Keyserver Tag
Active Public

Members

  • This project does not have any members.

Recent Activity

Jul 18 2019

dkg added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

I'm aware of you releasing an RC for comments, and i apologize for not catching this particular case earlier. As you know from T4607, i was even advocating for it. i didn't understand the full implications of the "import-then-clean" approach at the time, and was thinking it would only apply to the incoming material, not the stored material.

Jul 18 2019, 4:26 PM · Keyserver, gnupg (gpg22), Bug Report
werner added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

The code has comments why we do a first clean_key on the imported keyblock.

Jul 18 2019, 11:07 AM · Keyserver, gnupg (gpg22), Bug Report
dkg added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

i've merged a variant of rGbe99eec2b105eb5f8e3759147ae351dcc40560ad into the GnuPG packaging in debian unstable as of version 2.2.17-3 to avoid the risks of data loss and signature verification failures. I'll revert it if i see the concern addressed upstream.

Jul 18 2019, 12:17 AM · Keyserver, gnupg (gpg22), Bug Report

Jul 16 2019

dkg added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

that pseudocode is strange to me -- it looks like you have (two) duplicate calls to clean_key (imported_keyblock) (though maybe i just don't know what .... means in this pseudocode).

Jul 16 2019, 6:36 PM · Keyserver, gnupg (gpg22), Bug Report
werner triaged T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned as Normal priority.
Jul 16 2019, 8:25 AM · Keyserver, gnupg (gpg22), Bug Report
werner added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

You are partly right. I missed that we also do clean the original keyblock while updating a key. The code is

Jul 16 2019, 8:17 AM · Keyserver, gnupg (gpg22), Bug Report

Jul 15 2019

dkg added a commit to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned: rGbe99eec2b105: gpg: drop import-clean from default keyserver import options.
Jul 15 2019, 10:37 PM · Keyserver, gnupg (gpg22), Bug Report
dkg added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

I think dropping import-clean from the default keyserver options is the right way to go. It is not clear what additional benefit import-clean provides given that we are already using self-sigs-only. And the idea of non-additive behavior to the local keyring when pulling from a keyserver is a deeply surprising change for multiple users i've talked to.

Jul 15 2019, 10:35 PM · Keyserver, gnupg (gpg22), Bug Report
dkg created T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.
Jul 15 2019, 7:09 PM · Keyserver, gnupg (gpg22), Bug Report
werner triaged T4617: Odd behavior for HTTP(S) scheme in --keyserver config as Low priority.
Jul 15 2019, 8:16 AM · Documentation, Keyserver, dirmngr

Jul 14 2019

dkg added a project to T4617: Odd behavior for HTTP(S) scheme in --keyserver config: Documentation.
Jul 14 2019, 6:49 PM · Documentation, Keyserver, dirmngr

Jul 10 2019

Valodim updated subscribers of T4617: Odd behavior for HTTP(S) scheme in --keyserver config.

Ah, that makes sense, good catch. Seems this is just an issue of documentation, then.

Jul 10 2019, 6:20 PM · Documentation, Keyserver, dirmngr
dkg added projects to T4617: Odd behavior for HTTP(S) scheme in --keyserver config: dirmngr, Keyserver.
Jul 10 2019, 6:11 PM · Documentation, Keyserver, dirmngr
Valodim added a comment to T4163: hkps://hkps.pool.sks-keyservers.net has to many bad servers to be a good default.

We should put it on the agenda of the Brussels summit in 3 weeks. I have a few ideas what we can do in gpg.

Jul 10 2019, 4:36 PM · gnupg, Keyserver

Jul 4 2019

werner edited projects for T4512: gpg's --keyserver option should be more robustly deprecated, added: gnupg (gpg23); removed gnupg (gpg22), dirmngr.

Given the recent problems with the keyservers, I expect that the keyserver feature will go away anyway and thus I do not think we will put any more effort into this. Thus I re-tag this as gpg 2.3.

Jul 4 2019, 5:15 PM · gnupg (gpg23), Documentation, Keyserver, Bug Report

Jun 18 2019

dkg added a comment to T4512: gpg's --keyserver option should be more robustly deprecated.

If we only need it for backward compatibility, then the configuration in gpg.conf should *not* be overriding the preferred, forward-looking form of the configuration (in dirmngr.conf). If it is low priority to fix this, then there will be a generation of GnuPG users and toolchains which deliberately configure the value in gpg.conf instead of dirmngr.conf because they'll know that's the more robust way to do it.

Jun 18 2019, 2:56 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report

Jun 8 2019

werner triaged T4512: gpg's --keyserver option should be more robustly deprecated as Low priority.

We need --keyserver in gpg for just one reason: backward compatibility.

Jun 8 2019, 10:40 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report
dkg reopened T4512: gpg's --keyserver option should be more robustly deprecated as "Open".

thanks for fixing that error message, @werner. As @Valodim points out in discussion about hagrid, a gpg.conf keyserver option (deprecated according to the documentation) overrides the dirmngr.conf keyserver option (not deprecated according to the documentation).

Jun 8 2019, 5:29 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report

May 27 2019

werner added a comment to T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached.

I doubt that we are going to implement this.

May 27 2019, 6:15 PM · Keyserver, Feature Request, dirmngr

May 17 2019

werner triaged T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header as Normal priority.
May 17 2019, 6:47 PM · Keyserver, dns, dirmngr, Bug Report

May 15 2019

werner closed T4466: Clean up --keyserver documentation in gpg(1) as Resolved.

Thanks

May 15 2019, 9:20 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
werner added a commit to T4466: Clean up --keyserver documentation in gpg(1): rG0d669a360c6e: doc: Do not mention gpg's deprecated --keyserver option..
May 15 2019, 9:20 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
werner added a commit to T4466: Clean up --keyserver documentation in gpg(1): rG42adb56e660a: doc: Do not mention gpg's deprecated --keyserver option..
May 15 2019, 9:19 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
werner claimed T4466: Clean up --keyserver documentation in gpg(1).
May 15 2019, 9:06 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation

May 14 2019

werner triaged T4513: dirmngr should try the configured keyservers anyway even if they are all dead as Normal priority.
May 14 2019, 10:09 AM · Feature Request, Keyserver, dirmngr
werner closed T4512: gpg's --keyserver option should be more robustly deprecated as Resolved.

I removed this specialized error message. Thanks for reporting.

May 14 2019, 8:38 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report
werner added a commit to T4512: gpg's --keyserver option should be more robustly deprecated: rG8d645f1d1f2b: gpg: Do not print a hint to use the deprecated --keyserver option..
May 14 2019, 8:38 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report
werner added a commit to T4512: gpg's --keyserver option should be more robustly deprecated: rG7102d9b798b0: gpg: Do not print a hint to use the deprecated --keyserver option..
May 14 2019, 7:56 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report
dkg updated the task description for T4512: gpg's --keyserver option should be more robustly deprecated.
May 14 2019, 7:42 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report
dkg edited projects for T4466: Clean up --keyserver documentation in gpg(1), added: dirmngr, gnupg (gpg22), Keyserver; removed gnupg.
May 14 2019, 7:40 AM · Keyserver, gnupg (gpg22), dirmngr, Documentation
dkg added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

This is particularly bad for users who have manually specified a given keyserver in dirmngr.conf, because even a transient failure in that keyserver will prevent them from any future keyserver requests until dirmngr decides that the "death" has worn off.

May 14 2019, 1:00 AM · Feature Request, Keyserver, dirmngr
dkg created T4513: dirmngr should try the configured keyservers anyway even if they are all dead.
May 14 2019, 12:54 AM · Feature Request, Keyserver, dirmngr
dkg created T4512: gpg's --keyserver option should be more robustly deprecated.
May 14 2019, 12:49 AM · gnupg (gpg23), Documentation, Keyserver, Bug Report

Apr 1 2019

robbat2 added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

HTTP/1.1 spec, RFC 7230, Section 5.4, paragraph 2:
https://tools.ietf.org/html/rfc7230#section-5.4

Apr 1 2019, 8:24 PM · Keyserver, dns, dirmngr, Bug Report
werner added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

Please be so kind and point me to the specs stating that you should put the IP address into Host:

Apr 1 2019, 8:01 PM · Keyserver, dns, dirmngr, Bug Report
robbat2 added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

It's up to GPG to send the Host header that shows the user's intent.

Apr 1 2019, 6:20 PM · Keyserver, dns, dirmngr, Bug Report
werner added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

So in short you want:

  1. Allow specifying a keyserver by IP without any DNS lookups.
  2. When connecting via IP use the IP address for Host:.

Apr 1 2019, 12:55 PM · Keyserver, dns, dirmngr, Bug Report

Mar 31 2019

robbat2 created T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.
Mar 31 2019, 10:35 PM · Keyserver, dns, dirmngr, Bug Report

Mar 13 2019

wuximeniyu added a comment to T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached.

There is a solution for it:

Mar 13 2019, 9:55 PM · Keyserver, Feature Request, dirmngr

Feb 9 2019

kristianf closed T4354: dirmngr should send "fingerprint=on" to keyservers as Resolved.

So, the keyserver operator had thrown in a hockeypuck server in the pool, causing this. While the keyserver remains in the exclude list until confirmation it has been resolved, that explains the behavior and it has been made clear that separate software needs to use different names in the future.

Feb 9 2019, 8:43 PM · dirmngr, Keyserver, Bug Report

Feb 4 2019

werner updated subscribers of T4354: dirmngr should send "fingerprint=on" to keyservers.

@kristianf we talked about this on Saturday evening. Would you be so kind and have a quick look at the problem with the hu server?

Feb 4 2019, 5:45 PM · dirmngr, Keyserver, Bug Report

Feb 1 2019

steve added a comment to T4354: dirmngr should send "fingerprint=on" to keyservers.

Hi Werner and thanks for looking into this.

Feb 1 2019, 10:32 AM · dirmngr, Keyserver, Bug Report

Jan 30 2019

werner edited projects for T4354: dirmngr should send "fingerprint=on" to keyservers, added: Keyserver, dirmngr; removed Feature Request.

According to sks-keyservers.net both servers you mention run the very same software. Thus I would like to understand why you think they require the use of a legacy option.

Jan 30 2019, 3:22 PM · dirmngr, Keyserver, Bug Report

Oct 29 2018

werner triaged T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached as High priority.

It actually tries several servers but we need to set a limit because we need to cope with longer timeouts. Do you suggest to toggle between v4 and v6 addresses? That is if a v6 address fails, first try the next v4 address and if that fails, another v6 address, etc.

Oct 29 2018, 9:41 AM · Keyserver, Feature Request, dirmngr

Oct 2 2018

werner added a comment to T4163: hkps://hkps.pool.sks-keyservers.net has to many bad servers to be a good default.

The problem is that the keyserver network is abused as free and permanent data storage. We can't do much about it without larger changes on the search capabilities of the keyservers. For more information see the archives of the sks-devel list starting in July.

Oct 2 2018, 8:50 AM · gnupg, Keyserver

Oct 1 2018

aheinecke added a subtask for T4163: hkps://hkps.pool.sks-keyservers.net has to many bad servers to be a good default: T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached.
Oct 1 2018, 2:39 PM · gnupg, Keyserver
aheinecke triaged T4163: hkps://hkps.pool.sks-keyservers.net has to many bad servers to be a good default as Normal priority.
Oct 1 2018, 10:24 AM · gnupg, Keyserver
aheinecke claimed T4163: hkps://hkps.pool.sks-keyservers.net has to many bad servers to be a good default.

Ok. I was not aware that HKPS should already have the highest quality.

Oct 1 2018, 10:23 AM · gnupg, Keyserver
kristianf added a comment to T4163: hkps://hkps.pool.sks-keyservers.net has to many bad servers to be a good default.

hkps pool really should be the most responsive, and it already requires clustered only servers for a couple of weeks to try to increase the responsiveness. Experience has shown that any keyserver with less than 3 nodes in a cluster should not be used towards end-users. But do you have any more debugging output as to the problem at hand?

Oct 1 2018, 10:19 AM · gnupg, Keyserver
aheinecke created T4163: hkps://hkps.pool.sks-keyservers.net has to many bad servers to be a good default.
Oct 1 2018, 9:40 AM · gnupg, Keyserver