
Refresh keys fails for whole (large) keyring since GnuPG 2.0.27+ (gpg4win only)
Open, Normal, Public

Description

"gpg --refresh-key" with hkp keyserver (SKS) fails for large keyrings.
Most likely this is a regression as older versions are still okay. Unfortunately
the current gpg4win 2.3.0 is affected and there's no newer version yet.

With GPG 2.0.26 (gpg4win 2.2.3) the refresh of all keys at once is still
possible. 2.0.27 (Gpg4win 2.2.4) fails as well as the most current gpg4win 2.3.0
with GnuPG 2.0.29.

I already scripted something to refresh every single key of the keyring
individually and succeeded with GnuPG 2.0.29 so it should not be a corrupt key.
Probably the error message is misleading...

GnuPG 2.0.29 buggy (current gpg4win): gpg --refresh-keys

gpg: Anzahl insgesamt bearbeiteter Schlüssel: 254
gpg: unverändert: 254
gpg: Schlüsselserver-Datenübertragunsfehler: keyserver helper general error
gpg: Schlüsselserver-Datenübertragunsfehler: Ung³ltiges Public-Key-Verfahren
gpg: Refresh vom Schlüsselserver fehlgeschlagen: Ung³ltiges Public-Key-Verfahren

C:\Users\mech>gpg --version
gpg (GnuPG) 2.0.29 (Gpg4win 2.3.0)
libgcrypt 1.6.4

GnuPG 2.0.27 already buggy: gpg --refresh-keys

gpg: Anzahl insgesamt bearbeiteter Schlüssel: 254
gpg: unverändert: 254
gpg: Schlüsselserver-Datenübertragunsfehler: keyserver helper general error
gpg: Schlüsselserver-Datenübertragunsfehler: Ung³ltiges Public-Key-Verfahren
gpg: Refresh vom Schlüsselserver fehlgeschlagen: Ung³ltiges Public-Key-Verfahren

C:\Users\mech>gpg --version
gpg (GnuPG) 2.0.27 (Gpg4win 2.2.4)
libgcrypt 1.6.3

GnuPG 2.0.26 okay: gpg --refresh-keys

gpg: Anzahl insgesamt bearbeiteter Schlüssel: 254
gpg: unverändert: 254

C:\Users\mech>gpg --version
gpg (GnuPG) 2.0.26 (Gpg4win 2.2.3)
libgcrypt 1.6.2

Event Timeline

Got feedback from users with MacOS GnuPG 2.0.28 and Debian testing GnuPG 2.1.11.
-> not affected despite very similar, if not identical keyring sizes.

So currently only Windows setups are having trouble with --refresh-keys.
Will try to get more feedback for Windows with gpg4win.

After some uninstall/install cycles on Win8.1 for several gpg4win versions, I
can tell that only the mentioned gpg4win versions are troublesome as soon as
there's GnuPG 2.0.27+ bundled.

I also tried the plain vanilla gnupg-w32-2.1.11_20160209.exe and everything's
fine, too. As there's no 2.0.x non gpg4win binary on the server, I can't tell if
that's really only a gpg4win whatsoever issue. Pretty strange... For me that's
fine to use, but as most Windows users will stick to gpg4win and the 2.0.x
versions, probably still worth checking.

gpg: Total number processed: 307
gpg: unchanged: 307

C:\Users\mech>gpg --version
gpg (GnuPG) 2.1.11
libgcrypt 1.6.5

mech renamed this task from Refresh keys fails for whole (large) keyring since GnuPG 2.0.27+ to Refresh keys fails for whole (large) keyring since GnuPG 2.0.27+ (gpg4win only). Mar 28 2016, 10:32 AM

A colleague of mine now has a similar problem with GnuPG on MacOS during gpg
--refresh-keys from an in-house SKS keyserver (set in gpg.conf).

Happens with GnuPG 2.2.28 and GnuPG 2.2.30. Problem disappeared with GnuPG 2.1.11.
Hence changed category back to gnupg as it's no Windows-only problem anymore.
Still assume that it is somewhat related to larger key rings.

gpg: Total number processed: 392
gpg: unchanged: 392
gpg: keyserver communications error: Not found
gpg: keyserver communications error: Bad public key
gpg: keyserver refresh failed: Bad public key
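
Added example, not part of the original report and not GnuPG project code: a Python script for the per-key refresh workaround mentioned in the description, generalised to refresh in batches of a chosen size, so that a single bad key can be told apart from a failure that depends on how many keys go into one call (the "larger key rings" assumption above). The function names and the sample listing are constructed for illustration; it assumes `gpg` is on PATH and the keyserver is set in gpg.conf.

```python
import subprocess

# Constructed sample of `gpg --with-colons --list-keys` output (not from the report).
SAMPLE = """\
tru::1:1459160000:0:3:1:5
pub:u:4096:1:1111111111111111:1400000000:::u:::scESC:
uid:u::::1400000000::HASH::Alice (constructed) <alice@example.org>:
sub:u:4096:1:2222222222222222:1400000000::::::e:
pub:-:2048:1:3333333333333333:1300000000:::-:::scESC:
pub:r:1024:17:4444444444444444:1200000000:::-:::sc:
"""

def key_ids(colon_listing):
    """Return the long key ID (field 5) of every primary-key `pub` record."""
    ids = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4 and fields[4]:
            ids.append(fields[4])
    return ids

def batches(ids, size):
    """Split the key list into consecutive chunks of at most `size` keys."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]

def refresh(ids, size=1, run=subprocess.run, gpg="gpg"):
    """Run one `gpg --refresh-keys` per batch; return [(batch, exit_code)] for failures."""
    failed = []
    for batch in batches(ids, size):
        proc = run([gpg, "--batch", "--refresh-keys", *batch],
                   capture_output=True, text=True)
        if proc.returncode != 0:
            failed.append((batch, proc.returncode))
    return failed

def list_local_keys(gpg="gpg"):
    """Read the key IDs of the local public keyring."""
    out = subprocess.run([gpg, "--batch", "--with-colons", "--list-keys"],
                         capture_output=True, text=True, check=True).stdout
    return key_ids(out)

if __name__ == "__main__":
    ids = list_local_keys()
    for size in (1, 50, len(ids)):  # per key, medium batches, whole keyring
        failed = refresh(ids, size=max(size, 1))
        print(f"batch size {size}: {len(failed)} failing call(s)")
        for batch, rc in failed:
            print(f"  exit {rc}: {batch[0]} .. {batch[-1]} ({len(batch)} keys)")
```

If size 1 succeeds for every key while larger sizes fail, the error is tied to the size of the request rather than to a particular key.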

Hello. If you are using https to talk to your keyserver, your problem might be
Issue 1950 which we fixed in GnuPG 2.1.10.

HKPS won't be the reason, we use plain HKP

as of gpg.conf
keyserver hkp://keyserver.int.myCompany.com:11371

BTW. The versions in the previous post should have been 2.0.28 and 2.0.30 vs.
2.1.11, of course.