
GnuPG could not work when TCP congestion provider is set to BBR2 in Windows
Open, Normal, Public

Description

Hi team,

Just found a problem when using gpg on the command line. It seems gpg cannot work if the TCP congestion provider is BBR2.

My platform is Windows 11 24H2 and gpg 2.5.5.

The TCP congestion provider BBR2 was introduced in 23H2. Users can run the commands below to switch from the default NewReno/CUBIC to the new provider:

>netsh interface tcp set supplemental Template=Compat CongestionProvider=bbr2
>netsh interface tcp set supplemental Template=Datacenter CongestionProvider=bbr2
>netsh interface tcp set supplemental Template=DatacenterCustom CongestionProvider=bbr2
>netsh interface tcp set supplemental Template=Internet CongestionProvider=bbr2
>netsh interface tcp set supplemental Template=InternetCustom CongestionProvider=bbr2

After that, unfortunately gpg is not able to work.

When I try to generate keys, gpg keeps showing a flashing cursor even after I have waited for more than 30 minutes:

> gpg --full-generate-key
gpg (GnuPG) 2.5.5; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
  (16) ECC and Kyber
Your selection?
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection?
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at 03/21/25 01:27:01 Taipei Standard Time
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: test
Email address: test@test.com
Comment:
You selected this USER-ID:
    "test <test@test.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

I tried another one, but still got the same result:

> gpg --import test.ssb
gpg: key <hidden>: public key "<hidden>" imported

It still keeps showing the flashing cursor.

I switched back from BBR2 to the default NewReno/CUBIC, then gpg works fine immediately.

I have traced the process; gpg seems unable to show the Pinentry window. The window should pop up after running the command.

Pinentry

Please enter the passphrase to protect your new key.

I'm afraid that Windows will change the default TCP congestion provider in the future, which will break gpg. Not sure if gpg uses any internal or socket-level network transmission (loopback interface, or IPC?), because I think only the network transport could cause this problem.

Hope this can help, thanks a lot.

Details

Version
2.5.5

Event Timeline

werner triaged this task as Normal priority. Fri, Mar 21, 8:43 PM
werner added projects: gnupg, Not A Bug, Support.
werner added a subscriber: werner.

Indeed, GnuPG's IPC uses TCP connections from 127.0.0.1 to 127.0.0.1 taking the destination port (and a cookie) from a file. We can't change that easily to the new Unix socket implementation Windows recently introduced. I hope there is a way to exclude localhost->localhost from congestion control.
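To separate a transport-level stall like the one reported above from a Pinentry problem, here is an added diagnostic example (not GnuPG's or libassuan's own code). It assumes the libassuan Windows socket-emulation file layout, an ASCII port number, a newline and a 16-byte nonce, and that the client must send the nonce before the agent answers with its Assuan "OK" greeting; the fake agent and the sample file content are constructed for the demonstration.

```python
import socket
import threading

NONCE_LEN = 16  # assumed: libassuan's Windows socket emulation uses a 16-byte nonce


def parse_socket_file(data: bytes):
    """Parse a GnuPG Windows socket file: ASCII port, newline, then the nonce (assumed layout)."""
    nl = data.find(b"\n")
    if nl <= 0:
        raise ValueError("missing port line")
    port = int(data[:nl].decode("ascii"))
    nonce = data[nl + 1:]
    if not 0 < port < 65536 or len(nonce) != NONCE_LEN:
        raise ValueError("malformed socket file")
    return port, nonce


def probe_loopback(port: int, nonce: bytes, timeout: float = 3.0) -> str:
    """Connect to 127.0.0.1:port, send the nonce and wait for the Assuan greeting.
    Returns 'ok', 'refused', 'timeout' (a stall like the one in this report) or 'unexpected'."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(nonce)
            greeting = s.recv(256)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    return "ok" if greeting.startswith(b"OK") else "unexpected"


def start_fake_agent(nonce: bytes, stall: bool = False) -> int:
    """Constructed stand-in for gpg-agent on an ephemeral loopback port (not GnuPG code).
    Replies 'OK' after a correct nonce; with stall=True it accepts but never answers."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            got = conn.recv(NONCE_LEN)
            if stall:
                conn.recv(1)  # block until the client gives up and closes
            elif got == nonce:
                conn.sendall(b"OK Pleased to meet you\n")

    threading.Thread(target=serve, daemon=True).start()
    return port
```

A real check would read the agent's socket file from the GnuPG home directory and call probe_loopback with its port and nonce; "ok" means the loopback TCP path and nonce handshake work, "timeout" reproduces the hang seen in this report.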