Does anyone still use key servers?

6 replies [Last post]
Avron
Offline
Joined: 08/18/2020

When one downloads a Trisquel iso, the public GPG key to be used for verification is also provided on the same web page. Besides, when I try "gpg --recv-keys" for whatever key, I get "gpg: keyserver receive failed: No name" immediately.

I have read about a number of issues on key servers, then I wonder whether anyone still uses them.

jxself
Offline
Joined: 09/13/2010

What do you mean "still"? Of course they're used.

It sounds like maybe you need to set a key server in your ~/.gnupg/gpg.conf still:

keyserver NAME_OF_KEYSERVER

Avron
Offline
Joined: 08/18/2020

I have no gpg.conf, I failed to find how to create one by some command or to find any description of its contents to create it manually.

I spent some time searching through https://www.gnupg.org/documentation/ and other docs. Besides, some documentation says that one should use dirmngr.conf to set the keyserver instead of gpg.conf. I don't know which is right.

I noticed the thing that gets open to access stored passwords for email accounts (I use Gnome Evolution), Seahorse, can search for GPG keys and there are
hkp://keyserver.ubuntu.com:11371
hkp://pool.sks-keyservers.net
ldap://keyserver.pgp.com

When I search for something in Seahorse, I have immediately an error message about pool.sks-keyservers.net then it looks like it is still searching but nothing happens. If I remove that server in the search, no error message but it does not work.

I created a gpg.conf manually with a single line with keyserver, if I only put the host name it does not work, so I suppose I need some kind of URL like above, but I failed to find any documentation saying that. If I put two keyserver lines, one with hkp://pool.sks-keyservers.net and another one, I get the same results as if I only had hkp://pool.sks-keyservers.net (which is "no name"), so I have no clue how to set multiple keyservers.

Here are the results:

keyserver hkp://keyserver.ubuntu.com:11371

 
$ LC_ALL=C gpg --recv-keys 0x782F9DDBE36BA7F3D4DE49065F5DFCC14177E263
gpg: key 7651568F80374459: 23 signatures not checked due to missing keys
gpg: no writable keyring found: Not found
gpg: error reading '[stream]': General error
gpg: Total number processed: 0
$

keyserver hkp://pool.sks-keyservers.net

$ LC_ALL=C gpg --recv-keys 0x782F9DDBE36BA7F3D4DE49065F5DFCC14177E263
gpg: keyserver receive failed: No name
$

keyserver ldap://keyserver.pgp.com

$ LC_ALL=C gpg --recv-keys 0x782F9DDBE36BA7F3D4DE49065F5DFCC14177E263
gpg: keyserver receive failed: Not supported
$ 

I searched on the internet and also tried some more:

keyserver hkps://keys.openpgp.org

$ LC_ALL=C gpg --recv-keys 0x782F9DDBE36BA7F3D4DE49065F5DFCC14177E263
gpg: key 7651568F80374459: no user ID
gpg: Total number processed: 1
$ 

keyserver hkp://pgp.mit.edu

$ LC_ALL=C gpg --recv-keys 0x782F9DDBE36BA7F3D4DE49065F5DFCC14177E263
gpg: key 7651568F80374459: 31 signatures not checked due to missing keys
gpg: no writable keyring found: Not found
gpg: error reading '[stream]': General error
gpg: Total number processed: 0
$

Any advice is welcome.

Avron
Offline
Joined: 08/18/2020

Since there was "no writable keyring found", I thought that maybe I should use sudo.

I did and then the keys were successfully imported but I had the following warning:

gpg: WARNING: unsafe ownership on homedir '/home/david/.gnupg'

Following the advice at https://unix.stackexchange.com/questions/452020/gpg-warning-unsafe-ownership-on-homedir-home-user-gnupg, I ran

sudo gpgconf --kill dirmngr
sudo chown -R $USER ~/.gnupg

Now, I can get keys from keyserver.ubuntu.com successfully without sudo, but I really have not much idea on how it all works.

Coming back to keyservers, I have read a number of things on the "poisoning" but I really understood nothing about it. In addition, it seems the servers used by default on Trisquel are no longer working, see https://lists.gnupg.org/pipermail/gnupg-users/2021-June/065261.html

I really think that basic instructions to help Trisquel users with gnupg are needed. I find it impossible to get basic help with gnupg from the official documentation when something does not work.
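
An added example, not part of any post in this thread: a shell function that audits a GnuPG home directory for the conditions behind the "unsafe ownership on homedir" warning and an unwritable keyring. The function name `audit_gnupg_home` is hypothetical, the group/other permission check is a strict policy assumed for this example, and it relies on GNU find's `-perm /077`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find ("-perm /077").
# Usage: audit_gnupg_home [DIR]   (default: $GNUPGHOME or ~/.gnupg)

audit_gnupg_home() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    problems=0

    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi

    # Entries owned by another account, e.g. root after running gpg via sudo.
    foreign=$(find "$dir" ! -user "$(id -u)" 2>/dev/null)
    if [ -n "$foreign" ]; then
        echo "not owned by uid $(id -u):"
        echo "$foreign" | sed 's/^/  /'
        echo "fix: sudo chown -R \"\$USER\" \"$dir\""
        problems=1
    fi

    # Entries that group or others can read, write or enter (strict policy
    # assumed for this example; symlink modes carry no meaning, so skip them).
    loose=$(find "$dir" ! -type l -perm /077 2>/dev/null)
    if [ -n "$loose" ]; then
        echo "accessible to group or others:"
        echo "$loose" | sed 's/^/  /'
        echo "fix: chmod -R go-rwx \"$dir\""
        problems=1
    fi

    # gpg must be able to create or update keyring files here.
    if [ ! -w "$dir" ]; then
        echo "not writable by current user: $dir"
        problems=1
    fi

    [ "$problems" -eq 0 ] && echo "ok: $dir"
    return "$problems"
}
```

The function returns 0 when the directory is clean, 1 when it found a problem and 2 when the directory does not exist, so it can gate a script that goes on to call `gpg --recv-keys`.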

Onsemeliot
Offline
Joined: 09/09/2011

From what I understand this isn't a Trisquel problem. I have the same issue on Debian Buster and on several Ubuntu systems. I actually stopped using keyservers and just import keys directly after people send their public keys. This is annoying but doesn't cause any other problems. (On Debian Buster Seahorse has been broken for years now. I could only reliably deal with GPG keys on Debian by using the command line.)

And I don't have a "~/.gnupg/gpg.conf" file on my systems either.

I didn't invest any time in resolving this problem yet but would be curious for a convenient solution too.

Avron
Offline
Joined: 08/18/2020

> I actually stopped using keyservers and just import keys directly after people send their public keys.

I see more and more frequently people providing their public key via websites, the issues with key servers being down or the "poisoning" that I still haven't understood, and then you confirm that gpg.conf is not generated automatically for you too.

For me, even adding the key manually was not functional before I did what I indicated in my post, and I have a relatively recent installation of Trisquel 9 where I didn't play with configuration.

> On Debian Buster Seahorse has been broken for years now. I could only reliably deal with GPG keys on Debian by using the command line.

Did you try with Bullseye already?

I am wondering whether I should try Gnupg and Seahorse from Guix on Trisquel. I had issues with Evolution from Guix and reverted to Trisquel's version.

Onsemeliot
Offline
Joined: 09/09/2011

No, I didn't try Bullseye with GnuPG yet. But hopefully I will find time to switch my device to it soon.