mirror of
https://codeberg.org/openpgp/notes.git
synced 2025-09-09 11:19:41 +02:00
adjust gnupg import tps stripping text
This commit is contained in:
parent
e6d8dccc7c
commit
0e4997f049
1 changed files with 5 additions and 3 deletions
@ -439,9 +439,7 @@ Separately, third-party certifications are currently filtered out by the service
##### GnuPG
GnuPG [strips some signatures on key import](https://dev.gnupg.org/T4607#127792).
In addition, GnuPG offers two explicit methods for certificate minimization, described [in the GnuPG manual](https://www.gnupg.org/documentation/manuals/gnupg-devel/OpenPGP-Key-Management.html) as:
GnuPG offers two explicit methods for certificate minimization, described [in the GnuPG manual](https://www.gnupg.org/documentation/manuals/gnupg-devel/OpenPGP-Key-Management.html) as:
*clean*
: *Compact (by removing all signatures except the selfsig) any user ID that is no longer usable (e.g. revoked, or expired). Then, remove any signatures that are not usable by the trust calculations. Specifically, this removes any signature that does not validate, any signature that is superseded by a later signature, revoked signatures, and signatures issued by keys that are not present on the keyring.*
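Review bot: dropping "In addition," is right now that the sentence it continued has been moved out of this hunk, but the GnuPG subsection then opens with the two opt-in commands and says nothing about import-time behaviour until further down; a reader who imported a certificate and found its third-party certifications missing will look here first, so consider keeping a one-line pointer such as "GnuPG also strips some signatures on import by default; see below." Also check that the manual link is meant to point at the gnupg-devel manual, since that page tracks the development branch and its wording for `clean` may drift from the text quoted here.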
@ -451,6 +449,10 @@ In addition, GnuPG offers two explicit methods for certificate minimization, des
`clean` removes third-party signatures by certificates that are not present in current keyring, as well as other stale data. `minimize` removes superseded signatures that are not needed at the point when the command is executed.
Independently, GnuPG by default [strips some signatures on key import](https://dev.gnupg.org/T4607#127792)[^gpg-default-strip]. However, a number of Linux distributions change this default behavior, and continue to import signatures without minimization by default. e.g. [Debian](https://dev.gnupg.org/T4628#128513) and Arch Linux.
[^gpg-default-strip]: GnuPG's changes in the default handling of third-party certifications on imports were prompted by the 2019 [keyserver flooding](cert-flooding) event.
#### Limitations that can result from stripping historical self-signatures
Some implementations, such as Sequoia, prefer to rely on the full historical set of self-signatures to construct a view of the certificate over time. This way, signatures can be verified at different reference times. In this model, removing superseded self-signatures can cause problems with the validation of historical signature.
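Review bot: in the added paragraph, "by default. e.g. [Debian](...) and Arch Linux." starts a sentence with a lowercase "e.g."; rewrite as "by default, e.g. [Debian](https://dev.gnupg.org/T4628#128513) and Arch Linux." or "For example, Debian and Arch Linux both ...". Debian's change is cited but Arch Linux's is not; add a reference for Arch (the package or configuration change that overrides the upstream default) or drop it from the example, since a claim that a distribution ships non-upstream defaults is exactly what a reader will want to verify. The footnote target `(cert-flooding)` is a bare label rather than a URL or path; confirm that the build resolves it as a cross-reference to the keyserver-flooding section, otherwise it renders as a broken link. Minor, in the unchanged context below: "validation of historical signature" should read "historical signatures".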