Using tor as http proxy

[jelhan]

Using current stable version of gnupg and curl it's possible to use tor socks proxy as http-proxy option in keyserver-options. So there is no need for torsocks anymore.

$ gpg --keyserver-options http-proxy=socks5://127.0.0.1:9050 --search test@examples.com
gpg: searching for "test@examples.com" from hkps server hkps.pool.sks-keyservers.net
gpg: key "test@examples.com" not found on keyserver

On the other hand current implemation breaks if usage of tor is defined in gnupg configuration (~/.gnupg/gpg.conf). In this scenario torsocks adds a second tor layer and therefore connection fails:

$ torsocks gpg --keyserver-options http-proxy=socks5://127.0.0.1:9050 --search test@examples.com
gpg: searching for "test@examples.com" from hkps server hkps.pool.sks-keyservers.net
[Mar 10 01:59:15] WARNING torsocks[10135]: [connect] Connection to a local address are denied since it might be a TCP DNS query to a local DNS server. Rejecting it for safety reasons. (in tsocks_connect() at connect.c:177)
gpgkeys: HTTP search error 7: 
gpg: key "test@examples.com" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

Therefore parcimonie.sh could not be used if tor should also be used for all other keyserver operations of gnupg. This is bad.

Tested with gnupg 1.4.16 and curl 7.37.1 running Ubuntu 14.10.

[EtiennePerot]

It's bad, but at least it's not bad in a way that compromises the user. I also rather prefer the torsocks approach because it shields against the case of a bug in gnupg not using the proxy, or poorly implementing it (doing DNS lookups in the clear or whatnot). I have no grudge against gnupg, but the people I trust the most to do proper Tor-ing of applications are the Tor people.

parcimonie.sh also can't just silently override --keyserver-options, because that will (probably silently) break people's setups if they have GNUPG_KEYSERVER_OPTIONS unset and a keyserver-options option set in their gnupg config file. I personally have a setup like this so that I can set a custom ca-cert-file value. In order to behave properly in such a setup, parcimonie.sh would need to parse the keyserver-options part of the gnupg config file, merge it together with GNUPG_KEYSERVER_OPTIONS, and finally add an extra http-proxy=socks5://127.0.0.1:9050 on top in order to act correctly. This isn't impossible, but it's not trivial in Bash either.

How about adding a new configuration variable like USE_TORSOCKS, enabled by default? If explicitly disabled, it is assumed that the user has configured gnupg correctly (either through the config file or through GNUPG_KEYSERVER_OPTIONS). Would this be an OK alternative?

[jelhan]

Partly override keyserver-option seems to be possible. So you could just override http-proxy but not ca-cert-file and other keyserver-options configuration:

Overriding http-proxy option in keyserver-options:

$ cat ~/.gnupg/gpg.conf 
# FILE CREATED BY SEAHORSE
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/home/main/.gnupg/sks-keyservers.netCA.pem http-proxy=socks5://127.0.0.1:9050

$ torsocks gpg --keyserver-options http-proxy= --search test@examples.com
gpg: searching for "test@examples.com" from hkps server hkps.pool.sks-keyservers.net
gpg: key "test@examples.com" not found on keyserver

Proving that ca-cert-file option was still used:

$ cat ~/.gnupg/gpg.conf 
# FILE CREATED BY SEAHORSE
keyserver hkps://hkps.pool.sks-keyservers.net
# keyserver-options ca-cert-file=/home/main/.gnupg/sks-keyservers.netCA.pem http-proxy=socks5://127.0.0.1:9050

$ torsocks gpg --keyserver-options http-proxy= --search test@examples.com
gpg: searching for "test@examples.com" from hkps server hkps.pool.sks-keyservers.net
gpgkeys: HTTP search error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
gpg: key "test@examples.com" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

It's probably just about having http-proxy= as default in gnupgKeyserverOptions.

[EtiennePerot]

Oh, it's cool that it's additive like that. That makes it easier. I still have two objections:

• Using socks5:// still does the DNS resolution locally, leaking the keyserver hostname and the fact that you're connecting to it. There appears to be a non-leaky version called socks5h://, but just the fact that this is not the default worries me. These things are easy to get wrong.
• I don't see a way to specify the SOCKS user/password to use. This is necessary in order to force Tor to create unique circuits for each key refresh. I tried socks5h://user@pass:127.0.0.1:9050/ but that didn't work.

[jelhan]

I think I wasn't clear in my last post. I'm convinced that using torsocket in parcimonie.sh is the best way to go. But parcimonie.sh should also run when GnuPG is configured to proxy traffic through TOR by setting http-proxy. Therefore parcimonie.sh should silently override http-proxy by an empty string as default. As shown other keyserver-options are not affected.

I also tested socks5g:// and socks5h://. Both are affected by DNS leaks.

Setting user/password is working, your uri was just wrong formated. It should be: socks5h://user:pass@127.0.0.1:9050/ But since we should stick with torsocket that doesn't matter.

[EtiennePerot]

Ah I see, makes more sense now. Thanks :)

[MeisterP]

If I understand this correctly, the

If you already use torify connections to keyservers with gpg's http-proxy keyserver-option in your gpg.conf, you will need to pass http-proxy= here to disable it.

part in the README is now obsolete?

[EtiennePerot]

Updated README in ea857e66720b91aa3c6eed2fc214d587149ca034.