subcommand for that, i would be happy to abandon migrate-pubring-from-classic-gpg.

(i note that migrate-pubring-from-classic-gpg itself has a problem i hadn't noticed before, where it fails partway through if pubring.gpg contains any certificate larger than 5MiB, ugh)

werner triaged this task as Normal priority.Jul 4 2019, 4:01 PM
ilf added a subscriber: ilf.Jul 14 2019, 6:06 PM
ilf added a comment.Jul 14 2019, 6:11 PM

Maybe GnuPG could display a prompt if it detects a pubring.gpg and no pubring.kbx. Something like:

Your public keyring is still in an old format and should be converted to the modern keybox format.
To do this, run 'gpg --migrate-pubring-from-classic-gpg'.

werner edited projects, added gnupg (gpg23); removed gnupg (gpg22).Mar 18 2020, 2:22 PM

Given that we may move to yet another format in 2.3 I now doubt that we should add such a feature to 2.2.

werner added a project: gnupg24.Dec 13 2022, 11:21 AM
thesamesam added a subscriber: thesamesam.Sep 1 2023, 5:30 AM