Thunderbird, srsly?
5MB (or 4.8MiB) import limit. Sure. My modest pubring (111 keys) is 18MB. The Debian keyring is 28MB.
Maybe, just maybe, add another 0 to that if statement?
So, until that happens, workarounds ...
Option 1:
Export each pubkey into a separate file. The import dialog lets you select them all in one go. But, of course, it will ask for confirmation for each. So prepare some valerian tea.
gpg --with-colons --list-public-keys | grep ^pub | cut -d : -f 5 | xargs -I {} -n 1 gpg -ao {}.pub --export {};
Option 2:
Strip all the signatures, so Thunderbird gets a smaller file to chew on. This uses pgp-clean from signing-party.
gpg --with-colons --list-public-keys | grep ^pub | cut -d : -f 5 | xargs pgp-clean -s >> there_you_go_thunderbird.pub
Option 1 will retain the signatures on individual keys, Option 2 will not.
The GnuPG (gpg) ecosystem has been played with a bit in 2019 by adding fake signatures en masse to well-known keys. The main result is that the SKS Keyserver network based on the OCaml software of the same name is basically history. A few other keyservers have come up like Hagrid (Rust) and Hockeypuck (Go) but there seems to be no clear winner yet. In case you missed it in 2019, see my take on cleaning these polluted keys.
Now the changed defaults in gpg to "mitigate" this issue are trickling down to even the conservative distributions. Debian Bullseye has self-sigs-only on gpg 2.2.27 and it looks like Debian Bookworm will get gpg 2.2.40. This would add import-clean but Daniel Kahn Gillmor patched it out. He argues correctly that this new default could delete data from good locally stored pubkeys.
This all ends in you getting some random combination of self-sigs-only and / or import-clean depending on which Linux distribution and version you happen to use.
Better be explicit. I recommend adding:
# disable new gpg defaults
keyserver-options no-self-sigs-only
keyserver-options no-import-clean
to your ~/.gnupg/gpg.conf to make sure you can manage signatures yourself and receive them from keyservers or local imports as intended.
In case you care: See info gnupg --index-search=keyserver-options for the fine documentation. Of course apt install info first to be able to read info pages. 'cause who would still use them in 2023? Oh, wait...
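To check whether a given gpg.conf really is explicit about the two options named above, here is a small audit script. It is an added example, not part of the original post; the function names and the sample config are made up for illustration, and it only looks at keyserver-options lines, as the recommendation above does.

```shell
#!/bin/sh
# Added example: audit a gpg.conf for explicit keyserver-options settings.

# Print "on", "off" or "unset" for one option ($2) in the config file ($1).
# "unset" means whatever default your distribution's gpg ships will apply.
keyserver_opt_state() {
    awk -v opt="$2" '
        BEGIN { state = "unset" }
        /^[ \t]*#/ { next }                    # skip comment lines
        $1 == "keyserver-options" {
            # values are space or comma delimited; later entries override
            for (i = 2; i <= NF; i++) {
                n = split($i, parts, ",")
                for (j = 1; j <= n; j++) {
                    if (parts[j] == opt)          state = "on"
                    if (parts[j] == ("no-" opt))  state = "off"
                }
            }
        }
        END { print state }
    ' "$1"
}

# Return 0 only if both options are explicitly disabled, as recommended above.
audit_gpg_conf() {
    rc=0
    for opt in self-sigs-only import-clean; do
        state=$(keyserver_opt_state "$1" "$opt")
        echo "$opt: ${state:-unreadable}"
        [ "$state" = "off" ] || rc=1
    done
    return $rc
}

# Demo on a constructed sample config (only one of the two lines present).
sample=$(mktemp)
printf '%s\n' '# disable new gpg defaults' \
              'keyserver-options no-self-sigs-only' > "$sample"
audit_gpg_conf "$sample" || echo "-> not explicit for every option"
rm -f "$sample"
```

Run `audit_gpg_conf ~/.gnupg/gpg.conf` against your own file; a non-zero exit status means at least one of the two options is left to the distribution default or is switched on.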