Since GnuPG 2.1 when dirmngr is queried for the first time and does network access the Windows Firewall pops up and asks the user if dirmngr should be allowed.
Todo here:
| rG GnuPG | |||
| rG72a35ffee022 libdns: Let kernel to decide the local port. | |||
| rG861f1da0731b libdns: Let kernel to decide the local port. | |||
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Resolved | • gniibe | T3374 gpg recv-keys fail if first dns server end up with "Connection refused" | ||
| Resolved | • gniibe | T3803 dirmngr issues malformed DNS queries | ||
| Resolved | • werner | T2348 Improve detection of IPv6 and IPv4 availibility | ||
| Resolved | • werner | T4018 gpg --with-colons --show-keys does not show revocation certificates | ||
| Resolved | • werner | T4014 when verifying signatures, gpg and gpgv should ensure signing capabilities | ||
| Resolved | • werner | T4022 too-large User ID packets result in dropping an entire certificate | ||
| Resolved | • werner | T4053 gpg.exe 2.2.8.52634 crashes in msvcrt.dll | ||
| Wontfix | • werner | T4050 GnuPG fails to decrypt file encrypted with more than one password with any password but the first | ||
| Resolved | • gniibe | T3610 dirmngr: Since 2.1 windows firewall asks about dirmngr access | ||
| Resolved | • werner | T4036 gnupg 2.2.9 release | ||
| Resolved | aheinecke | T4029 Gpg4win 3.1.3 |
This is the question:
If you allow this it will create a rule for dirmngr allowing dirmngr all access to and from any IP to any port. Both for TCP and UDP.
I can trigger this even with a WKD_GET which should only open a local connection. Neither if I allow or if I disallow the connection do I see any difference in a debug-level guru log.
This is very likely dirmngr's DNS resolver which uses UDP by default. Fixies: a) use Tor. b) We add an option to use only TCP queries.
Well the problem is both TCP and UDP. Somehow dirmngr tries to open a listening socket. I think that may be some feature probing in the DNS resolver. Because if the Firewall access is denied I don't see any feature loss.
And it only happens once per dirmngr run, not once per connection.
Werner it would be great if you could look into this. This is currently my most annoying 2.1. regression. Especially with auto-key-locate it is unintuitive when the Firewall question pops up and appears to come out of nowhere (e.g. adding recipients in GpgOL or in Kleopatra).
To reproduce it you can edit the windows firewall settings and remove the dirmngr entries.
I will try to figure out what exactly triggers the firewall. This should really be fixed as it leads to a bad "first contact" with Gpg4win, especially as we do more locate-keys nowadays so the question pops up randomly for the user.
I found dirmngr tries to bind some random port. It might be the cause.
If so, this patch can stop the symptom.
@gniibe Thank you very much!
I've tested the change on Windows 7 and Windows 10 and the Firewall warning is indeed gone with this.
I leave it to you to decide how to commit this. Maybe with an ifdef for windows?
Good. I don't think there is any reason to select the ephemeral port in user space (by default).
So, I disabled the feature for all OSes.
Fixed in master and 2.2.