Clean up my gnupg keyring?

Question

My gnupg keyring contains hundreds of unnecessary entries. How would I remove the expired, revoked and unsigned keys from it?

I would like to keep the keys that have signed my key, and import new keys only as required. I'd previously imported the entire web of trust for my key's signatories. It would seem that one of my key signers has picked up a very large number of signatures in his travels, and these are now clogging up my keyring.

I would use https://gpgtools.org/. It does not help to remove expired, though, but definitely eases management of gpg keys — Nick Roz, Jul 11 '16 at 15:01
The title does not match with what you want. You said "clean up my gnupg keyring", that means delete all keyring and the content said you only want to removed expired, revoked and unsinged keys. — MaXi32, Sep 04 '21 at 16:19
I mean the title should say "How to remove expired, revoked and unsigned keys". I keep getting into your post from Google when I search "How to remove all gpg keys". — MaXi32, Sep 04 '21 at 17:47
It's been up for 8 years with no complaints until today. “How to remove *all* gpg keys” is `rm -r ~/.gnupg`. This will remove your private keys too, but you did say *all* … — scruss, Sep 04 '21 at 20:36

score 81 · Answer 1 · edited Apr 26 '17 at 17:39

81

From Charles Lockhart’s GPG Cheat Sheet:

I've used User Name as being the name associated with the key. Sorry that isn't very imaginative. I think gpg is pretty wide in its user assignments, e.g., the name for my private key is “Charles Lockhart”, but I can reference that by just putting in “Lockhart”. That doesn't make any sense, sorry.

︙

to delete a public key (from your public key ring):
$ gpg --delete-key "User Name"
This removes the public key from your public key ring.
NOTE: If there is a private key on your private key ring associated with this public key, you will get an error! You must delete your private key for this key pair from your private key ring first.

to delete a private key (a key on your private key ring):
$ gpg --delete-secret-key "User Name"
This deletes the secret key from your secret key ring.

edited Apr 26 '17 at 17:39

G-Man Says 'Reinstate Monica'

7,678
22
41
87

answered May 11 '13 at 07:11

MelBurslan

1,335
1
9
17

3

Thanks; that's a start, at least. I can use it to find and list the expired keys: `gpg --list-keys | awk '/^pub.* \[expired\: / {id=$2; sub(/^.*\//, "", id); print id}' | fmt -w 999 | sed 's/^/gpg --delete-keys /;'` – scruss May 11 '13 at 14:05
2

`"User Name"` can also be the short public key – nmz787 Sep 17 '18 at 20:42
1

On gpg 2.2.20, the `--delete-key` and `--delete-secret-key` commands don't exist anymore. – Paul Razvan Berg Jun 01 '20 at 09:51
@PaulRazvanBerg - I'm on 2.2.21 and `--delete-secret-key` just worked fine for me – Mark McClelland May 26 '21 at 15:50

Lucas · Answer 2 · 2023-02-16T16:46:11.047

17

The man page of gpg advises against parsing the normal output of --list-keys but it offers parseable output with --with-colons.

This removes all public keys that are expired or revoked:

gpg --list-keys --with-colons \
  | awk -F: '$1 == "pub" && ($2 == "e" || $2 == "r") { print $5 }' \
  | xargs gpg --batch --yes --delete-keys

How does it work?

tell gpg to output keys in a parsable format (the docs for this format are a little hidden: the man page says they are in doc/DETAILS in the source, my distro installed them in /usr/share/doc/gunpg/DETAILS)
tell awk to use colon as field delimiter: -F:
only select lines where the first field is "pub", these are public keys
only select lines where the second field is either "e" or "r", these are revoced or expired keys
print only field five of the selected lines, that is the key id
use xargs to hand the lines to gpg and delete them

edited Feb 16 '23 at 16:46

answered Mar 06 '21 at 22:33

Lucas

271
2
5

3

Perhaps replace `--delete-keys` with `--delete-secret-and-public-key` to get everything. – Jortstek Apr 07 '21 at 22:54
@MaXi32, I just looked at my local man page and it does list that option. – trash80 Sep 08 '21 at 20:08
1

Best answer and `--delete-secret-and-public-key` is the way to go. With that said, it's not a bad idea to keep expired keys in case you need to verify something old. I don't use gpg like that though. – CR. Sep 14 '22 at 20:35
This would make a nice script to run as an annual cron job – Jonathan E. Landrum Oct 24 '22 at 15:33

score 9 · Answer 3 · edited Jan 08 '21 at 14:05

9

I have a bash script scheduled to run weekly from cron to handle this:

#!/bin/bash
# Clean up the GPG Keyring.  Keep it tidy.
# blog.lavall.ee
 
echo -n "Expired Keys: "
for expiredKey in $(gpg2 --list-keys | awk '/^pub.* \[expired\: / {id=$2; sub(/^.*\//, "", id); print id}' | fmt -w 999 ); do
    echo -n "$expiredKey"
    gpg2 --batch --quiet --delete-keys $expiredKey >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo -n "(OK), "
    else
        echo -n "(FAIL), "
    fi
done
echo done.

echo -n "Update Keys: "
for keyid in $(gpg -k | grep ^pub | grep -v expired: | grep -v revoked: | cut -d/ -f2 | cut -d' ' -f1); do
    echo -n "$keyid"
    gpg2 --batch --quiet --edit-key "$keyid" check clean cross-certify save quit > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo -n "(OK), "
    else
        echo -n "(FAIL), "
    fi
done
echo done.

gpg2 --batch --quiet --refresh-keys > /dev/null 2>&1
if [ $? -eq 0 ]; then
    echo "Refresh OK"
else
     echo "Refresh FAIL."
fi

edited Jan 08 '21 at 14:05

dessert

223
3
6

answered Jan 02 '15 at 19:21

Warren Lavallee

101
1
2

1

What is `$2` in the `awk` section of your script ? And while at it, what is `$1` ? Cheers. – Cbhihe Apr 26 '17 at 17:10
Normal awk syntax for second and first (space-separated) field in the current line of input. – fche Dec 11 '17 at 18:09
I don't understand why doing local cleanup of keys and then… downloading all the stuff you just deleted from keyserver again with `--refresh-keys`. I'd put the refresh in the middle of the script, not the end. – lapo Feb 08 '18 at 08:46

score 4 · Answer 4 · answered Sep 12 '14 at 21:15

4

% gpg --edit-key KEYID
gpg> clean
User ID [...]: 139 signatures removed
gpg> save
% gpg --version
gpg (GnuPG) 1.4.18
[...]

answered Sep 12 '14 at 21:15

fche

189
1
5

2

When I follow those steps and then check with ` gpg --list-keys` I keep seing the same old expired keys... – Cbhihe Apr 26 '17 at 16:54
8

`gpg clean` doesn't remove expired keys, only expired signatures – fche Jul 11 '17 at 01:51

score 1 · Answer 5 · edited Jan 09 '21 at 03:08

#!/bin/bash
echo -n "Expired Keys: "
list_expired_keys="$(gpg2 --list-keys | grep -1 pub | sed 'N;s/\n/ /' | awk '/^pub.* \[expired\: / {id=$7; sub(/^.*\//, "", id); print id}' | fmt -w 999)";
list_revoked_keys="$(gpg2 --list-keys | grep -1 pub | sed 'N;s/\n/ /' | awk '/^pub.* \[revoked\: / {id=$7; sub(/^.*\//, "", id); print id}' | fmt -w 999)";
for key in $list_expired_keys $list_revoked_keys; do
    echo -n "$key"
    gpg2 --batch --quiet --delete-keys $key >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo -n "(OK), "
    else
        echo -n "(FAIL), "
    fi
done
echo done.

here is a bash-script doing the job. It is an adaption of https://superuser.com/a/859739 for gpg2 where the key id is in the second line.

pipein to `fmt -w 999` is not needed. – jarno Dec 15 '19 at 00:08 — jarno, Dec 15 '19 at 00:08

Clean up my gnupg keyring?

5 Answers5

How does it work?