Jim Popovitch wrote:

> On Wed, 2019-02-27 at 00:45 +0100, deloptes wrote:
>> Jim Popovitch wrote:
>>
>> > On Tue, 2019-02-26 at 20:31 +0100, deloptes wrote:
>> > > Jim Popovitch wrote:
>> > >
>> > > > What's up with dirmngr? If dirmngr is installed Evolution
>> > > > often takes ages to open signed emails. If dirmngr is not
>> > > > installed then (according to p.d.o/buster/dirmngr) "the parts
>> > > > of the GnuPG suite that try to interact with the network will
>> > > > fail"
>> > > >
>> > > > How can dirmngr be so tightly integrated but work so poorly
>> > > > querying services? /r
>> > >
>> > > Why should it be dirmngr's fault? Perhaps it is a kind of buster
>> > > or other issue.
>> > >
>> > > Try to find out where the waiting is coming from and post back.
>> > > For example waiting for a keyserver to respond or similar, or
>> > > waiting for something to time out.
>> >
>> > Glad you asked!
>> >
>> > dirmngr uses sks-keyservers.net which has at least one NS with
>> > issues:
>> > https://ednscomp.isc.org/ednscomp/0f65feeaa7
>> >
>>
>> Hmm, I just wonder why you would need to run dirmngr all the time, or
>> each time you have to read encrypted mail. You should have imported
>> the keys locally.
>
> I don't choose to run dirmngr all the time, something within Evolution
> or gpg-agent makes that choice, and there's no way for me to know who
> on the d-u@l.d.o is going to sign their emails, therefore I can't
> pre-import their keys.
>
By "all the time" I mean each time Evolution opens a signed mail. I use
Trinity Desktop and there I only see that the signature could not be
verified. BTW, if you are an advanced Linux user, as you seem to be, you
may try Trinity - it saves a lot of trouble - but it depends what you
expect from it.

>> I do not even see any evidence that it is dirmngr that is blocking.
>> When I start the gpg client and search for a key I see dirmngr is
>> started
>>
>> $ while true; do ps -A | grep dir; sleep 1; done
>>
>> > But more to the point, it's not an easy program to debug....
>> >
>> > Following the man page, I created ~/.gnupg/dirmngr.conf and
>> > populated it with:
>> > verbose
>> > debug-level expert
>> > keyserver na.pool.sks-keyservers.net
>> > disable-ipv6
>> > disable-ldap
>> > log-file ~/dirmngr.log
>> > allow-ocsp
>> >
>>
>> Interesting, but on my end I use pool.sks-keyservers.net and there
>> were no issues - well, how often do you download or upload a key to
>> the server?
>
> I hardly ever upload, but reading this list results in 2 or 3 key
> downloads every few hours.
>

So it might be a configuration to automatically search and download keys
not present - what if you configure it to do so manually (this might be
in Evolution or at system level for the user)?

>> If I search for a key it takes like 3 sec - and yes I think it goes
>> via dirmngr - but sorry, no time to bother setting up a config.
>>
>> The config I find here is the default
>> cat ~/.gnupg/dirmngr.conf
>>
>> ###+++--- GPGConf ---+++###
>> disable-ldap
>> debug-level basic
>> log-file socket:///home/pizza/.gnupg/log-socket
>> ###+++--- GPGConf ---+++### Thu 06 Dec 2018 01:45:13 AM CET
>> # GPGConf edited this configuration file.
>> # It will disable options before this marked block, but it will
>> # never change anything below these lines.
>
> Interesting. My 2 Stretch systems did not have that file by default, I
> had to create it.
>

Yes, it is created by the Trinity KGpg app AFAIR.
>> > and then I fired up Evolution and opened emails with gpg sigs, but
>> > still no data in the file ~/dirmngr.log. :-(
>> >
>> > What I suspect the problem to be, and what is alluded to on the
>> > sks-keyservers status page, is that there is a big
>> > inconsistency/availability with their servers (they have more
>> > off-pool servers listed than in-pool). Obviously it's a freebie so
>> > complaints seem childish, but it is an important service.. just
>> > like pool.ntp.org (which ironically Debian has taken responsibility
>> > for at least sanitizing that with debian.pool.ntp.org)
>> >
>> > -Jim P.
>>
>> Some time ago keyservers got consolidated - so now we have
>> pool.sks-keyservers.net. I am not sure if you are taking this with
>> prejudices - it might be only your setup.
>
> :-) I do run a clean, simple, tightened-down, secure setup. One of
> those things is a DNSSEC validating recursor.... which I now see that
> dnsviz reports DNSSEC errors in... wait for it... sks-keyservers.net
> <sigh>
>
> http://dnsviz.net/d/pool.sks-keyservers.net/dnssec/
>
> Now, imagine if pool.ntp.org had those DNSSEC problems and the impact
> it would have on the world.
>

I am sure not only sks-keyservers.net reports back, but I agree this
might be part of the issue you report.

>> I know dirmngr is somehow coupled with gpg, but never bothered to
>> look into that as it was always working properly.
>> The keyserver is not configured in ~/.gnupg/dirmngr.conf but in
>> ~/.gnupg/gpg.conf
>>
>> Show your ~/.gnupg/gpg.conf (or at least the relevant parts)
>
> ~$ cat .gnupg/gpa.conf
> default-key 3F1C1EF2E6019EAC646CE45227155EB4C45A2705
> keyserver hkp://na.pool.sks-keyservers.net
> advanced-ui
>

I don't have the protocol (hkp) - but the point was to remove the
keyserver from dirmngr.conf - not sure if it is right for your DE though.

regards
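The debugging steps discussed in the thread (a dirmngr.conf with verbose
logging, the keyserver set in gpg.conf, and the suggestion to check
whether keys are being fetched automatically on verification), as an
added example that is not part of the thread and not GnuPG's own code: a
POSIX shell script that builds a throwaway GNUPGHOME so the trace never
touches ~/.gnupg, and a check for the gpg option that causes key
downloads while verifying signatures. The keyserver hostname is the one
the thread uses; the temp directory, the absolute log path and the sample
config lines are constructed for the demo. The option names
(auto-key-retrieve, keyserver-options, gpgconf --kill) are GnuPG's; that
a keyserver set in gpg.conf is handed on to dirmngr and takes precedence
over dirmngr.conf is my understanding of GnuPG 2.1+, stated here as an
assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an isolated GNUPGHOME with a
# logging dirmngr.conf so a slow key fetch can be traced without touching
# ~/.gnupg. All paths and sample configs below are constructed.
set -eu

# Write the dirmngr.conf the thread describes, with an absolute log path
# (constructed) and the keyserver hostname the thread uses.
make_debug_gnupghome() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"                  # gpg warns/refuses on loose permissions
    cat >"$dir/dirmngr.conf" <<EOF
verbose
debug-level expert
log-file $dir/dirmngr.log
keyserver na.pool.sks-keyservers.net
disable-ipv6
disable-ldap
EOF
    # gpg.conf: keyserver here is passed on to dirmngr (assumption: it takes
    # precedence over dirmngr.conf). No auto-key-retrieve, so verifying a
    # signature made with an unknown key fails fast instead of going online.
    cat >"$dir/gpg.conf" <<EOF
keyserver hkp://na.pool.sks-keyservers.net
EOF
    echo "$dir"
}

# Return 0 if a gpg.conf turns on automatic key fetching during signature
# verification: the 'auto-key-retrieve' option, or the older spelling as a
# keyserver-options flag. Commented-out lines are ignored.
auto_retrieve_enabled() {
    conf=$1
    grep -Eq '^[[:space:]]*(auto-key-retrieve|keyserver-options[[:space:]].*auto-key-retrieve)' "$conf"
}

# Separate the DNS leg from the HKP leg: if dig is available, time one
# lookup of the pool name and show whether the recursor set the AD flag.
time_dns() {
    host=$1
    command -v dig >/dev/null 2>&1 || { echo "dig not installed, skipping"; return 0; }
    dig +dnssec +time=5 +tries=1 "$host" A | grep -E 'Query time|flags:'
}

# Time one key search through the throwaway home, then kill the dirmngr
# it spawned so the next run starts clean. Needs network; not run offline.
trace_keyserver_lookup() {
    dir=$1; keyid=$2
    start=$(date +%s)
    GNUPGHOME=$dir gpg --batch --search-keys "$keyid" || true
    end=$(date +%s)
    GNUPGHOME=$dir gpgconf --kill dirmngr
    echo "lookup took $((end - start)) s; dirmngr log: $dir/dirmngr.log"
}

# Usage when run directly: ./trace-dirmngr.sh <keyid>   (network required)
if [ $# -ge 1 ]; then
    home=$(make_debug_gnupghome "$(mktemp -d)/gnupghome")
    time_dns na.pool.sks-keyservers.net
    trace_keyserver_lookup "$home" "$1"
fi
```

Run it once with a key ID from a recent list mail: the elapsed time plus
the dig "Query time" line tells you whether the wait is in name
resolution or in the HKP fetch, and the log file in the throwaway home
is written by dirmngr itself rather than by the desktop's GPGConf block.
If auto_retrieve_enabled reports 0 for your real gpg.conf, every
signature from an unknown key triggers a network round trip, which is
what the thread describes.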