
Details

Description

Web Key Directory related

Recent Activity

Wed, Apr 20

werner closed T5813: Locating Keys via WKD with gpg4win fails with unknown error. as Resolved.
Wed, Apr 20, 8:51 AM · wkd, gpg4win, Bug Report

Mar 31 2022

werner added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I don't like it either but the browser vendors don't like SRV records.

Mar 31 2022, 9:03 AM · wkd, gpg4win, Bug Report
wiktor-k added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I still think that redirecting to another catch-all domain is contrary to the original goal and weakens the security model. We need to see what we can do about this.

Mar 31 2022, 8:27 AM · wkd, gpg4win, Bug Report
rainerh added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Thank you, works now on Windows with openpgpkey.sanka-gmbh.de

Mar 31 2022, 7:08 AM · wkd, gpg4win, Bug Report

Mar 30 2022

Valodim added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Independently of that, it seems that gpg4win doesn't work with at least one widely deployed webserver in its default configuration, specifically Caddy, so this fix is well appreciated.

Mar 30 2022, 11:41 PM · wkd, gpg4win, Bug Report
werner added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I still think that redirecting to another catch-all domain is contrary to the original goal and weakens the security model. We need to see what we can do about this.

Mar 30 2022, 6:07 PM · wkd, gpg4win, Bug Report
Valodim added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Oof. That hinges on the certificate, guess we'll need to renew the bunch of them. I reconfigured, might take a while for all pages but ciphers should now be:

Mar 30 2022, 4:53 PM · wkd, gpg4win, Bug Report
werner added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

The ECDHE_ECDSA suites are not yet implemented in ntbtls and thus we can't agree on a common cipher suite. Will be solved in the next Windows version.

Mar 30 2022, 3:35 PM · wkd, gpg4win, Bug Report
rainerh added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

In the above test, I was using
Windows: 2.3.4
Debian: 2.2.12

Mar 30 2022, 12:58 PM · wkd, gpg4win, Bug Report
Valodim added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I captured some logs server-side, and I do see this error:

Mar 30 2022, 12:27 PM · wkd, gpg4win, Bug Report
werner added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Are you using 2.3.4 also on Windows?

Mar 30 2022, 12:15 PM · wkd, gpg4win, Bug Report
rainerh added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I have the same error when using wkd.keys.openpgp.org with a CNAME DNS entry. The error occurs with Windows 10, 11 and Server 2019 (only the most recent versions tested). With Debian it works fine.

Mar 30 2022, 11:44 AM · wkd, gpg4win, Bug Report

Mar 28 2022

werner closed T5902: GnuPG dirmngr sends incorrect l parameter to a WKD server as Resolved.

Good idea. Thanks. Goes onto 2.3 and 2.2

Mar 28 2022, 4:15 PM · dirmngr, gnupg, wkd, Bug Report
eehakkin created T5902: GnuPG dirmngr sends incorrect l parameter to a WKD server.
Mar 28 2022, 10:17 AM · dirmngr, gnupg, wkd, Bug Report

Mar 12 2022

Valodim added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

@mieth sorry for the delay. Meanwhile I adjusted the ciphersuite of the WKD gateway to include an AES-CBC suite. Would be interested if it works now on the setup you tested before.

Mar 12 2022, 2:27 PM · wkd, gpg4win, Bug Report

Feb 10 2022

ikloecker added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Did you make another request for locating keys via WKD after adding the debug flags? I'm asking because when I do this I get the following log:

2022-02-10 17:49:59 dirmngr[6780] listening on socket '/run/user/1000/gnupg/d.f3hdqcrmjwf98p87yqjmuctx/S.dirmngr'
2022-02-10 17:49:59 dirmngr[6781.0] permanently loaded certificates: 130
2022-02-10 17:49:59 dirmngr[6781.0]     runtime cached certificates: 0
2022-02-10 17:49:59 dirmngr[6781.0]            trusted certificates: 130 (130,0,0,0)
2022-02-10 17:49:59 dirmngr[6781.0] failed to open cache dir file '/tmp/tmp.8P2EakNghu/crls.d/DIR.txt': No such file or directory
2022-02-10 17:49:59 dirmngr[6781.0] creating directory '/tmp/tmp.8P2EakNghu/crls.d'
2022-02-10 17:49:59 dirmngr[6781.0] new cache dir file '/tmp/tmp.8P2EakNghu/crls.d/DIR.txt' created
2022-02-10 17:49:59 dirmngr[6781.6] handler for fd 6 started
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> # Home: /tmp/tmp.8P2EakNghu
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> # Config: /tmp/tmp.8P2EakNghu/dirmngr.conf
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> OK Dirmngr 2.3.5-beta17 at your service
2022-02-10 17:49:59 dirmngr[6781.6] connection from process 6779 (1000:100)
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 <- GETINFO version
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> D 2.3.5-beta17
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> OK
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 <- WKD_GET -- werner.koch@gnupg.com
2022-02-10 17:49:59 dirmngr[6781.6] DBG: dns: libdns initialized
2022-02-10 17:49:59 dirmngr[6781.6] DBG: dns: resolve_dns_name(openpgpkey.gnupg.com): No name
2022-02-10 17:49:59 dirmngr[6781.6] DBG: dns: getsrv(_openpgpkey._tcp.gnupg.com) -> 0 records
2022-02-10 17:49:59 dirmngr[6781.6] DBG: chan_6 -> S SOURCE https://gnupg.com
2022-02-10 17:49:59 dirmngr[6781.6] number of system provided CAs: 390
2022-02-10 17:49:59 dirmngr[6781.6] DBG: Using TLS library: GNUTLS 3.7.3
2022-02-10 17:49:59 dirmngr[6781.6] DBG: http.c:connect_server: trying name='gnupg.com' port=443
2022-02-10 17:49:59 dirmngr[6781.6] DBG: dns: resolve_dns_name(gnupg.com): Success
2022-02-10 17:49:59 dirmngr[6781.6] DBG: http.c:1917:socket_new: object 0x00007f524c290e20 for fd 7 created
2022-02-10 17:50:00 dirmngr[6781.6] DBG: http.c:request:
2022-02-10 17:50:00 dirmngr[6781.6] DBG: >> GET /.well-known/openpgpkey/hu/waoubdep9643akkesx4xm3ynstfffiok?l=werner.koch HTTP/1.0\r\n
2022-02-10 17:50:00 dirmngr[6781.6] DBG: >> Host: gnupg.com\r\n
2022-02-10 17:50:00 dirmngr[6781.6] DBG: http.c:request-header:
2022-02-10 17:50:00 dirmngr[6781.6] DBG: >> \r\n
2022-02-10 17:50:00 dirmngr[6781.6] DBG: http.c:response:
2022-02-10 17:50:00 dirmngr[6781.6] DBG: >> HTTP/1.0 200 OK\r\n
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Date: Thu, 10 Feb 2022 16:49:59 GMT'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Server: Boa/0.94.14rc21'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Accept-Ranges: bytes'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Connection: close'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Content-Length: 957'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Last-Modified: Mon, 28 Jun 2021 17:47:11 GMT'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: 'Content-Type: text/plain'
2022-02-10 17:50:00 dirmngr[6781.6] http.c:RESP: ''
2022-02-10 17:50:00 dirmngr[6781.6] DBG: (957 bytes sent via D lines not shown)
2022-02-10 17:50:00 dirmngr[6781.6] DBG: chan_6 -> OK
2022-02-10 17:50:00 dirmngr[6781.6] DBG: chan_6 <- BYE
2022-02-10 17:50:00 dirmngr[6781.6] DBG: chan_6 -> OK closing connection
2022-02-10 17:50:00 dirmngr[6781.6] handler for fd 6 terminated
Feb 10 2022, 5:53 PM · wkd, gpg4win, Bug Report
mieth added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

2022-02-10 17:07:35 [12256]    dauerhaft geladene Zertifikate: 74
2022-02-10 17:07:35 [12256]  zwischengespeicherte Zertifikate: 0
2022-02-10 17:07:35 [12256]     vertrauenswürdige Zertifikate: 74 (74,0,0,0)
2022-02-10 17:07:35 [12256] DBG: chan_0x0000026c -> # Home: C:\Users\User\AppData\Roaming\gnupg
2022-02-10 17:07:35 [12256] DBG: chan_0x0000026c -> # Config: .\dirmngr.conf
2022-02-10 17:07:35 [12256] DBG: chan_0x0000026c -> OK Dirmngr 2.3.4 at your service
Feb 10 2022, 5:10 PM · wkd, gpg4win, Bug Report

Feb 8 2022

ikloecker added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Add the following to dirmngr.conf:

debug ipc,dns,network,lookup

There are more debug flags but the above flags should cover anything related to the lookup.

Feb 8 2022, 6:55 PM · wkd, gpg4win, Bug Report
bernhard added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

You may have to restart the dirmngr to see the log-file option be honored. The gpg request to dirmngr should be visible in the log.

Feb 8 2022, 4:37 PM · wkd, gpg4win, Bug Report
mieth added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

@mieth can you enable the dirmngr log and give it more messages? You'll be able to diagnose the problem further. There have been problems in the past with the contents of the certificate store of Windows. It does not look like this is the problem you are facing, but the diagnostic messages should be helpful.

Feb 8 2022, 1:37 PM · wkd, gpg4win, Bug Report
bernhard added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

@mieth can you enable the dirmngr log and give it more messages? You'll be able to diagnose the problem further. There have been problems in the past with the contents of the certificate store of Windows. It does not look like this is the problem you are facing, but the diagnostic messages should be helpful.

Feb 8 2022, 11:41 AM · wkd, gpg4win, Bug Report

Feb 7 2022

mieth added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Might be an issue with matching ciphersuites? There was a problem with this before when GnuPG didn't support AES-GCM yet (https://dev.gnupg.org/T4597). That was added in 2020, maybe it's not rolled out far enough yet?

Either way, I hadn't considered this for the WKD relay. I'll look into enabling AES-CBC there, at least for backwards compatibility.

Feb 7 2022, 11:41 AM · wkd, gpg4win, Bug Report

Feb 3 2022

Valodim added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Might be an issue with matching ciphersuites? There was a problem with this before when GnuPG didn't support AES-GCM yet (https://dev.gnupg.org/T4597). That was added in 2020, maybe it's not rolled out far enough yet?

Feb 3 2022, 11:59 AM · wkd, gpg4win, Bug Report

Feb 2 2022

mieth added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

After further testing: The error does not occur if WKD is implemented directly under the respective domain.
The behavior of GnuPG differs between Windows and other platforms. However, it is not clear to me which version is behaving incorrectly. But it seems clear that there is no compatibility with the instructions at https://keys.openpgp.org/about/usage#wkd-as-a-service under Windows. (However this may concern another project.)

Feb 2 2022, 2:11 PM · wkd, gpg4win, Bug Report
mieth added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

The server in the testcase is wkd.keys.openpgp.org, which is referred to with a CNAME via the DNS. Referring to https://www.ssllabs.com/ssltest/analyze.html?d=wkd.keys.openpgp.org it should support TLS 1.2

Feb 2 2022, 1:19 PM · wkd, gpg4win, Bug Report
werner added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

Check that the server does not prohibit TLS 1.2 - a few server admins allow only TLS 1.3 for whatever security threats they have in mind.

Feb 2 2022, 1:00 PM · wkd, gpg4win, Bug Report
mieth created T5813: Locating Keys via WKD with gpg4win fails with unknown error..
Feb 2 2022, 10:52 AM · wkd, gpg4win, Bug Report

Sep 29 2021

werner triaged T5629: gpg-wks-client should also print direct method URL as Normal priority.

Requires a new option or command.

Sep 29 2021, 5:28 PM · Feature Request, gnupg (gpg23), wkd
bernhard added a comment to T5214: gpg-wks-client generates Web Key Directory with bad permissions..

@werner I think @Rombobeorn suggests something like

Sep 29 2021, 3:13 PM · wkd, Bug Report
bernhard created T5629: gpg-wks-client should also print direct method URL.
Sep 29 2021, 2:55 PM · Feature Request, gnupg (gpg23), wkd

Mar 7 2021

Angel added a comment to T5323: adduid and key expiration oddity in gpg-wks-client.

Maybe have gpg-wks-client (or also --export-filter) print a warning if the filtered result has a key expiration different than the original key? That seems the simplest way to approach the problem.

Mar 7 2021, 11:32 PM · Bug Report, gnupg (gpg23), wkd

Feb 23 2021

werner created T5323: adduid and key expiration oddity in gpg-wks-client.
Feb 23 2021, 6:05 PM · Bug Report, gnupg (gpg23), wkd

Feb 11 2021

werner removed a parent task for T4344: Periodic check of own keys with the WKD: T4417: Work needed for gnupg 2.3.
Feb 11 2021, 11:05 AM · wkd, gnupg, Feature Request

Jan 29 2021

dkg added a comment to T4679: WKD spec should document exactly when a client should fall back from "advanced" to "direct" URL.

See also https://gitlab.com/openpgp-wg/webkey-directory/-/issues/3 which is the same issue.

Jan 29 2021, 3:33 AM · Documentation, wkd

Jan 15 2021

dkg updated the task description for T4679: WKD spec should document exactly when a client should fall back from "advanced" to "direct" URL.
Jan 15 2021, 10:50 PM · Documentation, wkd
dkg added a comment to T4679: WKD spec should document exactly when a client should fall back from "advanced" to "direct" URL.

This ambiguity appears to be the cause of a recent epic (and to me, largely incomprehensible) thread on gnupg-users. It would be great to have the WKD guidance about fallback strategy be much more explicit. Any room for ambiguity here leads to different outcomes from different WKD clients, and quite a bit of confused discussion by their users.

Jan 15 2021, 10:38 PM · Documentation, wkd

Dec 31 2020

Rombobeorn added a comment to T5214: gpg-wks-client generates Web Key Directory with bad permissions..

For directories this can't be done because not only the server reads the directories but also other deployment tools (e.g. rsync).

Dec 31 2020, 10:19 AM · wkd, Bug Report

Dec 30 2020

werner triaged T5214: gpg-wks-client generates Web Key Directory with bad permissions. as Low priority.
Dec 30 2020, 3:07 PM · wkd, Bug Report
werner changed the status of T5214: gpg-wks-client generates Web Key Directory with bad permissions. from Open to Testing.
Dec 30 2020, 3:07 PM · wkd, Bug Report
werner added a project to T5214: gpg-wks-client generates Web Key Directory with bad permissions.: wkd.
Dec 30 2020, 3:04 PM · wkd, Bug Report

Dec 11 2020

TaaviE added a comment to T5177: GPG WKD lookup does not send correct SNI.

The specs might just want to say that it just expects the wildcard to be broken, not that it expects an empty record.

Dec 11 2020, 10:49 AM · FAQ, wkd
werner added a comment to T5177: GPG WKD lookup does not send correct SNI.

Then put something into the TXT - it does not matter and is only used to break the wildcard.

Dec 11 2020, 10:41 AM · FAQ, wkd

Dec 10 2020

TaaviE added a comment to T5177: GPG WKD lookup does not send correct SNI.

Cloudflare doesn't seem to allow empty DNS TXT records...

Dec 10 2020, 4:30 PM · FAQ, wkd
werner closed T5177: GPG WKD lookup does not send correct SNI as Resolved.

From the specs:

Dec 10 2020, 4:28 PM · FAQ, wkd
TaaviE added a comment to T5177: GPG WKD lookup does not send correct SNI.

There's a wildcard CNAME, it's not _really_ configured. It's not a good assumption that a CNAME == configured and it doesn't have a reasonable fallback, IMHO.

Dec 10 2020, 3:00 PM · FAQ, wkd
werner added a comment to T5177: GPG WKD lookup does not send correct SNI.

If you configure the subdomain in the DNS this will be used. Thus get a cert for it. The old method should not be used and thus if the openpgpkey subdomain exists gpg concludes that the admin is aware of the new scheme.

Dec 10 2020, 2:48 PM · FAQ, wkd
TaaviE added a comment to T5177: GPG WKD lookup does not send correct SNI.

Hm, I don't want to remove the CNAME just so that GPG WKD would work, is there a way to fix this? Is there a good reason why after "Advanced"/subdomain lookup it doesn't try "direct"?

Dec 10 2020, 12:22 PM · FAQ, wkd
TaaviE added a comment to T5177: GPG WKD lookup does not send correct SNI.

Oh, it's using the openpgpkey subdomain because of the CNAME but that's not actually being served by the server.

Dec 10 2020, 11:51 AM · FAQ, wkd
werner edited projects for T5177: GPG WKD lookup does not send correct SNI, added: Support, wkd; removed Bug Report.
Dec 10 2020, 11:39 AM · FAQ, wkd
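The two WKD URL forms and the method-selection rule that the T5177 comments above describe ("if the openpgpkey subdomain exists gpg concludes that the admin is aware of the new scheme", so there is no fallback to the direct method) are shown below as an added Python example; it also reproduces the direct-method request from ikloecker's dirmngr log earlier in this feed, where openpgpkey.gnupg.com does not resolve and the client fetches /.well-known/openpgpkey/hu/waoubdep9643akkesx4xm3ynstfffiok?l=werner.koch from gnupg.com. This is not GnuPG or dirmngr code. The z-base-32 alphabet and the path layout follow the WKD draft; the resolver is a constructed stand-in for DNS (the SRV lookup seen in the log is omitted), and alice@example.org is a made-up address used to show the wildcard-CNAME case.

```python
"""WKD URL construction and advanced/direct method selection (added example, not GnuPG code)."""
import hashlib
from typing import Callable
from urllib.parse import quote

# z-base-32 alphabet used by the WKD draft to encode the local-part hash.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zb32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bits first; a 20-byte SHA-1 digest gives 32 chars."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)  # right-pad to a 5-bit boundary
    return "".join(ZB32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local-part, z-base-32 encoded: the 'hu/<hash>' path component."""
    return zb32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(mailbox: str) -> dict:
    """Return the advanced-method and direct-method URLs for a mail address."""
    local_part, _, domain = mailbox.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    domain = domain.lower()
    hu = wkd_hash(local_part)
    l_param = quote(local_part, safe="")  # the 'l' query parameter carries the local-part as written
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l_param}",
    }


def select_method(mailbox: str, resolves: Callable[[str], bool]) -> tuple:
    """Client rule from the thread: if openpgpkey.<domain> resolves at all, use the
    advanced method and do not fall back to the direct method; otherwise use direct."""
    domain = mailbox.rpartition("@")[2].lower()
    urls = wkd_urls(mailbox)
    if resolves(f"openpgpkey.{domain}"):
        return "advanced", urls["advanced"]
    return "direct", urls["direct"]


def make_resolver(known: set, wildcard_domains: set = frozenset()) -> Callable[[str], bool]:
    """Constructed stand-in for DNS: names in `known` resolve, and every name under a
    domain listed in `wildcard_domains` resolves too (a wildcard CNAME, the T5177 situation)."""
    def resolves(name: str) -> bool:
        if name in known:
            return True
        return any(name.endswith("." + d) for d in wildcard_domains)
    return resolves


if __name__ == "__main__":
    # Case from the dirmngr log in this feed: no openpgpkey subdomain, so the direct URL is used.
    print(select_method("werner.koch@gnupg.com", make_resolver({"gnupg.com"})))
    # Constructed wildcard case: every label under example.org resolves, so the client
    # commits to the advanced URL even if nothing serves it there.
    print(select_method("alice@example.org", make_resolver({"example.org"}, {"example.org"})))
```

The second case is what TaaviE ran into: because a wildcard CNAME makes openpgpkey.example.org resolve, the client commits to the advanced URL and never tries the direct one, so a host that only serves the direct layout (or has no certificate for the openpgpkey name) produces a failed lookup. The defensive options are the ones the thread names: serve the advanced layout on openpgpkey.<domain> with a certificate for that name, or break the wildcard for that label.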

Aug 7 2020

aheinecke closed T4839: GpgOL: WKS Confirmation mail is not handled correctly as Resolved.
Aug 7 2020, 10:47 AM · gpg4win, wkd, gpgol