Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GPG keyserver becomes exclusive tor hidden service that prevents key import #25

Open
intelemetry opened this issue Nov 9, 2015 · 5 comments
Open

GPG keyserver becomes exclusive tor hidden service that prevents key import #25

intelemetry opened this issue Nov 9, 2015 · 5 comments

Comments

@intelemetry
Copy link

screen shot 2015-11-09 at 1 41 56 pm

screen shot 2015-11-09 at 1 40 49 pm

screen shot 2015-11-09 at 1 40 43 pm
@u451f
Copy link
Contributor

u451f commented Feb 27, 2016

I confirm having the same problem (running on Debian Sid) but I am not sure if this is a Torbirdy bug or a bug in GnuPG and I did not do enough testing to find out. But at first glance it looks like this might be due to some resolving issue (see link to upstream discussion.)

Here is what the command line gives (this leads me to think the bug is not in Torbirdy) :

➜  ~  . torsocks on
➜  ~  gpg --search-keys 451f --keyserver hkp://qdigse2yzvuglcix.onion
gpg: searching for "451f --keyserver hkp://qdigse2yzvuglcix.onion" on hkp server hkps.pool.sks-keyservers.net
gpg: Key "451f --keyserver hkp://qdigse2yzvuglcix.onion" not found on keyserver
➜  ~  gpg --search-keys 451f                                         
gpg: searching for "451f" on hkp server hkps.pool.sks-keyservers.net
(1)  xxxxxxxx <u @ 451f.org>
      4096 bit RSA key 0xB14BB0C38D861CF1, created: 2014-01-30, expires: 2016-12-31

I've found corresponding upstream discussion about this here only https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030446.html and I am not sure if this issue might actually be due to the fact that I might be missing the latest libassuan and GnuPG on Debian Sid. Note that this discussion is not very old yet.

One would need to verify the latest versions of libassuan & GnuPG to check if that's not actually the reason for this behaviour but I lack time to do so. Maybe you could try yourself and report back?

@psivesely
Copy link

So GPG has bad error reporting when it comes to specifying an invalid keyserver. The qdigse2yzvuglcix.onion SKS keyserver mirror went down some weeks ago. IMO opinion, this should be fixed by using the SKS pool with HKPS and passing the self-signed SKS cert to the ca-cert-file keyserver-option to override the default system cert store as Tails does in it's gpg.conf. See freedomofpress/securedrop#1256.

@azadi
Copy link
Collaborator

azadi commented May 2, 2016

Hi,

This seems to work. Is this still an issue? Can @intelemetry or @u451f confirm? Thanks.

@u451f
Copy link
Contributor

u451f commented May 2, 2016

That doesn't work for me. I've imported the PEM and specified the keyserver and certificate to use in gpg.conf and Thunderbird. Still get the same error. Maybe @intelemetry can try?

@dkg
Copy link
Collaborator

dkg commented May 7, 2016

On Tue 2016-03-08 16:22:49 -0500, Noah Vesely wrote:

So GPG has bad error reporting when it comes to specifying an invalid
keyserver. The qdigse2yzvuglcix.onion SKS
keyserver mirror went down some weeks ago.

This keyserver appears to work for me. If there are problems with any
particular keyserver being up, please point them out on
[email protected], where they are more likely to be noticed by somone
who can fix them.

--dkg

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dkg @azadi @psivesely @u451f @intelemetry