Feed Advanced Search

Mon, Nov 11

werner edited projects for T4447: Fix addition of new GPG keys to LDAP, added: gnupg (gpg23); removed gnupg.
Mon, Nov 11, 6:33 PM · gnupg (gpg23), patch, LDAP, dirmngr, Bug Report
werner added a comment to T4447: Fix addition of new GPG keys to LDAP.

See also D475.

Mon, Nov 11, 6:30 PM · gnupg (gpg23), patch, LDAP, dirmngr, Bug Report

Fri, Oct 25

werner triaged T4729: WKD via http_proxy does not work if DNS is broken/unavailable as Normal priority.
Fri, Oct 25, 11:01 AM · dns, gnupg (gpg23), dirmngr
werner triaged T4728: GnuPG fails to connect to 127.0.0.1 when many domains are specified in /etc/hosts as Normal priority.
Fri, Oct 25, 11:00 AM · gnupg (gpg23), dns, dirmngr
mgorny added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

Ping.

Fri, Oct 25, 10:54 AM · Keyserver, dns, dirmngr, Bug Report

Thu, Oct 24

dkg added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

There is a growing bit of popular lore in the GnuPG community that "when keyserver operations fail, you solve that problem with killall dirmngr." I believe this suggestion is potentially damaging (the long-running daemon may be in the middle of operations for a client that you don't know about), but i suspect it is circulating as advice because it resolves the situation outlined in this ticket. For whatever ephemeral reason, dirmngr gets stuck, and fails to notice that this situation has resolved itself.

Thu, Oct 24, 5:39 PM · Feature Request, Keyserver, dirmngr

Thu, Oct 17

Valodim added a comment to T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.

GnuPG ships a non-PKI certificate, specifically to authenticate hkps.pool.sks-keyservers.net. Now due to an implementation detail, this has been shown to potentially lead to authentication of other domains by this certificate, if a maintainer changes the default keyserver via the DIRMNGR_DEFAULT_KEYSERVER variable in configure.ac. Now arguably, this variable isn't exposed via ./configure, so it's not "officially" configurable - but evidently maintainers do want to change it. A trivial one-line patch was supplied to change the unintended and potentially security-problematic behavior into the (I believe) obviously intended one.

Thu, Oct 17, 12:23 PM · gnupg (gpg22), Bug Report, dirmngr

Tue, Oct 15

werner closed T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net` as Wontfix.
Tue, Oct 15, 2:43 PM · gnupg (gpg22), Bug Report, dirmngr

Sep 30 2019

werner edited projects for T4708: gpg cannot retrieve key via wkd from http2 server, added: Documentation, FAQ; removed Bug Report.
Sep 30 2019, 9:39 AM · FAQ, Documentation, dirmngr

Sep 20 2019

deep42thought added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

$ gpg-connect-agent --dirmngr 'getinfo version' /bye
D 2.2.17
OK

Sep 20 2019, 7:44 PM · FAQ, Documentation, dirmngr
werner added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

Can you check which dirmngr version you are running

gpg-connect-agent --dirmngr 'getinfo version' /bye
Sep 20 2019, 1:19 PM · FAQ, Documentation, dirmngr
deep42thought added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

thanks for the dns explanation - IMHO, there should be added something about that in the wiki
When it does not work for you on http1 either, then I guess, it's really just some outdatedness of my gpg/dirmngr and this ticket can be closed.

Sep 20 2019, 9:59 AM · FAQ, Documentation, dirmngr
werner added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

It does not work either. Your problem is the use of a wildcard DNS for archlinux32.org:

Sep 20 2019, 9:50 AM · FAQ, Documentation, dirmngr
werner added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

The test above was with gpg master but I got the same result with current 2.2:

Sep 20 2019, 9:27 AM · FAQ, Documentation, dirmngr
deep42thought added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

ok, I disabled it again. btw: why do we need openpgpkey.archlinux32.org in the cert? Is this standard or did I misconfigure something?

Sep 20 2019, 9:23 AM · FAQ, Documentation, dirmngr
werner triaged T4708: gpg cannot retrieve key via wkd from http2 server as Normal priority.
Sep 20 2019, 9:16 AM · FAQ, Documentation, dirmngr
werner added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

Thanks. Here is a dirmngr log:

Sep 20 2019, 9:16 AM · FAQ, Documentation, dirmngr

Sep 19 2019

deep42thought added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

I set archlinux32.org back to http2 - so you can see for yourself, how gpg fails to retrieve the key for buildmaster@archlinux32.org

Sep 19 2019, 6:02 PM · FAQ, Documentation, dirmngr
deep42thought added a comment to T4708: gpg cannot retrieve key via wkd from http2 server.

I believe, it means, that it may fall back to http1.1 - the documentation is not clear to me on this.
A simple test however shows, that at least curl has no problems to use http1.1 or http1.0 with the http2 enabled nginx.

Sep 19 2019, 6:01 PM · FAQ, Documentation, dirmngr
werner added a project to T4708: gpg cannot retrieve key via wkd from http2 server: dirmngr.

Does your ngix configuration mean that there is no fallback to standard http?

Sep 19 2019, 5:07 PM · FAQ, Documentation, dirmngr

Sep 12 2019

aheinecke added a comment to T2300: Second crlDP is not used if first is unavailable.

Ah nevermind. I think myself that this is nobug and current behavior is correct.

Sep 12 2019, 2:20 PM · g10code, Feature Request, dirmngr
aheinecke reopened T2300: Second crlDP is not used if first is unavailable as "Open".

To implement / test the "not literally RFC compliant but in practice better" behavior let us call this now a wish and feature request as there are certificates in the wild other then intevation's and customers in large institutions run into that.

Sep 12 2019, 2:12 PM · g10code, Feature Request, dirmngr

Aug 23 2019

werner moved T4594: dirmngr appears to unilaterally import system CAs from For next release to Ready for release on the gnupg (gpg22) board.
Aug 23 2019, 11:00 AM · Bug Report, dirmngr, gnupg (gpg22)
werner moved T4594: dirmngr appears to unilaterally import system CAs from Backlog to For next release on the gnupg (gpg22) board.
Aug 23 2019, 10:54 AM · Bug Report, dirmngr, gnupg (gpg22)
werner added a comment to T4594: dirmngr appears to unilaterally import system CAs.

Will be in 2.2.18

Aug 23 2019, 10:54 AM · Bug Report, dirmngr, gnupg (gpg22)

Aug 10 2019

dkg added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

WKD and DANE/OPENPGPKEY offer rather distinct properties. I'd be hard-pressed to say that one is "better" than the other without understanding the threat model and concerns of the evaluator:

Aug 10 2019, 4:24 AM · dns, dirmngr

Aug 6 2019

wiktor-k added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

DNSSEC is a centralized CA system. Just different than the TLS one. Given that Certificate Transparency exists I'd say DNSSEC is less transparent than TLS. For example if you happen to have a .ly domain then the Libyan can silently control your signed zone. Given that there is no CT for DNSSEC they can do so selectively, for any connection they want. It wouldn't be the first problem with them.

Aug 6 2019, 1:56 PM · dns, dirmngr
mejo added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

I'm left wondering: are there cases where OPENPGPKEY would be preferred over WKD?

Aug 6 2019, 1:43 PM · dns, dirmngr

Jul 16 2019

dkg added a comment to T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.

Just a note that we're now shipping this patch in debian unstable. It would be great if it was merged upstream.

Jul 16 2019, 8:08 PM · gnupg (gpg22), Bug Report, dirmngr
werner added a comment to T4594: dirmngr appears to unilaterally import system CAs.

I see. I am also mostly testing with ntbtls so I was wondering about the report. Thanks for reporting and fixing.

Jul 16 2019, 8:04 AM · Bug Report, dirmngr, gnupg (gpg22)
gniibe triaged T4594: dirmngr appears to unilaterally import system CAs as Normal priority.

While I understand incorrectness, the risk in practice is not that high. So, I put this as "normal" priority.

Jul 16 2019, 5:35 AM · Bug Report, dirmngr, gnupg (gpg22)
gniibe changed the status of T4594: dirmngr appears to unilaterally import system CAs from Open to Testing.

Pushed the change to master as well as 2.2 branch.

Jul 16 2019, 3:15 AM · Bug Report, dirmngr, gnupg (gpg22)
gniibe added a commit to T4594: dirmngr appears to unilaterally import system CAs: rG58e234fbeb6c: dirmngr: Don't add system CAs for SKS HKPS pool..
Jul 16 2019, 3:14 AM · Bug Report, dirmngr, gnupg (gpg22)
gniibe added a commit to T4594: dirmngr appears to unilaterally import system CAs: rG75e0ec65170b: dirmngr: Don't add system CAs for SKS HKPS pool..
Jul 16 2019, 3:13 AM · Bug Report, dirmngr, gnupg (gpg22)

Jul 15 2019

werner triaged T4617: Odd behavior for HTTP(S) scheme in --keyserver config as Low priority.
Jul 15 2019, 8:16 AM · Documentation, Keyserver, dirmngr

Jul 14 2019

dkg added a project to T4617: Odd behavior for HTTP(S) scheme in --keyserver config: Documentation.
Jul 14 2019, 6:49 PM · Documentation, Keyserver, dirmngr

Jul 11 2019

wiktor-k added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

Is this really necessary to duplicate functionality that already is provided by Web Key Directory?

Jul 11 2019, 12:25 PM · dns, dirmngr
gniibe claimed T4594: dirmngr appears to unilaterally import system CAs.

With NTBTLS, it seems it works correctly.

Jul 11 2019, 9:36 AM · Bug Report, dirmngr, gnupg (gpg22)

Jul 10 2019

dkg added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

I agree, many currently-shipped DNS client library implementations do not provide DNSSEC validity checks.

Jul 10 2019, 9:44 PM · dns, dirmngr
werner triaged T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures as Normal priority.

Sure it is not validated. Standard clients do not provide the system features to do that. That is one of the problems with DNSSEC adoption - it works only for servers in practice.

Jul 10 2019, 7:17 PM · dns, dirmngr
dkg created T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.
Jul 10 2019, 6:48 PM · dns, dirmngr
Valodim updated subscribers of T4617: Odd behavior for HTTP(S) scheme in --keyserver config.

Ah, that makes sense, good catch. Seems this is just an issue of documentation, then.

Jul 10 2019, 6:20 PM · Documentation, Keyserver, dirmngr
dkg added projects to T4617: Odd behavior for HTTP(S) scheme in --keyserver config: dirmngr, Keyserver.
Jul 10 2019, 6:11 PM · Documentation, Keyserver, dirmngr

Jul 4 2019

werner added a comment to T4566: dirmngr fails with HTTP 302 redirection to hkps.

And of course, thanks for your fix.

Jul 4 2019, 5:05 PM · gnupg (gpg22), dirmngr, Bug Report
werner closed T4566: dirmngr fails with HTTP 302 redirection to hkps as Resolved.

Applied to both branches. I have run no tests myself, though.

Jul 4 2019, 5:04 PM · gnupg (gpg22), dirmngr, Bug Report
werner closed T4603: dirmngr WKD redirection changes paths as Resolved.

Fix will be in 2.2.17

Jul 4 2019, 4:26 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner lowered the priority of T4599: remap `--search` to `--locate-keys` (with warning) from High to Normal.
Jul 4 2019, 3:23 PM · gnupg (gpg23), dirmngr
werner added a commit to T4599: remap `--search` to `--locate-keys` (with warning): rG46f3283b345e: gpg: New command --locate-external-key..
Jul 4 2019, 3:22 PM · gnupg (gpg23), dirmngr
werner added a commit to T4599: remap `--search` to `--locate-keys` (with warning): rGd00c8024e588: gpg: New command --locate-external-key..
Jul 4 2019, 3:15 PM · gnupg (gpg23), dirmngr
werner removed a parent task for T4599: remap `--search` to `--locate-keys` (with warning): T4606: Release GnuPG 2.2.17.
Jul 4 2019, 11:33 AM · gnupg (gpg23), dirmngr
werner edited projects for T4599: remap `--search` to `--locate-keys` (with warning), added: gnupg (gpg23); removed gnupg (gpg22).

I tried to implement this but this is troublesome for other programs using the interface because a common patter is to use --search-keys to get a listing and then use --recv-key to import the keys - That won't work and will require changes to --recv-key too. Thus this change will not go into 2.2. Anyway, it is not dangerous to have --search-keys because the new default for import from keyservers will be to strip all key-signatures.

Jul 4 2019, 11:33 AM · gnupg (gpg23), dirmngr

Jul 3 2019

werner changed the edit policy for T3065: dirmngr: proxy issues with dnslookup causing failure.
Jul 3 2019, 6:19 PM · gnupg (gpg22), dns, dirmngr
werner closed T3065: dirmngr: proxy issues with dnslookup causing failure as Invalid.

I asked you to carry this to a mailing list and not re-open this task.

Jul 3 2019, 6:19 PM · gnupg (gpg22), dns, dirmngr
werner added a parent task for T4599: remap `--search` to `--locate-keys` (with warning): T4606: Release GnuPG 2.2.17.
Jul 3 2019, 6:11 PM · gnupg (gpg23), dirmngr
werner added a parent task for T4603: dirmngr WKD redirection changes paths: T4606: Release GnuPG 2.2.17.
Jul 3 2019, 6:11 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a parent task for T4600: dirmngr enters a loop when the keyserver returns 503 error: T4606: Release GnuPG 2.2.17.
Jul 3 2019, 6:11 PM · gnupg (gpg22), dirmngr, Bug Report
werner moved T4566: dirmngr fails with HTTP 302 redirection to hkps from Backlog to For next release on the gnupg (gpg22) board.
Jul 3 2019, 6:04 PM · gnupg (gpg22), dirmngr, Bug Report
werner moved T4599: remap `--search` to `--locate-keys` (with warning) from Backlog to For next release on the gnupg (gpg22) board.
Jul 3 2019, 6:02 PM · gnupg (gpg23), dirmngr
werner moved T4603: dirmngr WKD redirection changes paths from Backlog to For next release on the gnupg (gpg22) board.
Jul 3 2019, 6:01 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner edited projects for T4599: remap `--search` to `--locate-keys` (with warning), added: gnupg (gpg22); removed gnupg.

My plan is to let --search-key be the same as locate-key but without local lookups, thus it will be the same as

Jul 3 2019, 5:58 PM · gnupg (gpg23), dirmngr
werner closed T4600: dirmngr enters a loop when the keyserver returns 503 error as Resolved.

That was pretty easy to reproduce thanks to your still not working server.

Jul 3 2019, 5:42 PM · gnupg (gpg22), dirmngr, Bug Report
werner added a commit to T4600: dirmngr enters a loop when the keyserver returns 503 error: rGd2e8d7125181: dirmngr: Avoid endless loop in case of HTTP error 503..
Jul 3 2019, 5:41 PM · gnupg (gpg22), dirmngr, Bug Report
werner added a commit to T4600: dirmngr enters a loop when the keyserver returns 503 error: rG8b113bb148f2: dirmngr: Avoid endless loop in case of HTTP error 503..
Jul 3 2019, 5:40 PM · gnupg (gpg22), dirmngr, Bug Report
werner claimed T4600: dirmngr enters a loop when the keyserver returns 503 error.
Jul 3 2019, 5:08 PM · gnupg (gpg22), dirmngr, Bug Report
werner triaged T4603: dirmngr WKD redirection changes paths as Normal priority.
Jul 3 2019, 4:25 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner changed the status of T4603: dirmngr WKD redirection changes paths from Open to Testing.

I did some manual tests using netcat and KS_FETCH to test the redirection.

Jul 3 2019, 4:24 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a commit to T4603: dirmngr WKD redirection changes paths: rGc9b133a54e93: dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain..
Jul 3 2019, 4:22 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a commit to T4603: dirmngr WKD redirection changes paths: rG37f0c55c7be3: dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain..
Jul 3 2019, 4:20 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
dkg added a comment to T4603: dirmngr WKD redirection changes paths.

I think you're suggesting accepting *any* path if the hostname of the proposed redirection matches openpgpkey.example.org when querying the WKD direct URL for an @example.org address. That would also be a fine solution from my point of view.

Jul 3 2019, 4:13 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a comment to T4603: dirmngr WKD redirection changes paths.

I head the same idea when I read your configuration. Given that the advanced lookup was not reallydeployed (see T4590) I also expect that we will receive complains now that it works. Thus white listing any "openpgpkey." seems to me a reasonable easy solution.

Jul 3 2019, 3:52 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner closed T4590: dirmngr does not perform WKD advanced lookup as Resolved.

Will be in 2.2.17

Jul 3 2019, 3:46 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a comment to T4590: dirmngr does not perform WKD advanced lookup.

Oh dear, that happens if one is always on master. I simply forgot to cherry pick the change from master back in November.
Two commits, though.

Jul 3 2019, 3:45 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a commit to T4590: dirmngr does not perform WKD advanced lookup: rG2c6d94702a67: dirmngr: Fix previous commit.
Jul 3 2019, 3:43 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
dkg added a comment to T4603: dirmngr WKD redirection changes paths.

@werner, thanks for the pointer to the report, that's certainly useful. And i'm happy that organizations like SektionEins are doing GnuPG audits and publishing their results regardless of who paid for them.

Jul 3 2019, 2:48 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a comment to T4603: dirmngr WKD redirection changes paths.

See https://sektioneins.de/en/blog/18-11-23-gnupg-wkd.html for details. In short they fear that companies using IP based security for internal services can be attacked via redirect request and in particular becuase that can happen in the background without the user noticing. I am not concerned but we had long lasting discussions also with protonmail about this and the result was that we need to have this protection. We do not know who requested and paid for the audit from SektionEins and they won't tell us.

Jul 3 2019, 9:44 AM · gnupg (gpg22), wkd, dirmngr, Bug Report

Jul 2 2019

dkg added a comment to T4603: dirmngr WKD redirection changes paths.

Thanks for the pointer, @werner. Certainly we want T4590 fixed.

Jul 2 2019, 5:37 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a comment to T4603: dirmngr WKD redirection changes paths.

We need to rewrite the Location to avoid a CSRF attack. See fa1b1eaa4241ff3f0634c8bdf8591cbc7c464144

Jul 2 2019, 4:18 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
dkg updated the task description for T4603: dirmngr WKD redirection changes paths.
Jul 2 2019, 3:44 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
dkg created T4603: dirmngr WKD redirection changes paths.
Jul 2 2019, 3:43 PM · gnupg (gpg22), wkd, dirmngr, Bug Report

Jul 1 2019

werner triaged T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net` as Low priority.
Jul 1 2019, 9:18 PM · gnupg (gpg22), Bug Report, dirmngr
dkg updated subscribers of T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.

I should add that i don't really care whose fault it is if the software is broken by some downstream. if it harms any users, and we can fix it, we should fix it, especially if the fix is easy.

Jul 1 2019, 9:13 PM · gnupg (gpg22), Bug Report, dirmngr
dkg added a comment to T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.

We're writing free software, which we know that people use and modify downstream. if we know that the software has a particular sharp edge that people who are modifying it are likely to cut themselves on, we have two options:

Jul 1 2019, 9:03 PM · gnupg (gpg22), Bug Report, dirmngr
werner added a comment to T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.

Come on, if someone changes the software and breaks it, it is their's fault ant not ours. The whole thing on which keyserver and certificate to use as been discussed ad nausea in the past. Given all the problems with the keyservers I do not see a reason to change it right away to a state we had before. Keyserver code is pretty hard to test and has thus always been prone to regressions.

Jul 1 2019, 8:05 PM · gnupg (gpg22), Bug Report, dirmngr
werner triaged T4600: dirmngr enters a loop when the keyserver returns 503 error as High priority.

(See T4175 why this changed in 2.2.12.)

Jul 1 2019, 8:00 PM · gnupg (gpg22), dirmngr, Bug Report
werner claimed T4599: remap `--search` to `--locate-keys` (with warning).
Jul 1 2019, 7:31 PM · gnupg (gpg23), dirmngr
dkg reopened T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net` as "Open".

If the default keyserver is not hkps.pool.sks-keyservers.net, then @kristianf's CA certificate has no business certifying it.

Jul 1 2019, 6:31 PM · gnupg (gpg22), Bug Report, dirmngr
dkg created T4599: remap `--search` to `--locate-keys` (with warning).
Jul 1 2019, 6:16 PM · gnupg (gpg23), dirmngr
werner closed T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net` as Wontfix.

I see no need for this.

Jul 1 2019, 9:50 AM · gnupg (gpg22), Bug Report, dirmngr

Jun 30 2019

dkg added a project to T4594: dirmngr appears to unilaterally import system CAs: Bug Report.
Jun 30 2019, 7:27 PM · Bug Report, dirmngr, gnupg (gpg22)
dkg added a comment to T4594: dirmngr appears to unilaterally import system CAs.

To be clear, this would allow the least competent CA in the system root trust anchor list to certify an arbitrary server as a member of hkps.pool.sks-keyservers.net. So it is in some sense a security vulnerability -- it allows for a bypass of the correct authority.

Jun 30 2019, 7:26 PM · Bug Report, dirmngr, gnupg (gpg22)
dkg created T4594: dirmngr appears to unilaterally import system CAs.
Jun 30 2019, 6:14 PM · Bug Report, dirmngr, gnupg (gpg22)
dkg added a comment to T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.

I've just pushed 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 to the branch dkg-fix-T4593

Jun 30 2019, 6:12 PM · gnupg (gpg22), Bug Report, dirmngr
dkg updated the task description for T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.
Jun 30 2019, 6:09 PM · gnupg (gpg22), Bug Report, dirmngr
dkg created T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.
Jun 30 2019, 6:09 PM · gnupg (gpg22), Bug Report, dirmngr

Jun 28 2019

dkg added a comment to T4590: dirmngr does not perform WKD advanced lookup.

I recognize that adding network activity to the test suite can be complicated (not all test suites are run with functional network access), but if it is possible to have a unit test or something (that doesn't do network access, but just looks at what the dirmngr *would* have tried somehow?), that would be great. Thanks for looking into this!

Jun 28 2019, 2:39 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner triaged T4590: dirmngr does not perform WKD advanced lookup as High priority.

Confirmed; that looks like a regression.

Jun 28 2019, 12:09 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
dkg created T4590: dirmngr does not perform WKD advanced lookup.
Jun 28 2019, 6:29 AM · gnupg (gpg22), wkd, dirmngr, Bug Report

Jun 21 2019

Valodim added a comment to T4493: Default to HKPS, not HKP.

A possible exception here is that .onion TLDs should stick with HKP by default

Jun 21 2019, 11:16 AM · dirmngr, Feature Request

Jun 19 2019

dkg added a comment to T4566: dirmngr fails with HTTP 302 redirection to hkps.

Any word on this? i've pushed a fix for this into debian experimental as a part of 2.2.16-2, but i am concerned that there's no adoption from upstream. If there's a reason that this is the wrong fix, please do let me know!

Jun 19 2019, 7:06 PM · gnupg (gpg22), dirmngr, Bug Report

Jun 18 2019

dkg added a comment to T4512: gpg's --keyserver option should be more robustly deprecated.

If we only need it for backward compatibility, then the configuration in gpg.conf should *not* be overriding the preferred, forward-looking form of the configuration (in dirmngr.conf). If it is low priority to fix this, then there will be a generation of GnuPG users and toolchains which deliberately configure the value in gpg.conf instead of dirmngr.conf because they'll know that's the more robust way to do it.

Jun 18 2019, 2:56 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report