phar-io / phive

The Phar Installation and Verification Environment (PHIVE)
https://phar.io
BSD 3-Clause "New" or "Revised" License

Issues with keyserver #175

Closed rskuipers closed 5 years ago

rskuipers commented 5 years ago

Hi,

First of all, thank you for developing this tool. This seems to answer my needs regarding dependency management.

I tried this tool last week, but got stuck on trying to install anything because searching for anything on hkps.pool.sks-keyservers.net would result in a bad gateway.

One week later, I've just tried running the command and it's now tripping over another server error. When checking, I now see that https://hkps.pool.sks-keyservers.net has an invalid certificate (issued to pgpkeys.co.uk).

All in all my conclusion is that this keyserver isn't very stable, and considering this is tooling I'll use in my pipelines, this is far from ideal.

Would it be possible to make the keyserver pool configurable? Or perhaps rely on a keyserver with more stability?

I'd be happy to contribute if I know which direction we want to go.

Thank you in advance.

rskuipers commented 5 years ago

The strange part is that it sometimes seems to work just fine. These two commands were seconds apart:

$ phive install -c phpstan
Phive 0.12.1 - Copyright (C) 2015-2018 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/repos/phpstan/phpstan/releases
Downloading https://github.com/phpstan/phpstan/releases/download/0.10.6/phpstan.phar
Downloading https://github.com/phpstan/phpstan/releases/download/0.10.6/phpstan.phar.asc
Downloading key 8E730BA25823D8B5
Trying hkps.pool.sks-keyservers.net (192.146.137.99)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0x8E730BA25823D8B5&op=index&options=mr
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0x8E730BA25823D8B5&op=get&options=mr
Successfully downloaded key

    Fingerprint: 19AB 1FB8 9EF5 88C9 6EF0 A00B 8E73 0BA2 5823 D8B5

    Ondrej Mirtes <ondrej@mirtes.cz> (2017-08-15)

    Created: 2017-08-15

Import this key? [y|N] y
Copying phpstan.phar to **REDACTED**/phpstan
$ phive install -c phpunit
Phive 0.12.1 - Copyright (C) 2015-2018 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://phar.phpunit.de/phpunit-7.5.0.phar
Downloading https://phar.phpunit.de/phpunit-7.5.0.phar.asc
Downloading key 4AA394086372C20A
Trying hkps.pool.sks-keyservers.net (192.146.137.99)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0x4AA394086372C20A&op=get&options=mr
[WARNING]  Failed with error code 504: Server reported an error 
Trying hkps.pool.sks-keyservers.net (192.146.137.98)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0x4AA394086372C20A&op=get&options=mr
[WARNING]  Failed with error code 504: Server reported an error 
Trying hkps.pool.sks-keyservers.net (46.4.246.179)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0x4AA394086372C20A&op=get&options=mr
[WARNING]  Failed with error code 504: Server reported an error 
Trying hkps.pool.sks-keyservers.net (2001:67c:26b4::98:0)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0x4AA394086372C20A&op=get&options=mr
[WARNING]  Failed with error code 504: Server reported an error 
Trying hkps.pool.sks-keyservers.net (2a01:4f8:222:2401:1::179)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0x4AA394086372C20A&op=get&options=mr
[WARNING]  Failed with error code 504: Server reported an error 
[ERROR]    PublicKey 4AA394086372C20A not found on key servers 

theseer commented 5 years ago

Yes, the instability of keyservers is annoying.

We have #158 as the most "stable" workaround. Other than that, I'm considering adding additional keyservers into the config. Funny thing is that the usual suspects like pgp.mit.edu are actually part of the hkps pool, which is why we removed them from the array.

But maybe it's time to add them again...

I'll close this ticket. Feel free to comment in #158.

theseer commented 5 years ago

Sidenote: The hkps pool uses custom certificates. So that's a non-issue.

MacDada commented 5 years ago

Hi, thanks for the great tool.

I'm having an issue installing php-cs-fixer. Adding --force-accept-unsigned does not help.

$ bin/composer.phar phive:run install --force-accept-unsigned php-cs-fixer
Phive 0.12.1 - Copyright (C) 2015-2019 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/repos/FriendsOfPHP/PHP-CS-Fixer/releases
Downloading https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v2.14.0/php-cs-fixer.phar
Downloading https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v2.14.0/php-cs-fixer.phar.asc
Downloading key E82B2FB314E9906E
Trying hkps.pool.sks-keyservers.net (46.4.246.179)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0xE82B2FB314E9906E&op=index&options=mr
[WARNING] Failed with error code 502: Server reported an error
Trying hkps.pool.sks-keyservers.net (37.17.173.9)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0xE82B2FB314E9906E&op=index&options=mr
[WARNING] Failed with error code 502: Server reported an error
Trying hkps.pool.sks-keyservers.net (192.146.137.98)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0xE82B2FB314E9906E&op=index&options=mr
[WARNING] Failed with error code 502: Server reported an error
Trying hkps.pool.sks-keyservers.net (192.146.137.99)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0xE82B2FB314E9906E&op=index&options=mr
[WARNING] Failed with error code 502: Server reported an error
Trying hkps.pool.sks-keyservers.net (37.191.231.105)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0xE82B2FB314E9906E&op=index&options=mr
[WARNING] Failed with error code 502: Server reported an error
Trying hkps.pool.sks-keyservers.net (51.38.91.189)
Downloading https://hkps.pool.sks-keyservers.net/pks/lookup?search=0xE82B2FB314E9906E&op=index&options=mr
[WARNING] Failed with error code 502: Server reported an error
[ERROR]   PublicKey E82B2FB314E9906E not found on key servers

I've checked the urls manually and it looks like https://hkps.pool.sks-keyservers.net/pks/lookup?search=0xE82B2FB314E9906E&op=index&options=mr has a broken certificate.

Http (not secure) connection works fine: http://hkps.pool.sks-keyservers.net/pks/lookup?search=0xE82B2FB314E9906E&op=index&options=mr

The questions are:

  1. Is it a temporary problem that is gonna "resolve itself" soon (like maybe tomorrow)?
  2. Where can I report the problem to have it fixed?
  3. Can I somehow force phive to work anyway? Ignore the certificate? Download over http? Add some other keyserver?

BTW, I've installed phpcs, psalm and phan with no problems today.

theseer commented 5 years ago

Hi,

the certificate is not broken. It's a custom certificate signed by a custom CA from sks-keyservers to make the round robin stuff work. Otherwise they'd have to share the private key with everybody in the pool.

The 502 error code shows it's a (temporary) problem with the keyserver pool. It's not really anything we can do about that itself. I'm not aware of any means to report that anywhere.

We plan to add key details to the metadata (see #158) to make this less of a problem.

The --force-accept-unsigned switch is not helping since the phar is signed. There is no switch to not check a signature when available.

A workaround: You can manually import the gpg key in phive's keychain (in ~/.phive/gpg) so phive does not have to download it.

MacDada commented 5 years ago

Well, a few minutes ago it worked. So I can confirm that those are temporary problems.

B-Galati commented 5 years ago

I struggled a bit to import the key manually in ~/phive/gpg. Here is a solution that worked for me:

GNUPGHOME=~/.phive/gpg gpg --keyserver pool.sks-keyservers.net --recv-keys 8E730BA25823D8B5
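
The manual import workaround discussed in this thread skips phive's interactive fingerprint prompt, so a pipeline that seeds the keyring by key ID should compare the full fingerprint itself. The sketch below is an added example, not code from the thread or from phive; the function names, the PHIVE_GNUPGHOME and KEYSERVER variables and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pin the full fingerprint when seeding phive's keyring by hand.
# Fingerprint as printed in the phpstan install log earlier in this thread.
PINNED_FPR="19AB1FB89EF588C96EF0A00B8E730BA25823D8B5"
PHIVE_GNUPGHOME="${PHIVE_GNUPGHOME:-$HOME/.phive/gpg}"   # assumed override variable
KEYSERVER="${KEYSERVER:-pool.sks-keyservers.net}"        # host used in the thread

# Reads `gpg --with-colons --fingerprint` output on stdin. Succeeds only if a
# primary key (fpr record under a pub record, not under sub) has fingerprint $1.
# Returns 2 when $1 is not a full 40-hex-digit fingerprint, so a 16-digit key
# ID can never be accepted as a pin.
primary_fpr_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || return 2
    case "$want" in *[!0-9A-F]*) return 2 ;; esac
    awk -F: -v want="$want" '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        # Appending "" forces a string comparison even for all-digit values.
        $1 == "fpr" && primary && ($10 "") == (want "") { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Import the key as in the thread, then fail unless the key now in phive's
# keyring is the pinned one.
seed_phive_key() {
    keyid=$1
    fpr=$2
    GNUPGHOME="$PHIVE_GNUPGHOME" gpg --batch --keyserver "$KEYSERVER" \
        --recv-keys "$keyid" || return 1
    GNUPGHOME="$PHIVE_GNUPGHOME" gpg --batch --with-colons \
        --fingerprint "$keyid" | primary_fpr_matches "$fpr"
}

# Constructed sample listing (key size, algorithm and the subkey are made up).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:8E730BA25823D8B5:1502755200:::-:::scESC:
fpr:::::::::19AB1FB89EF588C96EF0A00B8E730BA25823D8B5:
uid:-::::1502755200::::Ondrej Mirtes <ondrej@mirtes.cz>:
sub:-:4096:1:0123456789ABCDEF:1502755200::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}
```

In a pipeline, run `seed_phive_key 8E730BA25823D8B5 "$PINNED_FPR"` before the phive install step and stop the job if it returns non-zero.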