
#1 2014-12-28 11:40:39

fwalch
Member
Registered: 2008-04-29
Posts: 8

GnuPG: Can't access keyserver over HKPS

Accessing a keyserver over HKP works, but HKPS doesn't. I'm using GnuPG 2.1.1-1.

# HKP - works
$ gpg --keyserver hkp://hkps.pool.sks-keyservers.net --search-keys 9741E8AC
gpg: data source: http://srv01.secure-u.de:11371
(1)	Pierre Schmitz <pierre@archlinux.de>
	  2048 bit RSA key 9741E8AC, created: 2011-04-10

# HKPS - general error
$ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --debug 1024 --search-keys 9741E8AC
gpg: reading options from '/home/florian/.gnupg/gpg.conf'
gpg: enabled debug flags: extprog assuan
gpg: DBG: chan_3 <- # Home: /home/florian/.gnupg
gpg: DBG: chan_3 <- # Config: /home/florian/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.1.1 at your service
gpg: DBG: chan_4 <- # Home: /home/florian/.gnupg
gpg: DBG: chan_4 <- # Config: /home/florian/.gnupg/dirmngr.conf
gpg: DBG: chan_4 <- OK Dirmngr 2.1.1 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_4 -> KEYSERVER --clear hkps://hkps.pool.sks-keyservers.net
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KS_SEARCH -- 9741E8AC
gpg: DBG: chan_4 <- ERR 1 General error <Unspecified source>
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error
gpg: DBG: chan_4 -> BYE
gpg: secmem usage: 0/32768 bytes in 0 blocks

Tried this with both an empty dirmngr.conf and the following (from the bottom of https://sks-keyservers.net/overview-of-pools.php):

hkp-cacert /home/florian/.gnupg/sks-keyservers.netCA.pem no-honor-keyserver-url

The gpg.conf is completely empty.

Any idea what's going wrong here?


#2 2014-12-28 19:44:21

heyom
Member
Registered: 2013-12-03
Posts: 43

Re: GnuPG: Can't access keyserver over HKPS

I have the same problem.

It works on all Debian-based distros using the gnupg-curl package, and I can't find one for Arch...


#3 2014-12-28 19:49:38

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: GnuPG: Can't access keyserver over HKPS

┌─[Shiv ~ ]
└─╼ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys 9741E8AC 
gpg: data source: http://itunix.eu:11371
(1)     Pierre Schmitz <pierre@archlinux.de>
          2048 bit RSA key 9741E8AC, created: 2011-04-10
Keys 1-1 of 1 for "9741E8AC".  Enter number(s), N)ext, or Q)uit > n
┌─[Shiv ~ ]
└─╼ pacman -Q gnupg
gnupg 2.1.1-1

Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#4 2014-12-28 21:20:54

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,165
Website

Re: GnuPG: Can't access keyserver over HKPS

Works here with gnupg 2.1.0-7 (when hkps support was (re-?)implemented).

claire@claire ~ % gpg --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys DCE0E484
gpg: data source: http://pgp.mit.edu:80
(1)	Andes Ho <andesho91@gmail.com>
	Andes Ho (RHUL MSC) <mxah002@live.rhul.ac.uk>
	Andes Ho (RHUL MSC) <andes.ho.2012@live.rhul.ac.uk>
	  4096 bit RSA key DCE0E484, created: 2014-12-25
Keys 1-1 of 1 for "DCE0E484".  Enter number(s), N)ext, or Q)uit > n
claire@claire ~ % pacman -Q gnupg
gnupg 2.1.0-7

Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository


#5 2014-12-29 17:49:38

heyom
Member
Registered: 2013-12-03
Posts: 43

Re: GnuPG: Can't access keyserver over HKPS

Finally it works for me. I use version 2.1 of gnupg and I followed the steps to connect to sks-keyservers.net via HKPS.

Last edited by heyom (2014-12-29 17:50:10)


#6 2014-12-30 15:07:47

flokli
Member
Registered: 2013-08-22
Posts: 4

Re: GnuPG: Can't access keyserver over HKPS

I'm still not able to get it to work.

I used the config file from https://raw.githubusercontent.com/ioerr … g/gpg.conf

and changed the following:

~/.gnupg/gpg.conf:

keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options hkp-cacert=/usr/local/etc/ssl/certs/hkps.pool.sks-keyservers.net.pem

~/.gnupg/dirmngr.conf:

hkp-cacert /usr/local/etc/ssl/certs/hkps.pool.sks-keyservers.net.pem

I still get

# gpg --recv-keys 9741E8AC
gpg: keyserver receive failed: General error


#7 2014-12-31 15:12:17

fwalch
Member
Registered: 2008-04-29
Posts: 8

Re: GnuPG: Can't access keyserver over HKPS

Can any of you post your (working) gpg.conf/dirmngr.conf? heyom's config should be the same as flokli's, but that's also basically what I use and it doesn't work for me either.


#8 2014-12-31 15:23:57

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,165
Website

Re: GnuPG: Can't access keyserver over HKPS

I don't have a ~/.gnupg/dirmngr.conf and my ~/.gnupg/gpg.conf is untouched from installation.



#9 2015-01-02 10:20:35

fwalch
Member
Registered: 2008-04-29
Posts: 8

Re: GnuPG: Can't access keyserver over HKPS

@clfarron4: So you didn't change gpg.conf from the default (sorry if I understood this incorrectly)? If so, I think HKPS isn't actually used. See this output, using default gpg.conf:

 ~ mv .gnupg/ gpg
 ~ gpg
gpg: directory '/home/florian/.gnupg' created
gpg: new configuration file '/home/florian/.gnupg/gpg.conf' created
gpg: WARNING: options in '/home/florian/.gnupg/gpg.conf' are not yet active during this run
gpg: keybox '/home/florian/.gnupg/pubring.kbx' created
gpg: Go ahead and type your message ...
^C
gpg: signal Interrupt caught ... exiting
 ~ gpg --debug 1024 --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys 9741E8AC
gpg: reading options from '/home/florian/.gnupg/gpg.conf'
gpg: enabled debug flags: extprog assuan
gpg: DBG: chan_3 <- # Home: /home/florian/.gnupg
gpg: DBG: chan_3 <- # Config: [none]
gpg: DBG: chan_3 <- OK Dirmngr 2.1.1 at your service
gpg: DBG: chan_4 <- # Home: /home/florian/.gnupg
gpg: DBG: chan_4 <- # Config: [none]
gpg: DBG: chan_4 <- OK Dirmngr 2.1.1 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_4 -> KEYSERVER --clear hkps://hkps.pool.sks-keyservers.net
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KEYSERVER hkp://keys.gnupg.net
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KS_SEARCH -- 9741E8AC
gpg: DBG: chan_4 <- S PROGRESS tick ? 0 0
gpg: DBG: chan_4 <- S SOURCE http://206.176.170.195:11371
gpg: DBG: chan_4 <- D info:1:1%0Apub:4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC:1:2048:1302428133::%0Auid:Pierre Schmitz <pierre@archlinux.de>:1302428133::%0A%0D%0A
gpg: data source: http://206.176.170.195:11371
gpg: DBG: chan_4 <- OK
(1)	Pierre Schmitz <pierre@archlinux.de>
	  2048 bit RSA key 9741E8AC, created: 2011-04-10
Keys 1-1 of 1 for "9741E8AC".  Enter number(s), N)ext, or Q)uit > 
gpg: signal Interrupt caught ... exiting

As you can see, this does work, but doesn't actually use the keyserver specified with --keyserver. It falls back to the one from the config, which uses an unencrypted connection (HKP). Also see http://lists.gnupg.org/pipermail/gnupg- … 29219.html:

Gnupg sends the dirmngr the keyserver it should use with a KEYSERVER command.
In dirmngr's debug output you can see that it sends KEYSERVER --clear <foo>
and then another KEYSERVER command for each keyserver configured.

In my tests it always used the last one.

@jasonwryan: do you have any keyserver(s) specified in your gpg.conf? If yes, then HKPS might not work for you after all. You should be able to check with --debug 1024.

Last edited by fwalch (2015-01-02 10:24:00)
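Added example, not part of the thread: a small checker for the fallback described in the post above. It reads captured `gpg --debug 1024` output and reports when the last KEYSERVER command differs from the one requested or when the data source is plain HTTP. The function name `audit` and the sample (abridged from the output above) are choices made for this example, and "the last KEYSERVER wins" is the observation quoted in the post, taken here as an assumption.

```python
import re
import sys

# Assuan traffic that gpg logs with --debug 1024.
KEYSERVER_RE = re.compile(r"DBG: chan_\d+ -> KEYSERVER (?:--clear )?(\S+)")
SOURCE_RE = re.compile(r"^gpg: data source: (\S+)", re.M)
ERR_RE = re.compile(r"DBG: chan_\d+ <- ERR \d+ (.+)")

# Sample abridged from the debug output posted above.
FALLBACK_SAMPLE = """\
gpg: DBG: chan_4 -> KEYSERVER --clear hkps://hkps.pool.sks-keyservers.net
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KEYSERVER hkp://keys.gnupg.net
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KS_SEARCH -- 9741E8AC
gpg: data source: http://206.176.170.195:11371
"""


def audit(debug_output, requested):
    """Compare the keyserver requested on the command line with what was used."""
    sent = KEYSERVER_RE.findall(debug_output)
    source = SOURCE_RE.search(debug_output)
    error = ERR_RE.search(debug_output)
    # Assumption from the thread: dirmngr uses the last KEYSERVER it receives.
    effective = sent[-1] if sent else None
    findings = []
    if effective and effective != requested:
        findings.append(f"requested {requested} but last KEYSERVER sent was {effective}")
    if requested.startswith("hkps://") and source and source.group(1).startswith("http://"):
        findings.append(f"plaintext data source {source.group(1)} for an hkps request")
    if error:
        findings.append(f"dirmngr error: {error.group(1)}")
    return {"sent": sent, "effective": effective,
            "source": source.group(1) if source else None, "findings": findings}


if __name__ == "__main__":
    # Pipe captured gpg output on stdin; without a pipe the embedded sample is used.
    text = FALLBACK_SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = audit(text, "hkps://hkps.pool.sks-keyservers.net")
    for finding in result["findings"]:
        print("WARNING:", finding)
    sys.exit(1 if result["findings"] else 0)
```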


#10 2015-01-03 18:40:49

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,165
Website

Re: GnuPG: Can't access keyserver over HKPS

fwalch wrote:

@clfarron4: So you didn't change gpg.conf from the default (sorry if I understood this incorrectly)? If so, I think HKPS isn't actually used. See this output, using default gpg.conf

Indeed you understand correctly.

And good catch indeed. My output for "gpg --debug 1024 --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys 9741E8AC" looks the same as yours.



#11 2015-01-07 11:56:49

fwalch
Member
Registered: 2008-04-29
Posts: 8

Re: GnuPG: Can't access keyserver over HKPS

Created a bug report at https://bugs.archlinux.org/task/43364.


#12 2015-02-13 15:29:03

Runiq
Member
From: Germany
Registered: 2008-10-29
Posts: 1,053

Re: GnuPG: Can't access keyserver over HKPS

Looks like it's a bug in dirmngr: https://bugs.g10code.com/gnupg/issue1792


#13 2015-03-30 11:56:50

Xelvet
Member
Registered: 2014-02-20
Posts: 88

Re: GnuPG: Can't access keyserver over HKPS

Still relevant?

~/.gnupg % gpg --debug-all --search-keys 'wtf'                                                            :(
gpg: DBG: chan_4 -> KEYSERVER --clear hkps://hkps.pool.sks-keyservers.net
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KS_SEARCH -- wtf
gpg: DBG: chan_4 <- ERR 1 General error <Unspecified source>
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

Last edited by Xelvet (2015-03-30 11:57:18)


#14 2015-03-30 12:03:29

runical
Member
From: The Netherlands
Registered: 2012-03-03
Posts: 896

Re: GnuPG: Can't access keyserver over HKPS

Xelvet wrote:

Still relevant?

~/.gnupg % gpg --debug-all --search-keys 'wtf'                                                            :(
gpg: DBG: chan_4 -> KEYSERVER --clear hkps://hkps.pool.sks-keyservers.net
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KS_SEARCH -- wtf
gpg: DBG: chan_4 <- ERR 1 General error <Unspecified source>
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

I think you are better off starting your own topic and linking to this one as potentially relevant.


#15 2015-10-26 17:20:51

blueyed
Member
Registered: 2015-09-19
Posts: 5

Re: GnuPG: Can't access keyserver over HKPS

The bug report for Arch has been re-opened: https://bugs.archlinux.org/task/43364.
