Feb 10 2021

werner closed T2964: dirmngr and gpg-agent should work automatically even when GNUPGHOME is larger than sun_path as Resolved.

The now used /var/run thingy solves all these problems nicely. In fact we may eventually remove the fallback of using sockets in the GNUPGHOMEDIR.

Feb 10 2021, 11:29 AM · Stalled, scd, gpgagent, Bug Report, gnupg, dirmngr
werner closed T2836: dirmngr: wakes up periodically as Resolved.

The other patches don't make sense because of future plans for dirmngr.

Feb 10 2021, 11:07 AM · gnupg, gnupg (gpg23), Bug Report, dirmngr

Jan 27 2021

aheinecke reopened T5068: LDAP keyserver does not support lookup by fingerprint as "Open".
Jan 27 2021, 12:19 PM · LDAP, dirmngr, gnupg (gpg22)
aheinecke changed the visibility for T5068: LDAP keyserver does not support lookup by fingerprint.
Jan 27 2021, 12:19 PM · LDAP, dirmngr, gnupg (gpg22)
Jab closed T5068: LDAP keyserver does not support lookup by fingerprint as Spite.
Jan 27 2021, 11:56 AM · LDAP, dirmngr, gnupg (gpg22)

Jan 11 2021

werner created T5235: Delays in dirmngr http connections on Windows.
Jan 11 2021, 8:52 PM · can't replicate, dirmngr, ntbtls, Windows, gnupg (gpg22)

Jan 8 2021

werner closed T4447: Fix addition of new GPG keys to LDAP as Resolved.

The code has been reworked to also support the updated schema which also stores the fingerprints and a parsed down mail address. See gnupg/doc/ldap/ . These changes are in master and 2.2.26. Sorry for taking so long to fix that.

Jan 8 2021, 9:56 AM · gnupg (gpg23), patch, LDAP, dirmngr, Bug Report

Dec 22 2020

pert added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

Granted I'm not familiar with the functions and it may not be applicable, but the DNS resolver functions in the GNU C Library have semi-recently gained parameters (RES_USE_DNSSEC) to check for DNSSEC validation IIRC. Recent versions of glibc also don't trust the 'ad' bit unless an indication of its trustworthiness is set in /etc/resolv.conf, say if using a local validating resolver, so one can be sure that it's trustworthy. It also appears musl libc may support this.

Dec 22 2020, 5:35 AM · dns, dirmngr

Nov 27 2020

werner lowered the priority of T3392: keyserver default should include pool onionbalance hkp://jirk5u4osbsr34t5.onion from Normal to Wishlist.
Nov 27 2020, 5:39 PM · Too Old, Keyserver, Feature Request, dirmngr

Nov 26 2020

gniibe added a parent task for T3168: dirmngr: gpg: keyserver receive failed: No keyserver available: T3517: dirmngr: retry without SRV due to buggy routers.
Nov 26 2020, 7:51 AM · dns, dirmngr
gniibe added a subtask for T3517: dirmngr: retry without SRV due to buggy routers: T3168: dirmngr: gpg: keyserver receive failed: No keyserver available.
Nov 26 2020, 7:51 AM · Feature Request, dns, dirmngr
gniibe merged T3722: gpg "No name" error into T3517: dirmngr: retry without SRV due to buggy routers.
Nov 26 2020, 7:31 AM · Feature Request, dns, dirmngr
gniibe merged T4817: dirmgr keys.openpgp.org:443 Address family not supported by protocol into T4977: dirmngr not working with linux kernel parameter ipv6.disable=1.
Nov 26 2020, 7:15 AM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report

Sep 15 2020

werner created T5068: LDAP keyserver does not support lookup by fingerprint.
Sep 15 2020, 2:24 PM · LDAP, dirmngr, gnupg (gpg22)

Aug 28 2020

gniibe closed T4934: Returning automatic variable buffer from a function as Resolved.
Aug 28 2020, 2:58 AM · dirmngr, Restricted Project, Bug Report

Aug 27 2020

werner closed T4977: dirmngr not working with linux kernel parameter ipv6.disable=1 as Resolved.
Aug 27 2020, 3:03 PM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report

Aug 18 2020

bernhard added a comment to T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.

Just reading this issue in detail.

Aug 18 2020, 4:43 PM · gnupg (gpg22), Bug Report, dirmngr

Jul 13 2020

gniibe triaged T4977: dirmngr not working with linux kernel parameter ipv6.disable=1 as Normal priority.
Jul 13 2020, 3:14 AM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report
gniibe changed the status of T4977: dirmngr not working with linux kernel parameter ipv6.disable=1 from Open to Testing.

Pushed fix to master and STABLE-BRANCH-2-2.

Jul 13 2020, 3:13 AM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report
gniibe added a comment to T4977: dirmngr not working with linux kernel parameter ipv6.disable=1.

Thanks for your log.

Jul 13 2020, 2:54 AM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report

Jul 11 2020

iyanmv added a comment to T4977: dirmngr not working with linux kernel parameter ipv6.disable=1.

$ cat /run/user/1000/dirmngr.log

2020-07-11 19:33:44 dirmngr[2305.0] permanently loaded certificates: 140
2020-07-11 19:33:44 dirmngr[2305.0]     runtime cached certificates: 0
2020-07-11 19:33:44 dirmngr[2305.0]            trusted certificates: 140 (139,0,0,1)
2020-07-11 19:39:24 dirmngr[2305.6] force-crl-refresh active for issuer id CE04B58CBA5B8069AA0D503634B861593BE86F20; update required
2020-07-11 19:39:24 dirmngr[2305.6] number of system provided CAs: 148
2020-07-11 19:39:24 dirmngr[2305.6] error creating socket: Address family not supported by protocol
2020-07-11 19:39:24 dirmngr[2305.6] error connecting to 'http://cdp1.pca.dfn.de/global-root-g2-ca/pub/crl/cacrl.crl': Address family not supported by protocol
2020-07-11 19:39:24 dirmngr[2305.6] error retrieving 'http://cdp1.pca.dfn.de/global-root-g2-ca/pub/crl/cacrl.crl': Address family not supported by protocol
2020-07-11 19:39:24 dirmngr[2305.6] crl_fetch via DP failed: Address family not supported by protocol
2020-07-11 19:39:24 dirmngr[2305.6] command 'ISVALID' failed: Address family not supported by protocol
2020-07-11 19:39:24 dirmngr[2305.6] force-crl-refresh active for issuer id 3476EB7C1E02B3BAF954EEE2EFD321F7B8E49D18; update required
2020-07-11 19:39:24 dirmngr[2305.6] error creating socket: Address family not supported by protocol
2020-07-11 19:39:24 dirmngr[2305.6] error connecting to 'http://pki0336.telesec.de/rl/TeleSec_GlobalRoot_Class_2.crl': Address family not supported by protocol
2020-07-11 19:39:24 dirmngr[2305.6] error retrieving 'http://pki0336.telesec.de/rl/TeleSec_GlobalRoot_Class_2.crl': Address family not supported by protocol
2020-07-11 19:39:24 dirmngr[2305.6] crl_fetch via DP failed: Address family not supported by protocol
2020-07-11 19:39:24 dirmngr[2305.6] command 'ISVALID' failed: Address family not supported by protocol
2020-07-11 19:39:24 dirmngr[2305.6] force-crl-refresh active for issuer id 70F42DB9235EC84DC35D445B3407CABF4324291C; update required
2020-07-11 19:39:24 dirmngr[2305.6] error creating socket: Address family not supported by protocol
Jul 11 2020, 7:42 PM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report
iyanmv added a comment to T4977: dirmngr not working with linux kernel parameter ipv6.disable=1.

@gniibe I saw that you didn't understand what I meant by "dirmngr stops working properly" in E663.
Have a look at this post in Archlinux forum.

Jul 11 2020, 7:29 PM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report

Jul 2 2020

werner closed T4758: gnupg-2.2.18/dirmngr/ldap-parse-uri.c:57:27: style: Same expression on both sides of '||'. as Resolved.

Fixed; in master the code already uses our generic scheme parser.

Jul 2 2020, 4:10 PM · LDAP, dirmngr, Bug Report

Jul 1 2020

werner closed T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures as Wontfix.
Jul 1 2020, 2:10 PM · dns, dirmngr
werner added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

DANE for OpenPGP is an experimental RFC (RFC-7929) and it is likely that we will remove the support because it is too hard for most users to add keys to a zone. Further a validating resolver on the desktop is too hard to maintain and the cause of too many other failures. And no, unbound etc is not an option because it is not usable by the majority of GnuPG users.

Jul 1 2020, 2:10 PM · dns, dirmngr

Jun 30 2020

dkg added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

The same concern has been reported at https://bugs.debian.org/964033 -- if dirmngr is not going to follow the specification, it should at least document (and maybe warn?) about how it is divergent.

Jun 30 2020, 9:30 PM · dns, dirmngr

Jun 26 2020

gniibe added a comment to T4977: dirmngr not working with linux kernel parameter ipv6.disable=1.

When I test it on Debian, disabling by,

Jun 26 2020, 7:25 AM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report
gniibe claimed T4977: dirmngr not working with linux kernel parameter ipv6.disable=1.
Jun 26 2020, 7:06 AM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report
gniibe added a comment to T4977: dirmngr not working with linux kernel parameter ipv6.disable=1.

Please get log of dirmngr, by putting

log-file /run/user/<YOURNUMBER-LIKE-1000>/dirmngr.log
Jun 26 2020, 7:04 AM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report

Jun 25 2020

dkg added a comment to T4977: dirmngr not working with linux kernel parameter ipv6.disable=1.

Can you characterize the failure when ipv6.disable=1 ? The straightforward failure (connect() fails with EHOSTUNREACH after a few seconds) should presumably be treated the same as if some other host happened to be offline. That should result in dirmngr failing over to the next available address for the configured keyserver, right?

Jun 25 2020, 7:28 PM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report

Jun 22 2020

werner added a comment to T4977: dirmngr not working with linux kernel parameter ipv6.disable=1.

The problem is that I have not yet found a _portable_ way to detect proper working v6 or v4 networking without doing a test connection. For privacy reasons we don't want to do that.

Jun 22 2020, 3:32 PM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report
werner added projects to T4977: dirmngr not working with linux kernel parameter ipv6.disable=1: dirmngr, gnupg (gpg22).
Jun 22 2020, 3:20 PM · Restricted Project, gnupg (gpg22), dirmngr, Bug Report

May 21 2020

gniibe changed the status of T4934: Returning automatic variable buffer from a function from Open to Testing.

Fixed in master and applied to 2.2 branch too.

May 21 2020, 7:39 AM · dirmngr, Restricted Project, Bug Report

Apr 16 2020

werner closed T4898: auto import CA certs with authInfo.caIssuers as Resolved.

We do this now always if --auto-issuer-key-retrieve is set. Also backported to 2.2

Apr 16 2020, 6:02 PM · dirmngr, S/MIME, gnupg (gpg23)

Apr 14 2020

werner closed T4538: Support PSS signed CRLs as Resolved.

Data (i.e. CMS) signatures do now also work.

Apr 14 2020, 4:26 PM · dirmngr, S/MIME, libksba

Apr 9 2020

Moonchild added a comment to T4249: No connection to Keyserver possible.

I'm honestly surprised this isn't being given any sort of priority.
gnupg for windows is simply broken. Even Kleopatra, its supplied and designated key management application doesn't work re: keyserver communication.

Apr 9 2020, 11:16 PM · gnupg, dirmngr, Bug Report, gpg4win
werner added a comment to T4538: Support PSS signed CRLs.

Okay, certificate and CRL checking does now work with rsaPSS. Need to work on data signatures and check the compliance modes.

Apr 9 2020, 1:09 PM · dirmngr, S/MIME, libksba

Apr 8 2020

werner claimed T4538: Support PSS signed CRLs.

I started to work on it so that I can actually use the certificates on my new D-Trust card. This will be a verify-only implementation.

Apr 8 2020, 8:37 PM · dirmngr, S/MIME, libksba

Mar 31 2020

werner triaged T4898: auto import CA certs with authInfo.caIssuers as Normal priority.
Mar 31 2020, 12:04 PM · dirmngr, S/MIME, gnupg (gpg23)
werner created T4898: auto import CA certs with authInfo.caIssuers.
Mar 31 2020, 12:04 PM · dirmngr, S/MIME, gnupg (gpg23)

Mar 9 2020

Moonchild added a comment to T4249: No connection to Keyserver possible.

I'm using enigmail 1.9.9 because I'm on a mail client that doesn't use WebExtensions, so it's using gnupg for keyserver stuff. In this case that means I've been able to verify it's a gnupg issue (both Kleopatra and enigmail displaying the same issue as CLI).

Mar 9 2020, 9:54 PM · gnupg, dirmngr, Bug Report, gpg4win
dkg added a comment to T4249: No connection to Keyserver possible.

@Moonchild wrote:

using enigmail with the new version

Mar 9 2020, 6:14 PM · gnupg, dirmngr, Bug Report, gpg4win
Moonchild added a comment to T4249: No connection to Keyserver possible.

Just registered to report pretty much the same.
I've been using gpg 2 for a long while and it's been doing just fine, up to the point where people started using keys it didn't recognise that require a later version.

Mar 9 2020, 1:03 PM · gnupg, dirmngr, Bug Report, gpg4win

Mar 5 2020

werner lowered the priority of T4538: Support PSS signed CRLs from Normal to Low.

It is actually questionable whether PSS is a better padding scheme than PKCS#1, see
https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html . PSS seems indeed to be rarely used; quoting Peter from a followup on his writeup: “If I get time over the weekend, and I can find a CMS message signed with RSA-PSS, I'll create a forgery using xor256.”

Mar 5 2020, 10:27 AM · dirmngr, S/MIME, libksba

Mar 4 2020

aheinecke added a comment to T4538: Support PSS signed CRLs.

To summarize: The DGN CRL uses the RSA-PSS Padding / Signature Scheme. ( https://de.wikipedia.org/wiki/Probabilistic_Signature_Scheme )

Mar 4 2020, 3:17 PM · dirmngr, S/MIME, libksba

Feb 26 2020

aheinecke added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

But searching on Keyservers is also in my opinion not a common use case for Kleopatra users.

Thanks for engaging constructively.

Feb 26 2020, 12:03 PM · Feature Request, Keyserver, dirmngr

Feb 21 2020

dkg added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

In T4513#132770, @aheinecke wrote:

Werner could you maybe at least check for an internet connection, I don't know how to do it on Linux but on Windows it's easy because windows has API for that.

Feb 21 2020, 6:33 PM · Feature Request, Keyserver, dirmngr

Feb 19 2020

Valodim added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

But searching on Keyservers is also in my opinion not a common use case for Kleopatra users.

Feb 19 2020, 6:43 PM · Feature Request, Keyserver, dirmngr
werner added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

and by that bypassing all key source tracking as done by gpg. In any case searching by name or mail address on a keyserver should not be done - at least not by a GUI tool as used by non experienced users.

Feb 19 2020, 4:34 PM · Feature Request, Keyserver, dirmngr
patrick added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

I agree that this is a tricky problem, but it should really be improved.

Feb 19 2020, 4:05 PM · Feature Request, Keyserver, dirmngr
werner added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

The problem is not to check whether there is a connection but on how to decide whether something is a pool or an explicitly added single keyserver and how often should we try to connect or read from it. Without marking hosts as dead the auto search features won't work well.

Feb 19 2020, 1:30 PM · Feature Request, Keyserver, dirmngr
aheinecke added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

@Valodim probably not so much as dirmngr might behave differently and not mark hosts as dead.

Feb 19 2020, 1:17 PM · Feature Request, Keyserver, dirmngr
werner added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

The proper solution is of course to use pkill instead of killall. SCNR.

Feb 19 2020, 12:43 PM · Feature Request, Keyserver, dirmngr
Valodim updated subscribers of T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

I can attest to the "growing bit of popular lore": Roughly half the support requests I get to support@keys.openpgp.org boil down to an exchange of "it just doesn't work with a 'general error' message" -> "try killall dirmngr" -> "that did it". I have heard similar stories from @patrick from Enigmail users, and more than once heard people applying poweruser trickery like "I just have killall dirmngr in my resume.d".

Feb 19 2020, 11:37 AM · Feature Request, Keyserver, dirmngr

Nov 26 2019

werner triaged T4758: gnupg-2.2.18/dirmngr/ldap-parse-uri.c:57:27: style: Same expression on both sides of '||'. as Normal priority.

The LDAP code is actually in very bad shape because @neal added it without utilizing the ldap wrapper and thus a timeout won't work reliably.

Nov 26 2019, 11:17 AM · LDAP, dirmngr, Bug Report

Nov 25 2019

werner closed T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached as Resolved.

Unusable v6 interfaces are now detected on Windows and then not used.

Nov 25 2019, 10:17 PM · Keyserver, Feature Request, dirmngr
werner closed T4594: dirmngr appears to unilaterally import system CAs as Resolved.
Nov 25 2019, 10:16 PM · Bug Report, dirmngr, gnupg (gpg22)

Nov 23 2019

werner closed T4547: improve error message ("Not enabled") when using Tor network and standard resolver as Resolved.

The manual states that --standard-resolver is mostly for debugging. The reason you get a "not enabled" is that we can't allow direct DNS queries in Tor mode which would happen with the system (standard) DNS resolver.

Nov 23 2019, 8:32 PM · dirmngr, gnupg (gpg22), Bug Report

Nov 11 2019

werner edited projects for T4447: Fix addition of new GPG keys to LDAP, added: gnupg (gpg23); removed gnupg.
Nov 11 2019, 6:33 PM · gnupg (gpg23), patch, LDAP, dirmngr, Bug Report
werner added a comment to T4447: Fix addition of new GPG keys to LDAP.

See also D475.

Nov 11 2019, 6:30 PM · gnupg (gpg23), patch, LDAP, dirmngr, Bug Report

Oct 25 2019

werner triaged T4729: WKD via http_proxy does not work if DNS is broken/unavailable as Normal priority.
Oct 25 2019, 11:01 AM · gnupg (gpg22), Restricted Project, dns, dirmngr
werner triaged T4728: GnuPG fails to connect to 127.0.0.1 when many domains are specified in /etc/hosts as Normal priority.
Oct 25 2019, 11:00 AM · gnupg24, gnupg (gpg23), dns, dirmngr
mgorny added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

Ping.

Oct 25 2019, 10:54 AM · Keyserver, dns, dirmngr, Bug Report

Oct 24 2019

dkg added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

There is a growing bit of popular lore in the GnuPG community that "when keyserver operations fail, you solve that problem with killall dirmngr." I believe this suggestion is potentially damaging (the long-running daemon may be in the middle of operations for a client that you don't know about), but i suspect it is circulating as advice because it resolves the situation outlined in this ticket. For whatever ephemeral reason, dirmngr gets stuck, and fails to notice that this situation has resolved itself.

Oct 24 2019, 5:39 PM · Feature Request, Keyserver, dirmngr

Oct 17 2019

Valodim added a comment to T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.

GnuPG ships a non-PKI certificate, specifically to authenticate hkps.pool.sks-keyservers.net. Now due to an implementation detail, this has been shown to potentially lead to authentication of other domains by this certificate, if a maintainer changes the default keyserver via the DIRMNGR_DEFAULT_KEYSERVER variable in configure.ac. Now arguably, this variable isn't exposed via ./configure, so it's not "officially" configurable - but evidently maintainers do want to change it. A trivial one-line patch was supplied to change the unintended and potentially security-problematic behavior into the (I believe) obviously intended one.

Oct 17 2019, 12:23 PM · gnupg (gpg22), Bug Report, dirmngr

Oct 15 2019

werner closed T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net` as Wontfix.
Oct 15 2019, 2:43 PM · gnupg (gpg22), Bug Report, dirmngr

Sep 30 2019

werner edited projects for T4708: gpg cannot retrieve key via wkd from http2 server, added: Documentation, FAQ; removed Bug Report.
Sep 30 2019, 9:39 AM · FAQ, Documentation, dirmngr

Sep 20 2019

deep42thought added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

$ gpg-connect-agent --dirmngr 'getinfo version' /bye
D 2.2.17
OK

Sep 20 2019, 7:44 PM · FAQ, Documentation, dirmngr
werner added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

Can you check which dirmngr version you are running:

gpg-connect-agent --dirmngr 'getinfo version' /bye
Sep 20 2019, 1:19 PM · FAQ, Documentation, dirmngr
deep42thought added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

thanks for the dns explanation - IMHO, something about that should be added to the wiki
When it does not work for you on http1 either, then I guess it's really just some outdatedness of my gpg/dirmngr and this ticket can be closed.

Sep 20 2019, 9:59 AM · FAQ, Documentation, dirmngr
werner added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

It does not work either. Your problem is the use of a wildcard DNS for archlinux32.org:

Sep 20 2019, 9:50 AM · FAQ, Documentation, dirmngr
werner added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

The test above was with gpg master but I got the same result with current 2.2:

Sep 20 2019, 9:27 AM · FAQ, Documentation, dirmngr
deep42thought added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

ok, I disabled it again. btw: why do we need openpgpkey.archlinux32.org in the cert? Is this standard or did I misconfigure something?

Sep 20 2019, 9:23 AM · FAQ, Documentation, dirmngr
werner triaged T4708: gpg cannot retrieve key via wkd from http2 server as Normal priority.
Sep 20 2019, 9:16 AM · FAQ, Documentation, dirmngr
werner added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

Thanks. Here is a dirmngr log:

Sep 20 2019, 9:16 AM · FAQ, Documentation, dirmngr

Sep 19 2019

deep42thought added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

I set archlinux32.org back to http2 - so you can see for yourself, how gpg fails to retrieve the key for buildmaster@archlinux32.org

Sep 19 2019, 6:02 PM · FAQ, Documentation, dirmngr
deep42thought added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

I believe it means that it may fall back to http1.1 - the documentation is not clear to me on this.
A simple test however shows that at least curl has no problems using http1.1 or http1.0 with the http2 enabled nginx.

Sep 19 2019, 6:01 PM · FAQ, Documentation, dirmngr
werner added a project to T4708: gpg cannot retrieve key via wkd from http2 server: dirmngr.

Does your nginx configuration mean that there is no fallback to standard http?

Sep 19 2019, 5:07 PM · FAQ, Documentation, dirmngr

Sep 12 2019

aheinecke added a comment to T2300: Second crlDP is not used if first is unavailable.

Ah, never mind. I think myself that this is no bug and current behavior is correct.

Sep 12 2019, 2:20 PM · g10code, Feature Request, dirmngr
aheinecke reopened T2300: Second crlDP is not used if first is unavailable as "Open".

To implement / test the "not literally RFC compliant but in practice better" behavior let us call this now a wish and feature request as there are certificates in the wild other than Intevation's and customers in large institutions run into that.

Sep 12 2019, 2:12 PM · g10code, Feature Request, dirmngr

Aug 23 2019

werner moved T4594: dirmngr appears to unilaterally import system CAs from For next release to Ready for release on the gnupg (gpg22) board.
Aug 23 2019, 11:00 AM · Bug Report, dirmngr, gnupg (gpg22)
werner moved T4594: dirmngr appears to unilaterally import system CAs from Backlog to For next release on the gnupg (gpg22) board.
Aug 23 2019, 10:54 AM · Bug Report, dirmngr, gnupg (gpg22)
werner added a comment to T4594: dirmngr appears to unilaterally import system CAs.

Will be in 2.2.18

Aug 23 2019, 10:54 AM · Bug Report, dirmngr, gnupg (gpg22)

Aug 10 2019

dkg added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

WKD and DANE/OPENPGPKEY offer rather distinct properties. I'd be hard-pressed to say that one is "better" than the other without understanding the threat model and concerns of the evaluator:

Aug 10 2019, 4:24 AM · dns, dirmngr

Aug 6 2019

wiktor-k added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

DNSSEC is a centralized CA system. Just different than the TLS one. Given that Certificate Transparency exists I'd say DNSSEC is less transparent than TLS. For example if you happen to have a .ly domain then the Libyan can silently control your signed zone. Given that there is no CT for DNSSEC they can do so selectively, for any connection they want. It wouldn't be the first problem with them.

Aug 6 2019, 1:56 PM · dns, dirmngr
mejo added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

I'm left wondering: are there cases where OPENPGPKEY would be preferred over WKD?

Aug 6 2019, 1:43 PM · dns, dirmngr

Jul 16 2019

dkg added a comment to T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.

Just a note that we're now shipping this patch in debian unstable. It would be great if it was merged upstream.

Jul 16 2019, 8:08 PM · gnupg (gpg22), Bug Report, dirmngr
werner added a comment to T4594: dirmngr appears to unilaterally import system CAs.

I see. I am also mostly testing with ntbtls so I was wondering about the report. Thanks for reporting and fixing.

Jul 16 2019, 8:04 AM · Bug Report, dirmngr, gnupg (gpg22)
gniibe triaged T4594: dirmngr appears to unilaterally import system CAs as Normal priority.

While I understand the incorrectness, the risk in practice is not that high. So, I put this as "normal" priority.

Jul 16 2019, 5:35 AM · Bug Report, dirmngr, gnupg (gpg22)
gniibe changed the status of T4594: dirmngr appears to unilaterally import system CAs from Open to Testing.

Pushed the change to master as well as 2.2 branch.

Jul 16 2019, 3:15 AM · Bug Report, dirmngr, gnupg (gpg22)

Jul 15 2019

werner triaged T4617: Odd behavior for HTTP(S) scheme in --keyserver config as Low priority.
Jul 15 2019, 8:16 AM · Documentation, Keyserver, dirmngr

Jul 14 2019

dkg added a project to T4617: Odd behavior for HTTP(S) scheme in --keyserver config: Documentation.
Jul 14 2019, 6:49 PM · Documentation, Keyserver, dirmngr

Jul 11 2019

wiktor-k added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

Is this really necessary to duplicate functionality that already is provided by Web Key Directory?

Jul 11 2019, 12:25 PM · dns, dirmngr
gniibe claimed T4594: dirmngr appears to unilaterally import system CAs.

With NTBTLS, it seems it works correctly.

Jul 11 2019, 9:36 AM · Bug Report, dirmngr, gnupg (gpg22)

Jul 10 2019

dkg added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

I agree, many currently-shipped DNS client library implementations do not provide DNSSEC validity checks.

Jul 10 2019, 9:44 PM · dns, dirmngr
werner triaged T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures as Normal priority.

Sure it is not validated. Standard clients do not provide the system features to do that. That is one of the problems with DNSSEC adoption - it works only for servers in practice.

Jul 10 2019, 7:17 PM · dns, dirmngr
dkg created T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.
Jul 10 2019, 6:48 PM · dns, dirmngr
Valodim updated subscribers of T4617: Odd behavior for HTTP(S) scheme in --keyserver config.

Ah, that makes sense, good catch. Seems this is just an issue of documentation, then.

Jul 10 2019, 6:20 PM · Documentation, Keyserver, dirmngr
dkg added projects to T4617: Odd behavior for HTTP(S) scheme in --keyserver config: dirmngr, Keyserver.
Jul 10 2019, 6:11 PM · Documentation, Keyserver, dirmngr

Jul 4 2019

werner added a comment to T4566: dirmngr fails with HTTP 302 redirection to hkps.

And of course, thanks for your fix.

Jul 4 2019, 5:05 PM · gnupg (gpg22), dirmngr, Bug Report