Hi, today I was able to catch up on gnupg and IPv6 (somehow I missed the primer before). Long story below, here's the short fix:

    echo "SocksPort 9050 IPv6Traffic" >> /etc/tor/torrc # don't run it

I have two issues with gpg on debian buster. dirmngr constantly fails (does not anymore) to search for keys:

    $ gpg --search 74A941BA219EC810
    gpg: error searching keyserver: Permission denied
    gpg: keyserver search failed: Permission denied

    $ gpg --version
    gpg (GnuPG) 2.2.9
    libgcrypt 1.8.3
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: /home/user/.gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2

Long version for Werner and other gurus I fail to name:

    $ gpg --debug-level=guru --recv-key 74A941BA219EC810
    gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
    gpg: DBG: [not enabled in the source] start
    gpg: DBG: chan_3 <- # Home: /home/user/.gnupg
    gpg: DBG: chan_3 <- # Config: /home/user/.gnupg/dirmngr.conf
    gpg: DBG: chan_3 <- OK Dirmngr 2.2.9 at your service
    gpg: DBG: connection to the dirmngr established
    gpg: DBG: chan_3 -> GETINFO version
    gpg: DBG: chan_3 <- D 2.2.9
    gpg: DBG: chan_3 <- OK
    gpg: DBG: chan_3 -> KS_GET -- 0x74A941BA219EC810
    gpg: DBG: chan_3 <- ERR 167804929 Keine Berechtigung <Dirmngr>
    gpg: keyserver receive failed: Permission denied
    gpg: DBG: chan_3 -> BYE
    gpg: DBG: [not enabled in the source] stop
    gpg: keydb: handles=0 locks=0 parse=0 get=0
    gpg: build=0 update=0 insert=0 delete=0
    gpg: reset=0 found=0 not=0 cache=0 not=0
    gpg: kid_not_found_cache: count=0 peak=0 flushes=0
    gpg: sig_cache: total=0 cached=0 good=0 bad=0
    gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
    outmix=0 getlvl1=0/0 getlvl2=0/0
    gpg: rndjent stat: collector=0x00000000 calls=0 bytes=0
    gpg: secmem usage: 0/65536 bytes in 0 blocks

    ) = 39
    write(3, "KS_GET -- 0x74A941BA219EC810", 28) = 28
    write(3, "\n", 1) = 1
    read(3, "ERR 167804929 Keine Berechtigung"..., 1002) = 42
    read(3, "\n", 960) = 1
    write(2, "gpg: DBG: ", 10gpg: DBG: ) = 10
    write(2, "chan_3 <- ERR 167804929 Keine Be"..., 53chan_3 <- ERR 167804929 Keine Berechtigung <Dirmngr> ) = 53
    openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    write(2, "gpg: keyserver receive failed: P"..., 48gpg: keyserver receive failed: Permission denied) = 48
    write(2, "\n", 1 ) = 1
    write(2, "gpg: DBG: ", 10gpg: DBG: ) = 10
    write(2, "chan_3 -> BYE\n", 14chan_3 -> BYE ) = 14
    write(3, "BYE", 3) = 3
    write(3, "\n", 1) = 1
    close(3) = 0
    write(2, "gpg: DBG: [not enabled in the so"..., 42gpg: DBG: [not enabled in the source] stop) = 42
    write(2, "\n", 1 ) = 1
    write(2, "gpg: keydb: handles=0 locks=0 pa"..., 43gpg: keydb: handles=0 locks=0 parse=0 get=0) = 43
    write(2, "\n", 1 ) = 1
    write(2, "gpg: build=0 update=0 ins"..., 46gpg: build=0 update=0 insert=0 delete=0) = 46
    write(2, "\n", 1 ) = 1
    write(2, "gpg: reset=0 found=0 not="..., 47gpg: reset=0 found=0 not=0 cache=0 not=0) = 47
    write(2, "\n", 1 ) = 1
    write(2, "gpg: kid_not_found_cache: count="..., 50gpg: kid_not_found_cache: count=0 peak=0 flushes=0) = 50
    write(2, "\n", 1 ) = 1
    write(2, "gpg: sig_cache: total=0 cached=0"..., 45gpg: sig_cache: total=0 cached=0 good=0 bad=0) = 45
    write(2, "\n", 1 ) = 1
    write(2, "\n", 1 ) = 1
    write(2, "gpg: random usage: poolsize=600 "..., 59gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0) = 59
    write(2, "\n", 1 ) = 1
    write(2, " outmix=0 getlvl1=0"..., 46 outmix=0 getlvl1=0/0 getlvl2=0/0) = 46
    write(2, "\n", 1 ) = 1
    write(2, "gpg: rndjent stat: collector=0x0"..., 55gpg: rndjent stat: collector=0x00000000 calls=0 bytes=0) = 55
    write(2, "\n", 1 ) = 1
    write(2, "gpg: secmem usage: 0/65536 bytes"..., 37gpg: secmem usage: 0/65536 bytes in 0) = 37
    write(2, " blocks\n", 8 blocks ) = 8
    munmap(0xb7f68000, 65536) = 0
    exit_group(2) = ?
    +++ exited with 2 +++
    ### End of log

I stopped dirmngr several times, tried 'dirmngr --flush', started it with 'dirmngr --debug-all --standard-resolver' when searching for keys. It showed nothing so I assume gpg starts another instance of dirmngr in the background. Removing ~/.gnupg did not help either.

My second issue is trying to install latest dirmngr from git:

    $ git clone https://dev.gnupg.org/source/gnupg.git ; cd gnupg
    # apt install libksba-dev libnpth0-dev libassuan-dev libgcrypt20-dev
    $ ./autogen.sh && ./configure --prefix=$HOME && make
    [...]
    GnuPG v2.3.0-beta440 has been configured as follows:

    Revision: 1b309d9f6 (6960)
    Platform: GNU/Linux (i686-pc-linux-gnu)

    OpenPGP: yes
    S/MIME: yes
    Agent: yes
    Smartcard: yes (without internal CCID driver)
    G13: no
    Dirmngr: yes
    Gpgtar: yes
    WKS tools: no

    Protect tool: (default)
    LDAP wrapper: (default)
    Default agent: (default)
    Default pinentry: (default)
    Default scdaemon: (default)
    Default dirmngr: (default)

    Dirmngr auto start: yes
    Readline support: no
    LDAP support: no
    TLS support: gnutls
    TOFU support: yes
    Tor support: yes

    make all-recursive
    make[1]: Entering directory '/media/user/src/gnupg'
    Making all in m4
    make[2]: Entering directory '/media/user/src/gnupg/m4'
    make[2]: Nothing to be done for 'all'.
    make[2]: Leaving directory '/media/user/src/gnupg/m4'
    Making all in common
    make[2]: Entering directory '/media/user/src/gnupg/common'
    make[2]: *** No rule to make target 'audit-events.h', needed by 'all'. Stop.
    make[2]: Leaving directory '/media/user/src/gnupg/common'
    make[1]: *** [Makefile:615: all-recursive] Error 1
    make[1]: Leaving directory '/media/user/src/gnupg'
    [make: *** [Makefile:535: all] Error 2
    ### End of log

Therefore I went back to investigate the origin of "ERR 167804929". It is not hardcoded in gnupg or tor, at least it doesn't show up in the source with rgrep. With the help of google (my favourite search engine left me on this) I became aware of this log from earlier dirmngr 2.1.18, quoting <https://www.mail-archive.com/[email protected]/msg1614900.html>:

    Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 <- KS_SEARCH -- [email protected]
    Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a01:4a0:59:1000:223:9eff:fe00:100f]'
    Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2600:1f16:41e:bd0a::73:6b73]'
    Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]'
    Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:470:1:116::6]'
    Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '216.66.15.2'
    Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '192.146.137.11'
    Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '68.187.0.77'
    Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.15.53.138'
    Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '37.191.226.104'
    Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '18.191.65.131'
    Jul 08 05:57:24 debian dirmngr[2574]: can't connect to '2001:bc8:4700:2300::10:f15': Permission denied
    Jul 08 05:57:24 debian dirmngr[2574]: error connecting to 'https://[2001:bc8:4700:2300::10:f15]:443': Permission denied
    Jul 08 05:57:24 debian dirmngr[2574]: (Tor configuration problem)
    Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> S WARNING tor_config_problem 0 Please check that the "SocksPort" flag "IPv6Traffic" is set in torrc
    Jul 08 05:57:24 debian dirmngr[2574]: command 'KS_SEARCH' failed: Permission denied
    Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> ERR 167804929 Permission denied <Dirmngr>
    Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 <- BYE
    ### End of quote

This error helped significantly, adding to torrc:

    SocksPort PORT IPv6Traffic

It however may timeout with "No data" several times before succeeding. Would be a great feature to catch this and retry for the sake of scripted installations.

I imagine this could affect a lot of users, so it could have some user time to restore this error message. Note that "gpg: DBG: [not enabled in the source] stop" is the default packaged gnupg on debian based systems.

Thanks for joining me on this interesting journey and please send back suggestions on the compilation error. If you are interested, read part two below when I try to reproduce the error.

Best,
kardan

Part II: How to reproduce "Permission denied" with dirmngr

A usual quest after fixing an error is to try to make it happen again. In this case, I removed the IPv6Traffic from the torrc line, stopped tor altogether, killed all instances of dirmngr and gpgagent and deleted the key:

    $ gpg --delete-key 74A941BA219EC810
    $ gpg --verbose --recv 74A941BA219EC810
    gpg: data source: https://216.66.15.2:443
    gpg: ASCII-Hülle: Version: SKS 1.1.6
    gpg: ASCII-Hülle: Comment: Hostname: zimmermann.mayfirst.org
    gpg: pub rsa2048/0xEE8CBC9E886DDD89 2009-09-04 deb.torproject.org archive signing key
    ...
    gpg: Tiefe: 0 gültig: 6 signiert: 0 Vertrauen: 0-, 0q, 0n, 0m, 0f, 6u
    gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2018-12-20
    gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
    gpg: importiert: 1

This is confusing because it should fail when tor is enabled:

    $ cat ~/.gnupg/dirmngr.conf
    ###+++--- GPGConf ---+++###
    use-tor
    ###+++--- GPGConf ---+++### Wed Jul 25 16:16:02 2018 CEST
    # GPGConf edited this configuration file.
    # It will disable options before this marked block, but it will
    # never change anything below these lines.

And 'torsocks w3m http://ic6au7wa3f6naxjq.onion' fails as expected. So either gnupg ships its own tor instance and runs it hiddenly, or it found out how to recycle the circuit of my TBB or it silently falls back to non-tor connections which is a bug.

So here I am left unable to reproduce the error, but at least this story will help some later me to solve it again.

Thanks for following part II, am happy to read your thoughts on my remaining questions:

1. is it hard to restore the error from 2.1.18 (where to start)
2. how to fix: No rule to make target 'audit-events.h'
3. How does dirmngr connect when no tor circuit is available
4. Why does a foreground dirmngr not show connections
5. How to enable "DBG: [not enabled in the source]"
6. Where's the database to look up ERR 167804929
7. How can I change the timeout?

I know that all answers can be solved by looking at the code, but maybe someone can save me some time and I might be able to prepare a patch stub in the next days.

Thanks for taking the time to go through all this.
Have a nice day!
kardan

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
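
The numeric value in "ERR 167804929" is a packed libgpg-error value (error source in the upper bits, error code in the lower 16), which is why it cannot be found as a literal with rgrep. The following is an added example, not part of the original post or of GnuPG's code: it unpacks such values and picks out the status warning that dirmngr 2.1.18 sent before the ERR line. The names decode and triage are hypothetical, and the lookup tables are deliberately partial.

```python
import re

# Layout of a gpg_error_t value as defined by libgpg-error.
SOURCE_SHIFT, SOURCE_MASK = 24, 0x7F   # bits 24..30: component that raised it
CODE_MASK = 0xFFFF                     # bits 0..15: the error code
SYSTEM_ERROR = 1 << 15                 # set when the code wraps an errno value

# Partial lookup tables, just enough for this post; libgpg-error has the full lists.
SOURCES = {2: "GPG", 4: "GPGAGENT", 10: "DIRMNGR"}
CODES = {58: "GPG_ERR_NO_DATA", SYSTEM_ERROR | 1: "GPG_ERR_EACCES"}

ERR_RE = re.compile(r"\bERR (\d+)\b")
WARN_RE = re.compile(r"\bS WARNING (\S+) \d+ (.*)$")


def decode(value):
    """Split a numeric gpg_error_t into (source, code name, wraps_errno)."""
    source = (value >> SOURCE_SHIFT) & SOURCE_MASK
    code = value & CODE_MASK
    return (SOURCES.get(source, f"source {source}"),
            CODES.get(code, f"code {code}"),
            bool(code & SYSTEM_ERROR))


def triage(log_lines):
    """Return (decoded ERR values, status warnings) found in Assuan debug lines."""
    errors, warnings = [], []
    for line in log_lines:
        if (m := WARN_RE.search(line)):
            # The warning carries the actionable hint; the ERR line alone does not.
            warnings.append((m.group(1), m.group(2)))
        elif (m := ERR_RE.search(line)):
            errors.append(decode(int(m.group(1))))
    return errors, warnings


# Sample input: two lines from the dirmngr 2.1.18 log quoted in the post
# (syslog prefix dropped) and one line from the gpg 2.2.9 debug output.
SAMPLE = [
    'dirmngr[2574]: DBG: chan_5 -> S WARNING tor_config_problem 0 '
    'Please check that the "SocksPort" flag "IPv6Traffic" is set in torrc',
    "dirmngr[2574]: DBG: chan_5 -> ERR 167804929 Permission denied <Dirmngr>",
    "gpg: DBG: chan_3 <- ERR 167804929 Keine Berechtigung <Dirmngr>",
]

if __name__ == "__main__":
    errs, warns = triage(SAMPLE)
    for source, code, is_errno in errs:
        print(f"source={source} code={code} errno-based={is_errno}")
    for ident, text in warns:
        print(f"warning {ident}: {text}")
```

On a system with libgpg-error's command-line tools installed, the `gpg-error` program performs the same lookup against the complete tables.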
