
#1 2020-09-12 15:21:43

x-yuri
Member
Registered: 2013-01-06
Posts: 137

How do I make gnupg notice changes in dirmngr.conf?

Steps to reproduce:

1. Comment out keyservers in $GNUPGHOME/dirmngr.conf, searching for a key succeeds:

$ gpg --debug-level 10 --search-key DF6FD971306037D9
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/yuri/dir/.gnupg
gpg: DBG: chan_3 <- # Config: /home/yuri/dir/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.23 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.23
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_SEARCH -- DF6FD971306037D9
gpg: DBG: chan_3 <- S PROGRESS tick ? 0 0
gpg: DBG: chan_3 <- S SOURCE http://hkps.pool.sks-keyservers.net:11371
gpg: DBG: chan_3 <- D info:1:1%0Apub:6C37DC12121A5006BC1DB804DF6FD971306037D9:1:4096:1316781134::%0Auid:P%25C3%25A1draig Brady <P@draigBrady.com>:1316782295::%0Auid:P%25C3%25A1draig Brady <pbrady@redhat.com>:1316782093::%0Auid:P%25C3%25A1draig Brady <pixelbeat@gnu.org>:1316782260::%0A%0D%0A
gpg: data source: http://hkps.pool.sks-keyservers.net:11371
gpg: DBG: chan_3 <- OK
gpg: DBG: iobuf-1.0: close '?'
(1) Pádraig Brady <P@draigBrady.com>
    Pádraig Brady <pbrady@redhat.com>
    Pádraig Brady <pixelbeat@gnu.org>
      4096 bit RSA key DF6FD971306037D9, created: 2011-09-23
gpg: cannot open '/dev/tty': No such device or address

$ ps -p `pgrep dirmngr | paste -sd,` -o pid=,ppid=,comm=,args=
   2076       1 dirmngr         dirmngr --daemon --homedir /home/yuri/dir/.gnupg

2. `pkill dirmngr`, searching for a key fails:

$ gpg --debug-level 10 --search-key DF6FD971306037D9
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/yuri/dir/.gnupg
gpg: DBG: chan_3 <- # Config: /home/yuri/dir/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.23 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.23
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_SEARCH -- DF6FD971306037D9
gpg: DBG: chan_3 <- ERR 1 General error <Unspecified source>
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

$ ps -p `pgrep dirmngr | paste -sd,` -o pid=,ppid=,comm=,args=
   6031       1 dirmngr         dirmngr --daemon --homedir /home/yuri/dir/.gnupg

3. Uncomment keyservers, searching for a key fails.

4. `pkill dirmngr`, searching for a key succeeds.

5. Comment out keyservers, restart the dirmngr service, searching for a key succeeds:

$ ps -p `pgrep dirmngr | paste -sd,` -o pid=,ppid=,comm=,args=
   7547       1 dirmngr         dirmngr --daemon --homedir /home/yuri/dir/.gnupg
$ systemctl --user restart dirmngr
$ ps -p `pgrep dirmngr | paste -sd,` -o pid=,ppid=,comm=,args=
   7547       1 dirmngr         dirmngr --daemon --homedir /home/yuri/dir/.gnupg
   8071     520 dirmngr         /usr/bin/dirmngr --supervised

6. Reload the dirmngr service, searching for a key succeeds:

$ systemctl --user reload dirmngr
$ ps -p `pgrep dirmngr | paste -sd,` -o pid=,ppid=,comm=,args=
   7547       1 dirmngr         dirmngr --daemon --homedir /home/yuri/dir/.gnupg
   8071     520 dirmngr         /usr/bin/dirmngr --supervised

Additionally, restarting/reloading the dirmngr service creates ~/.gnupg, although my gpg home is elsewhere. It might be relevant here that I'm using the awesome window manager, which is started by LightDM via ~/.xinitrc. And GNUPGHOME is set in ~/.bash_profile. At first I thought that dirmngr thinks the home is at ~/.gnupg, but as can be seen from the communication between gpg and dirmngr, that's not the case. And `pkill dirmngr` doesn't lead to the creation of ~/.gnupg, `systemctl --user restart/reload` does.

Am I missing something? Is `pkill dirmngr` the way to apply configuration changes? And possibly... Why does it create the ~/.gnupg dir?

Last edited by x-yuri (2020-09-12 17:12:34)


#2 2020-09-12 15:27:26

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 27,053

Re: How do I make gnupg notice changes in dirmngr.conf?

x-yuri wrote:

6. Reload the dirmngr service...

restart not reload

x-yuri wrote:

Why does it create the ~/.gnupg dir?

https://wiki.archlinux.org/index.php/Gn … figuration


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2020-09-12 19:33:19

x-yuri
Member
Registered: 2013-01-06
Posts: 137

Re: How do I make gnupg notice changes in dirmngr.conf?

Trilby wrote:
x-yuri wrote:

6. Reload the dirmngr service...

restart not reload

You're probably referring to:

ArchWiki wrote:

You can connect to a keyserver using a proxy by setting the http_proxy environment variable and setting honor-http-proxy in dirmngr.conf. Alternatively, set http-proxy host[:port] in dirmngr.conf, overriding the http_proxy environment variable. Restart the dirmngr.service user service for the changes to take effect.

Okay, let it be restart. But still it doesn't produce any effect. E.g. `$GNUPGHOME/dirmngr.conf` contains:

keyserver hkp://jirk5u4osbsr34t5.onion
keyserver hkp://keys.gnupg.net

I search for a key:

$ gpg --debug-level 10 --search-key DF6FD971306037D9
...
gpg: DBG: chan_3 <- # Home: /home/yuri/dir/.gnupg
gpg: DBG: chan_3 <- # Config: /home/yuri/dir/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.23 at your service
gpg: DBG: connection to the dirmngr established
...
gpg: DBG: chan_3 -> KS_SEARCH -- DF6FD971306037D9
gpg: DBG: chan_3 <- S SOURCE http://hkps.pool.sks-keyservers.net:11371
gpg: DBG: chan_3 <- D info:1:1%0Apub:6C37DC12121A5006BC1DB804DF6FD971306037D9:1:4096:1316781134::%0Auid:P%25C3%25A1draig Brady <P@draigBrady.com>:1316782295::%0Auid:P%25C3%25A1draig Brady <pbrady@redhat.com>:1316782093::%0Auid:P%25C3%25A1draig Brady <pixelbeat@gnu.org>:1316782260::%0A%0D%0A
gpg: data source: http://hkps.pool.sks-keyservers.net:11371
gpg: DBG: chan_3 <- OK
...

Then I comment out the keyserver lines in `dirmngr.conf`, do `systemctl --user restart dirmngr`, but the search still succeeds:

$ gpg --debug-level 10 --search-key DF6FD971306037D9
...
gpg: DBG: chan_3 <- # Home: /home/yuri/dir/.gnupg
gpg: DBG: chan_3 <- # Config: /home/yuri/dir/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.23 at your service
gpg: DBG: connection to the dirmngr established
...
gpg: DBG: chan_3 -> KS_SEARCH -- DF6FD971306037D9
gpg: DBG: chan_3 <- S PROGRESS tick ? 0 0
gpg: DBG: chan_3 <- S SOURCE http://hkps.pool.sks-keyservers.net:11371
gpg: DBG: chan_3 <- D info:1:1%0Apub:6C37DC12121A5006BC1DB804DF6FD971306037D9:1:4096:1316781134::%0Auid:P%25C3%25A1draig Brady <P@draigBrady.com>:1316782295::%0Auid:P%25C3%25A1draig Brady <pbrady@redhat.com>:1316782093::%0Auid:P%25C3%25A1draig Brady <pixelbeat@gnu.org>:1316782260::%0A%0D%0A
gpg: data source: http://hkps.pool.sks-keyservers.net:11371
gpg: DBG: chan_3 <- OK
...

Then I do `pkill dirmngr`, and now it fails:

$ gpg --debug-level 10 --search-key DF6FD971306037D9
...
gpg: DBG: chan_3 <- # Home: /home/yuri/dir/.gnupg
gpg: DBG: chan_3 <- # Config: /home/yuri/dir/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.23 at your service
gpg: DBG: connection to the dirmngr established
...
gpg: DBG: chan_3 -> KS_SEARCH -- DF6FD971306037D9
gpg: DBG: chan_3 <- ERR 1 General error <Unspecified source>
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error
...

Trilby wrote:
x-yuri wrote:

Why does it create the ~/.gnupg dir?

https://wiki.archlinux.org/index.php/Gn … figuration

I've managed to figure out that `~/.gnupg` is created when I do `systemctl --user restart dirmngr`. Normally there exists only one `dirmngr` process. Or, to be precise, `dirmngr` is not started during boot. One instance is started when I do `gpg --search-key DF6FD971306037D9`:

$ pgrep dirmngr | while IFS= read -r; do ppid=`ps -p "$REPLY" -o ppid:1=`; ps -p "$ppid" -o pid=,ppid=,comm=,args=; ps -p "$REPLY" -o pid=,ppid=,comm=,args=; done
      1       0 systemd         /sbin/init
   6966       1 dirmngr         dirmngr --daemon --homedir /home/yuri/dir/.gnupg

I didn't inspect it thoroughly, but I guess with this instance I can perform any sort of operation `gpg` provides.

But when I do `systemctl --user restart dirmngr` another instance is started:

$ pgrep dirmngr | while IFS= read -r; do ppid=`ps -p "$REPLY" -o ppid:1=`; ps -p "$ppid" -o pid=,ppid=,comm=,args=; ps -p "$REPLY" -o pid=,ppid=,comm=,args=; done
      1       0 systemd         /sbin/init
   6966       1 dirmngr         dirmngr --daemon --homedir /home/yuri/dir/.gnupg
    512       1 systemd         /usr/lib/systemd/systemd --user
   8233     512 dirmngr         /usr/bin/dirmngr --supervised

And it was this second instance that was creating the `~/.gnupg` dir, because it didn't have my custom GNUPGHOME variable. So I did `systemctl --user edit dirmngr`, and now:

$ cat ~/.config/systemd/user/dirmngr.service.d/override.conf
[Service]
Environment=GNUPGHOME=/home/yuri/dir/.gnupg

After this `~/.gnupg` doesn't get created.

What still strikes me as weird is this second instance itself, governed by my systemd user instance. From what I can see it's never used. `gpg` starts `dirmngr` as needed:

$ pkill dirmngr && strace -s 1000 -fe trace=process gpg --search-key DF6FD971306037D9
execve("/usr/bin/gpg", ["gpg", "--search-key", "DF6FD971306037D9"], 0x7ffe290f4340 /* 66 vars */) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDstrace: Process 14476 attached
, child_tidptr=0x7fc8f0317a10) = 14476
[pid 14475] wait4(14476,  <unfinished ...>
[pid 14476] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDstrace: Process 14477 attached
, child_tidptr=0x7fc8f0317a10) = 14477
[pid 14476] exit_group(0)               = ?
[pid 14476] +++ exited with 0 +++
[pid 14475] <... wait4 resumed>NULL, 0, NULL) = 14476
[pid 14475] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=14476, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
[pid 14477] execve("/usr/bin/dirmngr", ["dirmngr", "--daemon", "--homedir", "/home/yuri/dir/.gnupg"], 0x7fffcd4595b8 /* 66 vars */) = 0
[pid 14477] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDstrace: Process 14478 attached
, child_tidptr=0x7f9e84f26050) = 14478
[pid 14477] exit_group(0)               = ?
[pid 14477] +++ exited with 0 +++
[pid 14478] clone(child_stack=0x7f9e84c3bcf0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTIDstrace: Process 14479 attached
, parent_tid=[14479], tls=0x7f9e84c3c640, child_tidptr=0x7f9e84c3c910) = 14479
gpg: data source: http://hkps.pool.sks-keyservers.net:11371
(1)	Pádraig Brady <P@draigBrady.com>
	Pádraig Brady <pbrady@redhat.com>
	Pádraig Brady <pixelbeat@gnu.org>
	  4096 bit RSA key DF6FD971306037D9, created: 2011-09-23
gpg: cannot open '/dev/tty': No such device or address
[pid 14475] exit_group(2)               = ?
[pid 14475] +++ exited with 2 +++
[pid 14479] exit(0)                     = ?
[pid 14479] +++ exited with 0 +++
strace: Process 14478 detached

What is it for? From what I can see, the upstream instructions were followed.

$ ls /usr/lib/systemd/user/dirmngr* /usr/lib/systemd/user/gpg*
/usr/lib/systemd/user/dirmngr.service
/usr/lib/systemd/user/dirmngr.socket
/usr/lib/systemd/user/gpg-agent-browser.socket
/usr/lib/systemd/user/gpg-agent-extra.socket
/usr/lib/systemd/user/gpg-agent.service
/usr/lib/systemd/user/gpg-agent.socket
/usr/lib/systemd/user/gpg-agent-ssh.socket

A list of active units:

$ systemctl --user list-units dirmngr* gpg*
  UNIT                     LOAD   ACTIVE SUB       DESCRIPTION                                                             
  dirmngr.socket           loaded active listening GnuPG network certificate management daemon                             
  gpg-agent-browser.socket loaded active listening GnuPG cryptographic agent and passphrase cache (access for web browsers)
  gpg-agent-extra.socket   loaded active listening GnuPG cryptographic agent and passphrase cache (restricted)             
  gpg-agent-ssh.socket     loaded active listening GnuPG cryptographic agent (ssh-agent emulation)                         
  gpg-agent.socket         loaded active listening GnuPG cryptographic agent and passphrase cache                          

`dirmngr.socket` is enabled:

$ systemctl --user is-enabled dirmngr.socket
enabled

An upstream bug? A misconfiguration?

Last edited by x-yuri (2020-09-12 19:36:00)
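The two `dirmngr` instances in the post above end up with different home directories for a simple reason: the one spawned by `gpg` gets `--homedir` on its command line, while the systemd-supervised one only sees whatever environment the user manager gives it. The script below is an added example, not code from the thread or from GnuPG; it applies the precedence GnuPG documents (`--homedir` beats `GNUPGHOME`, which beats `~/.gnupg`) to a process's command line and environment, so each running instance can be reported with the home directory it is really serving. The live report assumes a Linux `/proc` and `pgrep`; the sample command lines and environments in the comments and tests are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example (not from the thread or GnuPG): report which GnuPG home
# directory each dirmngr instance serves. Precedence as documented for GnuPG:
#   1. --homedir DIR on the command line (what gpg passes when it spawns dirmngr)
#   2. GNUPGHOME in the process environment
#   3. $HOME/.gnupg
#
# effective_homedir CMDLINE ENVIRON HOME
#   CMDLINE: process arguments, space separated (paths with spaces unsupported)
#   ENVIRON: environment as VAR=value lines
#   HOME:    the user's home directory
effective_homedir() {
    cmdline=$1
    environ=$2
    home=$3

    # 1. explicit --homedir (both "--homedir DIR" and "--homedir=DIR" forms)
    set -- $cmdline
    while [ $# -gt 0 ]; do
        case "$1" in
            --homedir=*) printf '%s\n' "${1#--homedir=}"; return 0 ;;
            --homedir)   if [ $# -ge 2 ]; then printf '%s\n' "$2"; return 0; fi ;;
        esac
        shift
    done

    # 2. GNUPGHOME from the environment the process was started with
    gnupghome=$(printf '%s\n' "$environ" | sed -n 's/^GNUPGHOME=//p' | head -n 1)
    if [ -n "$gnupghome" ]; then
        printf '%s\n' "$gnupghome"
        return 0
    fi

    # 3. built-in default
    printf '%s\n' "$home/.gnupg"
}

# report_live_instances: one line per running dirmngr: PID, effective homedir,
# command line. Reads /proc/PID/cmdline and /proc/PID/environ (same user only).
report_live_instances() {
    for pid in $(pgrep -x dirmngr 2>/dev/null); do
        cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline")
        environ=$(tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" \
            "$(effective_homedir "$cmdline" "$environ" "$HOME")" "$cmdline"
    done
}

# Constructed sample inputs, mirroring the two instances seen in the thread:
#   "dirmngr --daemon --homedir /home/yuri/dir/.gnupg"  -> /home/yuri/dir/.gnupg
#   "/usr/bin/dirmngr --supervised" with no GNUPGHOME   -> /home/yuri/.gnupg
#   "/usr/bin/dirmngr --supervised" + GNUPGHOME override -> /home/yuri/dir/.gnupg
demo() {
    effective_homedir 'dirmngr --daemon --homedir /home/yuri/dir/.gnupg' '' /home/yuri
    effective_homedir '/usr/bin/dirmngr --supervised' 'PATH=/usr/bin' /home/yuri
    effective_homedir '/usr/bin/dirmngr --supervised' \
        'GNUPGHOME=/home/yuri/dir/.gnupg' /home/yuri
}

# Usage: sh dirmngr-homes.sh --live   (inspect this host)
#        sh dirmngr-homes.sh          (run the constructed sample)
if [ "${1:-}" = "--live" ]; then report_live_instances; else demo; fi
```

The third sample line is the situation after the `override.conf` drop-in from the post: once the user manager exports `GNUPGHOME`, the supervised instance resolves the same home as the `gpg`-spawned one and no longer touches `~/.gnupg`.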


#4 2020-09-12 20:04:54

x-yuri
Member
Registered: 2013-01-06
Posts: 137

Re: How do I make gnupg notice changes in dirmngr.conf?

I think I've found the culprit. Socket activation doesn't seem to work. In `/usr/lib/systemd/user/dirmngr.socket`:

ListenStream=%t/gnupg/S.dirmngr

From `man systemd.unit`:

"%t"      │ Runtime directory root                              │ This is either /run (for the system manager) or the path "$XDG_RUNTIME_DIR" resolves to (for user managers).
$ set | grep XDG_RUNTIME_DIR
XDG_RUNTIME_DIR=/run/user/1000

Now when I start `gpg --search-key DF6FD971306037D9`, `gpg` looks for the socket in the wrong directory, receives ECONNREFUSED, and starts `dirmngr` itself:

$ ls /run/user/1000/gnupg
S.dirmngr
S.gpg-agent
S.gpg-agent.browser
S.gpg-agent.extra
S.gpg-agent.ssh

$ strace -s 1000 -fe execve,clone,connect gpg --search-key DF6FD971306037D9
execve("/usr/bin/gpg", ["gpg", "--search-key", "DF6FD971306037D9"], 0x7ffd5a2ff020 /* 66 vars */) = 0
connect(3, {sa_family=AF_UNIX, sun_path="/run/user/1000/gnupg/d.8fzkopk8kpkda6radgaom1gz/S.dirmngr"}, 59) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_UNIX, sun_path="/run/user/1000/gnupg/d.8fzkopk8kpkda6radgaom1gz/S.dirmngr"}, 59) = -1 ENOENT (No such file or directory)
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDstrace: Process 3066 attached
, child_tidptr=0x7fa4ba696a10) = 3066
[pid  3066] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDstrace: Process 3067 attached
, child_tidptr=0x7fa4ba696a10) = 3067
[pid  3066] +++ exited with 0 +++
[pid  3065] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3066, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
[pid  3067] execve("/usr/bin/dirmngr", ["dirmngr", "--daemon", "--homedir", "/home/yuri/dir/.gnupg"], 0x7fff864777f8 /* 66 vars */ <unfinished ...>
[pid  3065] connect(3, {sa_family=AF_UNIX, sun_path="/run/user/1000/gnupg/d.8fzkopk8kpkda6radgaom1gz/S.dirmngr"}, 59) = -1 ENOENT (No such file or directory)
[pid  3067] <... execve resumed>)       = 0
[pid  3065] connect(3, {sa_family=AF_UNIX, sun_path="/run/user/1000/gnupg/d.8fzkopk8kpkda6radgaom1gz/S.dirmngr"}, 59) = -1 ENOENT (No such file or directory)
[pid  3065] connect(3, {sa_family=AF_UNIX, sun_path="/run/user/1000/gnupg/d.8fzkopk8kpkda6radgaom1gz/S.dirmngr"}, 59) = -1 ENOENT (No such file or directory)
[pid  3065] connect(3, {sa_family=AF_UNIX, sun_path="/run/user/1000/gnupg/d.8fzkopk8kpkda6radgaom1gz/S.dirmngr"}, 59) = -1 ENOENT (No such file or directory)
[pid  3067] connect(3, {sa_family=AF_INET, sin_port=htons(9050), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
[pid  3067] connect(3, {sa_family=AF_INET, sin_port=htons(9150), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
[pid  3067] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fa2f20c6050) = 3068
strace: Process 3068 attached
[pid  3067] +++ exited with 0 +++
[pid  3065] connect(3, {sa_family=AF_UNIX, sun_path="/run/user/1000/gnupg/d.8fzkopk8kpkda6radgaom1gz/S.dirmngr"}, 59) = 0
[pid  3068] clone(child_stack=0x7fa2f1ddbcf0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3069], tls=0x7fa2f1ddc640, child_tidptr=0x7fa2f1ddc910) = 3069
strace: Process 3069 attached
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(9050), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(9150), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 16) = 0
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 16) = 0
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 16) = 0
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 16) = 0
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 16) = 0
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 16) = 0
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 16) = 0
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 16) = 0
[pid  3069] connect(6, {sa_family=AF_INET, sin_port=htons(11371), sin_addr=inet_addr("209.244.105.201")}, 16) = -1 EINPROGRESS (Operation now in progress)

gpg: signal 15 caught ... exiting
strace: Process 3065 detached
strace: Process 3068 detached
strace: Process 3069 detached

$ ls /run/user/1000/gnupg
d.8fzkopk8kpkda6radgaom1gz
S.dirmngr
S.gpg-agent
S.gpg-agent.browser
S.gpg-agent.extra
S.gpg-agent.ssh

$ ls /run/user/1000/gnupg/d.8fzkopk8kpkda6radgaom1gz
S.dirmngr

A packaging issue? An upstream bug?

UPD There was this discussion, but nevertheless they later added it. Maybe at some point the path had changed and either they forgot to update the systemd files, or didn't know how to resolve it right away.

Last edited by x-yuri (2020-09-12 20:51:14)
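The mismatch found in this post can be checked mechanically: systemd expands `%t` in the socket unit to `$XDG_RUNTIME_DIR`, while `gpg`, for a home directory other than `~/.gnupg`, connects to a socket inside a per-homedir subdirectory (the `d.…` directory in the `ls` output above), so both paths start with `/run/user/1000/gnupg` yet never coincide. The script below is an added example, not code from the thread, GnuPG or systemd; it parses the `ListenStream=` value out of a unit, expands `%t` the way `systemd.unit(5)` describes, and compares the result with the socket path `gpg` uses. The unit text, runtime directory and socket paths in `demo` are constructed to match the thread; the `--live` mode assumes `/usr/lib/systemd/user/dirmngr.socket` and `gpgconf --list-dirs dirmngr-socket` are available on the host.

```shell
#!/bin/sh
# Added example (not from the thread, GnuPG or systemd): does the socket a
# systemd user .socket unit listens on match the socket gpg connects to?

# expand_specifiers VALUE RUNTIME_DIR: expand "%t" (runtime directory root for
# user managers, per systemd.unit(5)). Only %t is handled here.
expand_specifiers() {
    printf '%s\n' "$1" | sed -e "s|%t|$2|g"
}

# listen_stream_path UNIT_TEXT: first ListenStream= value in a .socket unit.
listen_stream_path() {
    printf '%s\n' "$1" | sed -n 's/^ListenStream=//p' | head -n 1
}

# check_unit UNIT_TEXT RUNTIME_DIR GPG_SOCKET: print a verdict; return 0 when
# the systemd socket is the one gpg will open, 1 when activation cannot fire.
check_unit() {
    listen=$(listen_stream_path "$1")
    expanded=$(expand_specifiers "$listen" "$2")
    if [ "$expanded" = "$3" ]; then
        printf 'ok: systemd listens on %s, gpg connects to the same path\n' "$expanded"
        return 0
    fi
    printf 'MISMATCH: systemd listens on %s\n          gpg connects to   %s\n' "$expanded" "$3"
    printf '          socket activation never triggers; gpg spawns its own dirmngr\n'
    return 1
}

# Constructed sample, mirroring the thread: the unit as packaged, the runtime
# dir of uid 1000, and the socket gpg derived for the non-default GNUPGHOME.
SAMPLE_UNIT='[Socket]
ListenStream=%t/gnupg/S.dirmngr'
SAMPLE_RUNTIME_DIR=/run/user/1000
SAMPLE_DEFAULT_SOCKET=/run/user/1000/gnupg/S.dirmngr
SAMPLE_CUSTOM_SOCKET=/run/user/1000/gnupg/d.8fzkopk8kpkda6radgaom1gz/S.dirmngr

demo() {
    # default ~/.gnupg: gpg uses $XDG_RUNTIME_DIR/gnupg/S.dirmngr, activation works
    check_unit "$SAMPLE_UNIT" "$SAMPLE_RUNTIME_DIR" "$SAMPLE_DEFAULT_SOCKET" || :
    # custom GNUPGHOME as in the thread: gpg uses the d.<hash> subdirectory
    check_unit "$SAMPLE_UNIT" "$SAMPLE_RUNTIME_DIR" "$SAMPLE_CUSTOM_SOCKET" || :
}

# live: read the real unit and ask gpgconf where gpg expects the socket.
live() {
    unit=$(cat /usr/lib/systemd/user/dirmngr.socket) || return 1
    runtime=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}
    check_unit "$unit" "$runtime" "$(gpgconf --list-dirs dirmngr-socket)"
}

# Usage: sh dirmngr-socket-check.sh --live   (this host; exit 1 on mismatch)
#        sh dirmngr-socket-check.sh          (constructed sample, both cases)
if [ "${1:-}" = "--live" ]; then live; else demo; fi
```

`gpgconf --list-dirs dirmngr-socket` is the authoritative answer to "which socket will gpg open", and `gpgconf --kill dirmngr` is GnuPG's own way to stop the instance gpg spawned so that the next call picks up an edited `dirmngr.conf`; both commands exist in GnuPG 2.2 but are not part of the thread's own steps.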

