Hi,

today I was able to catch up on gnupg and IPv6 (somehow I missed the
primer before). Long story below, here's the short fix:

echo "SocksPort 9050 IPv6Traffic" >> /etc/tor/torrc # don't run it

I have two issues with gpg on Debian buster. dirmngr constantly fails
(does not anymore) to search for keys:

$ gpg --search 74A941BA219EC810
gpg: error searching keyserver: Permission denied
gpg: keyserver search failed: Permission denied


$ gpg --version
gpg (GnuPG) 2.2.9
libgcrypt 1.8.3
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Long version for Werner and other gurus I fail to name:

$ gpg --debug-level=guru --recv-key 74A941BA219EC810
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/user/.gnupg
gpg: DBG: chan_3 <- # Config: /home/user/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.9 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.9
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0x74A941BA219EC810
gpg: DBG: chan_3 <- ERR 167804929 Permission denied <Dirmngr>
gpg: keyserver receive failed: Permission denied
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x00000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

) = 39
write(3, "KS_GET -- 0x74A941BA219EC810", 28) = 28
write(3, "\n", 1) = 1
read(3, "ERR 167804929 Keine Berechtigung"..., 1002) = 42
read(3, "\n", 960) = 1
write(2, "gpg: DBG: ", 10) = 10
write(2, "chan_3 <- ERR 167804929 Keine Be"..., 53) = 53
openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "gpg: keyserver receive failed: P"..., 48) = 48
write(2, "\n", 1) = 1
write(2, "gpg: DBG: ", 10) = 10
write(2, "chan_3 -> BYE\n", 14) = 14
write(3, "BYE", 3) = 3
write(3, "\n", 1) = 1
close(3) = 0
write(2, "gpg: DBG: [not enabled in the so"..., 42) = 42
write(2, "\n", 1) = 1
write(2, "gpg: keydb: handles=0 locks=0 pa"..., 43) = 43
write(2, "\n", 1) = 1
write(2, "gpg:        build=0 update=0 ins"..., 46) = 46
write(2, "\n", 1) = 1
write(2, "gpg:        reset=0 found=0 not="..., 47) = 47
write(2, "\n", 1) = 1
write(2, "gpg: kid_not_found_cache: count="..., 50) = 50
write(2, "\n", 1) = 1
write(2, "gpg: sig_cache: total=0 cached=0"..., 45) = 45
write(2, "\n", 1) = 1
write(2, "\n", 1) = 1
write(2, "gpg: random usage: poolsize=600 "..., 59) = 59
write(2, "\n", 1) = 1
write(2, "              outmix=0 getlvl1=0"..., 46) = 46
write(2, "\n", 1) = 1
write(2, "gpg: rndjent stat: collector=0x0"..., 55) = 55
write(2, "\n", 1) = 1
write(2, "gpg: secmem usage: 0/65536 bytes"..., 37) = 37
write(2, " blocks\n", 8) = 8
munmap(0xb7f68000, 65536) = 0
exit_group(2) = ?
+++ exited with 2 +++

### End of log


I stopped dirmngr several times, tried 'dirmngr --flush', started it
with 'dirmngr --debug-all --standard-resolver' when searching for keys.
It showed nothing so I assume gpg starts another instance of dirmngr in
the background. Removing ~/.gnupg did not help either.


My second issue is trying to install the latest dirmngr from git:

$ git clone https://dev.gnupg.org/source/gnupg.git ; cd gnupg
# apt install libksba-dev libnpth0-dev libassuan-dev libgcrypt20-dev
$ ./autogen.sh && ./configure --prefix=$HOME && make
[...]
        GnuPG v2.3.0-beta440 has been configured as follows:

        Revision:  1b309d9f6  (6960)
        Platform:  GNU/Linux (i686-pc-linux-gnu)

        OpenPGP:   yes
        S/MIME:    yes
        Agent:     yes
        Smartcard: yes (without internal CCID driver)
        G13:       no
        Dirmngr:   yes
        Gpgtar:    yes
        WKS tools: no

        Protect tool:      (default)
        LDAP wrapper:      (default)
        Default agent:     (default)
        Default pinentry:  (default)
        Default scdaemon:  (default)
        Default dirmngr:   (default)

        Dirmngr auto start:  yes
        Readline support:    no
        LDAP support:        no
        TLS support:         gnutls
        TOFU support:        yes
        Tor support:         yes

make  all-recursive
make[1]: Entering directory '/media/user/src/gnupg'
Making all in m4
make[2]: Entering directory '/media/user/src/gnupg/m4'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/media/user/src/gnupg/m4'
Making all in common
make[2]: Entering directory '/media/user/src/gnupg/common'
make[2]: *** No rule to make target 'audit-events.h', needed by 'all'. Stop.
make[2]: Leaving directory '/media/user/src/gnupg/common'
make[1]: *** [Makefile:615: all-recursive] Error 1
make[1]: Leaving directory '/media/user/src/gnupg'
make: *** [Makefile:535: all] Error 2

### End of log


Therefore I went back to investigate the origin of "ERR 167804929".
It is not hardcoded in gnupg or tor, at least it doesn't show up in
the source with rgrep.

With the help of google (my favourite search engine left me on this)
I became aware of this log from the earlier dirmngr 2.1.18, quoting
<https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1614900.html>:

Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 <- KS_SEARCH -- 
intrig...@debian.org
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2a01:4a0:59:1000:223:9eff:fe00:100f]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2600:1f16:41e:bd0a::73:6b73]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2001:470:1:116::6]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '216.66.15.2'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '192.146.137.11'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '68.187.0.77'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '51.15.53.138'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '37.191.226.104'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '18.191.65.131'
Jul 08 05:57:24 debian dirmngr[2574]: can't connect to 
'2001:bc8:4700:2300::10:f15': Permission denied
Jul 08 05:57:24 debian dirmngr[2574]: error connecting to 
'https://[2001:bc8:4700:2300::10:f15]:443': Permission denied
Jul 08 05:57:24 debian dirmngr[2574]: (Tor configuration problem)
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> S WARNING 
tor_config_problem 0 Please check that the "SocksPort" flag
"IPv6Traffic" is set in torrc
Jul 08 05:57:24 debian dirmngr[2574]: command 'KS_SEARCH' failed:
Permission denied
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> ERR 167804929
Permission denied <Dirmngr>
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 <- BYE

### End of quote


This error helped significantly, adding to torrc:

SocksPort PORT IPv6Traffic



It may, however, time out with "No data" several times before succeeding.
It would be a great feature to catch this and retry for the sake of
scripted installations.

I imagine this could affect a lot of users, so restoring this error
message could save some user time. Note that "gpg: DBG:
[not enabled in the source] stop" is the default packaged gnupg on
Debian based systems.

Thanks for joining me on this interesting journey and please send back
suggestions on the compilation error. If you are interested, read part
two below, where I try to reproduce the error.

Best,
kardan


Part II: How to reproduce "Permission denied" with dirmngr

A usual quest after fixing an error is to try to make it happen again.
In this case, I removed the IPv6Traffic from the torrc line, stopped
tor altogether, killed all instances of dirmngr and gpg-agent and
deleted the key:

$ gpg --delete-key 74A941BA219EC810
$ gpg --verbose --recv 74A941BA219EC810
gpg: data source: https://216.66.15.2:443
gpg: armor header: Version: SKS 1.1.6
gpg: armor header: Comment: Hostname: zimmermann.mayfirst.org
gpg: pub  rsa2048/0xEE8CBC9E886DDD89 2009-09-04  deb.torproject.org archive signing key
...
gpg: depth: 0  valid:   6  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 6u
gpg: next trustdb check due at 2018-12-20
gpg: Total number processed: 1
gpg:               imported: 1

This is confusing because it should fail when tor is enabled:

$ cat ~/.gnupg/dirmngr.conf

###+++--- GPGConf ---+++###
use-tor
###+++--- GPGConf ---+++### Wed Jul 25 16:16:02 2018 CEST
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

And 'torsocks w3m http://ic6au7wa3f6naxjq.onion' fails as expected.

So either gnupg ships its own tor instance and runs it hidden, or it
found out how to recycle the circuit of my TBB, or it silently falls back
to non-tor connections, which is a bug.

So here I am left unable to reproduce the error, but at least this story
will help some later me to solve it again.

Thanks for following part II, am happy to read your thoughts on my
remaining questions:

1. Is it hard to restore the error from 2.1.18 (where to start)?

2. How to fix: No rule to make target 'audit-events.h'?

3. How does dirmngr connect when no tor circuit is available?

4. Why does a foreground dirmngr not show connections?

5. How to enable "DBG: [not enabled in the source]"?

6. Where's the database to look up ERR 167804929?

7. How can I change the timeout?

I know that all answers can be solved by looking at the code, but maybe
someone can save me some time and I might be able to prepare a patch
stub in the next days. Thanks for taking the time to go through all
this.

Have a nice day!
kardan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
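An added diagnostic for two of the open questions in the post above (where "ERR 167804929" comes from, and how to tell whether the local SocksPort refuses IPv6 before involving dirmngr at all). This is example code written for this page, not code from the post, from GnuPG, libgpg-error, libassuan or Tor. It assumes libgpg-error's documented gpg_err_make() layout (source in bits 24-30, code in bits 0-15, bit 15 of the code marking a wrapped system error); the table of error sources is reproduced only for the first entries and should be cross-checked with the `gpg-error` command-line tool that ships with libgpg-error (`gpg-error 167804929` prints the source and message for a number, which is the "database" asked for in question 6). The SOCKS5 reply codes are from RFC 1928; that a 0x02 reply ("connection not allowed by ruleset") is what libassuan's SOCKS client turns into EACCES, i.e. "Permission denied", is my reading of libassuan, not something the post states.

```python
"""Diagnose dirmngr's "ERR 167804929 ... <Dirmngr>" seen when keyservers are
reached through Tor.  Added example for this thread, not code from the post
or from GnuPG, libgpg-error, libassuan or Tor.

Part 1 splits a numeric gpg_error_t into source and code (bit 15 of the
code marks a wrapped system error).  Part 2 speaks enough SOCKS5 (RFC 1928)
to ask the local Tor SocksPort for a CONNECT to an IPv6 literal, which is
what dirmngr does before it fails, and decodes Tor's one-byte reply status.
"""
import ipaddress
import socket
import struct
import sys

# Error sources from libgpg-error's err-sources table.  Assumption: only the
# first entries are reproduced (10 = dirmngr matches the "<Dirmngr>" suffix on
# the ERR line); cross-check any number with the `gpg-error` CLI tool.
GPG_ERR_SOURCES = {
    0: "GPG_ERR_SOURCE_UNKNOWN", 1: "GPG_ERR_SOURCE_GCRYPT",
    2: "GPG_ERR_SOURCE_GPG", 3: "GPG_ERR_SOURCE_GPGSM",
    4: "GPG_ERR_SOURCE_GPGAGENT", 5: "GPG_ERR_SOURCE_PINENTRY",
    6: "GPG_ERR_SOURCE_SCD", 7: "GPG_ERR_SOURCE_GPGME",
    8: "GPG_ERR_SOURCE_KEYBOX", 9: "GPG_ERR_SOURCE_KSBA",
    10: "GPG_ERR_SOURCE_DIRMNGR",
}
GPG_ERR_SYSTEM_ERROR = 1 << 15  # code bit 15: "this is a wrapped errno"


def decode_gpg_error(err):
    """Return the source and code fields of a numeric gpg_error_t."""
    source = (err >> 24) & 0x7F
    code = err & 0xFFFF
    is_sys = bool(code & GPG_ERR_SYSTEM_ERROR)
    return {
        "source": source,
        "source_name": GPG_ERR_SOURCES.get(source, "unknown"),
        "code": code,
        "system_error": is_sys,
        # libgpg-error's own index into its errno table, not a raw errno.  gpg
        # maps it back to an errno and calls strerror() for the message text,
        # which is why libc.mo lookups follow the ERR line in the strace.
        "system_index": (code & ~GPG_ERR_SYSTEM_ERROR) if is_sys else None,
    }


SOCKS5_REPLY_STATUS = {  # RFC 1928, section 6
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def socks5_connect_request(host, port):
    """Build a SOCKS5 CONNECT request for an IPv4/IPv6 literal or a name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not a literal: let the proxy resolve it (ATYP 0x03)
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_socks5_reply(reply):
    """Return (status, text) from the first bytes of a SOCKS5 reply."""
    if len(reply) < 2 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply: %r" % (reply[:2],))
    return reply[1], SOCKS5_REPLY_STATUS.get(reply[1], "unassigned")


def probe_socks_port(host, port, socks_host="127.0.0.1", socks_port=9050,
                     timeout=15.0):
    """Ask the SOCKS server to CONNECT to host:port and return Tor's verdict."""
    with socket.create_connection((socks_host, socks_port), timeout) as s:
        s.sendall(b"\x05\x01\x00")  # version 5, one method offered: no auth
        if s.recv(2) != b"\x05\x00":
            raise RuntimeError("SOCKS server rejected the no-auth method")
        s.sendall(socks5_connect_request(host, port))
        return parse_socks5_reply(s.recv(4))  # VER REP RSV ATYP ...


if __name__ == "__main__":
    print(decode_gpg_error(167804929))
    # Default target: the IPv6 keyserver address from the dirmngr 2.1.18 log
    # quoted in the post; any IPv6 literal reachable through Tor will do.
    target = sys.argv[1] if len(sys.argv) > 1 else "2001:bc8:4700:2300::10:f15"
    status, text = probe_socks_port(target, 443)
    print("SOCKS5 reply for [%s]:443: 0x%02x (%s)" % (target, status, text))
    if status == 0x02:
        print("IPv6 CONNECT refused by the SocksPort ruleset; add IPv6Traffic "
              "to the SocksPort line in torrc and reload Tor")
```

Run it against your own Tor (`python3 probe.py`, optionally with another IPv6 literal as the argument). With a plain `SocksPort 9050` the CONNECT to an IPv6 address should come back as 0x02; after adding `IPv6Traffic` to the SocksPort line and reloading Tor it should come back as 0x00 (or as a 0x04/0x05 style error from the far end, which is then no longer a SocksPort problem). The decoder part only shows that 167804929 carries source 10 (dirmngr) and a wrapped system error; which errno that is can be confirmed with `gpg-error 167804929`, since the index is libgpg-error's, not the kernel's.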
