
#1 2020-08-01 08:59:42

ben781
Member
Registered: 2016-12-11
Posts: 14

SSL certificate is expired for entire SKS keyserver pool

GPG fails to receive keys unless the user manually sets a different keyserver. Apparently, no one has been able to reach Kristian Fiskerstrand, who runs the SKS pool.

More info:
https://theregister.com/2020/06/24/openpgp_key_server/

Last edited by ben781 (2020-08-01 09:09:33)


#2 2020-08-01 10:54:56

loqs
Member
Registered: 2014-03-06
Posts: 11,864

Re: SSL certificate is expired for entire SKS keyserver pool

sks.pod02.fleetstreetops.com has an updated certificate valid until 2021-06-25, issued by the sks-keyservers.net CA certificate, which is valid until 2022-10-07.
The single server is simply overloaded: https://bbs.archlinux.org/viewtopic.php?id=257527
Edit:
You could ask for https://github.com/gpg/gnupg/commit/8fb … 17188ad1d9 to be reverted, provided all arch packages are signed by keys that can be fetched using WKD.
If not, pacman would need an update to set a custom keyserver, e.g. revert https://git.archlinux.org/pacman.git/co … 75d6d02d30, or possibly create a keyserver just hosting the archlinux-keyring keys.

Last edited by loqs (2020-08-01 14:38:23)

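Post #2 raises fetching keys over WKD instead of a keyserver. The following is an added example, not code from the thread or from GnuPG, showing how a WKD client derives its lookup URLs from a mail address: the ASCII-lowercased local part is SHA-1 hashed, the digest is z-base-32 encoded, and the result is placed under the advanced or the direct well-known path (the layout described in draft-koch-openpgp-webkey-service). The address Joe.Doe@Example.ORG used in the demo is a constructed input, and the function names are this example's own.

```python
import hashlib
from typing import Dict
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (20 bytes -> 32 characters)."""
    nchars = (len(data) * 8 + 4) // 5
    # Left-align the bit string so the first character carries the top bits.
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZB32_ALPHABET[(bits >> (5 * (nchars - 1 - i))) & 0x1F]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """Hashed local part: SHA-1 over the ASCII-lowercased local part, z-base-32 encoded."""
    # Only ASCII letters are lowercased before hashing; other characters stay as given.
    lowered = "".join(c.lower() if c.isascii() else c for c in local_part)
    return zbase32_encode(hashlib.sha1(lowered.encode("utf-8")).digest())


def wkd_urls(address: str) -> Dict[str, str]:
    """Return the advanced and direct lookup URLs for a mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    # The l= parameter repeats the local part as given (original case), percent-encoded.
    query = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={query}",
    }


if __name__ == "__main__":
    # Constructed address for the demo.
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:9} {url}")
```

A client tries the advanced method first and falls back to the direct method when the openpgpkey subdomain does not exist; either way the key is fetched over plain HTTPS from the domain that owns the address, so no keyserver pool is involved. This is why post #2 frames WKD as a precondition for dropping the keyserver fallback: it only works for addresses whose domain actually publishes keys this way.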

#3 2020-08-01 16:26:07

ben781
Member
Registered: 2016-12-11
Posts: 14

Re: SSL certificate is expired for entire SKS keyserver pool

My issue is not as much with pacman-key because I have those keys from the archlinux-keyring package. It is when I need to import keys for an AUR package to build. That uses GPG as the user, not pacman-key as root.


#4 2020-08-01 18:12:25

loqs
Member
Registered: 2014-03-06
Posts: 11,864

Re: SSL certificate is expired for entire SKS keyserver pool

ben781 wrote:

My issue is not as much with pacman-key because I have those keys from the archlinux-keyring package.

My point was I would expect Arch would not make a change to the gnupg package that would break the fallback behavior of pacman with respect to key fetching.

ben781 wrote:

It is when I need to import keys for an AUR package to build. That uses GPG as the user, not pacman-key as root.

Which is why you need to change the keyserver that that user uses as suggested in the thread I linked.


#5 2020-08-02 21:41:50

ben781
Member
Registered: 2016-12-11
Posts: 14

Re: SSL certificate is expired for entire SKS keyserver pool

You're saying, Arch would rather keep their default as the server pool which doesn't work for most users, when they could just modify the PKGBUILD to set a default that would work.

It is the users' responsibility to change their settings to a keyserver that works.

Last edited by ben781 (2020-08-02 21:51:46)


#6 2020-08-02 23:05:49

GaKu999
Member
From: US/Eastern
Registered: 2020-06-21
Posts: 376

Re: SSL certificate is expired for entire SKS keyserver pool

ben781 wrote:

You're saying, Arch would rather keep their default as the server pool which doesn't work for most users, when they could just modify the PKGBUILD to set a default that would work.

It is the users' responsibility to change their settings to a keyserver that works.

They are already discussing that specifically, just outside of this forum; eventually, if the overload of that server keeps up, the default keyserver will probably change...

Idk the intrinsics of that process, nor if it’s difficult or troublesome though...


My repos | Some snippets

Heisenberg might have been here.


#7 2020-08-02 23:40:21

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,693

Re: SSL certificate is expired for entire SKS keyserver pool

Which keyserver do you all recommend? The keys.openpgp.org one, just FYI, is broken by design as it doesn't even include information for the actual key itself, let alone Web of Trust signatures like the ones pacman relies on.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#8 2020-08-03 00:51:27

loqs
Member
Registered: 2014-03-06
Posts: 11,864

Re: SSL certificate is expired for entire SKS keyserver pool

@eschwartz what about for pacman's needs reverting https://git.archlinux.org/pacman.git/co … 75d6d02d30
Or is it a requirement that the pool must use hkps? Also, does the server used by pacman have to provide keys other than those for Arch developers and maintainers?
How far is WKD deployment from completion?

For the more general case I was suggesting reverting https://github.com/gpg/gnupg/commit/8fb … 17188ad1d9 which would change the error message from

gpg: keyserver receive failed: General error

to

gpg: No keyserver available

That still requires user intervention to select a server that matches their needs, but it might be more obvious what the issue is.
Edit:
Existing installs' /etc/pacman.d/gnupg/gpg.conf would also need to be checked to confirm it contained a 'keyserver' entry if pacman was to have a non-default keyserver.

Last edited by loqs (2020-08-03 01:00:01)

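Posts #4 and #8 both come down to making sure the right GnuPG configuration carries a keyserver line: the user's ~/.gnupg/dirmngr.conf for AUR builds, and /etc/pacman.d/gnupg/gpg.conf for pacman's own keyring (gpg still passes a keyserver set in gpg.conf on to dirmngr). The following is an added example, not code from the thread, from GnuPG or from pacman, that reports the active keyserver entries in such a file and rewrites the file idempotently so that exactly one active entry remains. The keyserver.ubuntu.com URL is the one post #12 mentions; the function names and the sample config text are constructed for this example.

```python
import re
import subprocess
from pathlib import Path
from typing import List, Tuple
from urllib.parse import urlsplit

# Matches an active (uncommented) "keyserver URL" line; "keyserver-options ..." does not match.
KEYSERVER_RE = re.compile(r"^\s*keyserver\s+(\S+)\s*$", re.IGNORECASE)
ALLOWED_SCHEMES = {"hkps", "hkp", "https", "http"}


def validate_keyserver_url(url: str) -> str:
    """Reject anything that is not a keyserver URL with a scheme and host."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"not a usable keyserver URL: {url!r}")
    return url


def keyserver_entries(conf_text: str) -> List[str]:
    """Active keyserver URLs in a gpg.conf/dirmngr.conf body, in file order."""
    return [m.group(1) for m in map(KEYSERVER_RE.match, conf_text.splitlines()) if m]


def ensure_keyserver(conf_text: str, url: str) -> Tuple[str, bool]:
    """Return (new_text, changed) with exactly one active keyserver line, set to url.

    The first existing keyserver line is rewritten in place; any further ones are
    commented out rather than deleted, so the previous setting stays visible.
    Calling this twice with the same url reports changed=False the second time.
    """
    validate_keyserver_url(url)
    out, changed, seen = [], False, False
    for line in conf_text.splitlines():
        m = KEYSERVER_RE.match(line)
        if not m:
            out.append(line)
        elif seen:
            out.append("#" + line)
            changed = True
        else:
            seen = True
            if m.group(1) == url:
                out.append(line)
            else:
                out.append(f"keyserver {url}")
                changed = True
    if not seen:
        out.append(f"keyserver {url}")
        changed = True
    return "\n".join(out) + "\n", changed


def update_conf_file(path: str, url: str) -> bool:
    """Apply ensure_keyserver to a file, creating it if needed; True if it was written."""
    p = Path(path)
    old = p.read_text() if p.exists() else ""
    new, changed = ensure_keyserver(old, url)
    if changed:
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(new)
    return changed


def reload_dirmngr() -> None:
    """A running dirmngr re-reads dirmngr.conf only when asked to."""
    subprocess.run(["gpgconf", "--reload", "dirmngr"], check=False)


if __name__ == "__main__":
    # Constructed config text mirroring the default the thread complains about.
    sample = "# comment\nkeyserver hkps://hkps.pool.sks-keyservers.net\n"
    new_text, changed = ensure_keyserver(sample, "hkps://keyserver.ubuntu.com")
    print(changed, keyserver_entries(new_text))
```

For the user case from post #4, run update_conf_file on ~/.gnupg/dirmngr.conf and then reload_dirmngr, since the daemon that is already running keeps its old keyserver until reloaded. For the pacman case from post #8 the same function applied to /etc/pacman.d/gnupg/gpg.conf answers the "does it contain a keyserver entry" check loqs raises. A pool that ends in a private CA, as post #2 describes for sks-keyservers.net, additionally needs dirmngr's hkp-cacert option pointing at that CA file, or verification fails just as it does for an expired certificate.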

#9 2020-08-03 01:45:35

ben781
Member
Registered: 2016-12-11
Posts: 14

Re: SSL certificate is expired for entire SKS keyserver pool

loqs wrote:

Also does the server used by pacman have to provide keys other than those for Arch developers and maintainers?

If the server used by pacman provided keys only for Arch maintainers, it would be impossible to add additional repositories to pacman.


#10 2020-08-03 01:51:43

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,693

Re: SSL certificate is expired for entire SKS keyserver pool

As far as I can tell, the SKS pool should be currently working again, as the article notes Kristian reappeared right after and fixed the issue after some downtime.

It's not clear to me that there's immediate benefit to be had from using the same load balancer but without SSL.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#11 2020-08-03 02:10:36

loqs
Member
Registered: 2014-03-06
Posts: 11,864

Re: SSL certificate is expired for entire SKS keyserver pool

host pool.sks-keyservers.net
pool.sks-keyservers.net has address 87.118.94.9
pool.sks-keyservers.net has address 24.134.103.65
pool.sks-keyservers.net has address 85.230.102.212
pool.sks-keyservers.net has address 78.46.239.68
pool.sks-keyservers.net has address 185.56.33.53
pool.sks-keyservers.net has address 192.146.137.141
pool.sks-keyservers.net has address 128.180.2.174
pool.sks-keyservers.net has address 159.69.208.88
pool.sks-keyservers.net has address 4.35.226.103
pool.sks-keyservers.net has address 81.6.42.23
pool.sks-keyservers.net has IPv6 address 2001:470:de7a:10::
pool.sks-keyservers.net has IPv6 address 2a01:4f8:c2c:19a3::1
pool.sks-keyservers.net has IPv6 address 2001:468:c80:210f:0:162:701c:c917
pool.sks-keyservers.net has IPv6 address 2001:ba8:1f1:f2d4::2
pool.sks-keyservers.net has IPv6 address 2a01:4f8:1c17:5140::1
pool.sks-keyservers.net has IPv6 address 2001:67c:26b4:ff00::140
pool.sks-keyservers.net has IPv6 address 2a02:168:f405::37
pool.sks-keyservers.net has IPv6 address 2a01:4f9:c010:206b::1
pool.sks-keyservers.net has IPv6 address 2001:67c:26b4:ff00::141
pool.sks-keyservers.net has IPv6 address 2001:610:1:4001:145:100:186:254

host hkps.pool.sks-keyservers.net
hkps.pool.sks-keyservers.net has address 209.244.105.201

I still cannot use hkps.pool.sks-keyservers.net. With no keyserver specified:

gpg --search-keys ABAF11C65A2970B130ABE3C479BE3E4300411886
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error


#12 2020-08-03 02:42:12

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,693

Re: SSL certificate is expired for entire SKS keyserver pool

Interesting, I probably should have checked this. I've long since configured my dirmngr.conf to use keyserver.ubuntu.com though....

$ gpg --keyserver hkps://pool.sks-keyservers.net --search-key eschwartz@archlinux.org
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

Yep, still broken. What is going on...


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#13 2020-08-03 03:15:15

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 7,976

Re: SSL certificate is expired for entire SKS keyserver pool

eschwartz wrote:

Interesting, I probably should have checked this. I've long since configured my dirmngr.conf to use keyserver.ubuntu.com though....

$ gpg --keyserver hkps://pool.sks-keyservers.net --search-key eschwartz@archlinux.org
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

Yep, still broken. What is going on...

The hkps "pool" is down to one server, and it can't handle it.


#14 2020-08-03 04:14:13

loqs
Member
Registered: 2014-03-06
Posts: 11,864

Re: SSL certificate is expired for entire SKS keyserver pool

https://pgpkeys.co.uk/
https://pgpkeys.eu/
https://pgpkeys.uk/
The three servers operated by Dan Austin are up but using certificates issued by Let's Encrypt.

https://lists.nongnu.org/archive/html/sks-devel/ contains nothing in July when the old certificates for those servers expired.

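Post #2 reads a server's certificate dates off by hand and post #14 notes the pgpkeys.* servers now use Let's Encrypt certificates. As an added example, not code from the thread, the following checks the condition that turned the pool into "General error" for GnuPG: a certificate that no longer verifies. days_until_expiry and assess work offline on the notAfter string Python's ssl module returns for a peer certificate; fetch_peer_cert performs the live connection with verification left on, so it raises on an expired or untrusted chain, and it accepts an optional CA file for servers whose chain ends in a private CA such as the sks-keyservers.net CA from post #2. The dates in the demo are constructed from the ones quoted in post #2, seen from the thread's date.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, Optional

SECONDS_PER_DAY = 86400
# Constructed reference point: the day the thread was opened.
SEEN_ON = datetime(2020, 8, 1, tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> float:
    """Days left on a certificate; negative means it has already expired.

    not_after uses the format getpeercert()['notAfter'] returns,
    e.g. 'Jun 25 00:00:00 2021 GMT'.
    """
    expiry = ssl.cert_time_to_seconds(not_after)
    current = now if now is not None else datetime.now(timezone.utc)
    return (expiry - current.timestamp()) / SECONDS_PER_DAY


def assess(not_after: str, now: Optional[datetime] = None, warn_days: int = 14) -> str:
    """'expired', 'expiring' (inside the warning window) or 'ok'."""
    remaining = days_until_expiry(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "ok"


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None,
                    timeout: float = 10.0) -> Dict:
    """TLS-connect and return the verified leaf certificate as a dict.

    Verification stays on: an expired or untrusted chain raises
    ssl.SSLCertVerificationError, the same failure dirmngr runs into on such
    a keyserver and reports only as 'General error'.  With CERT_NONE,
    getpeercert() returns {}, so to inspect an already expired certificate
    use `openssl s_client` rather than this function.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed: the validity dates quoted in post #2, as seen on SEEN_ON.
    for label, not_after in [("server cert", "Jun 25 00:00:00 2021 GMT"),
                             ("pool CA cert", "Oct 07 00:00:00 2022 GMT")]:
        days = days_until_expiry(not_after, SEEN_ON)
        print(f"{label}: {days:.0f} days left, {assess(not_after, SEEN_ON)}")
```

Run with a real host, fetch_peer_cert(host)["notAfter"] feeds straight into assess; a warn_days window of a couple of weeks is what would have flagged the pool's certificates before they lapsed in June, rather than after users started seeing failed key fetches.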
