Page MenuHome GnuPG
Feed Advanced Search

Thu, Jun 23

werner added a project to T6038: gpg-wks-client excludes uid with URL in comment: gnupg (gpg22).
Thu, Jun 23, 10:43 AM · gnupg (gpg22), wkd, Bug Report

Tue, Jun 21

ikloecker added a comment to T6038: gpg-wks-client excludes uid with URL in comment.

This problem does not seem to exist in GnuPG 2.3.6.

Tue, Jun 21, 9:49 AM · gnupg (gpg22), wkd, Bug Report
l0s created T6038: gpg-wks-client excludes uid with URL in comment.
Tue, Jun 21, 7:03 AM · gnupg (gpg22), wkd, Bug Report

Thu, Jun 9

ikloecker added a comment to T6023: Check how GnuPG handles several keys from WKD.

gpg tries to find the "best" key using get_best_pubkey_byname (https://dev.gnupg.org/source/gnupg/browse/master/g10/getkey.c$1507), but the applied rules are not clearly documented in one place.

Thu, Jun 9, 11:23 AM · wkd, gnupg (gpg23)
werner triaged T6023: Check how GnuPG handles several keys from WKD as High priority.
Thu, Jun 9, 10:37 AM · wkd, gnupg (gpg23)

Apr 20 2022

werner closed T5813: Locating Keys via WKD with gpg4win fails with unknown error. as Resolved.
Apr 20 2022, 8:51 AM · wkd, gpg4win, Bug Report

Mar 31 2022

werner added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I don't like it either but the browser vendors don't like SRV records.

Mar 31 2022, 9:03 AM · wkd, gpg4win, Bug Report
wiktor-k added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I still think that redirecting to another catch-all domain is contrary to the original goal and weakens the security model. We need to see what we can do about this.

Mar 31 2022, 8:27 AM · wkd, gpg4win, Bug Report
rainerh added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Thank you, works now on Windows with openpgpkey.sanka-gmbh.de

Mar 31 2022, 7:08 AM · wkd, gpg4win, Bug Report

Mar 30 2022

Valodim added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Independently of that, it seems that gpg4win doesn't work with at least one widely deployed webserver in its default configuration, specifically Caddy, so this fix is well appreciated.

Mar 30 2022, 11:41 PM · wkd, gpg4win, Bug Report
werner added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I still think that redirecting to another catch-all domain is contrary to the original goal and weakens the security model. We need to see what we can do about this.

Mar 30 2022, 6:07 PM · wkd, gpg4win, Bug Report
Valodim added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Oof. That hinges on the certificate, guess we'll need to renew the bunch of them. I reconfigured, might take a while for all pages but ciphers should now be:

Mar 30 2022, 4:53 PM · wkd, gpg4win, Bug Report
werner added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

The ECDHE_ECDSA suites are not yet implemented in ntbtls and thus we can't agree on a common cipher suite. Will be solved in the next Windows version.

Mar 30 2022, 3:35 PM · wkd, gpg4win, Bug Report
rainerh added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

In the above test, I was using
Windows: 2.3.4
Debian: 2.2.12

Mar 30 2022, 12:58 PM · wkd, gpg4win, Bug Report
Valodim added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I captured some logs server-side, and I do see this error:

Mar 30 2022, 12:27 PM · wkd, gpg4win, Bug Report
werner added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Are you using 2.3.4 also on Windows?

Mar 30 2022, 12:15 PM · wkd, gpg4win, Bug Report
rainerh added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I have the same error when using wkd.keys.openpgp.org with a CNAME DNS entry. The error occurs with Windows 10, 11 and Server 2019 (only the most recent versions tested). With Debian it works fine.

Mar 30 2022, 11:44 AM · wkd, gpg4win, Bug Report

Mar 28 2022

werner closed T5902: GnuPG dirmngr sends incorrect l parameter to a WKD server as Resolved.

Good idea. Thanks. Goes onto 2.3 and 2.2

Mar 28 2022, 4:15 PM · dirmngr, gnupg, wkd, Bug Report
eehakkin created T5902: GnuPG dirmngr sends incorrect l parameter to a WKD server.
Mar 28 2022, 10:17 AM · dirmngr, gnupg, wkd, Bug Report

Mar 12 2022

Valodim added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

@mieth sorry for the delay. meanwhile I adjusted the ciphersuite of the WKD gateway to include an AES-CBC suite. would be interested if it works now on the setup you tested before.

Mar 12 2022, 2:27 PM · wkd, gpg4win, Bug Report

Feb 10 2022

ikloecker added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Did you make another request for locating keys via WKD after adding the debug flags? I'm asking because when I do this I get the following log:

2022-02-10 17:49:59 dirmngr[6780] listening on socket '/run/user/1000/gnupg/d.f3hdqcrmjwf98p87yqjmuctx/S.dirmngr'
2022-02-10 17:49:59 dirmngr[6781.0] permanently loaded certificates: 130
2022-02-10 17:49:59 dirmngr[6781.0]     runtime cached certificates: 0
2022-02-10 17:49:59 dirmngr[6781.0]            trusted certificates: 130 (130,0,0,0)
2022-02-10 17:49:59 dirmngr[6781.0] failed to open cache dir file '/tmp/tmp.8P2EakNghu/crls.d/DIR.txt': No such file or directory
2022-02-10 17:49:59 dirmngr[6781.0] creating directory '/tmp/tmp.8P2EakNghu/crls.d'
2022-02-10 17:49:59 dirmngr[6781.0] new cache dir file '/tmp/tmp.8P2EakNghu/crls.d/DIR.txt' created
2022-02-10 17:49:59 dirmngr[6781.6] handler for fd 6 started
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> # Home: /tmp/tmp.8P2EakNghu
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> # Config: /tmp/tmp.8P2EakNghu/dirmngr.conf
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> OK Dirmngr 2.3.5-beta17 at your service
2022-02-10 17:49:59 dirmngr[6781.6] connection from process 6779 (1000:100)
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 <- GETINFO version
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> D 2.3.5-beta17
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> OK
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 <- WKD_GET -- werner.koch@gnupg.com
2022-02-10 17:49:59 dirmngr[6781.6] DBG: dns: libdns initialized
2022-02-10 17:49:59 dirmngr[6781.6] DBG: dns: resolve_dns_name(openpgpkey.gnupg.com): No name
2022-02-10 17:49:59 dirmngr[6781.6] DBG: dns: getsrv(_openpgpkey._tcp.gnupg.com) -> 0 records
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> S SOURCE https://gnupg.com
2022-02-10 17:49:59 dirmngr[6781.6] number of system provided CAs: 390
2022-02-10 17:49:59 dirmngr[6781.6] DBG: Using TLS library: GNUTLS 3.7.3
2022-02-10 17:49:59 dirmngr[6781.6] DBG: http.c:connect_server: trying name='gnupg.com' port=443
2022-02-10 17:49:59 dirmngr[6781.6] DBG: dns: resolve_dns_name(gnupg.com): Success
2022-02-10 17:49:59 dirmngr[6781.6] DBG: http.c:1917:socket_new: object 0x00007f524c290e20 for fd 7 created
2022-02-10 17:50:00 dirmngr[6781.6] DBG: http.c:request:
2022-02-10 17:50:00 dirmngr[6781.6] DBG: >> GET /.well-known/openpgpkey/hu/waoubdep9643akkesx4xm3ynstfffiok?l=werner.koch HTTP/1.0\r\n
2022-02-10 17:50:00 dirmngr[6781.6] DBG: >> Host: gnupg.com\r\n
2022-02-10 17:50:00 dirmngr[6781.6] DBG: http.c:request-header:
2022-02-10 17:50:00 dirmngr[6781.6] DBG: >> \r\n
2022-02-10 17:50:00 dirmngr[6781.6] DBG: http.c:response:
2022-02-10 17:50:00 dirmngr[6781.6] DBG: >> HTTP/1.0 200 OK\r\n
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Date: Thu, 10 Feb 2022 16:49:59 GMT'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Server: Boa/0.94.14rc21'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Accept-Ranges: bytes'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Connection: close'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Content-Length: 957'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Last-Modified: Mon, 28 Jun 2021 17:47:11 GMT'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Content-Type: text/plain'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: ''
2022-02-10 17:50:00 dirmngr[6781.6] DBG: (957 bytes sent via D lines not shown)
2022-02-10 17:50:00 dirmngr[6781.6] DBG: chan_6 -> OK
2022-02-10 17:50:00 dirmngr[6781.6] DBG: chan_6 <- BYE
2022-02-10 17:50:00 dirmngr[6781.6] DBG: chan_6 -> OK closing connection
2022-02-10 17:50:00 dirmngr[6781.6] handler for fd 6 terminated
Feb 10 2022, 5:53 PM · wkd, gpg4win, Bug Report
mieth added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..
2022-02-10 17:07:35 [12256]    dauerhaft geladene Zertifikate: 74
2022-02-10 17:07:35 [12256]  zwischengespeicherte Zertifikate: 0
2022-02-10 17:07:35 [12256]     vertrauenswürdige Zertifikate: 74 (74,0,0,0)
2022-02-10 17:07:35 [12256] DBG: chan_0x0000026c -> # Home: C:\Users\User\AppData\Roaming\gnupg
2022-02-10 17:07:35 [12256] DBG: chan_0x0000026c -> # Config: .\dirmngr.conf
2022-02-10 17:07:35 [12256] DBG: chan_0x0000026c -> OK Dirmngr 2.3.4 at your service
Feb 10 2022, 5:10 PM · wkd, gpg4win, Bug Report

Feb 8 2022

ikloecker added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Add the following to dirmngr.conf:

debug ipc,dns,network,lookup

There are more debug flags but the above flags should cover anything related to the lookup.

Feb 8 2022, 6:55 PM · wkd, gpg4win, Bug Report
bernhard added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

You may have to restart the dirmngr to see the log-file option be honored. The gpg request to dirmngr should be visible in the log.

Feb 8 2022, 4:37 PM · wkd, gpg4win, Bug Report
mieth added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

@mieth can you enable the dirmngr log and give it more message, you'll be able to diagnose the problem further. There have been problems in the past with the contents of the certificate store of Windows. It does not look like this is the problem you are facing, but the diagnostic messages should be helpful.

Feb 8 2022, 1:37 PM · wkd, gpg4win, Bug Report
bernhard added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

@mieth can you enable the dirmngr log and give it more message, you'll be able to diagnose the problem further. There have been problems in the past with the contents of the certificate store of Windows. It does not look like this is the problem you are facing, but the diagnostic messages should be helpful.

Feb 8 2022, 11:41 AM · wkd, gpg4win, Bug Report

Feb 7 2022

mieth added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Might be an issue with matching ciphersuites? There was a problem with this before when GnuPG didn't support AES-GCM yet (https://dev.gnupg.org/T4597). That was added in 2020, maybe it's not rolled out far enough yet?

Either way, I hadn't considered this for the WKD relay. I'll look into enabling AES-CBC there, at least for backwards compatibility.

Feb 7 2022, 11:41 AM · wkd, gpg4win, Bug Report

Feb 3 2022

Valodim added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Might be an issue with matching ciphersuites? There was a problem with this before when GnuPG didn't support AES-GCM yet (https://dev.gnupg.org/T4597). That was added in 2020, maybe it's not rolled out far enough yet?

Feb 3 2022, 11:59 AM · wkd, gpg4win, Bug Report

Feb 2 2022

mieth added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

After further testing: The error does not occur if WKD is implemented directly under the respective domain.
The behavior of GnuPG differs between Windows and other platforms. However, it is not clear to me which version is behaving incorrectly. But it seems clear that there is no compatibility with the instructions at https://keys.openpgp.org/about/usage#wkd-as-a-service under Windows. (However this may concern another project.)

Feb 2 2022, 2:11 PM · wkd, gpg4win, Bug Report
mieth added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

The server in the testcase is wkd.keys.openpgp.org which is referred with CNAME via the DNS. Referring to https://www.ssllabs.com/ssltest/analyze.html?d=wkd.keys.openpgp.org it shoud support TLS 1.2

Feb 2 2022, 1:19 PM · wkd, gpg4win, Bug Report
werner added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Check that the server does not prohibit TLS 1.2 - a few server admins allow only TLS 1.3 for whatever security threats they have in mind.

Feb 2 2022, 1:00 PM · wkd, gpg4win, Bug Report
mieth created T5813: Locating Keys via WKD with gpg4win fails with unknown error..
Feb 2 2022, 10:52 AM · wkd, gpg4win, Bug Report

Sep 29 2021

werner triaged T5629: gpg-wks-client should also print direct method URL as Normal priority.

Requires a new option or command.

Sep 29 2021, 5:28 PM · Feature Request, gnupg (gpg23), wkd
bernhard added a comment to T5214: gpg-wks-client generates Web Key Directory with bad permissions..

@werner I think @Rombobeorn suggests something like

Sep 29 2021, 3:13 PM · wkd, Bug Report
bernhard created T5629: gpg-wks-client should also print direct method URL.
Sep 29 2021, 2:55 PM · Feature Request, gnupg (gpg23), wkd

Mar 7 2021

Angel added a comment to T5323: adduid and key expiration oddity in gpg-wks-client.

Maybe have gpg-wks-client(or also --export-filter) print a warning if the filtered result has a key expiration different than the original key? That seems the simplest way tp approach the problem.

Mar 7 2021, 11:32 PM · Bug Report, gnupg (gpg23), wkd

Feb 23 2021

werner created T5323: adduid and key expiration oddity in gpg-wks-client.
Feb 23 2021, 6:05 PM · Bug Report, gnupg (gpg23), wkd

Feb 11 2021

werner removed a parent task for T4344: Periodic check of own keys with the WKD: T4417: Work needed for gnupg 2.3.
Feb 11 2021, 11:05 AM · wkd, gnupg, Feature Request

Jan 29 2021

dkg added a comment to T4679: WKD spec should document exactly when a client should fall back from "advanced" to "direct" URL.

See also https://gitlab.com/openpgp-wg/webkey-directory/-/issues/3 which is the same issue.

Jan 29 2021, 3:33 AM · Documentation, wkd

Jan 15 2021

dkg updated the task description for T4679: WKD spec should document exactly when a client should fall back from "advanced" to "direct" URL.
Jan 15 2021, 10:50 PM · Documentation, wkd
dkg added a comment to T4679: WKD spec should document exactly when a client should fall back from "advanced" to "direct" URL.

This ambiguity appears to be the cause of a recent epic (and to me, largely incomprehensible) thread on gnupg-users. It would be great to have the WKD guidance about fallback strategy be much more explicit. Any room for ambiguity here leads to different outcomes from different WKD clients, and quite a bit of confused discussion by their users.

Jan 15 2021, 10:38 PM · Documentation, wkd

Dec 31 2020

Rombobeorn added a comment to T5214: gpg-wks-client generates Web Key Directory with bad permissions..

For directories this can't be done because not only the server reads the directories but also other deployment tools (e.g. rsync).

Dec 31 2020, 10:19 AM · wkd, Bug Report

Dec 30 2020

werner triaged T5214: gpg-wks-client generates Web Key Directory with bad permissions. as Low priority.
Dec 30 2020, 3:07 PM · wkd, Bug Report
werner changed the status of T5214: gpg-wks-client generates Web Key Directory with bad permissions. from Open to Testing.
Dec 30 2020, 3:07 PM · wkd, Bug Report
werner added a project to T5214: gpg-wks-client generates Web Key Directory with bad permissions.: wkd.
Dec 30 2020, 3:04 PM · wkd, Bug Report

Dec 11 2020

TaaviE added a comment to T5177: GPG WKD lookup does not send correct SNI.

The specs might just want to say that it just expects the wildcard to be broken, not that it expects an empty record.

Dec 11 2020, 10:49 AM · FAQ, wkd
werner added a comment to T5177: GPG WKD lookup does not send correct SNI.

Than put something into the TXT - it does not matter and is only used to break the wildcard.

Dec 11 2020, 10:41 AM · FAQ, wkd

Dec 10 2020

TaaviE added a comment to T5177: GPG WKD lookup does not send correct SNI.

Cloudflare doesn't seem to allow empty DNS TXT records...

Dec 10 2020, 4:30 PM · FAQ, wkd
werner closed T5177: GPG WKD lookup does not send correct SNI as Resolved.

From the specs:

Dec 10 2020, 4:28 PM · FAQ, wkd
TaaviE added a comment to T5177: GPG WKD lookup does not send correct SNI.

There's a wildcard CNAME, it's not _really_ configured. It's not a good assumption that a CNAME == configured and it doesn't have a reasonable fallback, IMHO.

Dec 10 2020, 3:00 PM · FAQ, wkd
werner added a comment to T5177: GPG WKD lookup does not send correct SNI.

If you configure the subdomain in the DNS this will be used. Thus get a cert for it. The old method should not be used and thus if the openpgpkey subdomain exists gpg concludes that the admin is aware of the new scheme.

Dec 10 2020, 2:48 PM · FAQ, wkd
TaaviE added a comment to T5177: GPG WKD lookup does not send correct SNI.

Hm, I don't want to remove the CNAME just so that GPG WKD would work, is there a way to fix this? Is there a good reason why after "Advanced"/subdomain lookup it doesn't try "direct"?

Dec 10 2020, 12:22 PM · FAQ, wkd
TaaviE added a comment to T5177: GPG WKD lookup does not send correct SNI.

Oh, it's using the openpgpkey subdomain because of the CNAME but that's not actually being served by the server.

Dec 10 2020, 11:51 AM · FAQ, wkd
werner edited projects for T5177: GPG WKD lookup does not send correct SNI, added: Support, wkd; removed Bug Report.
Dec 10 2020, 11:39 AM · FAQ, wkd

Aug 7 2020

aheinecke closed T4839: GpgOL: WKS Confirmation mail is not handled correctly as Resolved.
Aug 7 2020, 10:47 AM · gpg4win, wkd, gpgol

Apr 9 2020

aisha added a comment to T4886: gpg-wks-server fails on openbsd, because sendmail is in /usr/sbin, not /usr/lib.

thanks a lot dkg and werner :)

Apr 9 2020, 6:14 PM · wkd, gnupg (gpg22), Bug Report

Mar 30 2020

dkg added a comment to T4886: gpg-wks-server fails on openbsd, because sendmail is in /usr/sbin, not /usr/lib.

thanks!

Mar 30 2020, 8:32 PM · wkd, gnupg (gpg22), Bug Report
werner closed T4886: gpg-wks-server fails on openbsd, because sendmail is in /usr/sbin, not /usr/lib as Resolved.

Done; will go into 2.2.21 (T4897).

Mar 30 2020, 5:42 PM · wkd, gnupg (gpg22), Bug Report

Mar 23 2020

dkg created T4886: gpg-wks-server fails on openbsd, because sendmail is in /usr/sbin, not /usr/lib.
Mar 23 2020, 4:13 PM · wkd, gnupg (gpg22), Bug Report

Feb 5 2020

aheinecke created T4839: GpgOL: WKS Confirmation mail is not handled correctly.
Feb 5 2020, 11:16 AM · gpg4win, wkd, gpgol

Jan 14 2020

ringelkrat added a comment to T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).

Thank you for resolving this issue! I am successfully using version 2.2.19 from the gnupg (2.2.19-1~bpo10+1) package of Debian Backports.

Jan 14 2020, 11:47 AM · gnupg (gpg22), wkd, Bug Report

Dec 17 2019

aheinecke created T4778: GpgOL: Initial WKD lookup slow.
Dec 17 2019, 10:21 AM · gpgol, wkd

Dec 4 2019

werner closed T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets) as Resolved.

Fixed for 2.2.19 and master

Dec 4 2019, 4:28 PM · gnupg (gpg22), wkd, Bug Report

Nov 23 2019

werner moved T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets) from Backlog to For next release on the gnupg (gpg22) board.
Nov 23 2019, 8:24 PM · gnupg (gpg22), wkd, Bug Report
ringelkrat added a comment to T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).

Given that the the angle brackets are elsewhere used to indicate a search by mail address, it would be okay to allow for them in this case too (that is dkg's second example).
[...]
To answer your question: With the exception of case two this is desired behaviour also in the future,

Nov 23 2019, 6:53 PM · gnupg (gpg22), wkd, Bug Report

Nov 16 2019

werner triaged T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets) as Normal priority.
Nov 16 2019, 10:18 AM · gnupg (gpg22), wkd, Bug Report
werner added a comment to T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).

Given that the the angle brackets are elsewhere used to indicate a search by mail address, it would be okay to allow for them in this case too (that is dkg's second example). The risk of a regression in that case is pretty low.

Nov 16 2019, 10:18 AM · gnupg (gpg22), wkd, Bug Report

Nov 7 2019

ringelkrat added a comment to T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).
-r  STRING

does a remote key lookup only if STRING is a valid addr-spec. No extraction of the addr-spec from STRING is done and thus angle brackets inhibit the use of a remote lookup.

Nov 7 2019, 4:51 PM · gnupg (gpg22), wkd, Bug Report
werner added a comment to T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).

does a remote key lookup only if STRING is a valid addr-spec. No extraction of the addr-spec from STRING is done and thus angle brackets inhibit the use of a remote lookup. This was implemented in this way to be as much as possible backward compatible.

Nov 7 2019, 4:02 PM · gnupg (gpg22), wkd, Bug Report

Oct 28 2019

dkg created T4732: X.509 cert for openpgpkey.gnupg.org is expired.
Oct 28 2019, 11:36 PM · gpgweb, Bug Report

Oct 24 2019

dkg added a comment to T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).

@werner, you seem to be saying that -r does not imply "key lookups on remote services". Is that correct?

Oct 24 2019, 8:42 PM · gnupg (gpg22), wkd, Bug Report

Oct 23 2019

ringelkrat added a comment to T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).

This is a misunderstanding. The extraction of mail addresses is only doe for key lookups on remote services. Thus the -r case is as intended.

Oct 23 2019, 1:26 PM · gnupg (gpg22), wkd, Bug Report
werner added a comment to T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).

This is a misunderstanding. The extraction of mail addresses is only doe for key lookups on remote services. Thus the -r case is as intended.

Oct 23 2019, 11:35 AM · gnupg (gpg22), wkd, Bug Report
ringelkrat added a comment to T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).

Is this task maybe related to T1927?

Oct 23 2019, 8:07 AM · gnupg (gpg22), wkd, Bug Report
ringelkrat updated subscribers of T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).

Thank you @dkg for creating the bug report! I would like to glean the following information from the above mentioned discussion.

Oct 23 2019, 8:00 AM · gnupg (gpg22), wkd, Bug Report
dkg created T4726: auto-key-locate only works with raw e-mail addresses (not angle-brackets).
Oct 23 2019, 3:24 AM · gnupg (gpg22), wkd, Bug Report

Sep 2 2019

werner claimed T4679: WKD spec should document exactly when a client should fall back from "advanced" to "direct" URL.
Sep 2 2019, 2:59 PM · Documentation, wkd

Aug 21 2019

dkg added a comment to T4679: WKD spec should document exactly when a client should fall back from "advanced" to "direct" URL.

This was also raised for (hopefully) wider discussion on the IETF mailing list.

Aug 21 2019, 8:32 PM · Documentation, wkd

Aug 20 2019

dkg created T4679: WKD spec should document exactly when a client should fall back from "advanced" to "direct" URL.
Aug 20 2019, 10:59 PM · Documentation, wkd

Jul 5 2019

werner closed T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver as Resolved.

Done for master and 2.2.

Jul 5 2019, 10:49 AM · gnupg (gpg22), wkd
werner triaged T4613: document implementation guidance for WKD clients in draft-koch-openpgp-webkey-service as Normal priority.
Jul 5 2019, 7:32 AM · Documentation, wkd

Jul 4 2019

dkg created T4613: document implementation guidance for WKD clients in draft-koch-openpgp-webkey-service.
Jul 4 2019, 11:04 PM · Documentation, wkd
werner closed T4603: dirmngr WKD redirection changes paths as Resolved.

Fix will be in 2.2.17

Jul 4 2019, 4:26 PM · gnupg (gpg22), wkd, dirmngr, Bug Report

Jul 3 2019

wiktor-k added a comment to T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver.

@dkg I believe @aheinecke gave the GpgOL description just as an example of why WKD-first retrieval would be beneficial (for details of that see https://wiki.gnupg.org/AutomatedEncryption#Trust_Levels) and I believe this ticket is a follow-up to my question on gnupg-devel ML: https://lists.gnupg.org/pipermail/gnupg-devel/2019-June/034372.html

Jul 3 2019, 7:26 PM · gnupg (gpg22), wkd
dkg added a comment to T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver.

auto-key-retrieve happens in the context of signature verification when the certificate is missing. If no signer User ID subpacket is present in the signature, then WKD simply won't work.

Jul 3 2019, 7:11 PM · gnupg (gpg22), wkd
werner moved T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver from Backlog to For next release on the gnupg (gpg22) board.
Jul 3 2019, 6:14 PM · gnupg (gpg22), wkd
werner edited projects for T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver, added: gnupg (gpg22); removed gnupg.
Jul 3 2019, 6:12 PM · gnupg (gpg22), wkd
werner added a parent task for T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver: T4606: Release GnuPG 2.2.17.
Jul 3 2019, 6:11 PM · gnupg (gpg22), wkd
werner added a parent task for T4603: dirmngr WKD redirection changes paths: T4606: Release GnuPG 2.2.17.
Jul 3 2019, 6:11 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner moved T4603: dirmngr WKD redirection changes paths from Backlog to For next release on the gnupg (gpg22) board.
Jul 3 2019, 6:01 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner triaged T4603: dirmngr WKD redirection changes paths as Normal priority.
Jul 3 2019, 4:25 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner changed the status of T4603: dirmngr WKD redirection changes paths from Open to Testing.

I did some manual tests using netcat and KS_FETCH to test the redirection.

Jul 3 2019, 4:24 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
dkg added a comment to T4603: dirmngr WKD redirection changes paths.

I think you're suggesting accepting *any* path if the hostname of the proposed redirection matches openpgpkey.example.org when querying the WKD direct URL for an @example.org address. That would also be a fine solution from my point of view.

Jul 3 2019, 4:13 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a comment to T4603: dirmngr WKD redirection changes paths.

I head the same idea when I read your configuration. Given that the advanced lookup was not reallydeployed (see T4590) I also expect that we will receive complains now that it works. Thus white listing any "openpgpkey." seems to me a reasonable easy solution.

Jul 3 2019, 3:52 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner closed T4590: dirmngr does not perform WKD advanced lookup as Resolved.

Will be in 2.2.17

Jul 3 2019, 3:46 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a comment to T4590: dirmngr does not perform WKD advanced lookup.

Oh dear, that happens if one is always on master. I simply forgot to cherry pick the change from master back in November.
Two commits, though.

Jul 3 2019, 3:45 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
dkg added a comment to T4603: dirmngr WKD redirection changes paths.

@werner, thanks for the pointer to the report, that's certainly useful. And i'm happy that organizations like SektionEins are doing GnuPG audits and publishing their results regardless of who paid for them.

Jul 3 2019, 2:48 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a comment to T4603: dirmngr WKD redirection changes paths.

See https://sektioneins.de/en/blog/18-11-23-gnupg-wkd.html for details. In short they fear that companies using IP based security for internal services can be attacked via redirect request and in particular becuase that can happen in the background without the user noticing. I am not concerned but we had long lasting discussions also with protonmail about this and the result was that we need to have this protection. We do not know who requested and paid for the audit from SektionEins and they won't tell us.

Jul 3 2019, 9:44 AM · gnupg (gpg22), wkd, dirmngr, Bug Report

Jul 2 2019

dkg added a comment to T4603: dirmngr WKD redirection changes paths.

Thanks for the pointer, @werner. Certainly we want T4590 fixed.

Jul 2 2019, 5:37 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner added a comment to T4603: dirmngr WKD redirection changes paths.

We need to rewrite the Location to avoid a CSRF attack. See fa1b1eaa4241ff3f0634c8bdf8591cbc7c464144

Jul 2 2019, 4:18 PM · gnupg (gpg22), wkd, dirmngr, Bug Report