dirmngr uses the wrong Let's encrypt chain
Closed, Resolved (Public)

Description

dirmngr's certificate chain validation does not handle the new Let's Encrypt root certificate correctly. When looking for the issuer of the intermediate certificate, the first matching certificate is used, which might be the old second intermediate certificate, then leading to the Root which expired on 2021-09-21. What we need to do is the same as what can be done with OpenSSL: Prefer trusted certificates over the first found. This way the old second intermediate certificate is not used but the new root.

Without a fix it is not possible to look up any key with WKD or keyservers because LE certificates are in such widespread use.
A workaround for this bug is to remove the intermediate certificate

     S/N: 4001772137D4E942B8EE76AA3C640AB7
  Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
 Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
sha1_fpr: 93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF

from the system's cert store.

We should also check the validation code in gpgsm.

Event Timeline

werner created this task.

If there is no easy way to install a new version of GnuPG, e.g. for Gpg4win or for GNU/Linux distributions: It may make sense to have instructions for the workaround ready.

Is it correct that all previously released GnuPG versions have this problem?

One problem I see is that keyserver.ubuntu.com delivers a problematic intermediate(?) certificate:

gnutls-cli --save-cert x.txt keyserver.ubuntu.com -p 443  
Processed 126 CA certificate(s).
Resolving 'keyserver.ubuntu.com:443'...
Connecting to '162.213.33.8:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=hockeypuck.ubuntu.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x043a7a7d66505f2b9dbb80b101fef796ee86, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-07-26 03:50:43 UTC', expires `2021-10-24 03:50:41 UTC', pin-sha256="LFd2hATKYAYR9DlJ05rqFUKfIYaAQKtHZX5P1SxuYS4="
        Public Key ID:
                sha1:ae7cd9982bc61bf5198c9e43735b2cdf0c7eae88
                sha256:2c57768404ca600611f43949d39aea15429f21868040ab47657e4fd52c6e612e
        Public Key PIN:
                pin-sha256:LFd2hATKYAYR9DlJ05rqFUKfIYaAQKtHZX5P1SxuYS4=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.

There are three certificates saved in x.txt, when cut into single files the third one is

openssl x509 -in y3 -text -fingerprint 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Authority Information Access: 
                CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

            X509v3 Authority Key Identifier: 
                keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.root-x1.letsencrypt.org

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

            X509v3 Subject Key Identifier: 
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
    Signature Algorithm: sha256WithRSAEncryption
SHA1 Fingerprint=93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF

The LE web site has instructions on how to do this. However, it is complicated and depends on your system. The intermediate cert you listed is signed by the expired old root cert. If you remove this intermediate cert the other root cert will be found and we are done. The old LE certs had a 4 tier chain and the new one a 3 tier.
See https://dev.gnupg.org/rG341ab0123a8fa386565ecf13f6462a73a137e6a4 and https://letsencrypt.org/images/isrg-hierarchy.png

Removing an intermediate cert from your local system doesn't help because any correctly configured server will send you all necessary intermediate certs together with the server cert. You'd have to remove the expired root certificate instead (see Workaround 1 on https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/). The problem is that this will break certificate verification for any servers that still use the old intermediate cert, e.g. keyserver.ubuntu.com.

Interestingly, when I check the certificate chain of https://keyserver.ubuntu.com with Firefox then I get the new 3-cert-chain with the self-signed ISRG Root X1 certificate. Might be caused by a load balancer and some servers with new cert-chain and others with the old cert-chain.

My experience on a Windows 10 system (with Gpg4win 3.1.15 which has GnuPG 2.2.27) was that removing the expired root certificate did not help with https://keyserver.ubuntu.com and the intermediate certificate was not in the Windows store, so it could not be removed.

My fear is that we are missing something here, because

  • Microsoft had the expired root certificate in their current list of root certificates (in my attempt to update them via Microsoft's means). So it may get reinstalled under some circumstances.
  • Let's Encrypt writes about a "special cross-sign from DST Root CA X3 that extends past that root’s expiration.", see https://letsencrypt.org/2020/12/21/extending-android-compatibility.html This hack seems to trigger the unwanted dirmngr behaviour.

*sigh* this may need another Gpg4win 3.1.x release.

There won't be any other 3.1 release - install GnuPG 2.2.32 on top of Gpg4win 3.1.16

If you can't remove the intermediate cert you need to use a fixed version of dirmngr. It is the same problem as with OpenSSL 1.0. When building the certificate chain dirmngr looks for the signing certificate using the SKI. However, both the new root cert and the old intermediate cert have the same SKI (the cross signing trick). If dirmngr finds the old intermediate cert first, it will then go on and find the now expired root. There is no backtracking to fix this. Instead the new strategy is to look for all signer certificates and select the one which is a trusted root cert.
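The issuer-selection problem described in the comment above, as an added example that is not part of the original thread and is not dirmngr's code: a small chain builder run once with first-match issuer lookup and once with the "prefer a trusted root" lookup. The `cert_t` model, the function names, the key-id labels and the YYYYMMDD dates are assumptions made for this sketch; the pool is constructed sample data modelled on the chain shown in this task.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { CHAIN_OK = 0, CHAIN_EXPIRED, CHAIN_NO_ISSUER, CHAIN_TOO_LONG };

/* Simplified certificate model (hypothetical, for illustration only). */
typedef struct {
    const char *subject;
    const char *ski;      /* subject key identifier (constructed label) */
    const char *aki;      /* authority key identifier = SKI of the signer */
    long not_after;       /* expiry date as YYYYMMDD */
    int trusted_root;     /* 1 = self-signed root present in the trust store */
} cert_t;

/* Constructed sample pool: the certificates sent by the server come first,
 * followed by the local trust store.  Both "ISRG Root X1" entries carry the
 * same key and therefore the same SKI (the cross-signing trick). */
static const cert_t pool[] = {
    { "CN=hockeypuck.ubuntu.com",              "leaf-key", "R3-key",  20211024, 0 },
    { "CN=R3",                                 "R3-key",   "X1-key",  20250915, 0 },
    { "CN=ISRG Root X1 (cross-signed by DST)", "X1-key",   "DST-key", 20240930, 0 },
    { "CN=ISRG Root X1 (self-signed)",         "X1-key",   "X1-key",  20350604, 1 },
    { "CN=DST Root CA X3",                     "DST-key",  "DST-key", 20210930, 1 },
};
#define POOL_LEN (sizeof pool / sizeof pool[0])

typedef const cert_t *(*find_issuer_fn)(const cert_t *child);

/* Old behaviour: take the first certificate whose SKI matches the AKI. */
static const cert_t *issuer_first_match(const cert_t *child)
{
    for (size_t i = 0; i < POOL_LEN; i++)
        if (&pool[i] != child && strcmp(pool[i].ski, child->aki) == 0)
            return &pool[i];
    return NULL;
}

/* Fixed behaviour: inspect every candidate with a matching SKI and prefer
 * one that is a trusted root; otherwise fall back to the first match. */
static const cert_t *issuer_prefer_trusted(const cert_t *child)
{
    const cert_t *fallback = NULL;
    for (size_t i = 0; i < POOL_LEN; i++) {
        if (&pool[i] == child || strcmp(pool[i].ski, child->aki) != 0)
            continue;
        if (pool[i].trusted_root)
            return &pool[i];
        if (!fallback)
            fallback = &pool[i];
    }
    return fallback;
}

/* Walk from the leaf towards a trusted root without backtracking.
 * *end receives the last certificate that was examined. */
int validate_chain(const cert_t *leaf, long now, find_issuer_fn find,
                   const cert_t **end)
{
    const cert_t *cur = leaf;
    for (int depth = 0; depth < 8; depth++) {
        *end = cur;
        if (cur->not_after < now)
            return CHAIN_EXPIRED;
        if (cur->trusted_root)
            return CHAIN_OK;
        cur = find(cur);
        if (!cur)
            return CHAIN_NO_ISSUER;
    }
    return CHAIN_TOO_LONG;
}

int main(void)
{
    const cert_t *end = NULL;
    long now = 20211001;  /* a date after the old root has expired */

    int rc = validate_chain(&pool[0], now, issuer_first_match, &end);
    printf("first match:    rc=%d, stopped at %s\n", rc, end->subject);

    rc = validate_chain(&pool[0], now, issuer_prefer_trusted, &end);
    printf("prefer trusted: rc=%d, stopped at %s\n", rc, end->subject);
    return 0;
}
```

With an evaluation date before the old root's expiry both strategies succeed, which is why the ordering problem stayed hidden until the root expired.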

Guys, I am facing a similar issue but my Let's Encrypt certificates are all ok. What is the problem with my gpg4win client? When connecting to openpgp server it says certificate is expired. Can anybody help me?

@alexnadtoka When using Gpg4win-4.0.0 or 3.3.16 with an updated GnuPG the validation of dirmngr works fine with the Let's Encrypt certificates again. If you have one of these versions, and you still have problems, you need to be more specific about which connection you are referring to.
Maybe it is best to ask on one of the community channels (e.g. the gnupg-users mailing list, see https://gnupg.org/documentation/mailing-lists.html )

@bernhard yeah, thank you. Both versions had issues(( and sent two requests to RU and EN community. No answer for two days already
The log clearly says certificate is expired(( but it is not, at least for keyserver... Maybe it is referring to gpg key... I don't know... but it is not expired either. Probably I am missing something. Will try to contact community again.

2021-12-23 11:27:30 gpg[12864] using character set 'utf-8'
2021-12-23 11:27:30 gpg[12864] Note: RFC4880bis features are enabled.
2021-12-23 11:27:30 gpg[12864] enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
2021-12-23 11:27:30 gpg[12864] DBG: [no clock] start
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- # Home: C:\Users\Oleksandr\AppData\Roaming\gnupg
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- # Config: C:/Users/Oleksandr/AppData/Roaming/gnupg/dirmngr.conf
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- OK Dirmngr 2.3.4 at your service
2021-12-23 11:27:30 gpg[12864] DBG: connection to the dirmngr established
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> GETINFO version
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- D 2.3.4
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- OK
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> KEYSERVER --clear hkps://gpg.example.com/
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- OK
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> KS_SEARCH -- oleksandr@example.com
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- ERR 167772261 Certificate expired <Dirmngr>
2021-12-23 11:27:30 gpg[12864] error searching keyserver: Certificate expired
2021-12-23 11:27:30 gpg[12864] keyserver search failed: Certificate expired
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> BYE
2021-12-23 11:27:30 gpg[12864] DBG: [no clock] stop
2021-12-23 11:27:30 gpg[12864] keydb: handles=0 locks=0 parse=0 get=0
2021-12-23 11:27:30 gpg[12864] build=0 update=0 insert=0 delete=0
2021-12-23 11:27:30 gpg[12864] reset=0 found=0 not=0 cache=0 not=0
2021-12-23 11:27:30 gpg[12864] kid_not_found_cache: count=0 peak=0 flushes=0
2021-12-23 11:27:30 gpg[12864] sig_cache: total=0 cached=0 good=0 bad=0
2021-12-23 11:27:30 gpg[12864] objcache: keys=0/0/0 chains=0,0..0 buckets=0/0 attic=0
2021-12-23 11:27:30 gpg[12864] objcache: uids=0/0/0 chains=0,0..0 buckets=0/0
2021-12-23 11:27:30 gpg[12864] random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
2021-12-23 11:27:30 gpg[12864] rndjent stat: collector=0x00000000 calls=0 bytes=0
2021-12-23 11:27:30 gpg[12864] secmem usage: 0/32768 bytes in 0 blocks

@alexnadtoka wrote:

Both versions had issues(( and sent two requests to RU and EN community. No answer for two days already

Just looked and did not see an email about this to gnupg-users@-mailinglist, maybe you did not subscribe to it before posting?

The log clearly says certificate is expired(( but it is not, at least for keyserver... Maybe it is referring to gpg key... I don't know... but it is not expired either. Probably I am missing something. Will try to contact community again.

Seems like it is the TLS connection certificate. You can add more output by using the dirmngr.conf debugging flags.

@alexnadtoka, please stop adding the same information to two different issues. Let's use T5744: Issue with connecting to GPG server for any further comments.

@bernhard Right, sorry. I have sent request to mailing lists

I think I have enabled max debug already. If you need full log then it is

2021-12-23 11:27:15 gpg[17680] using character set 'utf-8'
2021-12-23 11:27:15 gpg[17680] Note: RFC4880bis features are enabled.
2021-12-23 11:27:15 gpg[17680] enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] start
2021-12-23 11:27:15 gpg[17680] using pgp trust model
2021-12-23 11:27:15 gpg[17680] key F82A7011A81784E3: accepted as trusted key
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_new
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_search_reset
2021-12-23 11:27:15 gpg[17680] DBG: keydb_search_reset (hd=0x0089c678)
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_search enter
2021-12-23 11:27:15 gpg[17680] DBG: keydb_search: 1 search descriptions:
2021-12-23 11:27:15 gpg[17680] DBG: keydb_search   0: FIRST
2021-12-23 11:27:15 gpg[17680] DBG: internal_keydb_search: searching keybox (resource 0 of 1)
2021-12-23 11:27:15 gpg[17680] DBG: internal_keydb_search: searched keybox (resource 0 of 1) => Success
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_search leave (found)
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_get_keyblock enter
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=6 length=397 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=12 length=12 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=13 length=47 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=12 length=12 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=2 length=468 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=12 length=6 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=2 length=566 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=12 length=6 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=14 length=397 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=2 length=444 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=1): type=12 length=6 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: iobuf-1.0: underflow: buffer size: 2388; still buffered: 0 => space for 2388 bytes
2021-12-23 11:27:15 gpg[17680] DBG: iobuf-1.0: close '?'
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_get_keyblock leave
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=6
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=13
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=2
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=2
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=14
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=2
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_search enter
2021-12-23 11:27:15 gpg[17680] DBG: keydb_search: 1 search descriptions:
2021-12-23 11:27:15 gpg[17680] DBG: keydb_search   0: NEXT
2021-12-23 11:27:15 gpg[17680] DBG: internal_keydb_search: searching keybox (resource 0 of 1)
2021-12-23 11:27:15 gpg[17680] DBG: internal_keydb_search: searched keybox (resource 0 of 1) => Success
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_search leave (found)
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_get_keyblock enter
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=2): type=6 length=397 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=2): type=12 length=12 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=2): type=13 length=31 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=2): type=12 length=12 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=2): type=2 length=472 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=2): type=12 length=6 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=2): type=14 length=397 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=2): type=2 length=444 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: parse_packet(iob=2): type=12 length=6 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[17680] DBG: iobuf-2.0: underflow: buffer size: 1799; still buffered: 0 => space for 1799 bytes
2021-12-23 11:27:15 gpg[17680] DBG: iobuf-2.0: close '?'
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_get_keyblock leave
2021-12-23 11:27:15 gpg[17680] DBG: rsa_verify    => Good
2021-12-23 11:27:15 gpg[17680] DBG: rsa_verify    => Good
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=6
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=13
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=2
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=14
2021-12-23 11:27:15 gpg[17680] DBG: free_packet() type=2
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_search enter
2021-12-23 11:27:15 gpg[17680] DBG: keydb_search: 1 search descriptions:
2021-12-23 11:27:15 gpg[17680] DBG: keydb_search   0: NEXT
2021-12-23 11:27:15 gpg[17680] DBG: internal_keydb_search: searching keybox (resource 0 of 1)
2021-12-23 11:27:15 gpg[17680] DBG: internal_keydb_search: searched keybox (resource 0 of 1) => EOF
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_search leave (not found)
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] keydb_release
2021-12-23 11:27:15 gpg[17680] DBG: [no clock] stop
2021-12-23 11:27:15 gpg[17680] keydb: handles=1 locks=0 parse=2 get=2
2021-12-23 11:27:15 gpg[17680]        build=0 update=0 insert=0 delete=0
2021-12-23 11:27:15 gpg[17680]        reset=1 found=2 not=1 cache=0 not=0
2021-12-23 11:27:15 gpg[17680] kid_not_found_cache: count=0 peak=0 flushes=0
2021-12-23 11:27:15 gpg[17680] sig_cache: total=4 cached=2 good=2 bad=0
2021-12-23 11:27:15 gpg[17680] objcache: keys=0/0/0 chains=0,0..0 buckets=0/0 attic=0
2021-12-23 11:27:15 gpg[17680] objcache: uids=0/0/0 chains=0,0..0 buckets=0/0
2021-12-23 11:27:15 gpg[17680] random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
2021-12-23 11:27:15 gpg[17680] rndjent stat: collector=0x00000000 calls=0 bytes=0
2021-12-23 11:27:15 gpg[17680] secmem usage: 0/32768 bytes in 0 blocks
2021-12-23 11:27:15 gpg[18260] using character set 'utf-8'
2021-12-23 11:27:15 gpg[18260] Note: RFC4880bis features are enabled.
2021-12-23 11:27:15 gpg[18260] enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] start
2021-12-23 11:27:15 gpg[18260] using pgp trust model
2021-12-23 11:27:15 gpg[18260] key F82A7011A81784E3: accepted as trusted key
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_new
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_search_reset
2021-12-23 11:27:15 gpg[18260] DBG: keydb_search_reset (hd=0x02b1a2e0)
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_search enter
2021-12-23 11:27:15 gpg[18260] DBG: keydb_search: 1 search descriptions:
2021-12-23 11:27:15 gpg[18260] DBG: keydb_search   0: FIRST
2021-12-23 11:27:15 gpg[18260] DBG: internal_keydb_search: searching keybox (resource 0 of 1)
2021-12-23 11:27:15 gpg[18260] DBG: internal_keydb_search: searched keybox (resource 0 of 1) => Success
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_search leave (found)
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_get_keyblock enter
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=6 length=397 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=12 length=12 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=13 length=47 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=12 length=12 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=2 length=468 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=12 length=6 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=2 length=566 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=12 length=6 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=14 length=397 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=2 length=444 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=1): type=12 length=6 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: iobuf-1.0: underflow: buffer size: 2388; still buffered: 0 => space for 2388 bytes
2021-12-23 11:27:15 gpg[18260] DBG: iobuf-1.0: close '?'
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_get_keyblock leave
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- OK Pleased to meet you
2021-12-23 11:27:15 gpg[18260] DBG: connection to the gpg-agent established
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c -> RESET
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- OK
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c -> OPTION ttyname=/dev/tty
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- OK
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c -> GETINFO version
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- D 2.3.4
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- OK
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c -> OPTION allow-pinentry-notify
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- OK
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c -> OPTION agent-awareness=2.1.0
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- OK
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c -> HAVEKEY --list=1000
2021-12-23 11:27:15 gpg[18260] DBG: chan_0000026C <- [ 44 20 16 7e 99 2a d0 5c e3 78 5d aa dd 48 f7 36 ...(28 byte(s) skipped) ]
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- OK
2021-12-23 11:27:15 gpg[18260] DBG: get_keygrip for public key
2021-12-23 11:27:15 gpg[18260] DBG: keygrip= b5c5d84ced38925bff90debb4d828de8aa003d84
2021-12-23 11:27:15 gpg[18260] DBG: get_keygrip for public key
2021-12-23 11:27:15 gpg[18260] DBG: keygrip= cc55afcc2c73df7231a53171c5e8a3192ad6eca8
2021-12-23 11:27:15 gpg[18260] DBG: get_keygrip for public key
2021-12-23 11:27:15 gpg[18260] DBG: keygrip= b5c5d84ced38925bff90debb4d828de8aa003d84
2021-12-23 11:27:15 gpg[18260] DBG: get_keygrip for public key
2021-12-23 11:27:15 gpg[18260] DBG: keygrip= cc55afcc2c73df7231a53171c5e8a3192ad6eca8
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=6
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=13
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=2
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=2
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=14
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=2
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_search enter
2021-12-23 11:27:15 gpg[18260] DBG: keydb_search: 1 search descriptions:
2021-12-23 11:27:15 gpg[18260] DBG: keydb_search   0: NEXT
2021-12-23 11:27:15 gpg[18260] DBG: internal_keydb_search: searching keybox (resource 0 of 1)
2021-12-23 11:27:15 gpg[18260] DBG: internal_keydb_search: searched keybox (resource 0 of 1) => Success
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_search leave (found)
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_get_keyblock enter
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=2): type=6 length=397 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=2): type=12 length=12 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=2): type=13 length=31 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=2): type=12 length=12 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=2): type=2 length=472 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=2): type=12 length=6 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=2): type=14 length=397 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=2): type=2 length=444 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: parse_packet(iob=2): type=12 length=6 (parse./home/wk/b/gnupg/dist/PLAY-release/gnupg-w32-2.3.4/g10/keydb.c.1161)
2021-12-23 11:27:15 gpg[18260] DBG: iobuf-2.0: underflow: buffer size: 1799; still buffered: 0 => space for 1799 bytes
2021-12-23 11:27:15 gpg[18260] DBG: iobuf-2.0: close '?'
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_get_keyblock leave
2021-12-23 11:27:15 gpg[18260] DBG: get_keygrip for public key
2021-12-23 11:27:15 gpg[18260] DBG: keygrip= a04d691688b19d284309134aecaf4f1c4584f52a
2021-12-23 11:27:15 gpg[18260] DBG: rsa_verify    => Good
2021-12-23 11:27:15 gpg[18260] DBG: rsa_verify    => Good
2021-12-23 11:27:15 gpg[18260] DBG: get_keygrip for public key
2021-12-23 11:27:15 gpg[18260] DBG: keygrip= a04d691688b19d284309134aecaf4f1c4584f52a
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c -> KEYINFO A04D691688B19D284309134AECAF4F1C4584F52A
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- S KEYINFO A04D691688B19D284309134AECAF4F1C4584F52A D - - - P - - -
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- OK
2021-12-23 11:27:15 gpg[18260] DBG: get_keygrip for public key
2021-12-23 11:27:15 gpg[18260] DBG: keygrip= 167e992ad05ce3785daadd48f736fc0d1283e241
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c -> KEYINFO 167E992AD05CE3785DAADD48F736FC0D1283E241
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- S KEYINFO 167E992AD05CE3785DAADD48F736FC0D1283E241 D - - - P - - -
2021-12-23 11:27:15 gpg[18260] DBG: chan_0x0000026c <- OK
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=6
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=13
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=2
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=14
2021-12-23 11:27:15 gpg[18260] DBG: free_packet() type=2
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_search enter
2021-12-23 11:27:15 gpg[18260] DBG: keydb_search: 1 search descriptions:
2021-12-23 11:27:15 gpg[18260] DBG: keydb_search   0: NEXT
2021-12-23 11:27:15 gpg[18260] DBG: internal_keydb_search: searching keybox (resource 0 of 1)
2021-12-23 11:27:15 gpg[18260] DBG: internal_keydb_search: searched keybox (resource 0 of 1) => EOF
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_search leave (not found)
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] keydb_release
2021-12-23 11:27:15 gpg[18260] DBG: [no clock] stop
2021-12-23 11:27:15 gpg[18260] keydb: handles=1 locks=0 parse=2 get=2
2021-12-23 11:27:15 gpg[18260]        build=0 update=0 insert=0 delete=0
2021-12-23 11:27:15 gpg[18260]        reset=1 found=2 not=1 cache=0 not=0
2021-12-23 11:27:15 gpg[18260] kid_not_found_cache: count=0 peak=0 flushes=0
2021-12-23 11:27:15 gpg[18260] sig_cache: total=4 cached=2 good=2 bad=0
2021-12-23 11:27:15 gpg[18260] objcache: keys=0/0/0 chains=0,0..0 buckets=0/0 attic=0
2021-12-23 11:27:15 gpg[18260] objcache: uids=0/0/0 chains=0,0..0 buckets=0/0
2021-12-23 11:27:15 gpg[18260] random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
2021-12-23 11:27:15 gpg[18260] rndjent stat: collector=0x00000000 calls=0 bytes=0
2021-12-23 11:27:15 gpg[18260] secmem usage: 0/32768 bytes in 0 blocks
2021-12-23 11:27:30 gpg[12864] using character set 'utf-8'
2021-12-23 11:27:30 gpg[12864] Note: RFC4880bis features are enabled.
2021-12-23 11:27:30 gpg[12864] enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
2021-12-23 11:27:30 gpg[12864] DBG: [no clock] start
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- # Home: C:\Users\Oleksandr\AppData\Roaming\gnupg
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- # Config: C:/Users/Oleksandr/AppData/Roaming/gnupg/dirmngr.conf
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- OK Dirmngr 2.3.4 at your service
2021-12-23 11:27:30 gpg[12864] DBG: connection to the dirmngr established
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> GETINFO version
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- D 2.3.4
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- OK
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> KEYSERVER --clear hkps://gpg.example.com/
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- OK
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> KS_SEARCH -- oleksandr@example.com
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- ERR 167772261 Certificate expired <Dirmngr>
2021-12-23 11:27:30 gpg[12864] error searching keyserver: Certificate expired
2021-12-23 11:27:30 gpg[12864] keyserver search failed: Certificate expired
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> BYE
2021-12-23 11:27:30 gpg[12864] DBG: [no clock] stop
2021-12-23 11:27:30 gpg[12864] keydb: handles=0 locks=0 parse=0 get=0
2021-12-23 11:27:30 gpg[12864]        build=0 update=0 insert=0 delete=0
2021-12-23 11:27:30 gpg[12864]        reset=0 found=0 not=0 cache=0 not=0
2021-12-23 11:27:30 gpg[12864] kid_not_found_cache: count=0 peak=0 flushes=0
2021-12-23 11:27:30 gpg[12864] sig_cache: total=0 cached=0 good=0 bad=0
2021-12-23 11:27:30 gpg[12864] objcache: keys=0/0/0 chains=0,0..0 buckets=0/0 attic=0
2021-12-23 11:27:30 gpg[12864] objcache: uids=0/0/0 chains=0,0..0 buckets=0/0
2021-12-23 11:27:30 gpg[12864] random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
2021-12-23 11:27:30 gpg[12864] rndjent stat: collector=0x00000000 calls=0 bytes=0
2021-12-23 11:27:30 gpg[12864] secmem usage: 0/32768 bytes in 0 blocks
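
The `ERR 167772261` reply in the gpg[12864] run above is a packed libgpg-error value; the following added example (not part of the original report and not GnuPG code) scans such a log for Assuan `ERR` replies, pairs each with the command that triggered it, and splits the value into error source and error code. The function names are hypothetical, and the two lookup tables hold only the values that occur in this log.

```python
import re

# libgpg-error packs two fields into one integer:
# bits 0-15 hold the error code, bits 24-30 hold the error source.
GPG_ERR_CODE_MASK = 0xFFFF
GPG_ERR_SOURCE_SHIFT = 24
GPG_ERR_SOURCE_MASK = 0x7F

# Only the two values needed for this log; libgpg-error defines many more.
ERROR_SOURCES = {10: "GPG_ERR_SOURCE_DIRMNGR"}
ERROR_CODES = {101: "GPG_ERR_CERT_EXPIRED"}

# Sample input: lines copied from the gpg[12864] run above.
SAMPLE_LOG = """\
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- OK Dirmngr 2.3.4 at your service
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> GETINFO version
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- D 2.3.4
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- OK
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> KEYSERVER --clear hkps://gpg.example.com/
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- OK
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c -> KS_SEARCH -- oleksandr@example.com
2021-12-23 11:27:30 gpg[12864] DBG: chan_0x0000025c <- ERR 167772261 Certificate expired <Dirmngr>
2021-12-23 11:27:30 gpg[12864] keyserver search failed: Certificate expired
"""

# One Assuan trace line: timestamp, program[pid], channel, direction, payload.
ASSUAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\] DBG: "
    r"(?P<chan>chan_\w+) (?P<dir>->|<-) (?P<msg>.*)$"
)
ERR_RE = re.compile(r"^ERR (?P<value>\d+)(?: (?P<text>.*))?$")


def decode_gpg_error(value):
    """Split a libgpg-error value into (source, code)."""
    source = (value >> GPG_ERR_SOURCE_SHIFT) & GPG_ERR_SOURCE_MASK
    code = value & GPG_ERR_CODE_MASK
    return source, code


def find_assuan_failures(log_text):
    """Return one record per ERR reply, paired with the command that caused it."""
    last_command = {}  # (pid, channel) -> last payload sent with "->"
    failures = []
    for line in log_text.splitlines():
        m = ASSUAN_RE.match(line)
        if not m:
            continue  # not an Assuan trace line
        key = (m["pid"], m["chan"].lower())
        if m["dir"] == "->":
            last_command[key] = m["msg"]
            continue
        err = ERR_RE.match(m["msg"])
        if not err:
            continue  # OK, D, S and comment replies
        source, code = decode_gpg_error(int(err["value"]))
        failures.append({
            "timestamp": m["ts"],
            "client": f'{m["prog"]}[{m["pid"]}]',
            "command": last_command.get(key, "(unknown)"),
            "source": source,
            "source_name": ERROR_SOURCES.get(source, "unknown"),
            "code": code,
            "code_name": ERROR_CODES.get(code, "unknown"),
            "text": err["text"] or "",
        })
    return failures


if __name__ == "__main__":
    for f in find_assuan_failures(SAMPLE_LOG):
        print(f'{f["timestamp"]} {f["client"]} "{f["command"]}" failed: '
              f'{f["code_name"]} ({f["code"]}) from {f["source_name"]} ({f["source"]})')
```
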

Hello.
@bernard has been so kind as to try and help me with this exact issue over in the gpg4win forum, and it seems I'm not the only one who still has problems with the "broken" LE certificate chain and hkps://keyserver.ubuntu.com.

I've produced a bunch of logs for bernard (with various tls-debug levels), and they all show that dirmngr is using the expired chain.

So, something is going on that we can't quite pinpoint.
And my experience is that it stopped working when I installed gpg 2.3.4 and gpg4win 4.0.0. But I think instead it's just been me who hasn't actually used gpg or gpg4win on my Windows computer since LE's expiration.

I mainly run gpg in Linux or WSL (Ubuntu) and there it works just fine.

Anyway, here's my dirmngr log of my most recent attempt to run a simple key search with gpg in cmd on Windows 10.

2022-02-21 15:30:58 dirmngr[28628] listening on socket 'C:/Users/Kim/AppData/Roaming/gnupg/S.dirmngr'
2022-02-21 15:30:58 dirmngr[28628] permanently loaded certificates: 181
2022-02-21 15:30:58 dirmngr[28628] runtime cached certificates: 0
2022-02-21 15:30:58 dirmngr[28628] trusted certificates: 181 (180,0,0,1)
2022-02-21 15:30:58 dirmngr[28628] handler for fd 728 started
2022-02-21 15:30:58 dirmngr[28628] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.9'
2022-02-21 15:30:58 dirmngr[28628] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.8'
2022-02-21 15:30:58 dirmngr[28628] detected interfaces: IPv4
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): handshake
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): client state: 0 (hello_request)
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): flush output
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): client state: 1 (client_hello)
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): flush output
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): write client_hello
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client_hello, max version: [3:3]
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client_hello, current time: 1645453858
2022-02-21 15:30:58 dirmngr[28628] DBG: client_hello, random bytes: 6213a2226607c527bb2cfa5e99f09bb364a9d904707866c54beaa65bc01215f3
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client_hello, session id len.: 0
2022-02-21 15:30:58 dirmngr[28628] DBG: client_hello, session id:
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client_hello, got 78 ciphersuites
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client_hello, compress len.: 2
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client_hello, compress alg.: 1 0
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client_hello, adding server name extension: 'keyserver.ubuntu.com'
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client_hello, adding signature_algorithms extension
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client hello, adding supported_elliptic_curves extension
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client hello, adding supported_point_formats extension
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client_hello, adding session ticket extension
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): client_hello, total extension length: 83
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): write record
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): output record: msgtype = 22, version = [3:3], msglen = 285
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): flush output
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): message length: 290, out_left: 290
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): es_write returned: success
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): client state: 2 (server_hello)
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): flush output
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): read server_hello
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): read record
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): fetch input
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): in_left: 0, nb_want: 5
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): es_read returned: success
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): input record: msgtype = 22, version = [3:3], msglen = 65
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): fetch input
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): in_left: 5, nb_want: 70
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): es_read returned: success
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): handshake message: msglen = 65, type = 2, hslen = 65
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(1): server_hello, chosen version: [3:3]
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): server_hello, current time: 3980250003
2022-02-21 15:30:58 dirmngr[28628] DBG: server_hello, random bytes: ed3dcb93ad6109d1c7f0750351bfe355c555712aafa3746e444f574e47524401
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): server_hello, session id len.: 0
2022-02-21 15:30:58 dirmngr[28628] DBG: server_hello, session id:
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): no session has been resumed
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(1): server_hello, chosen ciphersuite: 49199 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256)
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): server_hello, compress alg.: 0
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): server_hello, total extension length: 21
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): found renegotiation extension
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): unknown extension found: 0 (ignoring)
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): found supported_point_formats extension
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): found session_ticket extension
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): client state: 3 (server_certificate)
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): flush output
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): read certificate
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): read record
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): fetch input
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): in_left: 0, nb_want: 5
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): es_read returned: success
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): input record: msgtype = 22, version = [3:3], msglen = 4056
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): fetch input
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): in_left: 5, nb_want: 4061
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): es_read returned: success
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(3): handshake message: msglen = 4056, type = 11, hslen = 4056
2022-02-21 15:30:58 dirmngr[28628] ntbtls: peer certificate: chain length=3
2022-02-21 15:30:58 dirmngr[28628] ntbtls: serial: 04cc227c37c5112c6c1b538b751a18451bf6
2022-02-21 15:30:58 dirmngr[28628] ntbtls: issuer: CN=R3,O=Let's Encrypt,C=US
2022-02-21 15:30:58 dirmngr[28628] ntbtls: subject: CN=hockeypuck.ubuntu.com
2022-02-21 15:30:58 dirmngr[28628] ntbtls: aka: (8:dns-name21:hockeypuck.ubuntu.com)
2022-02-21 15:30:58 dirmngr[28628] ntbtls: aka: (8:dns-name20:keyserver.ubuntu.com)
2022-02-21 15:30:58 dirmngr[28628] ntbtls: notBefore: 2021-12-25 03:20:36
2022-02-21 15:30:58 dirmngr[28628] ntbtls: notAfter: 2022-03-25 03:20:35
2022-02-21 15:30:58 dirmngr[28628] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 15:30:58 dirmngr[28628] ntbtls: serial: 00912b084acf0c18a753f6d62e25a75f5a
2022-02-21 15:30:58 dirmngr[28628] ntbtls: issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 15:30:58 dirmngr[28628] ntbtls: subject: CN=R3,O=Let's Encrypt,C=US
2022-02-21 15:30:58 dirmngr[28628] ntbtls: notBefore: 2020-09-04 00:00:00
2022-02-21 15:30:58 dirmngr[28628] ntbtls: notAfter: 2025-09-15 16:00:00
2022-02-21 15:30:58 dirmngr[28628] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 15:30:58 dirmngr[28628] ntbtls: serial: 4001772137d4e942b8ee76aa3c640ab7
2022-02-21 15:30:58 dirmngr[28628] ntbtls: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-02-21 15:30:58 dirmngr[28628] ntbtls: subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 15:30:58 dirmngr[28628] ntbtls: notBefore: 2021-01-20 19:14:03
2022-02-21 15:30:58 dirmngr[28628] ntbtls: notAfter: 2024-09-30 18:14:03
2022-02-21 15:30:58 dirmngr[28628] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(1): comparing hostname 'hockeypuck.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(1): comparing hostname 'keyserver.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-21 15:30:58 dirmngr[28628] certificate already cached
2022-02-21 15:30:58 dirmngr[28628] certificate cached
2022-02-21 15:30:58 dirmngr[28628] Note: non-critical certificate policy not allowed
2022-02-21 15:30:58 dirmngr[28628] certificate is good
2022-02-21 15:30:58 dirmngr[28628] certificate has expired
2022-02-21 15:30:58 dirmngr[28628] (expired at 2021-09-29 19:21:40)
2022-02-21 15:30:58 dirmngr[28628] Note: non-critical certificate policy not allowed
2022-02-21 15:30:58 dirmngr[28628] certificate is good
2022-02-21 15:30:58 dirmngr[28628] certificate has expired
2022-02-21 15:30:58 dirmngr[28628] (expired at 2021-09-30 14:01:15)
2022-02-21 15:30:58 dirmngr[28628] root certificate is good and trusted
2022-02-21 15:30:58 dirmngr[28628] target certificate is NOT valid
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(1): error from the verify callback returned: Certificate expired <Dirmngr>
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): handshake ready
2022-02-21 15:30:58 dirmngr[28628] TLS handshake failed: Certificate expired <Dirmngr>
2022-02-21 15:30:58 dirmngr[28628] error connecting to 'https://162.213.33.9:443': Certificate expired
2022-02-21 15:30:58 dirmngr[28628] DBG: ntbtls(2): release
2022-02-21 15:30:58 dirmngr[28628] command 'KS_SEARCH' failed: Certificate expired
2022-02-21 15:30:58 dirmngr[28628] handler for fd 728 terminated

Alright, in the hope it helps to pin this down, trying to sum up what I tried during and after my conversation with @bernhard so far:

  • Windows 10 keeps both the old and new root CA in the store and manual edits to the root certificate store are undone by the OS sooner or later
  • ignoring the intermediate certificate with dirmngr --ignore-cert 48504E974C0DAC5B5CD476C8202274B24C8C7172 fixes the problem as a workaround, but is not a satisfying solution
  • I cloned the repository and took a look at the original patch; while it seems that we only check validity of certificates without considering the expiration date, the patch does fix the original bug which I confirmed by compiling gpg from source at the commit containing the patch and another version at the commit prior to the patch. That is, the patch successfully fixes this on my Ubuntu machine. On my Windows 10 machine the bug persists no matter if using a self-compiled version from those commits or the official versions from gpg4win.
  • While exploring the source code and finding out how to compile and test from source I found out that I can reproduce the bug on Ubuntu if I compile gpg with the patch applied, but with a GnuTLS version that does not have their patch for this issue. Since this is the case with the default GnuTLS dev sources in Ubuntu 20.04, I had to get the GnuTLS library from the project itself in order to successfully compile gpg for Ubuntu. For Windows the problem persists, however. I did not find GnuTLS or any other TLS library in the application directory of the GPG install on Windows nor in the installer itself. So I'm wondering if the remaining issue on Windows is actually with the used TLS library there. Does gpg4win ship a TLS library with gpg or does it use a system default?
  • The fixed version of GnuTLS is 3.6.14 for the project itself, there are backports of this patch for Ubuntu Xenial and Bionic, unfortunately not for Focal yet.

Does gpg4win ship a TLS library with gpg or does it use a system default?

As far as I know it uses https://git.gnupg.org/cgi-bin/gitweb.cgi?p=ntbtls.git;a=summary (this is also why it does its own validation on the chain of certificates).

What I wonder is: In a number of tests in our machines (mostly virtual machines), the TLS access to keyserver.ubuntu.com does work. I have yet to see a VM where it does not. So there must be a difference.
I wonder if we should compare detailed debug logs to see what the deciding difference is? (We could look for all certificates from the Windows trust store, or their order, or some other version for software components.)

Ah, just seeing that this issue is resolved. Shall we open a new one to be well structured?
(If we reopen this one, there is a lot of old information in here that does not apply anymore before the fixes that went into dirmngr/gnupg).

@bernhard - well, that's the kicker, isn't it.

The topic of this thread is very simple, and to the point, and since it seems that it actually isn't resolved, how will a new issue make it easier to follow?

True, there were changes made after this issue was reported, but it doesn't seem that the actual topic is resolved, and you have also connected a few other issues to this thread.

In my opinion the "ignore cert" option isn't a proper solution to the actual problem.

Still, feel free to ignore me and start a new issue, if that will help you developers to fix the real problem. That is the ultimate goal for all of us.

@NoSubstitute It is okay for me to keep this issue, if most people prefer it this way, was just asking.

In my opinion the "ignore cert" option isn't a proper solution to the actual problem.

I agree. It is working in some conditions though and we need to find out what breaks it.

Not a solution yet, but some more insights.
Starting from @NoSubstitute's log output and from @bernhard's statement that we use ntbTLS, I verified that my dirmngr.exe was indeed compiled with NTBTLS 0.2.0. I did so by running strings "C:\Program Files (x86)\GnuPG\bin\dirmngr.exe" | grep TLS which returned "This is NTBTLS 0.2.0 - Not Too Bad TLS" among other strings. I also grepped for some debug strings introduced in newer commits to verify that the NTBTLS version used is not the current HEAD of master, but at least some commit before 64f895dba734802662cbb81b64cd0b4af198ee71. I will just assume it is the actual 0.2.0 release for now.

As can be seen from the log output ntbtls hands off certificate validation to dirmngr. The corresponding source functions seem to be (not exactly sure how best to visualize this, I hope you can follow):
dirmngr->ks-engine-hkp.c->send_request(), this calls dirmngr->http.c->http_session_new() and in this function registers dirmngr->http-ntbtls.c->gnupg_http_tls_verify_cb() as callback for ntbtls to use for certificate verification. I won't go into the details of callback registration here, trust me that it happens or check in the code on your own if you must. Assuming that the callback is executed for verification, we proceed in gnupg_http_tls_verify_cb() until it calls dirmngr->validate.c->validate_cert_chain() and in this function we actually check the expiration timestamps.

That's what I got so far, I will investigate further as time allows it, but maybe this already helps some of you to start further investigations from.

What I wonder is: In a number of tests in our machines (mostly virtual machines), the TLS access to keyserver.ubuntu.com does work. I have yet to see a VM where it does not. So there must be a difference.

@bernhard Do those VMs also contain the old root certificate in the store? I'm currently on Windows 10 Pro 21H2 if that matters, first tests were made with 21H1.

Ok, I may see three potential problems in dirmngr->validate.c->validate_cert_chain(), but it may also be my limited familiarity with the gnupg source.

  • Here we leave the certificate validation loop at the first trusted root certificate, even if it is expired as we only mark this fact for later evaluation.
  • Here we seem to only ever go up the chain, never sideways as is the case in the original patch for this bug.
  • And probably most impactful, here we fail the whole validation if any of the previously checked certificates is expired, so that even if we would fix the second point by checking sibling certificates, we would still get an overall failure.

I did not yet check the code where that certificate chain came from, but assuming it is the chain as presented by the server for now.

On a side note, it turns out that Ubuntu Maintainers ship gpg with GnuTLS dynamically linked, so that's why I went down that road first. I compiled gpg from source for Ubuntu with ntbtls for further tests. Interesting insight is that find_cert_bysubject returns different certificates on first try on my Ubuntu Machine compared to my Windows 10 Machine:

Ubuntu:

2022-02-24 00:38:12 dirmngr[186901.6] DBG: ntbtls(1): comparing hostname 'hockeypuck.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-24 00:38:12 dirmngr[186901.6] DBG: ntbtls(1): comparing hostname 'keyserver.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-24 00:38:12 dirmngr[186901.6] certificate cached
2022-02-24 00:38:12 dirmngr[186901.6] certificate cached
2022-02-24 00:38:12 dirmngr[186901.6] DBG: BEGIN Certificate 'subject':
2022-02-24 00:38:12 dirmngr[186901.6] DBG:      serial: 04CC227C37C5112C6C1B538B751A18451BF6
2022-02-24 00:38:12 dirmngr[186901.6] DBG:   notBefore: 2021-12-25 03:20:36
2022-02-24 00:38:12 dirmngr[186901.6] DBG:    notAfter: 2022-03-25 03:20:35
2022-02-24 00:38:12 dirmngr[186901.6] DBG:      issuer: CN=R3,O=Let's Encrypt,C=US
2022-02-24 00:38:12 dirmngr[186901.6] DBG:     subject: CN=hockeypuck.ubuntu.com
2022-02-24 00:38:12 dirmngr[186901.6] DBG:         aka: (8:dns-name21:hockeypuck.ubuntu.com)
2022-02-24 00:38:12 dirmngr[186901.6] DBG:         aka: (8:dns-name20:keyserver.ubuntu.com)
2022-02-24 00:38:12 dirmngr[186901.6] DBG:   hash algo: 1.2.840.113549.1.1.11
2022-02-24 00:38:12 dirmngr[186901.6] DBG:   SHA1 fingerprint: E3CACEDA898D4EB97D5FA5875FC5D1B6EACB5CCC
2022-02-24 00:38:12 dirmngr[186901.6] DBG: END Certificate
2022-02-24 00:38:12 dirmngr[186901.6] Note: non-critical certificate policy not allowed
2022-02-24 00:38:12 dirmngr[186901.6] DBG: find_cert_bysubject: certificate found in the cache by subject DN
2022-02-24 00:38:12 dirmngr[186901.6] DBG: got issuer's certificate:
2022-02-24 00:38:12 dirmngr[186901.6] DBG: BEGIN Certificate 'issuer':
2022-02-24 00:38:12 dirmngr[186901.6] DBG:      serial: 00912B084ACF0C18A753F6D62E25A75F5A
2022-02-24 00:38:12 dirmngr[186901.6] DBG:   notBefore: 2020-09-04 00:00:00
2022-02-24 00:38:12 dirmngr[186901.6] DBG:    notAfter: 2025-09-15 16:00:00
2022-02-24 00:38:12 dirmngr[186901.6] DBG:      issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-24 00:38:12 dirmngr[186901.6] DBG:     subject: CN=R3,O=Let's Encrypt,C=US
2022-02-24 00:38:12 dirmngr[186901.6] DBG:   hash algo: 1.2.840.113549.1.1.11
2022-02-24 00:38:12 dirmngr[186901.6] DBG:   SHA1 fingerprint: A053375BFE84E8B748782C7CEE15827A6AF5A405
2022-02-24 00:38:12 dirmngr[186901.6] DBG: END Certificate

Windows:

2022-02-24 00:47:18 dirmngr[7384] DBG: ntbtls(1): comparing hostname 'hockeypuck.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-24 00:47:18 dirmngr[7384] DBG: ntbtls(1): comparing hostname 'keyserver.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-24 00:47:18 dirmngr[7384] Zertifikat ist bereits im Zwischenspeicher
2022-02-24 00:47:18 dirmngr[7384] Zertifikat wurde zwischengespeichert
2022-02-24 00:47:18 dirmngr[7384] DBG: BEGIN Certificate 'subject':
2022-02-24 00:47:18 dirmngr[7384] DBG:      serial: 04CC227C37C5112C6C1B538B751A18451BF6
2022-02-24 00:47:18 dirmngr[7384] DBG:   notBefore: 2021-12-25 03:20:36
2022-02-24 00:47:18 dirmngr[7384] DBG:    notAfter: 2022-03-25 03:20:35
2022-02-24 00:47:18 dirmngr[7384] DBG:      issuer: CN=R3,O=Let's Encrypt,C=US
2022-02-24 00:47:18 dirmngr[7384] DBG:     subject: CN=hockeypuck.ubuntu.com
2022-02-24 00:47:18 dirmngr[7384] DBG:         aka: (8:dns-name21:hockeypuck.ubuntu.com)
2022-02-24 00:47:18 dirmngr[7384] DBG:         aka: (8:dns-name20:keyserver.ubuntu.com)
2022-02-24 00:47:18 dirmngr[7384] DBG:   hash algo: 1.2.840.113549.1.1.11
2022-02-24 00:47:18 dirmngr[7384] DBG:   SHA1 fingerprint: E3CACEDA898D4EB97D5FA5875FC5D1B6EACB5CCC
2022-02-24 00:47:18 dirmngr[7384] DBG: END Certificate
2022-02-24 00:47:18 dirmngr[7384] Hinweis: Die unkritische Zertifikatsrichtlinie ist nicht erlaubt
2022-02-24 00:47:18 dirmngr[7384] DBG: find_cert_bysubject: certificate found in the cache by subject DN
2022-02-24 00:47:18 dirmngr[7384] DBG: got issuer's certificate:
2022-02-24 00:47:18 dirmngr[7384] DBG: BEGIN Certificate 'issuer':
2022-02-24 00:47:18 dirmngr[7384] DBG:      serial: 400175048314A4C8218C84A90C16CDDF
2022-02-24 00:47:18 dirmngr[7384] DBG:   notBefore: 2020-10-07 19:21:40
2022-02-24 00:47:18 dirmngr[7384] DBG:    notAfter: 2021-09-29 19:21:40
2022-02-24 00:47:18 dirmngr[7384] DBG:      issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-02-24 00:47:18 dirmngr[7384] DBG:     subject: CN=R3,O=Let's Encrypt,C=US
2022-02-24 00:47:18 dirmngr[7384] DBG:   hash algo: 1.2.840.113549.1.1.11
2022-02-24 00:47:18 dirmngr[7384] DBG:   SHA1 fingerprint: 48504E974C0DAC5B5CD476C8202274B24C8C7172
2022-02-24 00:47:18 dirmngr[7384] DBG: END Certificate

So on my Ubuntu machine the same validate_cert_chain() method can go the happy path only ever encountering valid certificates on the first try while my Windows machine runs into expired certificates and now the potential issues I mentioned in my previous post come into play. Since find_cert_bysubject() loops over certs returned from get_cert_bysubject() and this just loops through the cert cache starting from index 0, the order in which the certificates are loaded from the store is critical to reproduce this bug. Maybe this is why it happens on some Windows machines but not in the test VMs?

@TheParanoidProgrammer thanks for investigating further. It is highly appreciated!

Do those VMs also contain the old root certificate in the store?

Don't know. And today I probably cannot look into it.

Ok, so order of loading is not a problem since the cache does not store them by insertion order, but instead indexes them by the first byte of their fingerprint.
So, I think the problem here is that the expired intermediate certificate (48504E974C0DAC5B5CD476C8202274B24C8C7172) is somehow loaded in Windows and since its fingerprint's first byte is less than the server-supplied intermediate (A053375BFE84E8B748782C7CEE15827A6AF5A405) Windows chooses this one. I can see that the expired intermediate certificate is indeed loaded on Windows if I increase verbosity of dirmngr logs. However, I am still unsure where this certificate lives. The log says it comes from the "CA" store, but searching for it visually or by fingerprint search in Windows Certificates Snap-In (MMC) does not let me find it.
I will keep looking, but if you want to reproduce in your VMs, I suppose adding the expired intermediate certificate and the expired root certificate to the system store should make this reproducible.

Ok, I managed to find 48504E974C0DAC5B5CD476C8202274B24C8C7172 via PowerShell. It was in the CA store of my non-privileged user and since I always checked the certificate store as administrator it did not show up there. After removal of this intermediate certificate I am able to use hkps://keyserver.ubuntu.com.

Still, while this does solve the issue, it's not so much better a solution than ignoring this cert by fingerprint. The root cause in dirmngr would remain and I think we should fix this once and for all. The way I see it from my recent analysis of the source code the proper solution would be to rewrite validate_cert_chain() to explore all possible paths until reaching a trusted and non-expired root certificate. It would also need to backtrack if it reaches a non-trusted or expired root certificate, but there would be other intermediate certificates available with good root certificates. To be fair, I do not know how common it is for SSL certificates to have multiple possible validation paths, so this may be a lot of refactoring for some rare edge case.
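The first-match lookup and the backtracking search described in the comments above, side by side, as an added example that is neither dirmngr's code nor part of the original thread. The certificate model, the function names, the two fingerprints starting with FF and the expiry of the self-signed ISRG Root X1 entry are assumptions made for illustration; the other fingerprints and dates are the ones quoted on this page.

```c
#include <stdio.h>
#include <string.h>

/* Simplified certificate model (an assumption of this example): names,
   expiry as YYYYMMDD and a trust-anchor flag. Signature and constraint
   checks, which a real validator must perform, are left out. */
struct cert {
  const char *fpr, *subject, *issuer;
  long not_after;
  int trusted;
};

/* Cache in fingerprint order. Entries whose fingerprint starts with FF are
   constructed placeholders for the two self-signed roots. */
static const struct cert CACHE[] = {
  {"48504E974C0DAC5B5CD476C8202274B24C8C7172", "R3", "DST Root CA X3", 20210929, 0},
  {"933C6DDEE95C9C41A40F9F50493D82BE03AD87BF", "ISRG Root X1", "DST Root CA X3", 20240930, 0},
  {"A053375BFE84E8B748782C7CEE15827A6AF5A405", "R3", "ISRG Root X1", 20250915, 0},
  {"E3CACEDA898D4EB97D5FA5875FC5D1B6EACB5CCC", "hockeypuck.ubuntu.com", "R3", 20220325, 0},
  {"FF00000000000000000000000000000000000001", "ISRG Root X1", "ISRG Root X1", 20350604, 1},
  {"FF00000000000000000000000000000000000002", "DST Root CA X3", "DST Root CA X3", 20210930, 1},
};
enum { NCERTS = sizeof CACHE / sizeof CACHE[0], LEAF = 3, MAX_DEPTH = 8 };

/* First-match walk: take the first cached certificate whose subject equals
   the issuer name, remember any expiry, stop at a self-signed certificate.
   Returns 1 only if the walk ends at a trusted root with nothing expired. */
int validate_first_match(const struct cert *c, long today)
{
  int expired = 0;
  for (int depth = 0; depth < MAX_DEPTH; depth++) {
    if (c->not_after < today)
      expired = 1;
    if (!strcmp(c->subject, c->issuer))
      return c->trusted && !expired;
    const struct cert *next = NULL;
    for (int i = 0; i < NCERTS && !next; i++)
      if (&CACHE[i] != c && !strcmp(CACHE[i].subject, c->issuer))
        next = &CACHE[i];
    if (!next) return 0;
    c = next;
  }
  return 0;
}

/* Backtracking search: try every candidate issuer and abandon a branch as
   soon as it reaches an expired certificate or an untrusted root.
   Fills path[] and returns the path length, or 0 if no path is acceptable. */
int build_path(const struct cert *c, long today, const struct cert **path, int depth)
{
  if (depth >= MAX_DEPTH || c->not_after < today) return 0;
  path[depth] = c;
  if (!strcmp(c->subject, c->issuer))
    return c->trusted ? depth + 1 : 0;
  for (int i = 0; i < NCERTS; i++) {
    if (&CACHE[i] == c || strcmp(CACHE[i].subject, c->issuer)) continue;
    int len = build_path(&CACHE[i], today, path, depth + 1);
    if (len) return len;
  }
  return 0;
}

int main(void)
{
  const struct cert *path[MAX_DEPTH];
  long today = 20220221;  /* date of the failing log on this page */
  printf("first match: %s\n",
         validate_first_match(&CACHE[LEAF], today) ? "valid" : "rejected");
  int n = build_path(&CACHE[LEAF], today, path, 0);
  for (int i = 0; i < n; i++)
    printf("path[%d] %s (%.8s...)\n", i, path[i]->subject, path[i]->fpr);
  return 0;
}
```

The search rejects the expired R3 (4850...) and the cross-signed ISRG Root X1 (933C...) branches before settling on the path through A053... to the self-signed root.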

@TheParanoidProgrammer this looks like a very good and thorough analysis, thanks again!

A few questions:

since its fingerprint's first byte is less than the server-supplied intermediate (A053375BFE84E8B748782C7CEE15827A6AF5A405) Windows chooses this one.

Do you mean "dirmngr on Windows chooses this one"? As in my mental model, dirmngr only loads all certificates from the Windows stores on startup, but not during operations when requests come in (I may be wrong though, I did not inspect the source code on this).

So I conclude correctly that if we'd add all the certificates to the dirmngr setup on a GNU/Linux system like Ubuntu, we'd see the same problem?

Did you find a good reliable way to extract the Windows certificates from their stores (at least privileged and user) on the Windows command line? This could be turned into a recipe to diagnose if people still have this problem and need to apply the workaround (if they cannot upgrade to a fixed dirmngr). Can you share it? :)

echo BYE | dirmngr -vv --server 2>certs.log

Lists all certificates

echo BYE | dirmngr -vv --server 2>certs.log

Lists all certificates

That works on Ubuntu (WSL in Windows 10), but in CMD on Windows 10 I get an empty certs.log file.
In WSL/Ubuntu I get 128 certificates in the certs.log file.

$ cat certs.log | grep subject | wc -l
128

But in Windows 10 I get nothing in the certs.log file.

However, since I have logging enabled in the dirmngr.conf, I do get stuff in my c:\test\dirmngr.log.
Last four lines.

2022-02-26 14:34:09 [2004] permanently loaded certificates: 181
2022-02-26 14:34:09 [2004] runtime cached certificates: 0
2022-02-26 14:34:09 [2004] trusted certificates: 181 (181,0,0,0)
2022-02-26 14:34:09 [2004] ldap_wrapper_wait_connections: Ooops: signaling condition failed: Input/output error

But in Windows 10 I get nothing in the certs.log file.

@NoSubstitute You probably still have the log-file option in your dirmngr.conf? You need to remove this to get the certs in certs.log, otherwise the output is rerouted to the logfile instead.

Do you mean "dirmngr on Windows chooses this one"? As in my mental model, dirmngr only loads all certificates from the Windows stores on startup, but not during operations when requests come in (I may be wrong though, I did not inspect the source code on this).

dirmngr loads them from Windows stores on startup and trusts them as system certificates, yes. In fact the certificates transmitted from the server are also in the cache because of gnupg_http_tls_verify_cb(), but they are not getting the trust flags. However, since the expired intermediate came from my current user's system store, it was loaded on startup anyway. I suppose even if the expired intermediate's fingerprint's first byte would be greater than the one from the server chain, it would still be selected on Windows because it has the system trust flag set and the original patch for this bug introduced a preference for trusted certs over the first found cert.

So I conclude correctly that if we'd add all the certificates to the dirmngr setup on a GNU/Linux system like Ubuntu, we'd see the same problem?

I suspect that would be the case, I can try to verify later.

For a list of certs loaded by dirmngr Werner's command works fine. If you want to search for a specific cert and where it is located in the Windows certificate stores, you can do so with PowerShell:

Get-ChildItem -path 'Cert:\*CertificateThumbprintWithoutAnySpaces' -Recurse

So for the problematic intermediate:

Get-ChildItem -path 'Cert:\*48504E974C0DAC5B5CD476C8202274B24C8C7172' -Recurse

I think that the particular issue of Let's Encrypt Certificate was handled correctly already.

That is, for the use case of dirmngr with NTBTLS:

  • By the commit rG687993788597: When a server sends old intermediate certificate (fingerprint: 48504E974C0DAC5B5CD476C8202274B24C8C7172) for interoperability, system certificate of new ISRG Root X1 (if available) is preferred over that.
  • By the commit rG4b3e9a44b58e: When system still offers old certificate (of 48504E974C0DAC5B5CD476C8202274B24C8C7172), a user can specify --ignore-cert option to ignore that.

For the fundamental issue of supporting cross-signing certificate in X.509, I created the task: T5882: Cross signing certificate in X.509 support

There might be a possible case (or other cases), like:

  • New certificate of ISRG Root X1 is not yet available in a user's system for some reason

For this case, all that we can do is add documentation asking users to update their system certificates.

If there are other buggy cases like dirmngr with GnuTLS, please create a new ticket to avoid further confusion.

We have a solution for this bug. For further improvements we will use T5882.