Page MenuHome GnuPG
Create Task
Maniphest T7866

Allow separate LDAP keyserver for uploading
Open, NormalPublic
Actions

Description

For certain environments it is useful to distinguish between LDAP keyservers (*PGP) for download and upload. This can easily be implemented by using a new flag (say "upload") to identity the key to use only for upload.

Revisions and Commits

rG GnuPG
rG31de5d0d8cd5 dirmngr: New LDAP keyserver flag "upload"

Related Objects

Event Timeline

werner triaged this task as Normal priority.Oct 21 2025, 10:42 AM
werner created this task.
werner added a commit: rG31de5d0d8cd5: dirmngr: New LDAP keyserver flag "upload".Oct 21 2025, 10:47 AM
werner changed the task status from Open to Testing.Oct 21 2025, 10:48 AM
werner moved this task from Backlog to WIP on the gnupg26 board.

Implemented but not tested at all.

werner mentioned this in T7869: Release GnuPG 2.5.14.Oct 22 2025, 2:18 PM
werner mentioned this in T7801: Release GnuPG 2.5.13.Oct 22 2025, 2:21 PM
werner moved this task from WIP to QA on the gnupg26 board.Oct 22 2025, 2:24 PM
werner merged a task: T7779: dirmngr: use different keyserver for sending and receiving certificates.Oct 23 2025, 1:40 PM
werner added a subscriber: alexk.
werner added a project: vsd34.Fri, Nov 21, 4:08 PM
alexk added a project: gnupg22.Fri, Nov 21, 4:09 PM
timegrid changed the task status from Testing to Open.Thu, Nov 27, 2:04 PM
timegrid added a subscriber: timegrid.

Tested on gpg4win-5.0.0-beta413 @ win11 with the following entries in dirmngr.conf:

keyserver upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:upload
keyserver ldap.gnupg.test:389:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:

Done:

  • Independent of keyserver order in dirmngr.conf the keyserver with the upload flag is used for upload

Issues found:

  • Although the upload server is used for upload, the gpg message still displays the first keyserver:
gpg --send-keys 04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6
gpg: sende Schlüssel C07E0A4FF028F5D6 auf ldap.gnupg.test:389
  • Independent of keyserver order in dirmngr.conf, --search-keys still offers keys from the upload server, but the download fails:
> gpg --search-keys 04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6
(1)     LDAP test (TEST) <ldap@gnupg.test>
          255 bit key C07E0A4FF028F5D6, erzeugt: 2025-11-27, verfällt: 2026-11-27
Keys 1-1 of 1 for "04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6".  Eingabe von Nummern, Nächste (N) oder Abbrechen (Q) > 1
gpg: Schlüssel "04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6" wurde auf dem Schlüsselserver nicht gefunden
gpg: Suche auf dem Schlüsselserver fehlgeschlagen: Nicht gefunden
2025-11-27 13:48:00 dirmngr[4640] Es wird auf Socket `C:\\Users\\g10\\AppData\\Local\\gnupg\\S.dirmngr' gehört
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `ROOT': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `CA': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640] Fehler beim Laden des Zertifikats `CA': Zertifikat abgelaufen
2025-11-27 13:48:00 dirmngr[4640]    dauerhaft geladene Zertifikate: 27
2025-11-27 13:48:00 dirmngr[4640]  zwischengespeicherte Zertifikate: 0
2025-11-27 13:48:00 dirmngr[4640]     vertrauenswürdige Zertifikate: 27 (27,0,0,0)
2025-11-27 13:48:00 dirmngr[4640] Handhabungsroutine f r fd 704 gestartet
2025-11-27 13:48:04 dirmngr[4640] ldap connect to 'upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:*****:dc=gnupg,dc=test:plain'
2025-11-27 13:48:04 dirmngr[4640] ldap timeout set to 15s
2025-11-27 13:48:04 dirmngr[4640] DBG: my_ldap_connect: ldap_bind to 'uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test' succeeded
2025-11-27 13:48:04 dirmngr[4640] DBG: interrogate_ldap_dn: searched for 'cn=pgpServerInfo,dc=gnupg,dc=test': ldaprc=0
2025-11-27 13:48:04 dirmngr[4640] DBG: interrogate_ldap_dn: baseDN='ou=GnuPG Keys,dc=gnupg,dc=test'
2025-11-27 13:48:04 dirmngr[4640] DBG: interrogate_ldap_dn: pgpSoftware: 	GnuPG
2025-11-27 13:48:04 dirmngr[4640] DBG: interrogate_ldap_dn: pgpVersion:	2 schema2
2025-11-27 13:48:04 dirmngr[4640] DBG: my_ldap_connect: serverinfo set to realldap; basedn 'ou=GnuPG Keys,dc=gnupg,dc=test'
2025-11-27 13:48:04 dirmngr[4640] DBG: ldap_conn: 0x00000000008be9e8
2025-11-27 13:48:04 dirmngr[4640] DBG: server_type: LDAP
2025-11-27 13:48:04 dirmngr[4640] DBG: basedn: ou=GnuPG Keys,dc=gnupg,dc=test
2025-11-27 13:48:04 dirmngr[4640] DBG: pgpkeyattr: pgpKey
2025-11-27 13:48:04 dirmngr[4640] DBG: SEARCH '04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6' => '(|(gpgFingerprint=04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6)(gpgSubFingerprint=04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6))' BEGIN
2025-11-27 13:48:04 dirmngr[4640] DBG: SEARCH 04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6 END
2025-11-27 13:58:20 dirmngr[4640] Handhabungsroutine f r fd 800 gestartet
2025-11-27 13:58:25 dirmngr[4640] DBG: skipping upload-only server 'upload.ldap.gnupg.test:390:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:upload'
2025-11-27 13:58:25 dirmngr[4640] ldap connect to 'ldap.gnupg.test:389:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:*****:dc=gnupg,dc=test:plain'
2025-11-27 13:58:25 dirmngr[4640] ldap timeout set to 15s
2025-11-27 13:58:25 dirmngr[4640] DBG: my_ldap_connect: ldap_bind to 'uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test' succeeded
2025-11-27 13:58:25 dirmngr[4640] DBG: interrogate_ldap_dn: searched for 'cn=pgpServerInfo,dc=gnupg,dc=test': ldaprc=0
2025-11-27 13:58:25 dirmngr[4640] DBG: interrogate_ldap_dn: baseDN='ou=GnuPG Keys,dc=gnupg,dc=test'
2025-11-27 13:58:25 dirmngr[4640] DBG: interrogate_ldap_dn: pgpSoftware: 	GnuPG
2025-11-27 13:58:25 dirmngr[4640] DBG: interrogate_ldap_dn: pgpVersion:	2 schema2
2025-11-27 13:58:25 dirmngr[4640] DBG: my_ldap_connect: serverinfo set to realldap; basedn 'ou=GnuPG Keys,dc=gnupg,dc=test'
2025-11-27 13:58:25 dirmngr[4640] DBG: ldap_conn: 0x00000000008be9e8
2025-11-27 13:58:25 dirmngr[4640] DBG: server_type: LDAP
2025-11-27 13:58:25 dirmngr[4640] DBG: basedn: ou=GnuPG Keys,dc=gnupg,dc=test
2025-11-27 13:58:25 dirmngr[4640] DBG: pgpkeyattr: pgpKey
2025-11-27 13:58:25 dirmngr[4640] DBG: ks-ldap: using filter: (|(gpgFingerprint=04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6)(gpgSubFingerprint=04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6))
2025-11-27 13:58:25 dirmngr[4640] ks-ldap: '0x04138CEB73FAB16DC0EFC990C07E0A4FF028F5D6' not found on LDAP server
2025-11-27 13:58:25 dirmngr[4640] command 'KS_GET' failed: Keine Daten
2025-11-27 13:58:25 dirmngr[4640] Handhabungsroutine f r den fd 800 beendet
2025-11-27 13:58:25 dirmngr[4640] Handhabungsroutine f r den fd 704 beendet
2025-11-27 13:59:00 dirmngr[4640] running scheduled tasks