Just tracked down a very non-obvious issue with gpg --recv-keys:
When dirmngr detects that the local system has a TOR proxy running and hence
auto-enables “TOR mode” it attempts to use TOR for all outgoing connections as
is expected behaviour. If the system TOR node has the SafeSocks 1 option set,
however, it will disallow any direct-to-IP-address connections, which causes
the SOCKS5 connection request sent by dirmngr to fail.
The only error message in this case is a very unhelpful one-line output from
gpg:

    gpg: keyserver receive failed: Permission denied

It is completely unclear from this that it attempted to do the connection via
TOR or that it failed because the SOCKS5 proxy refused the connection (the
“Permission denied” corresponds to a SOCKS5 error code AFAICT).
The TOR server logs a more helpful message in its own error log, but by the
time you find that you already know what the actual issue was:

    Your application (using socks5 to port 53) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks. Rejecting.

Given that dirmngr supposedly already supports using remote hostname
resolution for the purposes of using .onion addresses, is there any reason why
it cannot just use them for all connection attempts?
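To make the distinction concrete at the wire level, here is an added example (not code from the original post, GnuPG or Tor): it builds the two SOCKS5 CONNECT forms from RFC 1928, a bare IP address (ATYP 0x01/0x04, the client already resolved the name) versus a hostname (ATYP 0x03, the proxy resolves it), classifies a captured request as one or the other, and decodes the proxy's reply code into its RFC text. The keyserver names and the reply bytes are constructed placeholders; which code Tor actually returns under SafeSocks is not claimed here.

```python
import ipaddress
import struct

# RFC 1928 address types and reply codes (the parts of SOCKS5 relevant here)
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure",
              0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
              0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
              0x07: "command not supported", 0x08: "address type not supported"}


def build_connect(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request. An IP literal is sent as ATYP 0x01/0x04
    (client resolved the name itself); a hostname as ATYP 0x03 (proxy resolves)."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 ATYP 0x03")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def classify_request(req: bytes) -> dict:
    """Parse a SOCKS5 CONNECT request as the proxy sees it; 'dns_leak' is True
    when it carries a bare IP address, i.e. the client already did a DNS lookup."""
    if len(req) < 4 or req[:2] != b"\x05\x01":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        dest, end = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_IPV6:
        dest, end = str(ipaddress.IPv6Address(req[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dest, end = req[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    port = struct.unpack("!H", req[end:end + 2])[0]
    return {"dest": dest, "port": port, "dns_leak": atyp != ATYP_DOMAIN}


def decode_reply(reply: bytes) -> str:
    """Map the reply code (second byte of a SOCKS5 reply) to its RFC 1928 text."""
    if len(reply) < 2 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return REPLY_TEXT.get(reply[1], f"unassigned code {reply[1]:#x}")
```

Running `classify_request(build_connect(h, 11371))` for an IP literal and for a hostname shows the only difference SafeSocks cares about: the first request leaks the client's own DNS lookup, the second lets the proxy resolve the name.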