Allow to inhibit the use of a default PGP keyserver
Closed, Resolved, Public

Description

Often it is not desirable to use a keyserver. However, not configuring one will fall back to a hardwired default OpenPGP keyserver. A new value "none" shall be used to disable the keyservers and have dirmngr return GPG_ERR_NO_KEYSERVER.

Event Timeline

werner triaged this task as Normal priority. Sep 6 2023, 9:36 AM
werner created this task.
werner created this object with edit policy "Contributor (Project)".
werner moved this task from Backlog to QA on the gnupg22 board.

Note that for vsd we also need to change our default configuration file. The new "none" value provides a better error message than the old default of assuming that the AD carries the keyserver (which it does not in practice).

BTW, with one of the recent gpgme fixes we now get

$~/b/gpgme/tests/run-keylist  --extern --verbose foo
run-keylist: file /home/wk/s/gpgme/tests/run-keylist.c line 414: <Dirmngr> No keyserver available

which is what users (and kleopatra) expect.

ebo changed the task status from Open to Testing. Sep 7 2023, 10:50 AM
ebo changed the task status from Testing to Open. Sep 25 2023, 1:18 PM
ebo moved this task from QA to WiP on the gnupg22 board.
ebo added projects: kleopatra, Restricted Project.
ebo added subscribers: aheinecke, ikloecker, ebo.

This works insofar that it is now possible to set "none" (via the registry in VSD):

But it does not speed up the lookup in Kleopatra as much as hoped for, yet, as we are held up by the error message "Suche auf Zertifikatserver fehlgeschlagen. Die Fehlermeldung lautet:
Kein Schlüsselserver verfügbar":

If we explicitly set "none" as a keyserver, there should be no error message because of it.

Only after acknowledging this message window do we get the WKD result.

I additionally suggest showing the WKD result first and only then showing an info window similar to the one we now show for key updates (T5903). This would fit into the scope of Ticket T6493, "Improvements on search window", though. Please consider raising the prio of it if you want to continue this issue there.

The Gnupg-2.2 commit rG936954a18a2df made sure that the hkps:// prefixing from kleopatra is ignored.

Well I have looked at this ticket and posted a comment. We should talk about if there is anything left to do or not. I suspect that the gpg side is done and I should open one (or probably better several) ticket(s) for the kleopatra side.

I am pretty sure that we have done everything in gnupg. Now if we only had a workboard for kleopatra.

ebo claimed this task.
ebo edited projects, added gnupg22 (gnupg-2.2.42); removed gnupg22.

Does not work in Gpg4win-4.2.1-beta178

Inserting "none" as keyserver and saving results in the setting "hkps://none":


Which then causes:

After clicking OK, the search result for WKD is correctly shown though, that part is ok.

ebo moved this task from QA to WiP on the gnupg24 board.

The fix was not included in the Testbuild...

Hi ebo, I would still think this is resolved. Because it was never meant that the user manually enters the value of "none" because there is no hint for the user that "none" is a reserved word. It should either be administratively configured, which does not make much sense for Gpg4win, or provided by the distribution. If left empty the default of GnuPG should be used. If we really want users to deactivate keyserver access by using "none" in the dirmngr.conf, a much better solution would be a checkbox for this. In that case I would open a new issue.

To be clear: This ticket is only about GnuPG (more precisely dirmngr) and the changes are included in VSD and Gpg4win.

Related changes in Kleopatra which are not included in VSD and Gpg4win are tracked in T6761: Kleopatra: Handle special keyserver value "none".

Sorry, it was my fault building the test installer.

I would also suggest that we show the last git commit in Kleo's About dialog. That makes it far easier to see what we are testing. The Kleo version numbers are a bit arbitrary.

It would also be helpful to include the git commit hash (in addition to the date) in the name of the snapshot tarballs used for gpg4win because the date is ambiguous.

Fixes are already in GnuPG 2.4.4 and can't be easily tested. Thus closing also for gnupg24