Page MenuHome GnuPG
Create Task
Maniphest T7308

Speed up the X.509 key listings
Closed, ResolvedPublic
Actions

Description

On large keyrings with a lot of X.509 certificates the validated key listing is not very fast. It scan's the keyrings far too often. With a certain 37 MiB keyring having about 1200 PGP and 900 X.509 certificates a

gpgsm --disable-dirmngr --with-validation -k >/dev/null

takes about 11 seconds on a i7-1370P and a fast NVME.

Revisions and Commits

rG GnuPG
rG9087c1d3637c gpgsm: Implement a cache for the KEYINFO queries.
rG09d4b8f496dd gpgsm: Use a cache for ISTRUSTED queries.
rG241971fac0fc gpgsm: Implement a cache for the KEYINFO queries.
rGef2be95258d2 gpgsm: Use a cache for ISTRUSTED queries.
rGdcee2db36ba4 gpgsm: Use a cache to speed up parent certificate lookup.
rGce0580a599ec gpgsm: Use a cache to speed up parent certificate lookup.
rG9543b3567b04 sm: Optmize clearing of the ephemeral flag.
rGcb6c506e4e41 sm: Optmize clearing of the ephemeral flag.

Related Objects

Event Timeline

werner triaged this task as High priority.Sep 27 2024, 3:47 PM
werner created this task.
werner created this object with edit policy "Contributor (Project)".
werner added a commit: rGcb6c506e4e41: sm: Optmize clearing of the ephemeral flag..Sep 27 2024, 3:49 PM
werner added a comment.EditedSep 27 2024, 3:49 PM

With that patch we are down to about 6 seconds.

werner added a commit: rG9543b3567b04: sm: Optmize clearing of the ephemeral flag..Sep 27 2024, 4:06 PM
werner mentioned this in T6424: GpgOL: Move resolver code into Kleopatra.Sep 27 2024, 4:07 PM
werner added a commit: rGce0580a599ec: gpgsm: Use a cache to speed up parent certificate lookup..Sep 30 2024, 6:36 PM
werner added a comment.EditedSep 30 2024, 6:49 PM

Now we are at 4 seconds. Available in master and 2.2.

Note that when using --list-chain instead of k, we actually cache all certificates. This could be improved by modifying the walk_chain function to take an depth arg.

werner added a commit: rGdcee2db36ba4: gpgsm: Use a cache to speed up parent certificate lookup..Sep 30 2024, 7:04 PM
werner closed this task as Resolved.Sep 30 2024, 7:08 PM
werner claimed this task.

Will be available in 2.2.45 and 2.5.2

werner mentioned this in T7255: Release GnuPG 2.2.45.Oct 1 2024, 1:59 PM
werner added a commit: rGef2be95258d2: gpgsm: Use a cache for ISTRUSTED queries..Oct 2 2024, 5:52 PM
werner added a commit: rG241971fac0fc: gpgsm: Implement a cache for the KEYINFO queries..
zablockil mentioned this in T7319: gpgsm/dirmngr: Improve forward path-building via http AIA extension in x.509 certificates.Oct 2 2024, 11:04 PM
werner added a comment.Oct 4 2024, 12:05 PM

Overall effect of these changes tested on a small Windows VM is only 47 -> 26 seconds. Did also tests with --kbx-buffer-size but that does not make it better than the default, either.

werner added a commit: rG09d4b8f496dd: gpgsm: Use a cache for ISTRUSTED queries..Oct 4 2024, 12:19 PM
werner added a commit: rG9087c1d3637c: gpgsm: Implement a cache for the KEYINFO queries..
werner added a comment.Oct 4 2024, 3:03 PM

Test on a dedicated Windows box (T 460, i5-6300U@2.40GHz, harddisk):

VSD Versiongpg versionLoad time
3.1.262.2.411:59
3.2.4 beta-22.2.45 beta 250:46

Load time from the start of the Kleopatra progressbar until the cert list is shown.

werner mentioned this in T7289: Release GnuPG 2.5.2.Thu, Dec 5, 11:47 AM