Ah well, Kleopatra has a GUI to set the keyserver - that is probably easier to use.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
Sep 22 2021
Sep 7 2021
Aug 25 2021
Okay, I close this as a keyserver infrastructure problem. Feel free tore-open if you get other infos.
Aug 13 2021
Jul 28 2021
Jul 15 2021
[[ URL | foreach ($list as $item) {
work_miracles($item);
} ]]
Jun 21 2021
The sks pool is now officially gone.
Feb 2 2021
Please do not repeat you question, this won't give you anymore attention. Read my comment above and please ask on a mailing list etc.
Good morning,
Jan 28 2021
The last server of the HKPS pool dropped off for several hours yesterday, during which hkps.pool.sks-keyservers.net could not be resolved.
Jan 5 2021
For the context of all subscribed parties I think Werner refers to what Hockeypuck is doing: https://lists.gnupg.org/pipermail/gnupg-users/2020-December/064441.html
Meanwhile there are simpler ideas and code on how to do only authenticated uploads. Thus lowering the prio.
(Reporter has problems running his own keyserver and accessing it.)
Dec 4 2020
Perhaps of interest for this issue: the HKPS pool has consisted of only a single server for a couple of months now.
Nov 27 2020
Oct 19 2020
My sks keyserver is in Linux Ubuntu 18.04 LTS. As a client I'm using windows 10 and gpg4win is 3.1.13.
Are you on Windows or Linux? What version of Kleopatra or Gpg4win are you using?
Sep 17 2020
Aug 12 2020
Jul 9 2020
Mar 14 2020
I think that this chnage is useful enough to be backported to 2.2. Done that.
Mar 13 2020
You can test it now out using GnuPG master: Just add --include-key-block and you can then verify using an empty keyring. Currently --auto-key-retrieve is not needed but we need to think on how we can enable or disable this during verification.
Mar 10 2020
ftr, here is the thread I had in mind but couldn't recall above. @aheinecke is that your thinking, or a more pgp/mime bound mechanism as @dkg assumed?
@wiktor-k, "just extend the spec" doesn't necessarily work with existing clients, which might be surprised to find unexpected packets in the signature section of an e-mail. It seems more likely to me that they'd be able to handle (meaning: ignore) an unknown subpacket (as long as it's well-formed) than to handle additional packets. But all of these surmises require testing with existing clients, of course. Has anyone done any of that testing?
This is a nice idea and although it overlaps with Autocrypt it has other uses too: for example verification of signed files that can be vastly simplified (just get the file and the signature, no key fetching needed, downside: the key attached to the signature could be stale).
Ah, thanks for pointing out the subpacket option (i guess it could be hashed or unhashed). i don't think any of the subpackets currently defined in RFC4880 supports this use case -- but i guess you could mint a new one, or use a notation.
Werner said that it's possible in OpenPGP to also put the pubkey into the signature. (...) The nice advantage is that this will also work for files.
Mar 9 2020
Hi @aheinecke, thanks for thinking about this, and thanks for tagging me here too. I'm definitely interested.
Feb 26 2020
In T4513#132777, @Valodim wrote:But searching on Keyservers is also in my opinion not a common use case for Kleopatra users.
Thanks for engaging constructively.
Feb 21 2020
In T4513#132770, @aheinecke wrote:
Werner could you maybe at least check for an internet connection, I don't know how to do it on Linux but on Windows it's easy because windows has API for that.
Feb 19 2020
But searching on Keyservers is also in my opinion not a common use case for Kleopatra users.
and by that bypassing all key source tracking as done by gpg. In any case searching by name or mail address on a keyserver should not be done - at least not by a GUI tool as used by non experienced users.
I agree that this is a tricky problem, but it should really be improved.
The problem is not to check whether there is a connection but on how to decide whether something is a pool or an explictly added single keyserver and how often should we try to connect or read from it. Without marking hosts as dead the auto search features won't work well.
@Valodim probably not so much as dirmngr might behave differently and not mark hosts as dead.
The proper solution is of course to use pkill instead of killall. SCNR.
I can attest to the "growing bit of popular lore": Roughly half the support requests I get to support@keys.openpgp.org boil down to an exchange of "it just doesn't work with a 'general error' message" -> "try killall dirmngr" -> "that did it". I have heard similar stories from @patrick from Enigmail users, and more than once heard people applying poweruser trickery like "I just have killall dirmngr in my resume.d".
Nov 25 2019
Unusable v6 interfaces are now detected on Windows and then not used.
Nov 20 2019
Nov 7 2019
Oct 25 2019
Ping.
Oct 24 2019
There is a growing bit of popular lore in the GnuPG community that "when keyserver operations fail, you solve that problem with killall dirmngr." I believe this suggestion is potentially damaging (the long-running daemon may be in the middle of operations for a client that you don't know about), but i suspect it is circulating as advice because it resolves the situation outlined in this ticket. For whatever ephemeral reason, dirmngr gets stuck, and fails to notice that this situation has resolved itself.
Jul 18 2019
I'm aware of you releasing an RC for comments, and i apologize for not catching this particular case earlier. As you know from T4607, i was even advocating for it. i didn't understand the full implications of the "import-then-clean" approach at the time, and was thinking it would only apply to the incoming material, not the stored material.
The code has comments why we do a first clean_key on the imported keyblock.
i've merged a variant of rGbe99eec2b105eb5f8e3759147ae351dcc40560ad into the GnuPG packaging in debian unstable as of version 2.2.17-3 to avoid the risks of data loss and signature verification failures. I'll revert it if i see the concern addressed upstream.
Jul 16 2019
that pseudocode is strange to me -- it looks like you have (two) duplicate calls to clean_key (imported_keyblock) (though maybe i just don't know what .... means in this pseudocode).
You are partly right. I missed that we also do clean the original keyblock while updating a key. The code is
Jul 15 2019
I think dropping import-clean from the default keyserver options is the right way to go. It is not clear what additional benefit import-clean provides given that we are already using self-sigs-only. And the idea of non-additive behavior to the local keyring when pulling from a keyserver is a deeply surprising change for multiple users i've talked to.
Jul 14 2019
Jul 10 2019
Ah, that makes sense, good catch. Seems this is just an issue of documentation, then.
We should put it of the agenda od the Brussesl summit in 3 weeks. I have a few ideas what we can do in gpg.
Jul 4 2019
Given the recent problems with the keyservers, I expect that the keyserver feature will go away anyway and thus I do not think we will put any more effort into this. Thus I re-tag this as gpg 2.3.
Jun 18 2019
If we only need it for backward compatibility, then the configuration in gpg.conf should *not* be overriding the preferred, forward-looking form of the configuration (in dirmngr.conf). If it is low priority to fix this, then there will be a generation of GnuPG users and toolchains which deliberately configure the value in gpg.conf instead of dirmngr.conf because they'll know that's the more robust way to do it.
Jun 8 2019
We need --keyserver in gpg for just one reason: backward compatibility.
thanks for fixing that error message, @werner. As @Valodim points out in discusson about hagrid, a gpg.conf keyserver option (deprecated according to the documentation) overrides the dirmngr.conf keyserver option (not deprecated according to the documentation.
May 27 2019
I doubt that we are going to implement this.
May 17 2019
May 15 2019
Thanks
May 14 2019
I removed this specialized error message. Thanks for reporting.
This is particularly bad for users who have manually specified a given keyserver in dirmngr.conf, because even a transient failure in that keyserver will prevent them from any future keyserver requests until dirmngr decides that the "death" has worn off.
Apr 1 2019
HTTP/1.1 spec, RFC 7230, Section 5.4, paragraph 2:
https://tools.ietf.org/html/rfc7230#section-5.4
Please be so kind and point me to the specs stating that you should put the IP address into Host:
It's up to GPG to send the Host header that shows the user's intent.
So in short you want:
- Allow to specify a keyserver by IP without any DNS lookups.
- When connecting via IP use the IP address for Host:.
Mar 31 2019
Mar 13 2019
There is a solution for it:
Feb 9 2019
So, the keyserver operator had thrown in a hockeypuck server in the pool, causing this.. While the keyserver remains in the exclude list until confirmation it has been resolved, that explains the behavior and it has been made clear that separate software needs to use different names in the future.
Feb 4 2019
@kristianf we talked about this on Saturday evening. Would you be so kind and have a quick look at the problem with the hu server?
Feb 1 2019
Hi Werner and thanks for looking into this.
Jan 30 2019
According to sks-keyservers.net both servers you mention run the very same software. Thus I would like to understand why you think they require the use of a legacy option.
Oct 29 2018
It actually tries several servers but we need to set a limit because we need to cope with longer timeouts. Do you suggest to toggle between v4 and v6 addresses? That is if a v6 address fails, first try the next v4 address and it that fails, another v6 address, etc.
Oct 2 2018
The problem is that the keyserver network is abused as free and
permanent data storage. We can't do much about it without larger
changes on the search capabilities of the keyservers. For more
information see the archives of the sks-devel list starting in July.
Oct 1 2018
Ok. I was not aware that HKPS should already have the highest quality.
hkps pool really should be the most responsive, and it already requires clustered only servers for a couple of weeks to try to increase the responsiveness. Experience has shown that any keyserver with less than 3 nodes in a cluster should not be used towards end-users. But do you have any more debugging output as to the problem at hand?
Sep 11 2018
We assume that this has meanwhile been fixed.
Aug 29 2018
@elonsatoshi: Were you able to check this with 2.2.9 which has a fix for the resolver?
Nov 19 2017
You know... I think connman and DNS have something to do with this. Connman does some weird DNS thing. And it auto-generates /etc/resolv.conf to use localhost as the DNS server.