Refresh-pubring

A script to refresh your GnuPG public keyring in a piecewise fashion



Do you need to partially refresh your keyring?

Do you use GnuPG to protect your privacy? No?!? You should really begin doing so as soon as possible! In case you already do (well done!), you obviously need to keep your public keyring up to date, because people you know go on modifying their public keys (new signatures are added, new identities are created or revoked, expiration dates are changed, and so forth). As you probably know, the easiest way to update your keyring is to refresh it against a publicly accessible keyserver.

So here you go: after configuring your GnuPG to use your favorite keyserver, you are ready to fetch new public keys, and to refresh the ones you already have.
A line like the following:

keyserver hkp://pool.sks-keyservers.net

in your ~/.gnupg/gpg.conf will tell your GnuPG to use a keyserver from that pool, unless otherwise instructed. You can then download my public key, if you have not done it before:

$ gpg --recv-key 3E1C27E11F69BFFE

or update it, if you already have it in your keyring:

$ gpg --refresh-keys 3E1C27E11F69BFFE

OK, but this is boring if done manually for each key in your keyring! Fortunately you can refresh your entire keyring with a single command:

$ gpg --refresh-keys

There's a problem, though. Maybe you have a slow Internet connection and a big keyring. Or, for whatever other reason, you cannot (or do not want to) refresh your entire keyring in a single move.

This is what Refresh-pubring is useful for: refreshing your keyring in a piecewise fashion!

Refresh-pubring: how it works

Refresh-pubring is a little script that refreshes a given number of keys and remembers which 'point' in your keyring it got to, so that it can move on to new keys the next time it is run.
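
The piecewise idea described above, as an added example in POSIX shell and AWK; this is not Refresh-pubring's own source. The function names, the state-file path, and the wrap-around at the end of the keyring are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not Refresh-pubring's source. Function names and the
# STATE path are hypothetical.

# Print the long key ID of every public key in the keyring, one per line.
list_key_ids() {
    gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "pub" { print $5 }'
}

# next_batch COUNT STATEFILE
# Reads key IDs on stdin, prints the next COUNT of them starting at the
# offset saved in STATEFILE, then saves the offset for the following run.
next_batch() {
    count=$1
    state=$2
    case $count in
        '' | *[!0-9]* | 0) echo "count must be a positive integer" >&2; return 2 ;;
    esac
    offset=0
    if [ -r "$state" ]; then read -r offset < "$state" || :; fi
    case $offset in '' | *[!0-9]*) offset=0 ;; esac  # corrupt state: start over
    awk -v n="$count" -v off="$offset" -v state="$state" '
        { id[NR - 1] = $0 }
        END {
            if (NR == 0 || n < 1) exit 1  # nothing to select: fail, print nothing
            if (n > NR) n = NR       # never request the same key twice in a run
            off %= NR                # the keyring may have shrunk since last run
            for (i = 0; i < n; i++) print id[(off + i) % NR]
            off = (off + n) % NR     # assumption: wrap around at the end
            print off > state
        }'
}

# refresh_some [COUNT]: refresh the next COUNT keys (default 1).
# Returns early on an empty selection, because "gpg --refresh-keys" with no
# key IDs would refresh the whole keyring.
refresh_some() {
    ids=$(list_key_ids | next_batch "${1:-1}" "${STATE:-$HOME/.refresh-offset}") || return
    # $ids is left unquoted on purpose: one argument per key ID.
    gpg --refresh-keys $ids
}
```

Only refresh_some touches GnuPG and the network; next_batch works on any list of IDs fed to it on standard input.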

It is distributed under the terms of the Expat license: you can download version 0.10. Its dependencies are: a POSIX shell, basename(1), head(1), a POSIX grep command, a POSIX AWK interpreter, and, of course, GnuPG.

Refresh-pubring is not difficult to use. Simply run it with no command-line arguments and you will refresh one key:

$ refresh-pubring 
found 305 keys in keyring...
 
gpg: refreshing 1 key from hkp://keys.gnupg.net
gpg: requesting key XXXXXXXX from hkp server keys.gnupg.net
gpg: key XXXXXXXX: "Alice (in Wonderland) <alice@wonderland.example>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Run it with a (positive integer) number as argument and you will refresh that number of keys:

$ refresh-pubring 4
found 305 keys in keyring...
 
gpg: refreshing 4 keys from hkp://keys.gnupg.net
gpg: requesting key XXXXXXXX from hkp server keys.gnupg.net
gpg: requesting key YYYYYYYY from hkp server keys.gnupg.net
gpg: requesting key ZZZZZZZZ from hkp server keys.gnupg.net
gpg: requesting key WWWWWWWW from hkp server keys.gnupg.net
gpg: key XXXXXXXX: "Bob Braveheart <Bob.Braveheart@bobnet.example>" not changed
gpg: key YYYYYYYY: "Chuck Crazydog (Chucky) <chucky@crazydogs.example>" 13 new signatures
gpg: key ZZZZZZZZ: "Debra D'Agostino <debra@debby.example>" not changed
gpg: key WWWWWWWW: "Eugene Edward Edmonds <eee@triple-e.example>" 83 new signatures
gpg: Total number processed: 4
gpg:              unchanged: 2
gpg:         new signatures: 96
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   1  signed:  13  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  13  signed:  32  trust: 3-, 0q, 0n, 4m, 6f, 0u
gpg: depth: 2  valid:  19  signed: 109  trust: 17-, 2q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2007-03-03

This work can be redistributed and/or modified under the terms of the Expat license. It comes with absolutely no warranty. See the permission notice for details.