
Allow separate LDAP keyserver for uploading
Open, NormalPublic

Description

For certain environments it is useful to distinguish between LDAP keyservers (*PGP) for download and upload. This can easily be implemented by using a new flag (say "upload") to identify the key to use only for upload.
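As an added illustration of the selection rule this description asks for (this is not GnuPG's dirmngr code), the model below parses `keyserver` directives in the colon-separated LDAP form used later in this task (`ldap:host:port:binddn:password:basedn:flags`) and applies the rule: a server flagged `upload` is chosen for uploads regardless of its position in dirmngr.conf and is skipped for search and fetch. Treating an empty port field as 389, accepting a comma-separated flags field, and rendering an empty flags field as `plain` (as the dirmngr log does) are assumptions; the sample configuration is constructed from the entries quoted in the thread.

```python
"""Model of the keyserver selection rule an "upload" flag implies.

Added example, not GnuPG's own dirmngr code.  It parses `keyserver`
directives in the colon-separated LDAP form used in this task
(ldap:host:port:binddn:password:basedn:flags) and applies the intended
rule: a server flagged `upload` is chosen for uploads regardless of its
position in dirmngr.conf and is skipped for search and fetch.  Treating
an empty port as 389 and rendering an empty flags field as `plain`
(as the dirmngr log does) are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_LDAP_PORT = 389  # assumption: LDAP default when the port field is empty


@dataclass
class LdapKeyserver:
    host: str
    port: int
    bind_dn: str
    password: str
    base_dn: str
    flags: List[str] = field(default_factory=list)

    @property
    def upload_only(self) -> bool:
        return "upload" in self.flags

    def redacted(self) -> str:
        """Render the entry the way the dirmngr log shows it: the bind
        password is replaced by asterisks so it never reaches a log file."""
        flags = ",".join(self.flags) or "plain"
        return f"{self.host}:{self.port}:{self.bind_dn}:*****:{self.base_dn}:{flags}"


def parse_keyserver_line(line: str) -> LdapKeyserver:
    """Parse one `keyserver ldap:...` directive from dirmngr.conf."""
    directive, _, spec = line.strip().partition(" ")
    if directive != "keyserver":
        raise ValueError(f"not a keyserver directive: {line!r}")
    spec = spec.strip()
    if spec.startswith("ldap:"):          # scheme prefix is optional here
        spec = spec[len("ldap:"):]
    parts = spec.split(":")               # DNs contain commas, never colons
    if len(parts) == 5:                   # trailing flags field omitted
        parts.append("")
    if len(parts) != 6:
        raise ValueError(f"expected 6 colon-separated fields, got {len(parts)}: {spec!r}")
    host, port, bind_dn, password, base_dn, flag_field = parts
    flags = [f for f in flag_field.split(",") if f]
    return LdapKeyserver(host, int(port) if port else DEFAULT_LDAP_PORT,
                         bind_dn, password, base_dn, flags)


def parse_config(text: str) -> List[LdapKeyserver]:
    """Collect the keyserver entries of a dirmngr.conf, in file order."""
    return [parse_keyserver_line(ln) for ln in text.splitlines()
            if ln.strip().startswith("keyserver ")]


def select_for_upload(servers: List[LdapKeyserver]) -> Optional[LdapKeyserver]:
    """--send-keys: the first server flagged `upload` wins, whatever its
    position; without such a flag the first configured server is used."""
    for server in servers:
        if server.upload_only:
            return server
    return servers[0] if servers else None


def select_for_search(servers: List[LdapKeyserver]) -> List[LdapKeyserver]:
    """--search-keys / --recv-keys: upload-only servers are skipped, so a
    key that exists only there is neither offered nor fetched."""
    return [server for server in servers if not server.upload_only]


# Constructed sample: the two entries from the task, upload server listed first.
SAMPLE_CONF = """\
keyserver ldap:upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:upload
keyserver ldap:ldap.gnupg.test:389:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:
"""

if __name__ == "__main__":
    servers = parse_config(SAMPLE_CONF)
    print("upload ->", select_for_upload(servers).redacted())
    for s in select_for_search(servers):
        print("search ->", s.redacted())
```

The `redacted()` rendering mirrors what dirmngr prints in its `ldap connect to '...'` lines: the bind password is masked, so the configuration can be echoed into a log or bug report without leaking the credential.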

Event Timeline

werner created this task.
werner changed the task status from Open to Testing. Oct 21 2025, 10:48 AM
werner moved this task from Backlog to WIP on the gnupg26 board.

Implemented but not tested at all.

timegrid changed the task status from Testing to Open. Nov 27 2025, 2:04 PM
timegrid added a subscriber: timegrid.

Tested on gpg4win-5.0.0-beta413 @ win11 with the following entries in dirmngr.conf:

keyserver upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:upload
keyserver ldap.gnupg.test:389:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:

Done:

  • Independent of keyserver order in dirmngr.conf the keyserver with the upload flag is used for upload

Issues found:

  • Although the upload server is used for upload, the gpg message still displays the first keyserver:
gpg --send-keys 04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6
gpg: sende Schlüssel C07E0A4FF028F5D6 auf ldap.gnupg.test:389
  • Independent of keyserver order in dirmngr.conf, --search-keys still offers keys from the upload server, but the download fails:
> gpg --search-keys 04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6
(1)     LDAP test (TEST) <ldap@gnupg.test>
          255 bit key C07E0A4FF028F5D6, erzeugt: 2025-11-27, verfällt: 2026-11-27
Keys 1-1 of 1 for "04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6".  Eingabe von Nummern, Nächste (N) oder Abbrechen (Q) > 1
gpg: Schlüssel "04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6" wurde auf dem Schlüsselserver nicht gefunden
gpg: Suche auf dem Schlüsselserver fehlgeschlagen: Nicht gefunden
2025-11-27 13:48:00 dirmngr[4640] Es wird auf Socket `C:\\Users\\g10\\AppData\\Local\\gnupg\\S.dirmngr' gehört
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `CA': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `CA': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640]    dauerhaft geladene Zertifikate: 27
2025-11-27 13:48:00 dirmngr[4640]  zwischengespeicherte Zertifikate: 0
2025-11-27 13:48:00 dirmngr[4640]     vertrauenswürdige Zertifikate: 27 (27,0,0,0)
2025-11-27 13:48:00 dirmngr[4640] Handhabungsroutine für fd 704 gestartet
2025-11-27 13:48:04 dirmngr[4640] ldap connect to 'upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:*****:dc=gnupg,dc=test:plain'
2025-11-27 13:48:04 dirmngr[4640] ldap timeout set to 15s
2025-11-27 13:48:04 dirmngr[4640] DBG: my_ldap_connect: ldap_bind to 'uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test' succeeded
2025-11-27 13:48:04 dirmngr[4640] DBG: interrogate_ldap_dn: searched for 'cn=pgpServerInfo,dc=gnupg,dc=test': ldaprc=0
2025-11-27 13:48:04 dirmngr[4640] DBG: interrogate_ldap_dn: baseDN='ou=GnuPG Keys,dc=gnupg,dc=test'
2025-11-27 13:48:04 dirmngr[4640] DBG: interrogate_ldap_dn: pgpSoftware: 	GnuPG
2025-11-27 13:48:04 dirmngr[4640] DBG: interrogate_ldap_dn: pgpVersion:	2 schema2
2025-11-27 13:48:04 dirmngr[4640] DBG: my_ldap_connect: serverinfo set to realldap; basedn 'ou=GnuPG Keys,dc=gnupg,dc=test'
2025-11-27 13:48:04 dirmngr[4640] DBG: ldap_conn: 0x00000000008be9e8
2025-11-27 13:48:04 dirmngr[4640] DBG: server_type: LDAP
2025-11-27 13:48:04 dirmngr[4640] DBG: basedn: ou=GnuPG Keys,dc=gnupg,dc=test
2025-11-27 13:48:04 dirmngr[4640] DBG: pgpkeyattr: pgpKey
2025-11-27 13:48:04 dirmngr[4640] DBG: SEARCH '04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6' => '(|(gpgFingerprint=04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6)(gpgSubFingerprint=04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6))' BEGIN
2025-11-27 13:48:04 dirmngr[4640] DBG: SEARCH 04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6 END
2025-11-27 13:58:20 dirmngr[4640] Handhabungsroutine für fd 800 gestartet
2025-11-27 13:58:25 dirmngr[4640] DBG: skipping upload-only server 'upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:upload'
2025-11-27 13:58:25 dirmngr[4640] ldap connect to 'ldap.gnupg.test:389:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:*****:dc=gnupg,dc=test:plain'
2025-11-27 13:58:25 dirmngr[4640] ldap timeout set to 15s
2025-11-27 13:58:25 dirmngr[4640] DBG: my_ldap_connect: ldap_bind to 'uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test' succeeded
2025-11-27 13:58:25 dirmngr[4640] DBG: interrogate_ldap_dn: searched for 'cn=pgpServerInfo,dc=gnupg,dc=test': ldaprc=0
2025-11-27 13:58:25 dirmngr[4640] DBG: interrogate_ldap_dn: baseDN='ou=GnuPG Keys,dc=gnupg,dc=test'
2025-11-27 13:58:25 dirmngr[4640] DBG: interrogate_ldap_dn: pgpSoftware: 	GnuPG
2025-11-27 13:58:25 dirmngr[4640] DBG: interrogate_ldap_dn: pgpVersion:	2 schema2
2025-11-27 13:58:25 dirmngr[4640] DBG: my_ldap_connect: serverinfo set to realldap; basedn 'ou=GnuPG Keys,dc=gnupg,dc=test'
2025-11-27 13:58:25 dirmngr[4640] DBG: ldap_conn: 0x00000000008be9e8
2025-11-27 13:58:25 dirmngr[4640] DBG: server_type: LDAP
2025-11-27 13:58:25 dirmngr[4640] DBG: basedn: ou=GnuPG Keys,dc=gnupg,dc=test
2025-11-27 13:58:25 dirmngr[4640] DBG: pgpkeyattr: pgpKey
2025-11-27 13:58:25 dirmngr[4640] DBG: ks-ldap: using filter: (|(gpgFingerprint=04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6)(gpgSubFingerprint=04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6))
2025-11-27 13:58:25 dirmngr[4640] ks-ldap: '0x04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6' not found on LDAP server
2025-11-27 13:58:25 dirmngr[4640] command 'KS_GET' failed: Keine Daten
2025-11-27 13:58:25 dirmngr[4640] Handhabungsroutine für den fd 800 beendet
2025-11-27 13:58:25 dirmngr[4640] Handhabungsroutine für den fd 704 beendet
2025-11-27 13:59:00 dirmngr[4640] running scheduled tasks

For "Although the upload server is used for upload, the gpg message still displays the first keyserver" see T8025

Independent of keyserver order in dirmngr.conf, --search-keys still offers keys from the upload server, but the download fails:

I can't see from the log that this happens: The upload server is skipped and the search only takes place on the standard server. Can you please repeat with "debug ipc" in dirmngr.conf so that we can see the commands sent to dirmngr?

The behaviour might have changed a bit because of the ldap: prefix I use now, or I have missed this case the last time:
Given some cert on the "download" server, I can find it if dirmngr.conf contains only the "download" server, or if the "download" server is listed first:

C:\Users\g10>gpg --search-keys 45B50EE5F6FCAF821B293C53440857D04B65BDDB
(1)     team cv25519 <team.cv25519@gnupg.test>
          255 bit key 440857D04B65BDDB, created: 2026-01-09, expires: 2029-01-09
Keys 1-1 of 1 for "45B50EE5F6FCAF821B293C53440857D04B65BDDB".  Enter number(s), N)ext, or Q)uit >

If the upload server is listed first, I get no result (command entered twice because of T8012: Missing error on first key search without keyserver):

C:\Users\g10>gpg --search-keys 45B50EE5F6FCAF821B293C53440857D04B65BDDB

C:\Users\g10>gpg --search-keys 45B50EE5F6FCAF821B293C53440857D04B65BDDB
gpg: key "45B50EE5F6FCAF821B293C53440857D04B65BDDB" not found on keyserver

dirmngr log:

2026-01-09 14:05:16 dirmngr[8336] listening on socket 'C:\\Users\\g10\\AppData\\Local\\gnupg\\S.dirmngr'
2026-01-09 14:05:16 dirmngr[8336] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:05:16 dirmngr[8336] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:05:16 dirmngr[8336] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:05:16 dirmngr[8336] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:05:16 dirmngr[8336] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:05:16 dirmngr[8336] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:05:16 dirmngr[8336] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:05:16 dirmngr[8336] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:05:16 dirmngr[8336] error loading certificate 'CA': Certificate expired
2026-01-09 14:05:16 dirmngr[8336] error loading certificate 'CA': Certificate expired
2026-01-09 14:05:16 dirmngr[8336] permanently loaded certificates: 27
2026-01-09 14:05:16 dirmngr[8336]     runtime cached certificates: 0
2026-01-09 14:05:16 dirmngr[8336]            trusted certificates: 27 (27,0,0,0)
2026-01-09 14:05:16 dirmngr[8336] handler for fd 732 started
2026-01-09 14:05:16 dirmngr[8336] DBG: chan_0x00000000000002dc -> # Home: C:\Users\g10\AppData\Roaming\gnupg
2026-01-09 14:05:16 dirmngr[8336] DBG: chan_0x00000000000002dc -> # Config: C:/Users/g10/AppData/Roaming/gnupg/dirmngr.conf
2026-01-09 14:05:16 dirmngr[8336] DBG: chan_0x00000000000002dc -> OK Dirmngr 2.5.16 at your service, process 8336
2026-01-09 14:05:16 dirmngr[8336] DBG: chan_0x00000000000002dc <- GETINFO version
2026-01-09 14:05:16 dirmngr[8336] DBG: chan_0x00000000000002dc -> D 2.5.16
2026-01-09 14:05:16 dirmngr[8336] DBG: chan_0x00000000000002dc -> OK
2026-01-09 14:05:16 dirmngr[8336] DBG: chan_0x00000000000002dc <- KS_SEARCH -- 45B50EE5F6FCAF821B293C53440857D04B65BDDB
2026-01-09 14:05:20 dirmngr[8336] ldap connect to 'upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:*****:dc=gnupg,dc=test:plain'
2026-01-09 14:05:20 dirmngr[8336] ldap timeout set to 15s
2026-01-09 14:05:20 dirmngr[8336] DBG: chan_0x00000000000002dc -> D info:1:0%0A
2026-01-09 14:05:20 dirmngr[8336] DBG: chan_0x00000000000002dc -> OK
2026-01-09 14:05:20 dirmngr[8336] DBG: chan_0x00000000000002dc <- BYE
2026-01-09 14:05:20 dirmngr[8336] DBG: chan_0x00000000000002dc -> OK closing connection
2026-01-09 14:05:20 dirmngr[8336] handler for fd 732 terminated
2026-01-09 14:05:23 dirmngr[8336] handler for fd 748 started
2026-01-09 14:05:23 dirmngr[8336] DBG: chan_0x00000000000002ec -> # Home: C:\Users\g10\AppData\Roaming\gnupg
2026-01-09 14:05:23 dirmngr[8336] DBG: chan_0x00000000000002ec -> # Config: C:/Users/g10/AppData/Roaming/gnupg/dirmngr.conf
2026-01-09 14:05:23 dirmngr[8336] DBG: chan_0x00000000000002ec -> OK Dirmngr 2.5.16 at your service, process 8336
2026-01-09 14:05:23 dirmngr[8336] DBG: chan_0x00000000000002ec <- GETINFO version
2026-01-09 14:05:23 dirmngr[8336] DBG: chan_0x00000000000002ec -> D 2.5.16
2026-01-09 14:05:23 dirmngr[8336] DBG: chan_0x00000000000002ec -> OK
2026-01-09 14:05:23 dirmngr[8336] DBG: chan_0x00000000000002ec <- KS_SEARCH -- 45B50EE5F6FCAF821B293C53440857D04B65BDDB
2026-01-09 14:05:27 dirmngr[8336] ldap connect to 'upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:*****:dc=gnupg,dc=test:plain'
2026-01-09 14:05:27 dirmngr[8336] ldap timeout set to 15s
2026-01-09 14:05:27 dirmngr[8336] DBG: chan_0x00000000000002ec -> D info:1:0%0A
2026-01-09 14:05:27 dirmngr[8336] DBG: chan_0x00000000000002ec -> OK
2026-01-09 14:05:27 dirmngr[8336] DBG: chan_0x00000000000002ec <- BYE
2026-01-09 14:05:27 dirmngr[8336] DBG: chan_0x00000000000002ec -> OK closing connection
2026-01-09 14:05:27 dirmngr[8336] handler for fd 748 terminated

Regarding your original request for the logs for the offered keys on the upload server:

Given:

  • "download" ldap
  • upload ldap
  • dirmngr.conf
keyserver ldap:upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:upload
keyserver ldap:ldap.gnupg.test:389:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:

command (key only on upload server):

C:\Users\g10>gpg --search-keys 98111E67AE06F2BEFD2BDE10C5D6C919005F36A4
(1)     Ted Tester <Ted.Tester@demo.gnupg.com>
          3072 bit RSA key C5D6C919005F36A4, created: 2023-03-08
Keys 1-1 of 1 for "98111E67AE06F2BEFD2BDE10C5D6C919005F36A4".  Enter number(s), N)ext, or Q)uit >

dirmngr log:

2026-01-09 14:15:11 dirmngr[9752] listening on socket 'C:\\Users\\g10\\AppData\\Local\\gnupg\\S.dirmngr'
2026-01-09 14:15:11 dirmngr[9752] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:15:11 dirmngr[9752] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:15:11 dirmngr[9752] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:15:11 dirmngr[9752] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:15:11 dirmngr[9752] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:15:11 dirmngr[9752] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:15:11 dirmngr[9752] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:15:11 dirmngr[9752] error loading certificate 'ROOT': Certificate expired
2026-01-09 14:15:11 dirmngr[9752] error loading certificate 'CA': Certificate expired
2026-01-09 14:15:11 dirmngr[9752] error loading certificate 'CA': Certificate expired
2026-01-09 14:15:11 dirmngr[9752] permanently loaded certificates: 27
2026-01-09 14:15:11 dirmngr[9752]     runtime cached certificates: 0
2026-01-09 14:15:11 dirmngr[9752]            trusted certificates: 27 (27,0,0,0)
2026-01-09 14:15:11 dirmngr[9752] handler for fd 716 started
2026-01-09 14:15:11 dirmngr[9752] DBG: chan_0x00000000000002cc -> # Home: C:\Users\g10\AppData\Roaming\gnupg
2026-01-09 14:15:11 dirmngr[9752] DBG: chan_0x00000000000002cc -> # Config: C:/Users/g10/AppData/Roaming/gnupg/dirmngr.conf
2026-01-09 14:15:11 dirmngr[9752] DBG: chan_0x00000000000002cc -> OK Dirmngr 2.5.16 at your service, process 9752
2026-01-09 14:15:11 dirmngr[9752] DBG: chan_0x00000000000002cc <- GETINFO version
2026-01-09 14:15:11 dirmngr[9752] DBG: chan_0x00000000000002cc -> D 2.5.16
2026-01-09 14:15:11 dirmngr[9752] DBG: chan_0x00000000000002cc -> OK
2026-01-09 14:15:11 dirmngr[9752] DBG: chan_0x00000000000002cc <- KS_SEARCH -- 98111E67AE06F2BEFD2BDE10C5D6C919005F36A4
2026-01-09 14:15:15 dirmngr[9752] ldap connect to 'upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:*****:dc=gnupg,dc=test:plain'
2026-01-09 14:15:15 dirmngr[9752] ldap timeout set to 15s
2026-01-09 14:15:15 dirmngr[9752] DBG: chan_0x00000000000002cc -> D info:1:1%0A
2026-01-09 14:15:15 dirmngr[9752] DBG: chan_0x00000000000002cc -> D pub:98111E67AE06F2BEFD2BDE10C5D6C919005F36A4:1:3072:1678273795:::20260109T130839%0A
2026-01-09 14:15:15 dirmngr[9752] DBG: chan_0x00000000000002cc -> D uid:Ted Tester <Ted.Tester@demo.gnupg.com>%0A
2026-01-09 14:15:15 dirmngr[9752] DBG: chan_0x00000000000002cc -> OK