
Evolution can't work with gnupg
Closed, Resolved, Public

Description

As described in the title, Evolution can't check for keys on a server (a self-hosted Hagrid server). If I check with "gpg --search <email>" it works fine; if I try the same command as Evolution (gpg --verbose --no-secmem-warning --no-greeting --no-tty --batch --yes --status-fd=162 --encrypt --armor -u MYKEYID -r <user@no.where> -r MYKEYID --output -) it doesn't work. The guys from Evolution say the problem is on your side. In the gpg.conf I made the entries "keyserver hkp://<my-server>:8080" and "auto-key-locate keyserver".

Details

Version
gnupg 2.2.27, evolution 3.40.1

Event Timeline

It could also be a problem of the keyserver (some hagrid instances are known to deliberately break RFC4880). Can you try with a different keyserver, e.g. http://keys2.andreas-puls.de/?

This key server also doesn't work.

Can you show the output of the command that works and the command that does not (and gets called by evolution)?
Please also add "-v" to the options.

The command that works says:

gpg --search -v email
gpg: data source: keyserver
(1) Name <email>

Name <2email>
  4096 bit RSA key key id, created: date

Keys 1-1 of 1 for "email". Enter number(s), N)ext, or Q)uit >

The other command:

gpg2 --verbose --no-secmem-warning --no-greeting --no-tty --batch --yes --status-fd=2 --encrypt --armor -u MYKEYID -r email -r MYKEYID --output -
gpg: using subkey subkeykeyid instead of primary key primarykeyid
[GNUPG:] KEY_CONSIDERED mykeyid 0
gpg: using pgp trust model
gpg: This key belongs to us
gpg: error retrieving 'email' via Local: No public key
gpg: error retrieving 'email' via WKD: No data // it would be best if I could get it to check the keyserver instead
gpg: email: skipped: Network error
[GNUPG:] INV_RECP 0 email
[GNUPG:] FAILURE encrypt 167772208
gpg: [stdin]: encryption failed: No data

Did you try "--auto-key-retrieve"?

Tried it myself, getting the pubkey seems to work here.
Debian gnupg Version: 2.2.27-2~bpo10+1

pushd ~/tmp
rm -r dot.gnupg/ ; and mkdir dot.gnupg
LANG=C GNUPGHOME=~/tmp/dot.gnupg gpg -v --auto-key-locate keyserver --keyserver keys2.andreas-puls.de --no-secmem-warning --no-greeting --no-tty --batch --yes --status-fd=2 --encrypt --armor  -r  bernhard@intevation.de

[..]
gpg: data source: http://keys2.andreas-puls.de:11371
gpg: armor header: Comment: Hostname: keys2.andreas-puls.de
gpg: armor header: Version: Hockeypuck 2.1.0
gpg: key 2B7BA3BF9BC3A554: number of dropped non-self-signatures: 7
gpg: pub  rsa3072/2B7BA3BF9BC3A554 2020-06-11  Bernhard Reiter <bernhard@intevation.de>
gpg: /home/bern/tmp/dot.gnupg/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: key 2B7BA3BF9BC3A554: public key "Bernhard Reiter <bernhard@intevation.de>" imported
[GNUPG:] IMPORTED 2B7BA3BF9BC3A554 Bernhard Reiter <bernhard@intevation.de>
[GNUPG:] IMPORT_OK 1 BDD957F9C4FE0FDC583DCD6D2B7BA3BF9BC3A554
[..]

There is something going wrong later for the above example, because I think there are several pubkeys for my email address, but the import itself via the keyserver has worked.

Because of the "gpg: email: skipped: Network error" in your output, maybe there is something else wrong. From my perspective the next analysis step is to look at the dirmngr log. Dirmngr does the connect to the keyserver.

Here is an idea:

echo "log-file /home/bern/tmp/dirmngr.log" > ~/tmp/dot.gnupg/dirmngr.conf
echo "debug-level advanced" >> ~/tmp/dot.gnupg/dirmngr.conf
LANG=C GNUPGHOME=~/tmp/dot.gnupg gpgconf --reload dirmngr
tail -f ~/tmp/dirmngr.log

I don't have one. What should I put in it?


If you refer to the dirmngr, that is the gnupg component that accesses the keyserver.

Create a file "dirmngr.conf" in the relevant GNUPGHOME directory, by default this is ~/.gnupg.
Put in (at least) the following lines:

log-file /to/a/place/you/have/write/access/dirmngr.log
debug-level advanced

Then restart your dirmngr, with something like:

gpgconf --reload dirmngr

Check the contents of the log to see some entries there.
Now try your commands again and see the log file to get more diagnostics.

For the evolution command I get:
2021-07-21 03:04:06 dirmngr[2421] listening on socket '/run/user/1000/gnupg/S.dirmngr'
2021-07-21 03:04:06 dirmngr[2422.0] permanently loaded certificates: 129
2021-07-21 03:04:06 dirmngr[2422.0] runtime cached certificates: 0
2021-07-21 03:04:06 dirmngr[2422.0] trusted certificates: 129 (128,0,0,1)
2021-07-21 03:04:06 dirmngr[2422.6] handler for fd 6 started
2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 -> # Home: /home/<user>/.gnupg
2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 -> # Config: /home/<user>/.gnupg/dirmngr.conf
2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 -> OK Dirmngr 2.2.27 at your service
2021-07-21 03:04:06 dirmngr[2422.6] connection from process 2419 (1000:1000)
2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 <- GETINFO version
2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 -> D 2.2.27
2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 -> OK
2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 <- KEYSERVER --clear hkp://<keyserver>:8080
2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 -> OK
2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 <- WKD_GET -- <email>
2021-07-21 03:04:37 dirmngr[2422.6] DBG: chan_6 -> S SOURCE https://<domain> # the domain doesn't have a WKD service
2021-07-21 03:04:37 dirmngr[2422.6] number of system provided CAs: 143
2021-07-21 03:04:47 dirmngr[2422.6] DBG: http.c:request:
2021-07-21 03:04:47 dirmngr[2422.6] DBG: >> GET /.well-known/openpgpkey/hu/qhff8o86zx5pf4qa1w59eh6ohtnb8w44?l=<local-part> HTTP/1.0\r\n
2021-07-21 03:04:47 dirmngr[2422.6] DBG: >> Host: <domain>\r\n
2021-07-21 03:04:47 dirmngr[2422.6] DBG: http.c:request-header:
2021-07-21 03:04:47 dirmngr[2422.6] DBG: >> \r\n
2021-07-21 03:04:47 dirmngr[2422.6] DBG: http.c:response:
2021-07-21 03:04:47 dirmngr[2422.6] DBG: >> HTTP/1.1 302 Found\r\n
2021-07-21 03:04:47 dirmngr[2422.6] http.c:RESP: 'date: Wed, 21 Jul 2021 07:04:45 GMT'
2021-07-21 03:04:47 dirmngr[2422.6] http.c:RESP: 'server: Apache/2.4.41 (Ubuntu)'
2021-07-21 03:04:47 dirmngr[2422.6] http.c:RESP: 'location: https://www.<domain>/.well-known/openpgpkey/hu/qhff8o86zx5pf4qa1w59eh6ohtnb8w44?l=<local-part>'
2021-07-21 03:04:47 dirmngr[2422.6] http.c:RESP: 'content-length: 347'
2021-07-21 03:04:47 dirmngr[2422.6] http.c:RESP: 'content-type: text/html; charset=iso-8859-1'
2021-07-21 03:04:47 dirmngr[2422.6] http.c:RESP: 'strict-transport-security: max-age=15768000'
2021-07-21 03:04:47 dirmngr[2422.6] http.c:RESP: 'connection: close'
2021-07-21 03:04:47 dirmngr[2422.6] http.c:RESP: ''
2021-07-21 03:04:47 dirmngr[2422.6] URL 'https://www.<domain>/.well-known/openpgpkey/hu/qhff8o86zx5pf4qa1w59eh6ohtnb8w44?l=<local-part>' redirected to 'https://www.<domain>/.well-known/openpgpkey/hu/qhff8o86zx5pf4qa1w59eh6ohtnb8w44?l=<local-part>' (302)
2021-07-21 03:04:47 dirmngr[2422.6] redirection changed to 'https://www.<domain>/.well-known/openpgpkey/hu/qhff8o86zx5pf4qa1w59eh6ohtnb8w44?l=<local-part>'
2021-07-21 03:04:47 dirmngr[2422.6] DBG: chan_6 -> S WARNING http_redirect_cleanup 0 changed from 'https://<domain>/.well-known/openpgpkey/hu/qhff8o86zx5pf4qa1w59eh6ohtnb8w44?l=<local-host>' to 'https://www.<domain>/.well-known/openpgpkey/hu/qhff8o86zx5pf4qa1w59eh6ohtnb8w44?l=<local-part>'
2021-07-21 03:04:57 dirmngr[2422.6] DBG: http.c:request:
2021-07-21 03:04:57 dirmngr[2422.6] DBG: >> GET /.well-known/openpgpkey/hu/qhff8o86zx5pf4qa1w59eh6ohtnb8w44?l=<local-part> HTTP/1.0\r\n
2021-07-21 03:04:57 dirmngr[2422.6] DBG: >> Host: www.<domain>\r\n
2021-07-21 03:04:57 dirmngr[2422.6] DBG: http.c:request-header:
2021-07-21 03:04:57 dirmngr[2422.6] DBG: >> \r\n
2021-07-21 03:04:57 dirmngr[2422.6] DBG: chan_6 -> S PROGRESS tick ? 0 0
2021-07-21 03:04:57 dirmngr[2422.6] DBG: http.c:response:
2021-07-21 03:04:57 dirmngr[2422.6] DBG: >> HTTP/1.1 404 Not Found\r\n
2021-07-21 03:04:57 dirmngr[2422.6] http.c:RESP: 'date: Wed, 21 Jul 2021 07:04:55 GMT'
2021-07-21 03:04:57 dirmngr[2422.6] http.c:RESP: 'server: Apache/2.4.41

Hmm, your log does not seem to indicate that the key is requested by GnuPG;
e.g. something like

rmngr[6077.5]: DBG: chan_5 <- KS_GET -- =bernhard@intevation.de

is missing.

If gpg does not ask for it, dirmngr cannot provide it. So the question is: why isn't gpg asking for the key of an email address in your setting?

Can you try, in the gnupg configuration file, to disable wkd and only enable keyserver, and then check both outputs:

auto-key-locate clear,keyserver
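The two diagnostic steps from this thread (a dirmngr.conf with log-file and debug-level advanced, and a gpg.conf with keyserver plus auto-key-locate clear,keyserver) and the check bernhard describes (is there a KS_GET in the dirmngr log, or only a WKD_GET?) can be scripted. The following is an added example, not part of GnuPG or of the posts above; the keyserver URL, mail addresses and log excerpts in it are constructed placeholders, and it prepares an isolated GNUPGHOME so that the user's real ~/.gnupg stays untouched.

```shell
#!/bin/sh
# Added example for this ticket, not GnuPG's own code. It prepares an isolated
# GNUPGHOME with the settings discussed (keyserver, auto-key-locate
# clear,keyserver, dirmngr logging) and classifies a dirmngr log by the
# request gpg actually sent: a KS_GET/KS_SEARCH means a keyserver lookup was
# asked for; a WKD_GET alone is the situation seen in the ticket.
# The keyserver URL and mail addresses below are placeholders.

# write_gnupg_diag_config HOME [KEYSERVER_URL]
write_gnupg_diag_config() {
    home="$1"
    keyserver="${2:-hkp://keyserver.example:8080}"   # placeholder, not a real host
    mkdir -p "$home" && chmod 700 "$home"            # gpg warns on loose permissions
    # "clear" first, so only the keyserver is consulted (no local/wkd attempts)
    printf 'keyserver %s\nauto-key-locate clear,keyserver\n' "$keyserver" > "$home/gpg.conf"
    # dirmngr.conf: log to a writable place; 'advanced' shows the Assuan chatter
    printf 'log-file %s/dirmngr.log\ndebug-level advanced\n' "$home" > "$home/dirmngr.conf"
}

# dirmngr_lookups LOGFILE -> one line "METHOD TARGET" per lookup gpg requested
dirmngr_lookups() {
    awk '/chan_[0-9]+ <- (KS_GET|KS_SEARCH|WKD_GET) -- / {
            for (i = 1; i <= NF; i++) if ($i == "<-") { print $(i + 1), $NF; break }
         }' "$1"
}

# dirmngr_verdict LOGFILE -> keyserver | wkd-only | none
dirmngr_verdict() {
    lookups=$(dirmngr_lookups "$1")
    case "$lookups" in
        *KS_GET*|*KS_SEARCH*) echo keyserver ;;
        *WKD_GET*)            echo wkd-only ;;
        *)                    echo none ;;
    esac
}

# sample_dirmngr_log FILE KIND  -- constructed log excerpts (KIND: wkd | ks)
sample_dirmngr_log() {
    {
        echo '2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 <- KEYSERVER --clear hkp://keyserver.example:8080'
        case "$2" in
            ks)  echo '2021-07-21 03:05:12 dirmngr[2422.7] DBG: chan_7 <- KS_GET -- =alice@example.org' ;;
            wkd) echo '2021-07-21 03:04:06 dirmngr[2422.6] DBG: chan_6 <- WKD_GET -- alice@example.org' ;;
        esac
    } > "$1"
}

# Stand-alone run ("sh thisfile.sh demo"): set up a throwaway home and
# classify the two constructed sample logs.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_gnupg_diag_config "$tmp/home"
    cat "$tmp/home/gpg.conf" "$tmp/home/dirmngr.conf"
    sample_dirmngr_log "$tmp/wkd.log" wkd; echo "wkd.log: $(dirmngr_verdict "$tmp/wkd.log")"
    sample_dirmngr_log "$tmp/ks.log"  ks;  echo "ks.log:  $(dirmngr_verdict "$tmp/ks.log")"
    rm -rf "$tmp"
fi
```

Against a real installation the flow is: call write_gnupg_diag_config on a scratch directory, run `GNUPGHOME=<dir> gpgconf --reload dirmngr`, repeat the failing `GNUPGHOME=<dir> gpg ... --encrypt -r <email>` call, and then run dirmngr_verdict on `<dir>/dirmngr.log`. A verdict of wkd-only reproduces the ticket's state (gpg never asked the keyserver), keyserver means the request reached dirmngr and any remaining problem is on the network or keyserver side.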

Now it's importing keys but it doesn't trust them. Do you know how to fix this?
gpg2 --verbose --no-secmem-warning --no-greeting --auto-key-retrieve --no-tty --batch --yes --status-fd=2 --encrypt --armor -u <key-id> -r <email> -r <key-id> --output -
gpg: using subkey <sub-key> instead of primary key <primary-key>
[GNUPG:] KEY_CONSIDERED <key-id> 0
gpg: using pgp trust model
gpg: This key belongs to us
gpg: data source: <keyserver>
gpg: armor header: Comment: <key-id>
gpg: armor header: Comment: Name <email>
gpg: pub rsa4096/<key-id> <date> <name> <email>
gpg: key <key-id>: public key "<name> <email>" imported
[GNUPG:] IMPORTED <key-id> <name> <email>
[GNUPG:] IMPORT_OK 1 <key-id>
gpg: Total number processed: 1
gpg: imported: 1
[GNUPG:] IMPORT_RES 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0
gpg: auto-key-locate found fingerprint <fingerprint>
gpg: using subkey <sub-key> instead of primary key <primary-key>
[GNUPG:] KEY_CONSIDERED <fingerprint> 0
gpg: automatically retrieved '<email>' via keyserver
gpg: <sub-key>: There is no assurance this key belongs to the named user
[GNUPG:] INV_RECP 10 <email>
[GNUPG:] FAILURE encrypt 53
gpg: [stdin]: encryption failed: Unusable public key

And thanks for the help.

OK, I found it: just add "trust-model always" in gpg.conf.

Again, thanks for your help.


Yes (if you know what you are doing; it would be good behaviour if the email client asked back and then set this, after having searched for the pubkey).
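The two failures in this thread look alike from Evolution's side (both end in FAILURE encrypt), but the status-fd lines tell them apart: the first run reports INV_RECP 0 with "No public key"/"No data" (no key was obtained), the second reports INV_RECP 10 after a successful import (the key was found but has no validity under the pgp trust model, which is what "trust-model always" then switches off for every recipient key). The following is an added example, not from GnuPG or the ticket, that reads a captured status stream and names the case; the status excerpts it tests against are constructed, and the reason codes it knows (0 = no specific reason, 1 = not found, 10 = key not trusted) are the ones relevant here, other codes exist in GnuPG's DETAILS document.

```shell
#!/bin/sh
# Added example, not GnuPG's own code: classify the "[GNUPG:] ..." status
# lines that gpg writes on --status-fd during a failed --encrypt. With
# --status-fd=2 these lines are interleaved with the verbose messages on
# stderr, so only lines whose first word is "[GNUPG:]" are considered.

# diagnose_encrypt_status STATUSFILE
#   -> "ok" | "missing-key <rcpt>" | "untrusted-key <rcpt>"
#      | "other:<code> <rcpt>" | "failed:no-INV_RECP"
diagnose_encrypt_status() {
    awk '
        $1 == "[GNUPG:]" && $2 == "INV_RECP" { code = $3; rcpt = $4; seen = 1 }
        $1 == "[GNUPG:]" && $2 == "FAILURE"  { failed = 1 }
        END {
            if (!seen) { print (failed ? "failed:no-INV_RECP" : "ok"); exit }
            # INV_RECP reason codes (see GnuPG doc/DETAILS): 0 unspecified,
            # 1 not found, 10 key not trusted; others reported verbatim
            if (code == 10)             { print "untrusted-key " rcpt; exit }
            if (code == 0 || code == 1) { print "missing-key " rcpt;   exit }
            print "other:" code " " rcpt
        }' "$1"
}

# sample_status FILE KIND  -- constructed excerpts modelled on the ticket
# (KIND: missing | untrusted | ok); key ids are placeholders
sample_status() {
    case "$2" in
        missing) cat > "$1" <<'EOF'
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
gpg: error retrieving 'alice@example.org' via WKD: No data
gpg: alice@example.org: skipped: Network error
[GNUPG:] INV_RECP 0 alice@example.org
[GNUPG:] FAILURE encrypt 167772208
EOF
        ;;
        untrusted) cat > "$1" <<'EOF'
[GNUPG:] IMPORT_OK 1 0123456789ABCDEF0123456789ABCDEF01234567
gpg: automatically retrieved 'alice@example.org' via keyserver
gpg: 0123456789ABCDEF: There is no assurance this key belongs to the named user
[GNUPG:] INV_RECP 10 alice@example.org
[GNUPG:] FAILURE encrypt 53
EOF
        ;;
        ok) cat > "$1" <<'EOF'
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] BEGIN_ENCRYPTION 2 9
[GNUPG:] END_ENCRYPTION
EOF
        ;;
    esac
}

# Stand-alone run ("sh thisfile.sh demo"): classify the three constructed cases.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    for kind in missing untrusted ok; do
        sample_status "$tmp/$kind" "$kind"
        echo "$kind: $(diagnose_encrypt_status "$tmp/$kind")"
    done
    rm -rf "$tmp"
fi
```

To use it on a real run, capture the status stream to a file (`--status-fd=2 2>status.txt`, or a dedicated fd) and pass that file in. A missing-key result points at key discovery (the dirmngr side of this thread); an untrusted-key result means discovery worked and only the validity decision is left, which is the point at which bernhard suggests a client should ask the user rather than have "trust-model always" applied blanket-wise in gpg.conf.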


You are welcome!

bernhard claimed this task.