
dirmngr fails `gpg --recv-key` in very non-obvious way if local TOR node in SafeSocks mode is running
Closed, Wontfix (Public)


Just tracked down a very non-obvious issue with gpg --recv-keys:

When dirmngr detects that the local system has a TOR proxy running and hence
auto-enables “TOR mode” it attempts to use TOR for all outgoing connections as
is expected behaviour. If the system TOR node has the SafeSocks 1 option set
however, it will disallow any direct to IP address connections which causes
the SOCKS5 connection request sent by dirmngr to fail.

The only error message in this case is a very unhelpful one-line output from

gpg: keyserver receive failed: Permission denied

It is completely unclear from this that it attempted to do the connection via
TOR or that it failed because the SOCKS5 proxy refused the connection (the
“Permission denied” corresponds to a SOCKS5 error code AFAICT).

The TOR server logs a more helpful message in its own error log, but by the
time you find that you already know what the actual issue was:

Your application (using socks5 to port 53) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see Rejecting.

Given that dirmngr supposedly already supports using remote hostname
resolution for the purposes of using .onion addresses, is there any reason why
it cannot just use them for all connection attempts?


dirmngr (GnuPG) 2.2.40
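To see how a SafeSocks refusal turns into that one-line error, here is an added example (not code from dirmngr, libassuan or GnuPG) that builds the SOCKS5 CONNECT request both ways (literal IP address vs. domain name), emulates a Tor SOCKS port with SafeSocks 1 that refuses ATYP 0x01/0x04 requests, and maps the reply code to an errno the way a minimal client would. The reply-code-to-errno table (0x02 "connection not allowed by ruleset" surfacing as EACCES, i.e. "Permission denied") and the sample hosts are assumptions made for this example.

```python
import errno
import ipaddress
import os
import struct

# RFC 1928 reply codes and the errno a client is assumed to map them to;
# 0x02 -> EACCES is what a user sees as "Permission denied". (Assumed mapping.)
SOCKS5_REPLY_ERRNO = {
    0x01: errno.ENETDOWN,         # general SOCKS server failure
    0x02: errno.EACCES,           # connection not allowed by ruleset (SafeSocks)
    0x03: errno.ENETUNREACH,      # network unreachable
    0x04: errno.EHOSTUNREACH,     # host unreachable
    0x05: errno.ECONNREFUSED,     # connection refused
    0x06: errno.ETIMEDOUT,        # TTL expired
    0x08: errno.EPROTONOSUPPORT,  # address type not supported
}

def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928 section 4).
    A literal IP is sent as ATYP 0x01/0x04; any other host as ATYP 0x03
    (domain name), which leaves name resolution to the proxy."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def safesocks_reply(request: bytes) -> bytes:
    """Emulate a Tor SOCKS port with SafeSocks 1: CONNECT requests carrying a
    raw IP address are rejected with reply 0x02; domain names are accepted."""
    if request[:3] != b"\x05\x01\x00":
        return b"\x05\x07\x00\x01" + bytes(6)   # command not supported
    rep = 0x00 if request[3] == 0x03 else 0x02
    return bytes([0x05, rep, 0x00, 0x01]) + bytes(6)  # BND.ADDR/PORT zeroed

def describe_reply(reply: bytes) -> str:
    """The message a client that only maps reply code -> errno would print."""
    rep = reply[1]
    if rep == 0x00:
        return "succeeded"
    return os.strerror(SOCKS5_REPLY_ERRNO.get(rep, errno.ENOENT))

def simulate(host: str, port: int = 443) -> str:
    """Run one CONNECT against the emulated SafeSocks proxy (constructed hosts)."""
    return describe_reply(safesocks_reply(socks5_connect_request(host, port)))
```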

Event Timeline

werner claimed this task.
werner edited projects, added Not A Bug, Tor, gnupg; removed Bug Report.
werner added a subscriber: werner.

For various reasons dirmngr requires a full resolver and implements that. This way all DNS queries are passed through Tor. Thus this is a feature and not a bug. The error message could be better, but we can only return what SOCKS tells us.