KeyserverTag
ActivePublic

Members

  • This project does not have any members.

Recent Activity

Mon, Nov 25

werner closed T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached, a subtask of T4163: hkps://hkps.pool.sks-keyservers.net has to many bad servers to be a good default, as Resolved.
Mon, Nov 25, 10:17 PM · gnupg, Keyserver
werner closed T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached as Resolved.

Unusable v6 interfaces are now detected on Windows and then not used.

Mon, Nov 25, 10:17 PM · Keyserver, Feature Request, dirmngr
werner closed T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned as Resolved.
Mon, Nov 25, 10:15 PM · Keyserver, gnupg (gpg22), Bug Report

Wed, Nov 20

werner lowered the priority of T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned from Normal to Wishlist.
Wed, Nov 20, 8:58 AM · Keyserver, gnupg (gpg22), Bug Report

Nov 7 2019

werner moved T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned from Backlog to For next release on the gnupg (gpg22) board.
Nov 7 2019, 3:15 PM · Keyserver, gnupg (gpg22), Bug Report
werner changed the status of T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned from Open to Testing.
Nov 7 2019, 3:14 PM · Keyserver, gnupg (gpg22), Bug Report
werner added a commit to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned: rG2975868ede40: gpg: Fix a potential loss of key sigs during import with self-sigs-only..
Nov 7 2019, 3:13 PM · Keyserver, gnupg (gpg22), Bug Report
werner added a commit to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned: rG6701a38f8e4a: gpg: Fix a potential loss of key sigs during import with self-sigs-only..
Nov 7 2019, 3:10 PM · Keyserver, gnupg (gpg22), Bug Report

Oct 25 2019

mgorny added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

Ping.

Oct 25 2019, 10:54 AM · Keyserver, dns, dirmngr, Bug Report

Oct 24 2019

dkg added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

There is a growing bit of popular lore in the GnuPG community that "when keyserver operations fail, you solve that problem with killall dirmngr." I believe this suggestion is potentially damaging (the long-running daemon may be in the middle of operations for a client that you don't know about), but i suspect it is circulating as advice because it resolves the situation outlined in this ticket. For whatever ephemeral reason, dirmngr gets stuck, and fails to notice that this situation has resolved itself.

Oct 24 2019, 5:39 PM · Feature Request, Keyserver, dirmngr

Jul 18 2019

dkg added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

I'm aware of you releasing an RC for comments, and i apologize for not catching this particular case earlier. As you know from T4607, i was even advocating for it. i didn't understand the full implications of the "import-then-clean" approach at the time, and was thinking it would only apply to the incoming material, not the stored material.

Jul 18 2019, 4:26 PM · Keyserver, gnupg (gpg22), Bug Report
werner added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

The code has comments why we do a first clean_key on the imported keyblock.

Jul 18 2019, 11:07 AM · Keyserver, gnupg (gpg22), Bug Report
dkg added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

i've merged a variant of rGbe99eec2b105eb5f8e3759147ae351dcc40560ad into the GnuPG packaging in debian unstable as of version 2.2.17-3 to avoid the risks of data loss and signature verification failures. I'll revert it if i see the concern addressed upstream.

Jul 18 2019, 12:17 AM · Keyserver, gnupg (gpg22), Bug Report

Jul 16 2019

dkg added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

that pseudocode is strange to me -- it looks like you have (two) duplicate calls to clean_key (imported_keyblock) (though maybe i just don't know what .... means in this pseudocode).

Jul 16 2019, 6:36 PM · Keyserver, gnupg (gpg22), Bug Report
werner triaged T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned as Normal priority.
Jul 16 2019, 8:25 AM · Keyserver, gnupg (gpg22), Bug Report
werner added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

You are partly right. I missed that we also do clean the original keyblock while updating a key. The code is

Jul 16 2019, 8:17 AM · Keyserver, gnupg (gpg22), Bug Report

Jul 15 2019

dkg added a commit to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned: rGbe99eec2b105: gpg: drop import-clean from default keyserver import options.
Jul 15 2019, 10:37 PM · Keyserver, gnupg (gpg22), Bug Report
dkg added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

I think dropping import-clean from the default keyserver options is the right way to go. It is not clear what additional benefit import-clean provides given that we are already using self-sigs-only. And the idea of non-additive behavior to the local keyring when pulling from a keyserver is a deeply surprising change for multiple users i've talked to.

Jul 15 2019, 10:35 PM · Keyserver, gnupg (gpg22), Bug Report
dkg created T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.
Jul 15 2019, 7:09 PM · Keyserver, gnupg (gpg22), Bug Report
werner triaged T4617: Odd behavior for HTTP(S) scheme in --keyserver config as Low priority.
Jul 15 2019, 8:16 AM · Documentation, Keyserver, dirmngr

Jul 14 2019

dkg added a project to T4617: Odd behavior for HTTP(S) scheme in --keyserver config: Documentation.
Jul 14 2019, 6:49 PM · Documentation, Keyserver, dirmngr

Jul 10 2019

Valodim updated subscribers of T4617: Odd behavior for HTTP(S) scheme in --keyserver config.

Ah, that makes sense, good catch. Seems this is just an issue of documentation, then.

Jul 10 2019, 6:20 PM · Documentation, Keyserver, dirmngr
dkg added projects to T4617: Odd behavior for HTTP(S) scheme in --keyserver config: dirmngr, Keyserver.
Jul 10 2019, 6:11 PM · Documentation, Keyserver, dirmngr
Valodim added a comment to T4163: hkps://hkps.pool.sks-keyservers.net has to many bad servers to be a good default.

We should put it of the agenda od the Brussesl summit in 3 weeks. I have a few ideas what we can do in gpg.

Jul 10 2019, 4:36 PM · gnupg, Keyserver

Jul 4 2019

werner edited projects for T4512: gpg's --keyserver option should be more robustly deprecated, added: gnupg (gpg23); removed gnupg (gpg22), dirmngr.

Given the recent problems with the keyservers, I expect that the keyserver feature will go away anyway and thus I do not think we will put any more effort into this. Thus I re-tag this as gpg 2.3.

Jul 4 2019, 5:15 PM · gnupg (gpg23), Documentation, Keyserver, Bug Report

Jun 18 2019

dkg added a comment to T4512: gpg's --keyserver option should be more robustly deprecated.

If we only need it for backward compatibility, then the configuration in gpg.conf should *not* be overriding the preferred, forward-looking form of the configuration (in dirmngr.conf). If it is low priority to fix this, then there will be a generation of GnuPG users and toolchains which deliberately configure the value in gpg.conf instead of dirmngr.conf because they'll know that's the more robust way to do it.

Jun 18 2019, 2:56 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report

Jun 8 2019

werner triaged T4512: gpg's --keyserver option should be more robustly deprecated as Low priority.

We need --keyserver in gpg for just one reason: backward compatibility.

Jun 8 2019, 10:40 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report
dkg reopened T4512: gpg's --keyserver option should be more robustly deprecated as "Open".

thanks for fixing that error message, @werner. As @Valodim points out in discusson about hagrid, a gpg.conf keyserver option (deprecated according to the documentation) overrides the dirmngr.conf keyserver option (not deprecated according to the documentation.

Jun 8 2019, 5:29 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report

May 27 2019

werner added a comment to T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached.

I doubt that we are going to implement this.

May 27 2019, 6:15 PM · Keyserver, Feature Request, dirmngr

May 17 2019

werner triaged T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header as Normal priority.
May 17 2019, 6:47 PM · Keyserver, dns, dirmngr, Bug Report

May 15 2019

werner closed T4466: Clean up --keyserver documentation in gpg(1) as Resolved.

Thanks

May 15 2019, 9:20 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
werner added a commit to T4466: Clean up --keyserver documentation in gpg(1): rG0d669a360c6e: doc: Do not mention gpg's deprecated --keyserver option..
May 15 2019, 9:20 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
werner added a commit to T4466: Clean up --keyserver documentation in gpg(1): rG42adb56e660a: doc: Do not mention gpg's deprecated --keyserver option..
May 15 2019, 9:19 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
werner claimed T4466: Clean up --keyserver documentation in gpg(1).
May 15 2019, 9:06 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation

May 14 2019

werner triaged T4513: dirmngr should try the configured keyservers anyway even if they are all dead as Normal priority.
May 14 2019, 10:09 AM · Feature Request, Keyserver, dirmngr
werner closed T4512: gpg's --keyserver option should be more robustly deprecated as Resolved.

I removed this specialized error message. Thanks for reporting.

May 14 2019, 8:38 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report
werner added a commit to T4512: gpg's --keyserver option should be more robustly deprecated: rG8d645f1d1f2b: gpg: Do not print a hint to use the deprecated --keyserver option..
May 14 2019, 8:38 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report
werner added a commit to T4512: gpg's --keyserver option should be more robustly deprecated: rG7102d9b798b0: gpg: Do not print a hint to use the deprecated --keyserver option..
May 14 2019, 7:56 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report
dkg updated the task description for T4512: gpg's --keyserver option should be more robustly deprecated.
May 14 2019, 7:42 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report
dkg edited projects for T4466: Clean up --keyserver documentation in gpg(1), added: dirmngr, gnupg (gpg22), Keyserver; removed gnupg.
May 14 2019, 7:40 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
dkg added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

This is particularly bad for users who have manually specified a given keyserver in dirmngr.conf, because even a transient failure in that keyserver will prevent them from any future keyserver requests until dirmngr decides that the "death" has worn off.

May 14 2019, 1:00 AM · Feature Request, Keyserver, dirmngr
dkg created T4513: dirmngr should try the configured keyservers anyway even if they are all dead.
May 14 2019, 12:54 AM · Feature Request, Keyserver, dirmngr
dkg created T4512: gpg's --keyserver option should be more robustly deprecated.
May 14 2019, 12:49 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report

Apr 1 2019

robbat2 added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

HTTP/1.1 spec, RFC 7230, Section 5.4, paragraph 2:
https://tools.ietf.org/html/rfc7230#section-5.4

Apr 1 2019, 8:24 PM · Keyserver, dns, dirmngr, Bug Report
werner added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

Please be so kind and point me to the specs stating that you should put the IP address into Host:

Apr 1 2019, 8:01 PM · Keyserver, dns, dirmngr, Bug Report
robbat2 added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

It's up to GPG to send the Host header that shows the user's intent.

Apr 1 2019, 6:20 PM · Keyserver, dns, dirmngr, Bug Report
werner added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

So in short you want:

  1. Allow to specify a keyserver by IP without any DNS lookups.
  2. When connecting via IP use the IP address for Host:.
Apr 1 2019, 12:55 PM · Keyserver, dns, dirmngr, Bug Report

Mar 31 2019

robbat2 created T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.
Mar 31 2019, 10:35 PM · Keyserver, dns, dirmngr, Bug Report

Mar 13 2019

wuximeniyu added a comment to T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached.

There is a solution for it:

Mar 13 2019, 9:55 PM · Keyserver, Feature Request, dirmngr

Feb 9 2019

kristianf closed T4354: dirmngr should send "fingerprint=on" to keyservers as Resolved.

So, the keyserver operator had thrown in a hockeypuck server in the pool, causing this.. While the keyserver remains in the exclude list until confirmation it has been resolved, that explains the behavior and it has been made clear that separate software needs to use different names in the future.

Feb 9 2019, 8:43 PM · dirmngr, Keyserver, Bug Report