Page MenuHome GnuPG
Create Task
Maniphest T6708

Allow to inhibit the use of a default PGP keyserver
Closed, ResolvedPublic
Actions

Description

Often it is not desirable to use a keyserver,. However, not configuring one will fallback to a hardwired default OpenPGP keyserver. A new value "none" shall be used to disable the keyservers and have dirmngr to return GPG_ERR_NO_KEYSERVER.

Revisions and Commits

rG GnuPG
rG936954a18a2d dirmngr: Relax the detection of the "none" keyserver.
rG4fc745bc43a7 dirmngr: Relax the detection of the "none" keyserver.
rG0aa32e2429bb dirmngr: Allow conf files to disable default keyservers.
rG0ad13023905d dirmngr: Allow conf files to disable default keyservers.

Related Objects

Event Timeline

werner triaged this task as Normal priority.Sep 6 2023, 9:36 AM
werner created this task.
werner created this object with edit policy "Contributor (Project)".
werner added a project: vsd.Sep 6 2023, 9:52 AM
werner moved this task from Backlog to QA on the gnupg22 board.

Note that for vsd we also need to change our default configuration file. The new "none" value provides a better error message than the old default of assuming that the AD carries the keyserver (which it does not in practise).

werner moved this task from Backlog to QA on the gnupg24 board.Sep 6 2023, 9:52 AM
werner added a commit: rG0ad13023905d: dirmngr: Allow conf files to disable default keyservers..Sep 6 2023, 9:53 AM
werner added a commit: rG0aa32e2429bb: dirmngr: Allow conf files to disable default keyservers..
werner added a comment.Sep 6 2023, 9:57 AM

BTW, with one of the recent gpgme fixes we now get

$~/b/gpgme/tests/run-keylist  --extern --verbose foo
run-keylist: file /home/wk/s/gpgme/tests/run-keylist.c line 414: <Dirmngr> No keyserver available

which is what users (and kleopatra) expects.

ebo changed the task status from Open to Testing.Sep 7 2023, 10:50 AM
werner added a commit: rG4fc745bc43a7: dirmngr: Relax the detection of the "none" keyserver..Sep 11 2023, 11:29 AM
werner added a commit: rG936954a18a2d: dirmngr: Relax the detection of the "none" keyserver..Sep 11 2023, 11:32 AM
ebo changed the task status from Testing to Open.Sep 25 2023, 1:18 PM
ebo moved this task from QA to WiP on the gnupg22 board.
ebo added projects: kleopatra, Restricted Project.
ebo added subscribers: aheinecke, ikloecker, ebo.

This works insofar that it is now possible to set "none" (via the registry in VSD):

But it does not speed up the lookup in Kleopatra as much as hoped for, yet, as we are held up by the error message "Suche auf Zertifikatserver fehlgeschlagen. Die Fehlermeldung lautet:
Kein Schlüsselserver verfügbar":

If we explicitly set "none" as a keyserver, there should be no error message because of it.

Only after acknowledging this message window do we get the WKD result.

I additionally suggest showing the WKD result first and only then showing an info window similar to the one we now show for key updates (T5903). This would fit into the scope of Ticket T6493, "Improvements on search window", though. Please consider to raise the prio of it if you want to continue this issue there.

werner moved this task from WiP to QA on the gnupg22 board.Oct 5 2023, 11:35 AM

Form the Gnupg-2.2 commit rG936954a18a2df made sure that the hkps:// prefixing from kleopatra is ignored.

ebo added a comment.Oct 13 2023, 3:59 PM

Well I have looked at this ticket and posted a comment. We should talk about if there is anything left to do or not. I suspect that the gpg side is done and I should open one (or probably better several) ticket(s) for the kleopatra side.

werner added a comment.Oct 16 2023, 1:47 PM

I am pretty sure that we have done everything in gnupg. Now if we only had a workboard for kleopatra.

ikloecker mentioned this in T6761: Kleopatra: Handle special keyserver value "none".Oct 16 2023, 2:14 PM
ikloecker removed a project: kleopatra.

Needed changes in Kleopatra are tracked in T6761.

ebo closed this task as Resolved.Oct 18 2023, 8:56 AM
ebo claimed this task.
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ebo moved this task from QA to gnupg-2.2.42 on the gnupg22 board.Oct 18 2023, 9:14 AM
ebo edited projects, added gnupg22 (gnupg-2.2.42); removed gnupg22.
werner mentioned this in T6307: Release GnuPG 2.2.42.Nov 28 2023, 4:59 PM
ikloecker mentioned this in T6866: Kleopatra: Remove fallback to keys.gnupg.net if no key server is configured.Dec 5 2023, 10:09 AM
ebo added a comment.EditedJan 18 2024, 12:11 PM

Does not work in Gpg4win-4.2.1-beta178

Inserting "none" as keyserver and saving results in the setting "hkps://none":


Which then causes:

After clicking OK, the search result for WKD is correctly shown though, that part is ok.

ebo reopened this task as Open.Jan 18 2024, 12:12 PM
ebo moved this task from QA to WiP on the gnupg24 board.
ebo added a comment.Jan 18 2024, 3:33 PM

The fix was not included in the Testbuid...

aheinecke added a comment.Jan 18 2024, 3:54 PM

Hi, ebo I would still think this is resolved. Because it was never meant that the user manually enters the value of "none" because there is no hint for the user that "none" is a reserved word. It should either be administratively configured which does not make much sense for Gpg4win or provided by the distribution. If left empty the default of GnuPG should be used. If we really want users to deactivate keyserver access by using "none" in the dirmngr.conf a much better solution would be a checkbox for this. In that case I would open a new issue.

ikloecker added a comment.Jan 19 2024, 8:34 AM

To be clear: This ticket is only about GnuPG (more precisely dirmngr) and the changes are included in VSD and Gpg4win.

Related changes in Kleopatra which are not included in VSD and Gpg4win are tracked in T6761: Kleopatra: Handle special keyserver value "none".

werner added a comment.Jan 19 2024, 9:01 AM

Sorry, it was my fault building the test installer.

werner added a comment.Jan 19 2024, 9:03 AM

I would also suggest that we show the git last git commit in Kleo's About dialog. That makes it far easier to see what we are testing. The Kleo version numbers are a bit arbitrary.

ikloecker added a comment.Jan 19 2024, 9:54 AM
In T6708#181592, @werner wrote:

I would also suggest that we show the git last git commit in Kleo's About dialog. That makes it far easier to see what we are testing. The Kleo version numbers are a bit arbitrary.

It would also be helpful to include the git commit hash (additionally to the date) in the name of the snapshot tarballs used for gpg4win because the date is ambiguous.

aheinecke mentioned this in T6950: Kleopatra: Usability improvements for directory services configuration.Jan 19 2024, 9:13 PM
aheinecke closed this task as Resolved.Jan 19 2024, 9:39 PM
werner moved this task from WiP to gnupg-2.4.4 on the gnupg24 board.Jan 24 2024, 2:20 PM
werner edited projects, added gnupg24 (gnupg-2.4.4); removed gnupg24.
werner added a comment.Jan 24 2024, 2:22 PM

Fixes are already in GnuPG 2.4.4 and can't be easily tested. Thus closing also for gnupg24

werner mentioned this in T6578: Release GnuPG 2.4.4.Jan 25 2024, 11:37 AM