GPG maintenance keeps your GnuPG OpenPGP keyring current, by constantly and silently refreshing public keys to fetch updates.
From Riseup OpenPGP Best Practices:
If you do not regularly refresh your public keys, you do not get timely expirations or revocations, both of which are very important to be aware of!
You should not use
gpg --refresh-keysor the refresh keys menu item on your email client because you disclose to anyone listening, and the keyserver operator, the whole set of keys that you are interested in refreshing.
GPG maintenance is a simple shell script taking all public keys in your keyring and refreshing them one at a time, waiting a random interval between five and 21 minutes.
Be sure to set up your GnuPG to use Tor and a Keyserver supporting HKPS.
See this example gpg.conf for an implementation of the OpenPGP Best Practices with GnuPG 1.4. But really, you should be using GnuPG 2.1+ these days.
GPG maintenance is designed to be started automatically on boot, for example via Init Script.
See the example LSBInitScript.sh for an LSB (Linux Standards Base)-compliant Init Script, as used by Debian-based sytems. Be sure to edit the user.
- POSIX compatibility:
grep --after-contextandsort --random-sort - evaluate GnuPG Made Easy instead of GnuPG binary
There's parcimonie doing something similar. But it's Perl. And it's over 9000 Hectobytes.
Since three months after this project was first published, there is also parcimonie.sh, but it currently has over 50 times more SLOC than this.