command 'KS_GET' failed: Operation not permitted
Open, NormalPublic

Description

root@host:~# gpgconf --kill all
root@host:~# gpg --recv-keys DBA36B5181D0C816F630E889D980A17457F6FB06
gpg: keyserver receive failed: Operation not permitted
root@host:~# cat dirmngr.log 
2018-09-22 07:49:42 dirmngr[6174] listening on socket '/root/.gnupg/S.dirmngr'
2018-09-22 07:49:42 dirmngr[6175.0] permanently loaded certificates: 0
2018-09-22 07:49:42 dirmngr[6175.0]     runtime cached certificates: 0
2018-09-22 07:49:43 dirmngr[6175.6] handler for fd 6 started
2018-09-22 07:49:43 dirmngr[6175.6] DBG: chan_6 -> # Home: /root/.gnupg
2018-09-22 07:49:43 dirmngr[6175.6] DBG: chan_6 -> # Config: /root/.gnupg/dirmngr.conf
2018-09-22 07:49:43 dirmngr[6175.6] DBG: chan_6 -> OK Dirmngr 2.1.18 at your service
2018-09-22 07:49:43 dirmngr[6175.6] connection from process 6160 (0:0)
2018-09-22 07:49:43 dirmngr[6175.6] DBG: chan_6 <- GETINFO version
2018-09-22 07:49:43 dirmngr[6175.6] DBG: chan_6 -> D 2.1.18
2018-09-22 07:49:43 dirmngr[6175.6] DBG: chan_6 -> OK
2018-09-22 07:49:43 dirmngr[6175.6] DBG: chan_6 <- KS_GET -- 0xDBA36B5181D0C816F630E889D980A17457F6FB06
2018-09-22 07:49:43 dirmngr[6175.6] DBG: dns: libdns initialized
2018-09-22 07:49:43 dirmngr[6175.6] DBG: dns: getsrv(_pgpkey-https._tcp.hkps.pool.sks-keyservers.net): Operation not permitted
2018-09-22 07:49:43 dirmngr[6175.6] command 'KS_GET' failed: Operation not permitted
2018-09-22 07:49:43 dirmngr[6175.6] DBG: chan_6 -> ERR 167805035 Operation not permitted <Dirmngr>
2018-09-22 07:49:43 dirmngr[6175.6] DBG: chan_6 <- BYE
2018-09-22 07:49:43 dirmngr[6175.6] DBG: chan_6 -> OK closing connection
2018-09-22 07:49:43 dirmngr[6175.6] handler for fd 6 terminated
ii  gnupg                                          2.1.18-8~deb9u2                            amd64        GNU privacy guard - a free PGP replacement
ii  gnupg-agent                                    2.1.18-8~deb9u2                            amd64        GNU privacy guard - cryptographic agent
ii  gnupg2                                         2.1.18-8~deb9u2                            all          GNU privacy guard - a free PGP replacement (dummy transitional package)

dpkg -l | grep dirm
ii  dirmngr                                        2.1.18-8~deb9u2                            amd64        GNU privacy guard - network certificate management service

Follow up issue: T4153

adrelanos triaged this task as Normal priority.Sep 22 2018, 10:00 AM
adrelanos updated the task description. (Show Details)
werner added a subscriber: werner.Sep 22 2018, 6:44 PM

Please check again with a recent upstream release or report to Debian. The release from Debian is pretty old and has a couple of non-standard patches.

gniibe added a subscriber: gniibe.Thu, Nov 26, 6:50 AM

It is likely that EPERM (Operation not permitted) occurs by a system call connect(2) if you have some firewall rule(s) which forbids network access.
The dirmngr use libdns resolver which directly connects name servers.
If this is the case, you can use `--standard-resolver\ to use system's standard DNS resolver instead.