dirmngr keyserver option (and legacy gpg --keyserver) should assume `hkps://` or `hkp://` if no scheme is present
Open, Low, Public


I've seen several reports of people who have bare hostnames (e.g. keys.example.net) for keyserver in their configurations for dirmngr.conf (they've often ported it from gpg.conf as recommended).

The current implementation appears to demand a full URI, failing on a bare hostname with:

0 dkg@alice:~$ gpg --recv $PGPID
gpg: keyserver receive failed: Syntax error in URI
2 dkg@alice:~$

If a bare hostname is present, dirmngr should first try it with an hkps:// prefix, and fall back to an hkp:// prefix if hkps is not available. It should probably also emit a warning that it is doing this rewriting, which the user can avoid by explicitly specifying the full URI in dirmngr.conf.

As an easier/simpler fix, we could not do the hkp:// fallback, and that would still be an improvement over the status quo.
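The rewriting proposed in the description above, sketched as an added C example; it is not dirmngr's code and not part of the original report. The function name `keyserver_candidates`, its parameters and the sample values are hypothetical; `allow_hkp_fallback = 0` corresponds to the simpler hkps-only variant.

```c
#include <stdio.h>
#include <string.h>

#define URI_MAX 256

/* Hypothetical helper (not dirmngr code): expand a keyserver setting into
   an ordered list of URIs to try.  Returns the number of candidates, or 0
   for a value that cannot be used.  *rewritten is set to 1 when a scheme
   had to be assumed, so the caller can emit the warning. */
int keyserver_candidates(const char *value, int allow_hkp_fallback,
                         char out[2][URI_MAX], int *rewritten)
{
    size_t len = value ? strlen(value) : 0;
    *rewritten = 0;
    if (len == 0 || len > URI_MAX - 16 || strpbrk(value, " \t\r\n"))
        return 0;
    /* Only "://" after a non-empty prefix counts as a scheme.  Testing for
       ':' alone would misread "keys.example.net:8443" as scheme + path. */
    const char *sep = strstr(value, "://");
    if (sep == value)
        return 0;                       /* "://host": empty scheme */
    if (sep) {
        snprintf(out[0], URI_MAX, "%s", value);
        return 1;                       /* explicit URI: use unchanged */
    }
    *rewritten = 1;
    snprintf(out[0], URI_MAX, "hkps://%s", value);   /* TLS first */
    if (!allow_hkp_fallback)
        return 1;                       /* the simpler variant: hkps only */
    snprintf(out[1], URI_MAX, "hkp://%s", value);    /* cleartext fallback */
    return 2;
}

int main(void)
{
    /* Constructed sample values for a dirmngr.conf "keyserver" line. */
    const char *samples[] = { "keys.example.net", "keys.example.net:8443",
                              "hkp://keys.example.net" };
    char uris[2][URI_MAX];
    int i, j, n, rewritten;
    for (i = 0; i < 3; i++) {
        n = keyserver_candidates(samples[i], 1, uris, &rewritten);
        if (rewritten)
            fprintf(stderr, "warning: no scheme in '%s', assuming hkps://\n", samples[i]);
        for (j = 0; j < n; j++)
            printf("%s -> try %d: %s\n", samples[i], j + 1, uris[j]);
    }
    return 0;
}
```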



dkg created this task. Apr 19 2019, 5:26 PM
werner triaged this task as Low priority. Apr 23 2019, 9:05 AM
dkg updated the task description. May 13 2019, 11:32 PM

Further testing suggests that the invalid URI issue is only present for dirmngr's --keyserver option, and gpg's deprecated --keyserver option actually accepts schema-less hostnames.

However, both options should accept schema-less hostnames, and should prefer hkps://

steve added a subscriber: steve. Jul 3 2019, 4:53 PM