Aug 21 2024
Aug 21 2024
Jan 4 2024
Jan 4 2024
Jan 19 2023
Jan 19 2023
• werner removed a project from T6020: Make %-expandos available for --default-keyserver-url: gnupg (gpg23).
• werner removed a project from T6040: Allow embedding preferred keyserver URL in signatures: gnupg (gpg23).
• werner removed a project from T6254: Warn in --recv-keys verbose output that no keys have been imported: gnupg (gpg23).
Oct 20 2022
Oct 20 2022
• werner triaged T6254: Warn in --recv-keys verbose output that no keys have been imported as Normal priority.
• werner added projects to T6254: Warn in --recv-keys verbose output that no keys have been imported: gnupg (gpg23), Keyserver.
Oh yes, the usual import statistics should be shown here.
Oct 5 2022
Oct 5 2022
Sep 22 2022
Sep 22 2022
• werner added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
We should close this. The recent fix in 2.2 and the forthcoming 2.3 does everything we want. In the meantiime or if further problems turn up, --ignore-cert is a good workaround.
• werner changed the status of T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired from Open to Testing.
Aug 30 2022
Aug 30 2022
• gniibe added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
In the situation of a certificate about to be expired in the cache:
dkg added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Thanks, @gniibe -- i agree that this change to put_cert should be helpful, when encountering a certificate that is already invalid.
Aug 26 2022
Aug 26 2022
• gniibe added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
rejecting an intermediate certificate too.
• gniibe added a project to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired: Restricted Project.
Pushed the change of mine to master, since I can confirm that it results validate_cert_chain working better, because of put_cert's rejecting an intermediate certificate too.
Aug 25 2022
Aug 25 2022
• werner triaged T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired as Wishlist priority.
• werner added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
@dkg: Thanks for the detailed description of the problem.
• gniibe added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Thank you @dkg for the analysis. Unfortunately, the certificate cache is hashed by SHA-1 FPR, so, I think that it is a bit difficult to implement moving certs "front" / "back".
dkg reopened T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired as "Open".
Thanks for the followup about R3, @mpilgrem! Looking at your logs in more details, and the source code for find_cert_bysubject in dirmngr/certcache.c, i think i see what the issue is. It's slightly more subtle than not terminating early if a known trusted root can validate a truncated chain.
Aug 24 2022
Aug 24 2022
dkg added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
@mpilgrem, i'm glad that removing the DST Root CA X3 from your windows control panel worked for you, but it still doesn't seem to be a reasonable fix from a GnuPG user perspective
mpilgrem added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Doing the same thing on my second PC, I can be more precise:
Valodim reopened T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired as "Open".
I'll reopen this ticket here, since the underlying issue is not quite resolved yet as @dkg helpfully outlined above.
mpilgrem added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Thank you dkg. I am new to 'certificates' generally - and a little knowledge is a dangerous thing - but this is what I did:
Aug 23 2022
Aug 23 2022
dkg added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
@mpilgrem: in the meantime, for connecting to keys.openpgp.org, which *has* cleaned up its certificate chain, you might also want to try killing your dirmngr process, and/or cleaning up the data in .gnupg/dirmngr-cache.d/.
dkg added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Basically, the website in question (e.g. https://openpgpkey.gnupg.org/, which exhibits this problem) serves up three certificates:
Aug 22 2022
Aug 22 2022
Valodim added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
In that case, it's a bug in gnupg and there's nothing I can further do from my side 🤷
mpilgrem added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Thank you Valodim. I am new to GnuPG etc, so not sure if I should be doing something at my end. At the moment, whatever you have changed does not seem to have affected my experience. This is my current log for the same failed commands as above:
2022-08-22 21:31:19 dirmngr[1152] listening on socket 'C:\\Users\\mike\\AppData\\Local\\gnupg\\S.dirmngr' 2022-08-22 21:31:19 dirmngr[1152] DBG: number of certs loaded from store 'ROOT': 70 2022-08-22 21:31:19 dirmngr[1152] DBG: certificate 'CA' already cached 2022-08-22 21:31:19 dirmngr[1152] DBG: number of certs loaded from store 'CA': 151 2022-08-22 21:31:19 dirmngr[1152] permanently loaded certificates: 221 2022-08-22 21:31:19 dirmngr[1152] runtime cached certificates: 0 2022-08-22 21:31:19 dirmngr[1152] trusted certificates: 221 (221,0,0,0) 2022-08-22 21:31:19 dirmngr[1152] handler for fd 704 started 2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> # Home: C:\Users\mike\AppData\Roaming\gnupg 2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> # Config: C:/Users/mike/AppData/Roaming/gnupg/dirmngr.conf 2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> OK Dirmngr 2.3.7 at your service 2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 <- GETINFO version 2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> D 2.3.7 2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> OK 2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 <- KEYSERVER --clear hkps://keys.openpgp.org 2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> OK 2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 <- KS_SEARCH -- 575159689BEFB442 2022-08-22 21:31:19 dirmngr[1152] DBG: dns: dnsserver[0] '192.168.1.254' 2022-08-22 21:31:19 dirmngr[1152] DBG: dns: libdns initialized 2022-08-22 21:31:20 dirmngr[1152] DBG: dns: getsrv(_pgpkey-https._tcp.keys.openpgp.org) -> 0 records 2022-08-22 21:31:20 dirmngr[1152] DBG: dns: resolve_dns_name(keys.openpgp.org): Success 2022-08-22 21:31:20 dirmngr[1152] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known] 2022-08-22 21:31:20 dirmngr[1152] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known] 2022-08-22 21:31:20 dirmngr[1152] DBG: Using TLS library: NTBTLS 0.3.1 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: family: 23 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: addr: fe80::dc27:6f:dcb5:531e%4 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: family: 23 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: addr: 2a00:23c7:c181:f01:246b:c705:4a54:3265 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: family: 23 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: addr: 2a00:23c7:c181:f01:dc27:6f:dcb5:531e 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: family: 23 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: addr: fe80::9055:5c7f:95b9:e13d%47 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: family: 2 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: addr: 192.168.1.101 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: family: 2 2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support: addr: 172.22.176.1 2022-08-22 21:31:20 dirmngr[1152] DBG: http.c:connect_server: trying name='keys.openpgp.org' port=443 2022-08-22 21:31:20 dirmngr[1152] DBG: dns: resolve_dns_name(keys.openpgp.org): Success 2022-08-22 21:31:21 dirmngr[1152] DBG: http.c:1951:socket_new: object 0x036a2810 for fd 1020 created 2022-08-22 21:31:21 dirmngr[1152] certificate already cached 2022-08-22 21:31:21 dirmngr[1152] DBG: BEGIN Certificate 'subject': 2022-08-22 21:31:21 dirmngr[1152] DBG: serial: 0431B075AFEFF12EBDD26C62BECFF6F47A91 2022-08-22 21:31:21 dirmngr[1152] DBG: notBefore: 2022-08-22 14:26:24 2022-08-22 21:31:21 dirmngr[1152] DBG: notAfter: 2022-11-20 14:26:23 2022-08-22 21:31:21 dirmngr[1152] DBG: issuer: CN=R3,O=Let's Encrypt,C=US 2022-08-22 21:31:21 dirmngr[1152] DBG: subject: CN=keys.openpgp.org 2022-08-22 21:31:21 dirmngr[1152] DBG: aka: (8:dns-name16:keys.openpgp.org) 2022-08-22 21:31:21 dirmngr[1152] DBG: hash algo: 1.2.840.113549.1.1.11 2022-08-22 21:31:21 dirmngr[1152] DBG: SHA1 fingerprint: 8647D98EE3F7ADF2BB151AEAAF462BA2BDAFCDA4 2022-08-22 21:31:21 dirmngr[1152] DBG: END Certificate 2022-08-22 21:31:21 dirmngr[1152] Note: non-critical certificate policy not allowed 2022-08-22 21:31:21 dirmngr[1152] DBG: find_cert_bysubject: certificate found in the cache by subject DN 2022-08-22 21:31:21 dirmngr[1152] DBG: got issuer's certificate: 2022-08-22 21:31:21 dirmngr[1152] DBG: BEGIN Certificate 'issuer': 2022-08-22 21:31:21 dirmngr[1152] DBG: serial: 400175048314A4C8218C84A90C16CDDF 2022-08-22 21:31:21 dirmngr[1152] DBG: notBefore: 2020-10-07 19:21:40 2022-08-22 21:31:21 dirmngr[1152] DBG: notAfter: 2021-09-29 19:21:40 2022-08-22 21:31:21 dirmngr[1152] DBG: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. 2022-08-22 21:31:21 dirmngr[1152] DBG: subject: CN=R3,O=Let's Encrypt,C=US 2022-08-22 21:31:21 dirmngr[1152] DBG: hash algo: 1.2.840.113549.1.1.11 2022-08-22 21:31:21 dirmngr[1152] DBG: SHA1 fingerprint: 48504E974C0DAC5B5CD476C8202274B24C8C7172 2022-08-22 21:31:21 dirmngr[1152] DBG: END Certificate 2022-08-22 21:31:21 dirmngr[1152] DBG: sigval: (sig-val 2022-08-22 21:31:21 dirmngr[1152] DBG: (rsa 2022-08-22 21:31:21 dirmngr[1152] DBG: (s #33074E9B2D6823CFFEBF5744AAD2A132B42ED88ACFEE01AF908D51F04D582E5EE29126D705F0BA2734504EF143B8FFFEE9BBA6DBDDAE010450A3B0AA42CAEED9ADBC3AC22B45E4FEEC6E49AAABF4C557BE8D9833F4815AC8080F3ADADAE654BBBA5328DBB7FFC1EB5EAE166076884BF57B4F052B155843EF17236529CE9D702D6E4FE8DFDC69BD713758140457EE85C8E8D07F48EFC8F3E256518527D02F177356AF10DB5B23BEC31D10208733FFA48667C887E42F7EE03466CFEFD0E068403C5A539CA041CB062571AE38827DDEE24E6EBC376D3C59DCF3E594B516398AE9C35CFE816FA4CFAE2A240FDAF21BF298B68501A967A6AE967017534FC40406E33B#) 2022-08-22 21:31:21 dirmngr[1152] DBG: ) 2022-08-22 21:31:21 dirmngr[1152] DBG: (hash sha256)) 2022-08-22 21:31:21 dirmngr[1152] DBG: PKCS#1 block type 1 encoded data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffff003031300d0609608648016503040201050004207d \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 20adb93aafb8ffddebf14f6bf2430074c4967b9f55a80f31a62556bf74ac98 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffff003031300d0609608648016503040201050004207d \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 20adb93aafb8ffddebf14f6bf2430074c4967b9f55a80f31a62556bf74ac98 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify sig:+33074e9b2d6823cffebf5744aad2a132b42ed88acfee01af908d51f04d582e5e \ 2022-08-22 21:31:21 dirmngr[1152] DBG: e29126d705f0ba2734504ef143b8fffee9bba6dbddae010450a3b0aa42caeed9 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: adbc3ac22b45e4feec6e49aaabf4c557be8d9833f4815ac8080f3adadae654bb \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ba5328dbb7ffc1eb5eae166076884bf57b4f052b155843ef17236529ce9d702d \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 6e4fe8dfdc69bd713758140457ee85c8e8d07f48efc8f3e256518527d02f1773 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 56af10db5b23bec31d10208733ffa48667c887e42f7ee03466cfefd0e068403c \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 5a539ca041cb062571ae38827ddee24e6ebc376d3c59dcf3e594b516398ae9c3 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 5cfe816fa4cfae2a240fdaf21bf298b68501a967a6ae967017534fc40406e33b 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify n:+bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c5 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 4cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53b \ 2022-08-22 21:31:21 dirmngr[1152] DBG: c32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cac \ 2022-08-22 21:31:21 dirmngr[1152] DBG: e19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add2 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 86583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f1 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 18f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb15 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify e:+010001 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify cmp:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffff003031300d0609608648016503040201050004207d \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 20adb93aafb8ffddebf14f6bf2430074c4967b9f55a80f31a62556bf74ac98 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify => Good 2022-08-22 21:31:21 dirmngr[1152] DBG: gcry_pk_verify: Success 2022-08-22 21:31:21 dirmngr[1152] certificate is good 2022-08-22 21:31:21 dirmngr[1152] certificate has expired 2022-08-22 21:31:21 dirmngr[1152] (expired at 2021-09-29 19:21:40) 2022-08-22 21:31:21 dirmngr[1152] Note: non-critical certificate policy not allowed 2022-08-22 21:31:21 dirmngr[1152] DBG: find_cert_bysubject: certificate found in the cache by subject DN 2022-08-22 21:31:21 dirmngr[1152] DBG: got issuer's certificate: 2022-08-22 21:31:21 dirmngr[1152] DBG: BEGIN Certificate 'issuer': 2022-08-22 21:31:21 dirmngr[1152] DBG: serial: 44AFB080D6A327BA893039862EF8406B 2022-08-22 21:31:21 dirmngr[1152] DBG: notBefore: 2000-09-30 21:12:19 2022-08-22 21:31:21 dirmngr[1152] DBG: notAfter: 2021-09-30 14:01:15 2022-08-22 21:31:21 dirmngr[1152] DBG: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. 2022-08-22 21:31:21 dirmngr[1152] DBG: subject: CN=DST Root CA X3,O=Digital Signature Trust Co. 2022-08-22 21:31:21 dirmngr[1152] DBG: hash algo: 1.2.840.113549.1.1.5 2022-08-22 21:31:21 dirmngr[1152] DBG: SHA1 fingerprint: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 2022-08-22 21:31:21 dirmngr[1152] DBG: END Certificate 2022-08-22 21:31:21 dirmngr[1152] DBG: sigval: (sig-val 2022-08-22 21:31:21 dirmngr[1152] DBG: (rsa 2022-08-22 21:31:21 dirmngr[1152] DBG: (s #D94CE0C9F584883731DBBB13E2B3FC8B6B62126C58B7497E3C02B7A81F2861EBCEE02E73EF49077A35841F1DAD68F0D8FE56812F6D7F58A66E3536101C73C3E5BD6D5E01D76E72FB2AA0B8D35764E55BC269D4D0B2F77C4BC3178E887273DCFDFC6DBDE3C90B8E613A16587D74362B55803DC763BE8443C639A10E6B579E3F29C180F6B2BD47CBAA306CB732E159540B1809175E636CFB96673C1C730C938BC611762486DE400707E47D2D66B525A39658C8EA80EECF693B96FCE68DC033F389F8292D14142D7EF06170955DF70BE5C0FB24FAEC8ECB61C8EE637128A82C053B77EF9B5E0364F051D1E485535CB00297D47EC634D2CE1000E4B1DF3AC2EA17BE#) 2022-08-22 21:31:21 dirmngr[1152] DBG: ) 2022-08-22 21:31:21 dirmngr[1152] DBG: (hash sha256)) 2022-08-22 21:31:21 dirmngr[1152] DBG: PKCS#1 block type 1 encoded data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffff003031300d06096086480165030402010500042032 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 86ff65a65faf32085eea1388c3738ba7e37873c906cce3c4a28b4cc2a58988 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffff003031300d06096086480165030402010500042032 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 86ff65a65faf32085eea1388c3738ba7e37873c906cce3c4a28b4cc2a58988 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify sig:+d94ce0c9f584883731dbbb13e2b3fc8b6b62126c58b7497e3c02b7a81f2861eb \ 2022-08-22 21:31:21 dirmngr[1152] DBG: cee02e73ef49077a35841f1dad68f0d8fe56812f6d7f58a66e3536101c73c3e5 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: bd6d5e01d76e72fb2aa0b8d35764e55bc269d4d0b2f77c4bc3178e887273dcfd \ 2022-08-22 21:31:21 dirmngr[1152] DBG: fc6dbde3c90b8e613a16587d74362b55803dc763be8443c639a10e6b579e3f29 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: c180f6b2bd47cbaa306cb732e159540b1809175e636cfb96673c1c730c938bc6 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 11762486de400707e47d2d66b525a39658c8ea80eecf693b96fce68dc033f389 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: f8292d14142d7ef06170955df70be5c0fb24faec8ecb61c8ee637128a82c053b \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 77ef9b5e0364f051d1e485535cb00297d47ec634d2ce1000e4b1df3ac2ea17be 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify n:+dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c11814 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 8be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8c \ 2022-08-22 21:31:21 dirmngr[1152] DBG: e5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify e:+010001 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify cmp:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \ 2022-08-22 21:31:21 dirmngr[1152] DBG: ffffffffffffffffffffff003031300d06096086480165030402010500042032 \ 2022-08-22 21:31:21 dirmngr[1152] DBG: 86ff65a65faf32085eea1388c3738ba7e37873c906cce3c4a28b4cc2a58988 2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify => Good 2022-08-22 21:31:21 dirmngr[1152] DBG: gcry_pk_verify: Success 2022-08-22 21:31:21 dirmngr[1152] certificate is good 2022-08-22 21:31:21 dirmngr[1152] certificate has expired 2022-08-22 21:31:21 dirmngr[1152] (expired at 2021-09-30 14:01:15) 2022-08-22 21:31:21 dirmngr[1152] root certificate is good and trusted 2022-08-22 21:31:21 dirmngr[1152] target certificate is NOT valid 2022-08-22 21:31:21 dirmngr[1152] TLS handshake failed: Certificate expired <Dirmngr> 2022-08-22 21:31:21 dirmngr[1152] error connecting to 'https://keys.openpgp.org:443': Certificate expired 2022-08-22 21:31:21 dirmngr[1152] command 'KS_SEARCH' failed: Certificate expired 2022-08-22 21:31:21 dirmngr[1152] DBG: chan_0x000002c0 -> ERR 167772261 Certificate expired <Dirmngr> 2022-08-22 21:31:21 dirmngr[1152] DBG: chan_0x000002c0 <- BYE 2022-08-22 21:31:21 dirmngr[1152] DBG: chan_0x000002c0 -> OK closing connection 2022-08-22 21:31:21 dirmngr[1152] handler for fd 704 terminated
Valodim added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
It seems we were still providing the expired DST certificate, which led to an additional yet invalid trust path, which gnupg didn't consider "valid" overall. Mainstream TLS implementations are more lenient here which masked the issue for a bit.
Aug 18 2022
Aug 18 2022
Jun 24 2022
Jun 24 2022
Saklad5 updated the task description for T6040: Allow embedding preferred keyserver URL in signatures.
Saklad5 updated the task description for T6020: Make %-expandos available for --default-keyserver-url.
Saklad5 added a comment to T6040: Allow embedding preferred keyserver URL in signatures.
Valodim added a comment to T6040: Allow embedding preferred keyserver URL in signatures.
I suppose you're right, we might have crossed that bridge a while ago. Simple availability of certificate- or even signature-specific keyserver URIs just make the risks of honor-keyserver-url more obvious than before.
• ikloecker added a comment to T6040: Allow embedding preferred keyserver URL in signatures.
Valodim added a comment to T6040: Allow embedding preferred keyserver URL in signatures.
This is a reasonable feature, however it should be noted that this implies a fairly large metadata leak: You are essentially adding a URI to signatures that will be pinged on signature verification.
Saklad5 updated the task description for T6040: Allow embedding preferred keyserver URL in signatures.
Saklad5 added a comment to T6040: Allow embedding preferred keyserver URL in signatures.
I don't see why this is a child task of T6020: the features are similar, but they don't actually impact each other in any way.
Saklad5 renamed T6040: Allow embedding preferred keyserver URL in signatures from Allow embedding default keyserver URL in signatures to Allow embedding preferred keyserver URL in signatures.
Jun 23 2022
Jun 23 2022
Saklad5 changed the edit policy for T6020: Make %-expandos available for --default-keyserver-url.
Saklad5 changed the edit policy for T6040: Allow embedding preferred keyserver URL in signatures.
Jun 22 2022
Jun 22 2022
Saklad5 raised the priority of T6020: Make %-expandos available for --default-keyserver-url from Wishlist to Needs Triage.