automatically upgrade from `pubring.gpg` to `pubring.kbx`
Open, NormalPublic


Given that the performance penalties associated with T4592 appear to be the worst when using the traditional keyring format (pubring.gpg), i wonder whether gpg shouldn't automatically convert pubring.gpg into pubring.kbx if it notices that such a thing exists. Furthermore, the kbx format has tighter constraints against DoS.

This would incur a one-time cost to the user, but would put their GnuPG installation in a much better position going forward.

It's not clear what benefit the user gets from retaining the traditional pubring.gpg format, other than co-installation with gpg1, but co-installation doesn't work well anyway -- if the user wants to use gpg1, they should have a distinct homedir for it.

In debian, we ship migrate-pubring-from-classic-gpg to facilitate this transformation -- most people don't know how to do it manually -- but i'd love to be able to drop it if gpg could make the transition happen automatically for the user.


dkg created this task.Jul 3 2019, 4:25 PM
werner added a subscriber: werner.Jul 3 2019, 4:30 PM

I somehow expected such a feature request ;-). However, I do not think that an automatic migration is is appropriate for the stable branch.

A gpg command doing what migrate-pubring-from-classic-gpg does would be possible but the question is whether this should go into 2.2.17 which would delay its release.

dkg added a comment.Jul 3 2019, 6:16 PM

if you want to add a separate subcommand for that, i would be happy to abandon migrate-pubring-from-classic-gpg.

(i note that migrate-pubring-from-classic-gpg itself has a problem i hadn't noticed before, where it fails partway through if pubring.gpg contains any certificate larger than 5MiB, ugh)

werner triaged this task as Normal priority.Jul 4 2019, 4:01 PM
ilf added a subscriber: ilf.Jul 14 2019, 6:06 PM
ilf added a comment.Jul 14 2019, 6:11 PM

Maybe GnuPG could display a prompt if it detects a pubring.gpg and no pubring.kbx. Something like:

Your public keyring is still in an old format and should be converted to the modern keybox format.
To do this, run 'gpg --migrate-pubring-from-classic-gpg'.

werner edited projects, added gnupg (gpg23); removed gnupg (gpg22).Mar 18 2020, 2:22 PM

Given that we may move to yet another format in 2.3 I now doubt that we should add such a feature to 2.2.