dirmngr's default tor autodetection mode should autodetect on each connection (falling back to non-tor when tor is unavailable)
Open, NormalPublic

Description

If dirmngr starts in tor autodetection mode (no use-tor, no no-use-tor) and the local tor daemon is running, then dirmngr enters a "hard" tor mode that fails when tor goes away, with (for example):

0 dkg@alice:~$ gpg --recv $PGPID
gpg: WARNING: Tor is not running
gpg: keyserver receive failed: Connection refused
2 dkg@alice:~$

This doesn't make much sense from the user's perspective. They never demanded Tor, and were happy to use it opportunistically, but the fact that it was running when dirmngr started now means that they've lost functionality.

Normal users will respond to this by putting no-use-tor in ~/.gnupg/dirmngr.conf because "it fixes the problem" (see for example https://bugs.debian.org/927336). This actually decreases the use of Tor by comparison to a default autodetection mode that will fallback to non-Tor if the tor daemon is unavailable.

Ideally, the default autodetection mode would look for the tor daemon on every access to the outside world, so that if the tor daemon starts up after dirmngr, dirmngr would silently cut over to using it when possible, too.

Users who want to enforce the use of tor can always explicitly put use-tor in dirmngr.conf.

Details

Version
2.2.15
dkg created this task.Apr 19 2019, 4:36 PM
dkg added a comment.Apr 19 2019, 4:47 PM

Note that even sending a HUP to dirmngr, when it is in this autodetection mode that observed tor at the start, is insufficient to have it re-run the autodetection. You have to explicitly terminate dirmngr to get it to unlearn the autodetected presence of Tor. This is subtly hinted at in dirmngr(8), but no justification is given for it.

The default Tor autodection mode should be different from both use-tor and no-use-tor unless the goal is to drive users into explicitly choosing no-use-tor, which i think would be a sad outcome.

dkg added a comment.Apr 19 2019, 5:11 PM

I just noticed that dirmngr(8)'s documentation for its --keyserver option says:

The check for a running Tor is done for each new connection.

So that doesn't sound impossible to me.

werner triaged this task as Normal priority.