Clean up my gnupg keyring?

46

22

My gnupg keyring contains hundreds of unnecessary entries. How would I remove the expired, revoked and unsigned keys from it?

I would like to keep the keys that have signed my key, and import new keys only as required. I'd previously imported the entire web of trust for my key's signatories. It would seem that one of my key signers has picked up a very large number of signatures in his travels, and these are now clogging up my keyring.

scruss

Posted 2013-05-10T23:15:30.047

Reputation: 583

1

I would use https://gpgtools.org/. It does not help to remove expired, though, but definitely eases management of gpg keys

– Nick Roz – 2016-07-11T15:01:18.157

Answers

37

From Charles Lockhart’s GPG Cheat Sheet:

I've used User Name as being the name associated with the key.  Sorry that isn't very imaginative.  I think gpg is pretty wide in its user assignments, e.g., the name for my private key is “Charles Lockhart”, but I can reference that by just putting in “Lockhart”.  That doesn't make any sense, sorry.

            ︙

to delete a public key (from your public key ring):

$ gpg --delete-key "User Name"

This removes the public key from your public key ring.
NOTE: If there is a private key on your private key ring associated with this public key, you will get an error! You must delete your private key for this key pair from your private key ring first.

to delete a private key (a key on your private key ring):

$ gpg --delete-secret-key "User Name"

This deletes the secret key from your secret key ring.

MelBurslan

Posted 2013-05-10T23:15:30.047

Reputation: 835

"User Name" can also be the short public key – nmz787 – 2018-09-17T20:42:50.850

2Thanks; that's a start, at least. I can use it to find and list the expired keys: gpg --list-keys | awk '/^pub.* \[expired\: / {id=$2; sub(/^.*\//, "", id); print id}' | fmt -w 999 | sed 's/^/gpg --delete-keys /;' – scruss – 2013-05-11T14:05:27.140

8

I have a bash script scheduled to run weekly from cron to handle this:

#!/bin/bash
# Clean up the GPG Keyring.  Keep it tidy.
# blog.lavall.ee

echo -n "Expired Keys: "
for expiredKey in $(gpg2 --list-keys | awk '/^pub.* \[expired\: / {id=$2; sub(/^.*\//, "", id); print id}' | fmt -w 999 ); do
    echo -n "$expiredKey"
    gpg2 --batch --quiet --delete-keys $expiredKey >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo -n "(OK), "
    else
        echo -n "(FAIL), "
    fi
done
echo done.

echo -n "Update Keys: "
for keyid in $(gpg -k | grep ^pub | grep -v expired: | grep -v revoked: | cut -d/ -f2 | cut -d' ' -f1); do
    echo -n "$keyid"
    gpg2 --batch --quiet --edit-key "$keyid" check clean cross-certify save quit > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo -n "(OK), "
    else
        echo -n "(FAIL), "
    fi
done
echo done.

gpg2 --batch --quiet --refresh-keys > /dev/null 2>&1
if [ $? -eq 0 ]; then
    echo "Refresh OK"
else
     echo "Refresh FAIL."
fi

Warren Lavallee

Posted 2013-05-10T23:15:30.047

Reputation: 91

What is $2 in the awk section of your script ? And while at it, what is $1 ? Cheers. – Cbhihe – 2017-04-26T17:10:23.397

Normal awk syntax for second and first (space-separated) field in the current line of input. – fche – 2017-12-11T18:09:28.877

I don't understand why doing local cleanup of keys and then… downloading all the stuff you just deleted from keyserver again with --refresh-keys. I'd put the refresh in the middle of the script, not the end. – lapo – 2018-02-08T08:46:26.610

4

% gpg --edit-key KEYID
gpg> clean
User ID [...]: 139 signatures removed
gpg> save
% gpg --version
gpg (GnuPG) 1.4.18
[...]

fche

Posted 2013-05-10T23:15:30.047

Reputation: 187

1When I follow those steps and then check with gpg --list-keys I keep seing the same old expired keys... – Cbhihe – 2017-04-26T16:54:55.707

5gpg clean doesn't remove expired keys, only expired signatures – fche – 2017-07-11T01:51:55.723

1

echo -n "Expired Keys: "
list_expired_keys="$(gpg2 --list-keys | grep -1 pub | sed 'N;s/\n/ /' | awk '/^pub.* \[expired\: / {id=$7; sub(/^.*\//, "", id); print id}' | fmt -w 999)";
list_revoked_keys="$(gpg2 --list-keys | grep -1 pub | sed 'N;s/\n/ /' | awk '/^pub.* \[revoked\: / {id=$7; sub(/^.*\//, "", id); print id}' | fmt -w 999)";
for key in $list_expired_keys $list_revoked_keys; do
    echo -n "$key"
    gpg2 --batch --quiet --delete-keys $key >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo -n "(OK), "
    else
        echo -n "(FAIL), "
    fi
done
echo done.

here is a bash-script doing the job. It is an adaption of https://superuser.com/a/859739 for gpg2 where the key id is in the second line.

Brian

Posted 2013-05-10T23:15:30.047

Reputation: 11

pipein to fmt -w 999 is not needed. – jarno – 2019-12-15T00:08:05.287

Asked: 2013-05-10T23:15:30.047

Viewed: 67 093 times

Active: 2019-04-17T16:40:33.980