You are not logged in.

#1 2020-08-01 08:59:42

ben781
Member
Registered: 2016-12-11
Posts: 14

SSL certificate is expired for entire SKS keyserver pool

GPG fails to receive keys unless the user manually sets a different keyserver. Apparently, no one has been able to reach Kristian Fiskerstrand, who runs the SKS pool.

More info:
https://theregister.com/2020/06/24/openpgp_key_server/

Last edited by ben781 (2020-08-01 09:09:33)

Offline

#2 2020-08-01 10:54:56

loqs
Member
Registered: 2014-03-06
Posts: 12,093

Re: SSL certificate is expired for entire SKS keyserver pool

sks.pod02.fleetstreetops.com has an updated certificate valid until 2021-06-25 issued by sks-keyservers.net CA certificate valid until 2022-10-07.
The single server is simply overloaded https://bbs.archlinux.org/viewtopic.php?id=257527
Edit:
You could ask for https://github.com/gpg/gnupg/commit/8fb … 17188ad1d9 to be reverted provided all arch packages are signed by keys that can be fetch using WKD.
If not pacman would need an update to set a custom keyserver e.g. revert https://git.archlinux.org/pacman.git/co … 75d6d02d30 or possibly create a keyserver just hosting the archlinux-keyring keys.

Last edited by loqs (2020-08-01 14:38:23)

Offline

#3 2020-08-01 16:26:07

ben781
Member
Registered: 2016-12-11
Posts: 14

Re: SSL certificate is expired for entire SKS keyserver pool

My issue is not as much with pacman-key because I have those keys from the archlinux-keyring package. It is when I need to import keys for an AUR package to build. That uses GPG as the user, not pacman-key as root.

Offline

#4 2020-08-01 18:12:25

loqs
Member
Registered: 2014-03-06
Posts: 12,093

Re: SSL certificate is expired for entire SKS keyserver pool

ben781 wrote:

My issue is not as much with pacman-key because I have those keys from the archlinux-keyring package.

My point was I would expect Arch would not make a change to the gnupg package that would break the fallback behavior of pacman with respect to key fetching.

ben781 wrote:

It is when I need to import keys for an AUR package to build. That uses GPG as the user, not pacman-key as root.

Which is why you need to change the keyserver that that user uses as suggested in the thread I linked.

Offline

#5 2020-08-02 21:41:50

ben781
Member
Registered: 2016-12-11
Posts: 14

Re: SSL certificate is expired for entire SKS keyserver pool

You're saying, Arch would rather keep their default as the server pool which doesn't work for most users, when they could just modify the PKGBUILD to set a default that would work.

It is the users' responsibility to change their settings to a keyserver that works.

Last edited by ben781 (2020-08-02 21:51:46)

Offline

#6 2020-08-02 23:05:49

GaKu999
Member
From: US/Eastern
Registered: 2020-06-21
Posts: 522

Re: SSL certificate is expired for entire SKS keyserver pool

ben781 wrote:

You're saying, Arch would rather keep their default as the server pool which doesn't work for most users, when they could just modify the PKGBUILD to set a default that would work.

It is the users' responsibility to change their settings to a keyserver that works.

They are already discussing that in specific, just outside of this forum, eventually if the overload of that server keeps up probably the default keyserver will change...

Idk the intrinsics of that process, nor if it’s difficult or troublesome though...


My reposSome snippets

Heisenberg might have been here.

Offline

#7 2020-08-02 23:40:21

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,768

Re: SSL certificate is expired for entire SKS keyserver pool

Which keyserver do you all recommend? The keys.openpgp.org one, just FYI, is broken by design as it doesn't even include information for the actual key itself, let alone Web of Trust signatures like the ones pacman relies on.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#8 2020-08-03 00:51:27

loqs
Member
Registered: 2014-03-06
Posts: 12,093

Re: SSL certificate is expired for entire SKS keyserver pool

@eschwartz what about for pacman's needs reverting https://git.archlinux.org/pacman.git/co … 75d6d02d30
Or is a requirement the pool must use hkps?  Also does the server used by pacman have to provide keys other than those for Arch developers and maintainers?
How far is WKD deployment from completion?

For the more general case I was suggesting reverting https://github.com/gpg/gnupg/commit/8fb … 17188ad1d9 which would change the error message from

gpg: keyserver receive failed: General error

to

gpg: No keyserver available

still requires user intervention to select a server that matches their needs but it might be more obvious what the issue is.
Edit:
Existing installs /etc/pacman.d/gnupg/gpg.conf would also need to be checked it contained a 'keyserver entry if pacman was to have a none default keyserver.

Last edited by loqs (2020-08-03 01:00:01)

Offline

#9 2020-08-03 01:45:35

ben781
Member
Registered: 2016-12-11
Posts: 14

Re: SSL certificate is expired for entire SKS keyserver pool

loqs wrote:

Also does the server used by pacman have to provide keys other than those for Arch developers and maintainers?

If the server used by pacman provided keys only for Arch maintainers, it would be impossible to add additional repositories to pacman.

Offline

#10 2020-08-03 01:51:43

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,768

Re: SSL certificate is expired for entire SKS keyserver pool

As far as I can tell, the SKS pool should be currently working again, as the article notes Kristian reappeared right after and fixed the issue after some downtime.

It's not clear to me that there's immediate benefit to be had from using the same load balancer but without SSL.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#11 2020-08-03 02:10:36

loqs
Member
Registered: 2014-03-06
Posts: 12,093

Re: SSL certificate is expired for entire SKS keyserver pool

host pool.sks-keyservers.net
pool.sks-keyservers.net has address 87.118.94.9
pool.sks-keyservers.net has address 24.134.103.65
pool.sks-keyservers.net has address 85.230.102.212
pool.sks-keyservers.net has address 78.46.239.68
pool.sks-keyservers.net has address 185.56.33.53
pool.sks-keyservers.net has address 192.146.137.141
pool.sks-keyservers.net has address 128.180.2.174
pool.sks-keyservers.net has address 159.69.208.88
pool.sks-keyservers.net has address 4.35.226.103
pool.sks-keyservers.net has address 81.6.42.23
pool.sks-keyservers.net has IPv6 address 2001:470:de7a:10::
pool.sks-keyservers.net has IPv6 address 2a01:4f8:c2c:19a3::1
pool.sks-keyservers.net has IPv6 address 2001:468:c80:210f:0:162:701c:c917
pool.sks-keyservers.net has IPv6 address 2001:ba8:1f1:f2d4::2
pool.sks-keyservers.net has IPv6 address 2a01:4f8:1c17:5140::1
pool.sks-keyservers.net has IPv6 address 2001:67c:26b4:ff00::140
pool.sks-keyservers.net has IPv6 address 2a02:168:f405::37
pool.sks-keyservers.net has IPv6 address 2a01:4f9:c010:206b::1
pool.sks-keyservers.net has IPv6 address 2001:67c:26b4:ff00::141
pool.sks-keyservers.net has IPv6 address 2001:610:1:4001:145:100:186:254

host hkps.pool.sks-keyservers.net
hkps.pool.sks-keyservers.net has address 209.244.105.201

I still can not use hkps.pool.sks-keyservers.net.  With no keyserver specified:

gpg --search-keys ABAF11C65A2970B130ABE3C479BE3E4300411886
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

Offline

#12 2020-08-03 02:42:12

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,768

Re: SSL certificate is expired for entire SKS keyserver pool

Interesting, I probably should have checked this. I've long since configured my dirmngr.conf to use keyserver.ubuntu.com though....

$ gpg --keyserver hkps://pool.sks-keyservers.net --search-key eschwartz@archlinux.org
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

Yep, still broken. What is going on...


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#13 2020-08-03 03:15:15

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 8,047

Re: SSL certificate is expired for entire SKS keyserver pool

eschwartz wrote:

Interesting, I probably should have checked this. I've long since configured my dirmngr.conf to use keyserver.ubuntu.com though....

$ gpg --keyserver hkps://pool.sks-keyservers.net --search-key eschwartz@archlinux.org
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

Yep, still broken. What is going on...

The hkps "pool" is down to one server, and it can't handle it.

Offline

#14 2020-08-03 04:14:13

loqs
Member
Registered: 2014-03-06
Posts: 12,093

Re: SSL certificate is expired for entire SKS keyserver pool

https://pgpkeys.co.uk/
https://pgpkeys.eu/
https://pgpkeys.uk/
The three servers operated by Dan Austin are up but using certificates issued by Lets Encrypt.

https://lists.nongnu.org/archive/html/sks-devel/ contains nothing in July when the old certificates for those servers expired.

Offline

#15 2020-11-15 12:03:45

zed123
Member
Registered: 2018-01-26
Posts: 6

Re: SSL certificate is expired for entire SKS keyserver pool

@eschwartz

"Reason for closing: ... You don't like it? Discuss it with upstream. Arch will not be your bludgeon to express your disagreement with upstream and sidestep their development process."

Sorry, but looks like you have some serious problems. Why don't you just close the request without accusing me. I didn't write anything about disagreeing with anybody. I just asked a question.

Offline

#16 2020-11-15 12:08:18

GaKu999
Member
From: US/Eastern
Registered: 2020-06-21
Posts: 522

Re: SSL certificate is expired for entire SKS keyserver pool

zed123 wrote:

@eschwartz

"Reason for closing: ... You don't like it? Discuss it with upstream. Arch will not be your bludgeon to express your disagreement with upstream and sidestep their development process."

Sorry, but looks like you have some serious problems. Why don't you just close the request without accusing me. I didn't write anything about disagreeing with anybody. I just asked a question.

This adds nothing to the current thread nor the current issues with the terrible non-optimal state of the gpg keyservers.
Arch is straight from upstream, no downstream patches, if upstream says no, Arch will say no as well.

Unless it's a critical bug, or the solution works, which wasn't the case, as already stated by the wizard eschwartz.

Last edited by GaKu999 (2020-11-15 12:13:07)


My reposSome snippets

Heisenberg might have been here.

Offline

#17 2020-11-15 13:26:13

progandy
Member
Registered: 2012-05-17
Posts: 3,930

Re: SSL certificate is expired for entire SKS keyserver pool

By the way, the single hkps server should work if you manually set hkp-cacert in dirmngr.conf:

hkp-cacert /usr/share/gnupg/sks-keyservers.netCA.pem

| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#18 2020-11-15 17:22:29

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,768

Re: SSL certificate is expired for entire SKS keyserver pool

This is a bit of an unrelated thread to post in???

zed123 wrote:

@eschwartz

"Reason for closing: ... You don't like it? Discuss it with upstream. Arch will not be your bludgeon to express your disagreement with upstream and sidestep their development process."

Sorry, but looks like you have some serious problems. Why don't you just close the request without accusing me. I didn't write anything about disagreeing with anybody. I just asked a question.

Okay, so I'm not really sure how you think this works, but... this seems a bit, how shall I put this, "disingenuous"?

You (I assume) mentioned this (https://bugs.archlinux.org/task/68626):

GnuPG upstream has not merged the patch so far. Maybe they don't want to do it: https://dev.gnupg.org/T4393

Which I think is pretty darned well an indication you know upstream doesn't want this, given it's quite visibly marked "Closed, Wontfix" in your own link, and you furthermore directly acknowledged upstream isn't merging it.

This apparently bothered you enough to make you ask if we could merge it instead, hence "sidestep their development process". If it wasn't already obvious you knew upstream doesn't currently want to do it, the fact that you felt the need to get someone other than upstream to do so is a clear indicator you don't feel you can rely on upstream to merge it.
I'm not sure how you could possibly interpret this as something other than you disagreeing with their decision.

"I just asked a question" is a not very well implemented kind of attempt at lawyer-speak for dodging out of responsibility for the words one uses. It's a commonly used tactic I've seen in many areas of life (and its close relative "[...], just saying"), and I have no patience for it. You have either deliberately or inadvertently made use of this tactic.

Specifically, here, yes, you "just" asked a question. The question you asked was "I disagree with upstream, could you please side with me by applying the patch they aren't applying?"

If you think I "have some serious problems" for the high crime of daring to "accuse" you of such highly derogatory terms as being in a state of "disagreement" with the GnuPG developers, then I don't believe this conversation has anywhere productive to go.

Last edited by eschwartz (2020-11-15 17:26:59)


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

Board footer

Powered by FluxBB