ioerror / torbirdy

Torbutton for Thunderbird and related *bird forks
BSD 2-Clause "Simplified" License

GPG keyserver becomes exclusive tor hidden service that prevents key import #25

Open intelemetry opened 9 years ago

intelemetry commented 9 years ago
[Three screenshots attached, taken 2015-11-09 at 1:41:56 pm, 1:40:49 pm and 1:40:43 pm.]
u451f commented 8 years ago

I confirm having the same problem (running on Debian Sid) but I am not sure if this is a Torbirdy bug or a bug in GnuPG and I did not do enough testing to find out. But at first glance it looks like this might be due to some resolving issue (see the link to the upstream discussion below).

Here is what the command line gives (this leads me to think the bug is not in Torbirdy):

➜  ~  . torsocks on
➜  ~  gpg --search-keys 451f --keyserver hkp://qdigse2yzvuglcix.onion
gpg: searching for "451f --keyserver hkp://qdigse2yzvuglcix.onion" on hkp server hkps.pool.sks-keyservers.net
gpg: Key "451f --keyserver hkp://qdigse2yzvuglcix.onion" not found on keyserver
➜  ~  gpg --search-keys 451f
gpg: searching for "451f" on hkp server hkps.pool.sks-keyservers.net
(1)  xxxxxxxx <u @ 451f.org>
      4096 bit RSA key 0xB14BB0C38D861CF1, created: 2014-01-30, expires: 2016-12-31

I've found the corresponding upstream discussion about this only here: https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030446.html, and I am not sure whether this issue might actually be due to the fact that I might be missing the latest libassuan and GnuPG on Debian Sid. Note that this discussion is not very old yet.

One would need to verify the latest versions of libassuan & GnuPG to check if that's not actually the reason for this behaviour but I lack time to do so. Maybe you could try yourself and report back?

psivesely commented 8 years ago

So GPG has bad error reporting when it comes to specifying an invalid keyserver. The qdigse2yzvuglcix.onion SKS keyserver mirror went down some weeks ago. IMO, this should be fixed by using the SKS pool with HKPS and passing the self-signed SKS cert to the ca-cert-file keyserver-option to override the default system cert store, as Tails does in its gpg.conf. See https://github.com/freedomofpress/securedrop/pull/1256.
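The configuration proposed in the comment above, written out as an added example (not code from the Torbirdy project or from any commenter): it renders the two gpg.conf lines that pin the HKPS pool and the SKS CA, refuses to install them if the CA file is absent, and runs the search with `--keyserver` placed before `--search-keys`, since gpg treats everything after `--search-keys` as search terms (which is what the "451f --keyserver hkp://..." output earlier in this thread shows). The CA file path, the config path and the key ID are assumptions.

```shell
#!/bin/sh
# Added example: pin the SKS HKPS pool and its CA in gpg.conf, then search
# through torsocks. SKS_CA, GPG_CONF and KEY_ID are assumed values.
set -eu

SKS_CA="${SKS_CA:-$HOME/.gnupg/sks-keyservers.netCA.pem}"  # assumed CA location
GPG_CONF="${GPG_CONF:-$HOME/.gnupg/gpg.conf}"               # assumed config path
KEY_ID="${KEY_ID:-451f}"                                    # assumed search term
POOL="hkps://hkps.pool.sks-keyservers.net"

# The two gpg.conf lines: HKPS pool plus the self-signed SKS CA, so the
# lookup does not fall back to the system trust store.
# (GnuPG 2.1 and later read the keyserver from dirmngr.conf, where the
# CA is given with hkp-cacert instead.)
render_gpg_conf() {
    printf 'keyserver %s\n' "$POOL"
    printf 'keyserver-options ca-cert-file=%s\n' "$1"
}

# Build the gpg command line with options before --search-keys; after
# --search-keys gpg folds every remaining word into the search string.
gpg_search_cmd() {
    printf 'gpg --keyserver %s --search-keys %s' "$1" "$2"
}

# Only write the config when the CA file is readable: without it gpg would
# quietly use the default store and the pin would be ineffective.
install_conf() {
    [ -r "$1" ] || { echo "CA file $1 not readable" >&2; return 1; }
    render_gpg_conf "$1" >> "$2"
}

main() {
    install_conf "$SKS_CA" "$GPG_CONF"
    # torsocks wraps the lookup so the pool is reached over Tor.
    # shellcheck disable=SC2046
    torsocks $(gpg_search_cmd "$POOL" "$KEY_ID")
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run with `--run` after placing the SKS CA PEM at the assumed path.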

azadi commented 8 years ago

Hi,

This seems to work. Is this still an issue? Can @intelemetry or @u451f confirm? Thanks.

u451f commented 8 years ago

That doesn't work for me. I've imported the PEM and specified the keyserver and certificate to use in gpg.conf and Thunderbird. Still get the same error. Maybe @intelemetry can try?

dkg commented 8 years ago

On Tue 2016-03-08 16:22:49 -0500, Noah Vesely wrote:

> So GPG has bad error reporting when it comes to specifying an invalid keyserver. The qdigse2yzvuglcix.onion SKS keyserver mirror went down some weeks ago.

This keyserver appears to work for me. If there are problems with any particular keyserver being up, please point them out on sks-devel@nongnu.org, where they are more likely to be noticed by someone who can fix them.

--dkg