On 7/10/19 12:53 pm, Eli Schwartz wrote:
On 10/6/19 10:42 PM, Allan McRae wrote:
+ if (( $(vercmp "$gpg_ver" 2.2.17) >= 0 )); then + add_gpg_conf_option "$conffile" 'keyserver-options' 'no-self-sigs-only,no-import-clean'
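Review bot: the `2.2.17` threshold in the `vercmp` test is unexplained in the hunk; add a comment above the `if` stating which gnupg behaviour change it gates (the new keyserver-options defaults), otherwise the number reads as arbitrary to the next person touching this block. The `no-import-clean` half of the value is also the part questioned in the replies, so the comment should say whether the intent is feature parity with older gnupg or only to keep WoT signatures.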
Doesn't import-clean actually do what we want? Strips signatures from keys not in the keyring? Assuming users are not setting up the initial keyring by importing keys manually...
Hmm, on second thought you're right. no-self-sigs-only will prevent the main thing that annoys us, which is getting rid of sigs we want because we have the WoT keys which match it.
no-import-clean would return us to feature parity with the older gnupg releases, but that's not the fundamental goal, and the only benefit it would get us is being able to later on import a master key and have it validate, which seems like an unlikely event. Anyway, it seems like refreshing that key would re-acquire the cleaned signatures.
Do you want to leave the import-clean setting out entirely, or take the opportunity to start having the keyring be guaranteed to be cleaned?
no-self-sigs-only,import-clean seems a good trade-off as default
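An added example (not pacman-key's own code) of how the setting agreed above can be written idempotently and gated on the gnupg version; `add_gpg_conf_option`, `version_ge` and `configure_keyserver_options` are this example's own helpers, with `version_ge` standing in for pacman's `vercmp` so the script runs without pacman or gnupg installed.

```shell
#!/bin/sh
# Example code, not pacman-key's implementation. Assumes gpg.conf syntax of
# one "option [value]" per line; the version is passed in so tests need no gpg.

# version_ge A B: return 0 if dotted numeric version A >= B.
version_ge() {
    local a="$1." b="$2." x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# add_gpg_conf_option FILE OPTION [VALUE]
# Replace any existing "OPTION ..." line in FILE or append one; never duplicates.
add_gpg_conf_option() {
    local conffile="$1" option="$2" value="$3" tmp
    tmp=$(mktemp) || return 1
    if [ -f "$conffile" ]; then
        grep -v -E "^[[:space:]]*${option}([[:space:]]|$)" "$conffile" > "$tmp" || :
    fi
    printf '%s\n' "${option}${value:+ $value}" >> "$tmp"
    mv "$tmp" "$conffile"
}

# Only gnupg 2.2.17 and later changed the keyserver-options defaults, so the
# explicit line is written only for those releases (the setting chosen above).
configure_keyserver_options() {
    local conffile="$1" gpg_ver="$2"
    if version_ge "$gpg_ver" 2.2.17; then
        add_gpg_conf_option "$conffile" keyserver-options 'no-self-sigs-only,import-clean'
    fi
}

# get_gpg_conf_option FILE OPTION: print the last value set for OPTION (empty if unset).
get_gpg_conf_option() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+//p" "$1" | tail -n1
}
```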