Updating All Public Keys in GPG

GPG and other OpenPGP implementations aren’t well known for their ease of use [1] and the general view among many professional cryptographers [2] is that the entire ecosystem is a dud, to be replaced with more modern, specialised tools. Even when signing/encrypting emails—the thing it was designed for, mind—GPG is a letdown.

Recently, mutt alerted me that the public key for a mailing list user had expired. I sent a friendly message letting them know, and received this in return:

What keyserver did you pull from? I pushed a new expiry date at least a month ago.

So even though I set GPG to auto-download keys, it won’t update the ones it already has. Rather than wade through GPG’s option list, I decided it would be simpler to just extract a list of public key fingerprints and feed it to --recv-keys:

#!/bin/sh
# --with-colons gives a "machine readable" listing; every "fpr" record carries
# a fingerprint (of a primary key or a subkey) in field 10. The command
# expansion is deliberately left unquoted so that each fingerprint becomes
# its own argument to --recv-keys.
gpg --recv-keys $(gpg --keyid-format long --list-public-keys --with-colons |
                  grep '^fpr' | cut -d ':' -f 10 )

Smugly, I dropped this in my scripts folder and called it a day. Then I bothered to look at the gpg(1) manpage and found that there was in fact an option for this:

--refresh-keys
Request updates from a keyserver for keys that already exist on the local keyring. This is useful for updating a key with the latest signatures, user IDs, etc. Calling this with no arguments will refresh the entire keyring.
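As an added example (mine, not from the original post), here is the same colon-separated listing parsed a bit further, to pick out only the keys GPG already marks as expired, which is the case that started all this; a refresh also pulls in any revocations published since the last fetch, so it is worth running regardless. The fingerprints and user IDs in the sample listing are constructed.

```shell
#!/bin/sh
# Parses `gpg --list-public-keys --with-colons` output and prints the primary
# fingerprint of every key GPG marks as expired, so you can see which keys a
# --refresh-keys actually needs to fix.
#
# Relevant --with-colons fields: field 1 is the record type (pub/sub/uid/fpr),
# field 2 the validity on pub records ("e" = expired), field 7 the expiry
# timestamp, and field 10 the fingerprint on fpr records. The first fpr record
# after a pub record is the primary key's fingerprint; fpr records that follow
# a sub record belong to subkeys and are skipped.
expired_fingerprints() {
    awk -F: '
        $1 == "pub" { expired = ($2 == "e"); want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { if (expired) print $10; want = 0 }
    '
}

# Constructed sample listing (fake fingerprints): the first key has expired,
# the second is still valid.
SAMPLE='tru::1:1700000000:0:3:1:5
pub:e:4096:1:AAAAAAAAAAAAAAAA:1500000000:1600000000::-:::escaESCA::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:e::::1500000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:e:4096:1:AAAAAAAAAAAAAAAB:1500000000:1600000000:::::e::::::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB:
pub:f:4096:1:BBBBBBBBBBBBBBBB:1500000000:1900000000::-:::escaESCA::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:f::::1500000000::0000000000000000000000000000000000000000::Bob Example <bob@example.org>::::::::::0:'

# Against a real keyring you would pipe the live listing instead, e.g.
#   gpg --list-public-keys --with-colons | expired_fingerprints | xargs -r gpg --recv-keys
# (-r is GNU xargs: do nothing when there is no input).
printf '%s\n' "$SAMPLE" | expired_fingerprints
```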

This experience has made me question why I put up with this UI hell. My interactions with GPG are limited to email encryption/signing (sparingly) and file encryption via password-store. I used to sign all my commits too like a good boy, before realising that nobody really checks them (especially not from little ol’ me). Recently I’ve moved secure communications to Signal because of its simplicity over PGP. If Filippo can get around to releasing his age tool, then I could finally dispose of this broken ecosystem and fully transition to modern, simpler crypto.


Update: I’ve reflected on this post a bit, and decided to remove the links to my PGP key on my website. I fully believe that PGP is fundamentally broken, and intend to revoke my PGP key when age is released.

References:

  1. Take your pick:

  2. Ditto: