dirmngr (Project)
Active, Public

Recent Activity

Fri, Jun 21

Valodim added a comment to T4493: Default to HKPS, not HKP.

A possible exception here is that .onion TLDs should stick with HKP by default

Fri, Jun 21, 11:16 AM · dirmngr, Feature Request

Wed, Jun 19

dkg added a comment to T4566: dirmngr fails with HTTP 302 redirection to hkps.

Any word on this? I've pushed a fix for this into debian experimental as a part of 2.2.16-2, but I am concerned that there's no adoption from upstream. If there's a reason that this is the wrong fix, please do let me know!

Wed, Jun 19, 7:06 PM · gnupg (gpg22), dirmngr, Bug Report

Tue, Jun 18

dkg added a comment to T4512: gpg's --keyserver option should be more robustly deprecated.

If we only need it for backward compatibility, then the configuration in gpg.conf should *not* be overriding the preferred, forward-looking form of the configuration (in dirmngr.conf). If it is low priority to fix this, then there will be a generation of GnuPG users and toolchains which deliberately configure the value in gpg.conf instead of dirmngr.conf because they'll know that's the more robust way to do it.

Tue, Jun 18, 2:56 AM · Documentation, gnupg (gpg22), Keyserver, dirmngr, Bug Report

Tue, Jun 11

dkg added a comment to T4566: dirmngr fails with HTTP 302 redirection to hkps.

@gouttegd good catch!

Tue, Jun 11, 9:41 AM · gnupg (gpg22), dirmngr, Bug Report

Sat, Jun 8

werner removed a project from T4566: dirmngr fails with HTTP 302 redirection to hkps: ntbtls.

I just assumed that is an ntbtls problem.

Sat, Jun 8, 10:26 PM · gnupg (gpg22), dirmngr, Bug Report
gouttegd added a comment to T4566: dirmngr fails with HTTP 302 redirection to hkps.

If I understand correctly, this is exactly the same problem as the one we encountered some time ago in the code dealing with fetching keys from HTTP (--fetch-keys), and that we fixed with this patch.

Sat, Jun 8, 10:17 PM · gnupg (gpg22), dirmngr, Bug Report
dkg added a comment to T4566: dirmngr fails with HTTP 302 redirection to hkps.

FWIW, the bug looks like it's in send_request in ks-engine-hkp.c, which re-uses the http_session object without re-initializing its tls_session member.

Sat, Jun 8, 4:16 PM · gnupg (gpg22), dirmngr, Bug Report
dkg updated subscribers of T4566: dirmngr fails with HTTP 302 redirection to hkps.

Thanks for the triage, @werner!

Sat, Jun 8, 2:20 PM · gnupg (gpg22), dirmngr, Bug Report
werner triaged T4512: gpg's --keyserver option should be more robustly deprecated as Low priority.

We need --keyserver in gpg for just one reason: backward compatibility.

Sat, Jun 8, 10:40 AM · Documentation, gnupg (gpg22), Keyserver, dirmngr, Bug Report
werner added a project to T4566: dirmngr fails with HTTP 302 redirection to hkps: gnupg (gpg22).
Sat, Jun 8, 10:38 AM · gnupg (gpg22), dirmngr, Bug Report
werner triaged T4566: dirmngr fails with HTTP 302 redirection to hkps as High priority.
Sat, Jun 8, 10:38 AM · gnupg (gpg22), dirmngr, Bug Report
dkg created T4566: dirmngr fails with HTTP 302 redirection to hkps.
Sat, Jun 8, 6:53 AM · gnupg (gpg22), dirmngr, Bug Report
dkg reopened T4512: gpg's --keyserver option should be more robustly deprecated as "Open".

Thanks for fixing that error message, @werner. As @Valodim points out in discussion about hagrid, a gpg.conf keyserver option (deprecated according to the documentation) overrides the dirmngr.conf keyserver option (not deprecated according to the documentation).

Sat, Jun 8, 5:29 AM · Documentation, gnupg (gpg22), Keyserver, dirmngr, Bug Report

Fri, May 31

werner triaged T4547: improve error message ("Not enabled") when using Tor network and standard resolver as Normal priority.
Fri, May 31, 9:19 AM · dirmngr, gnupg (gpg22), Bug Report

Tue, May 28

werner closed T3966: Dirmngr: no suitable certificate found to verify the OCSP response as Resolved.
Tue, May 28, 12:32 PM · gpg4win, dirmngr, S/MIME
werner added a commit to T3966: Dirmngr: no suitable certificate found to verify the OCSP response: rG5281ecbe3ae8: dirmngr: Allow for other hash algorithms than SHA-1 in OCSP.
Tue, May 28, 12:32 PM · gpg4win, dirmngr, S/MIME
werner added a commit to T3966: Dirmngr: no suitable certificate found to verify the OCSP response: rG405f41007c35: dirmngr: Allow for other hash algorithms than SHA-1 in OCSP.
Tue, May 28, 12:31 PM · gpg4win, dirmngr, S/MIME
werner added a comment to T3966: Dirmngr: no suitable certificate found to verify the OCSP response.

We only supported SHA-1 signed OCSP requests. Fix will go into 2.2.16.

Tue, May 28, 12:29 PM · gpg4win, dirmngr, S/MIME

May 27 2019

werner added a comment to T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached.

I doubt that we are going to implement this.

May 27 2019, 6:15 PM · Keyserver, Feature Request, dirmngr

May 24 2019

werner added a comment to T4538: Support PSS signed CRLs.

Interesting thing: The main CRL of the dgn.de CA uses a nextUpdate in the year 2034 (15 years in the future) which would force dirmngr to cache the CRL until then. However, the CRL of the intermediate certificate has a nextUpdate only one month in the future. There is currently no entry in that second level CRL, so their idea might be that an updated second level CRL will also trigger a reload of the main CRL. I have not checked how we implement that in Dirmngr but I doubt that such a thing will work for us and that it is in any way standard compliant.

May 24 2019, 11:59 AM · dirmngr, S/MIME, libksba
werner added a subtask for T4538: Support PSS signed CRLs: T4523: Gpg4win: Multiple problems reported 05-2019.
May 24 2019, 9:10 AM · dirmngr, S/MIME, libksba
werner removed a parent task for T4538: Support PSS signed CRLs: T4523: Gpg4win: Multiple problems reported 05-2019.
May 24 2019, 9:10 AM · dirmngr, S/MIME, libksba
werner added a parent task for T4538: Support PSS signed CRLs: T4523: Gpg4win: Multiple problems reported 05-2019.
May 24 2019, 9:08 AM · dirmngr, S/MIME, libksba
werner created T4538: Support PSS signed CRLs.
May 24 2019, 8:58 AM · dirmngr, S/MIME, libksba

May 23 2019

wheelerlaw reopened T3065: dirmngr: proxy issues with dnslookup causing failure as "Open".

Are you not reading what I am saying to you?? Once again, your explanation is INVALID because that would mean that gnupg would be BROKEN, because it would be a NON-COMPLIANT http client according to the RFC I quoted.

May 23 2019, 1:58 PM · gnupg (gpg22), dns, dirmngr
werner edited projects for T3287: Improve http proxy support by honoring SRV RRs, added: gnupg (gpg23); removed gnupg (gpg22).
May 23 2019, 9:43 AM · gnupg (gpg23), dirmngr
werner closed T3065: dirmngr: proxy issues with dnslookup causing failure as Wontfix.

I explained why the keyserver access requires access to the DNS. If that is not possible the keyserver code will not work. If you don't allow DNS to work you either have to use Tor (which we use to also tunnel DNS requests) or get your keys from elsewhere. Also note that the keyserver network is currently severely broken and under DoS and thus it is unlikely that it can be operated in the future.

May 23 2019, 9:42 AM · gnupg (gpg22), dns, dirmngr

May 17 2019

werner triaged T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header as Normal priority.
May 17 2019, 6:47 PM · Keyserver, dns, dirmngr, Bug Report
aheinecke added a comment to T4511: dirmngr error logs claim that HTTP GET requests are percent-escaped, but they are not.

I agree with @dkg here.

May 17 2019, 12:42 PM · Bug Report, dirmngr

May 16 2019

dkg added a comment to T4511: dirmngr error logs claim that HTTP GET requests are percent-escaped, but they are not.

"requires too much changes" I can understand.

May 16 2019, 11:00 PM · Bug Report, dirmngr
werner triaged T4511: dirmngr error logs claim that HTTP GET requests are percent-escaped, but they are not as Wishlist priority.

This requires too many changes and does not reflect the reality. It actually makes debugging harder for us.

May 16 2019, 10:52 AM · Bug Report, dirmngr

May 15 2019

werner closed T4466: Clean up --keyserver documentation in gpg(1) as Resolved.

Thanks

May 15 2019, 9:20 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
werner added a commit to T4466: Clean up --keyserver documentation in gpg(1): rG0d669a360c6e: doc: Do not mention gpg's deprecated --keyserver option.
May 15 2019, 9:20 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
werner added a commit to T4466: Clean up --keyserver documentation in gpg(1): rG42adb56e660a: doc: Do not mention gpg's deprecated --keyserver option.
May 15 2019, 9:19 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
werner claimed T4466: Clean up --keyserver documentation in gpg(1).
May 15 2019, 9:06 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation

May 14 2019

dkg added a comment to T4511: dirmngr error logs claim that HTTP GET requests are percent-escaped, but they are not.

I think you are saying that dirmngr receives the query term as escaped data in the assuan connection from the dirmngr client (typically, gpg, which itself decides how to percent-escape what it feeds into libassuan).

May 14 2019, 4:10 PM · Bug Report, dirmngr
werner triaged T4513: dirmngr should try the configured keyservers anyway even if they are all dead as Normal priority.
May 14 2019, 10:09 AM · Feature Request, Keyserver, dirmngr
werner added a comment to T4511: dirmngr error logs claim that HTTP GET requests are percent-escaped, but they are not.

This is easy to explain: dirmngr receives already escaped data and that is what you see in the log. For proper parsing of the URI the escaping needs to be removed and only before sending the request the required escaping is applied. '@', '<', and '>' do not need to be escaped and thus you see them as they are.

May 14 2019, 9:59 AM · Bug Report, dirmngr
werner claimed T4511: dirmngr error logs claim that HTTP GET requests are percent-escaped, but they are not.
May 14 2019, 8:52 AM · Bug Report, dirmngr
werner closed T4512: gpg's --keyserver option should be more robustly deprecated as Resolved.

I removed this specialized error message. Thanks for reporting.

May 14 2019, 8:38 AM · Documentation, gnupg (gpg22), Keyserver, dirmngr, Bug Report
werner added a commit to T4512: gpg's --keyserver option should be more robustly deprecated: rG8d645f1d1f2b: gpg: Do not print a hint to use the deprecated --keyserver option.
May 14 2019, 8:38 AM · Documentation, gnupg (gpg22), Keyserver, dirmngr, Bug Report
werner added a commit to T4512: gpg's --keyserver option should be more robustly deprecated: rG7102d9b798b0: gpg: Do not print a hint to use the deprecated --keyserver option.
May 14 2019, 7:56 AM · Documentation, gnupg (gpg22), Keyserver, dirmngr, Bug Report
dkg updated the task description for T4512: gpg's --keyserver option should be more robustly deprecated.
May 14 2019, 7:42 AM · Documentation, gnupg (gpg22), Keyserver, dirmngr, Bug Report
dkg edited projects for T4466: Clean up --keyserver documentation in gpg(1), added: dirmngr, gnupg (gpg22), Keyserver; removed gnupg.
May 14 2019, 7:40 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
dkg added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

This is particularly bad for users who have manually specified a given keyserver in dirmngr.conf, because even a transient failure in that keyserver will prevent them from any future keyserver requests until dirmngr decides that the "death" has worn off.

May 14 2019, 1:00 AM · Feature Request, Keyserver, dirmngr
dkg created T4513: dirmngr should try the configured keyservers anyway even if they are all dead.
May 14 2019, 12:54 AM · Feature Request, Keyserver, dirmngr
dkg created T4512: gpg's --keyserver option should be more robustly deprecated.
May 14 2019, 12:49 AM · Documentation, gnupg (gpg22), Keyserver, dirmngr, Bug Report
dkg created T4511: dirmngr error logs claim that HTTP GET requests are percent-escaped, but they are not.
May 14 2019, 12:19 AM · Bug Report, dirmngr

May 13 2019

dkg added a comment to T4467: dirmngr keyserver option (and legacy gpg --keyserver) should assume `hkps://` or `hkp://` if no scheme is present.

Further testing suggests that the invalid URI issue is only present for dirmngr's --keyserver option, and gpg's deprecated --keyserver option actually accepts schema-less hostnames.

May 13 2019, 11:33 PM · dirmngr
dkg updated the task description for T4467: dirmngr keyserver option (and legacy gpg --keyserver) should assume `hkps://` or `hkp://` if no scheme is present.
May 13 2019, 11:32 PM · dirmngr