Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 31.07.21 at 17:40, Werner Koch wrote:
> On Thu, 29 Jul 2021 18:36, Andrew Gallagher said:
>
>> If you built gnupg from its default configuration, it does not
>> automatically look in /etc/ssl/certs for CA certificates. You may want
>
> On Unix and unless gnupg was built with --with-default-trust-store-file
> the following collections of certificates are used for TLS:
>
>     { "/etc/ssl/ca-bundle.pem" },
>     { "/etc/ssl/certs/ca-certificates.crt" },
>     { "/etc/pki/tls/cert.pem" },
>     { "/usr/local/share/certs/ca-root-nss.crt" },
>     { "/etc/ssl/cert.pem" }
>

Thanks. None of those files is on my system. So it's probably no wonder
that "--search-keys" didn't work.

Either I messed up big or LFS/BLFS uses a setup for the certificates
that is not what gnupg expects. In the latter case

  --with-default-trust-store-file=/etc/pki/tls/certs/ca-bundle.crt

may indeed be the way to go for LFS/BLFS systems.

I'll cc this to blfs-support so that the editors can draw their own
conclusions. Or castigate me for being too stupid to follow the
instructions somewhere. ;)

>> to add a soft link from /etc/gnupg/trusted-certs to /etc/ssl/certs so
>> that dirmngr looks in the Mozilla certificate library.
>
> Not a too good idea because these certificates are used for a different
> purpose.
>
>
> FWIW, here is the list of internal certificate classes used:
>
>     CERTTRUST_CLASS_SYSTEM  = 1, /* From the system's list of trusted certs. */
>     CERTTRUST_CLASS_CONFIG  = 2, /* From dirmngr's config files. */
>     CERTTRUST_CLASS_HKP     = 4, /* From --hkp-cacert*/
>     CERTTRUST_CLASS_HKPSPOOL= 8, /* The one and only from sks-keyservers */
>
>
> Shalom-Salam,
>
>    Werner
>

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On Thu, 29 Jul 2021 18:36, Andrew Gallagher said:

> If you built gnupg from its default configuration, it does not
> automatically look in /etc/ssl/certs for CA certificates. You may want

On Unix and unless gnupg was built with --with-default-trust-store-file
the following collections of certificates are used for TLS:

    { "/etc/ssl/ca-bundle.pem" },
    { "/etc/ssl/certs/ca-certificates.crt" },
    { "/etc/pki/tls/cert.pem" },
    { "/usr/local/share/certs/ca-root-nss.crt" },
    { "/etc/ssl/cert.pem" }

> to add a soft link from /etc/gnupg/trusted-certs to /etc/ssl/certs so
> that dirmngr looks in the Mozilla certificate library.

Not a too good idea because these certificates are used for a different
purpose.

FWIW, here is the list of internal certificate classes used:

    CERTTRUST_CLASS_SYSTEM  = 1, /* From the system's list of trusted certs. */
    CERTTRUST_CLASS_CONFIG  = 2, /* From dirmngr's config files. */
    CERTTRUST_CLASS_HKP     = 4, /* From --hkp-cacert*/
    CERTTRUST_CLASS_HKPSPOOL= 8, /* The one and only from sks-keyservers */

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
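Added example (not part of the thread and not GnuPG code): a shell check of the two CA sources discussed in this message, the default bundle paths Werner lists and the /etc/gnupg/trusted-certs directory, whose files the dirmngr man page expects to be DER encoded with a .crt or .der suffix. The path-prefix argument and all function names are assumptions made for the example, and a build configured with --with-default-trust-store-file reads a bundle path that this check does not know about.

```sh
#!/bin/sh
# Added example, not GnuPG code. The first argument of each function is a
# hypothetical path prefix so the checks can run against a test tree.

# Default bundle paths, as quoted from Werner Koch's message in this thread.
DIRMNGR_BUNDLES="/etc/ssl/ca-bundle.pem
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem"

PEM_BEGIN='-----BEGIN CERTIFICATE-----'

# Print "<path> <number of PEM certificates>" for each default bundle that is
# a readable file holding at least one certificate. Prints nothing otherwise.
usable_bundles() {
    for path in $DIRMNGR_BUNDLES; do
        f="${1:-}$path"
        [ -f "$f" ] && [ -r "$f" ] || continue
        n=$(grep -c -e "$PEM_BEGIN" "$f" 2>/dev/null || true)
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s %s\n' "$path" "$n"
        fi
    done
}

# Classify the files in /etc/gnupg/trusted-certs:
#   der         .crt/.der files without PEM armor (the expected form)
#   pem_armored .crt/.der files that are really PEM text
#   ignored     any other suffix, e.g. the .pem files behind a symlink
#               to /etc/ssl/certs as tried in this thread
trusted_certs_summary() {
    dir="${1:-}/etc/gnupg/trusted-certs"
    der=0 pem_armored=0 ignored=0
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            case "$f" in
                *.crt|*.der)
                    if grep -q -e "$PEM_BEGIN" "$f"; then
                        pem_armored=$((pem_armored + 1))
                    else
                        der=$((der + 1))
                    fi ;;
                *) ignored=$((ignored + 1)) ;;
            esac
        done
    fi
    printf 'der=%d pem_armored=%d ignored=%d\n' "$der" "$pem_armored" "$ignored"
}

# Report both sources. The exit status reflects the system bundle only,
# because that is the source the thread identifies for keyserver TLS.
diagnose() {
    root=${1:-}
    bundles=$(usable_bundles "$root")
    echo "trusted-certs: $(trusted_certs_summary "$root")"
    if [ -z "$bundles" ]; then
        echo "system bundle: none of the default paths is usable"
        return 1
    fi
    echo "system bundle: $bundles"
}

# Check the live system only when asked to: sh check-dirmngr-ca.sh --run
if [ "${1:-}" = "--run" ]; then diagnose ""; fi
```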
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 29.07.21 at 19:36, Andrew Gallagher wrote:
> On 29/07/2021 17:52, Rainer Fiebig wrote:
>>
>> ~> openssl x509 -text > After"
>> Not After : Sep 30 14:01:15 2021 GMT
>
> So the file exists, and appears to have the correct contents (the
> difference in checksum is probably whitespace or commentary, I wouldn't
> worry about it).
>
> I'm going to refer back to my earlier statement: "It looks like dirmngr
> isn't using the same set of CAs that curl is using".
>
> If you built gnupg from its default configuration, it does not
> automatically look in /etc/ssl/certs for CA certificates. You may want
> to add a soft link from /etc/gnupg/trusted-certs to /etc/ssl/certs so
> that dirmngr looks in the Mozilla certificate library.
>

Perhaps solved.

As the main issue here seemed to be that gnupg could not find the
certificate(s) and the symlink to /etc/ssl/certs (all .pem) did not
work, I re-built gnupg with this configure-switch:

  --with-default-trust-store-file=/etc/pki/tls/certs/ca-bundle.crt

And now --search-keys is working:

  ~> gpg --search-keys E3FF2839C048B25C084DEBE9B26995E310250568
  gpg: data source: https://keys.openpgp.org:443
  (1) Łukasz Langa (GPG langa.pl)
  Łukasz Langa
  Łukasz Langa
  4096 bit RSA key B26995E310250568, erzeugt: 2015-05-11
  Keys 1-1 of 1 for "E3FF2839C048B25C084DEBE9B26995E310250568". Eingabe von Nummern, Nächste (N) oder Abbrechen (Q) >

  ~> gpg --keyserver hkps://keys.openpgp.org --search-keys E3FF2839C048B25C084DEBE9B26995E310250568
  gpg: data source: https://keys.openpgp.org:443
  (1) Łukasz Langa (GPG langa.pl)
  Łukasz Langa
  Łukasz Langa
  4096 bit RSA key B26995E310250568, erzeugt: 2015-05-11
  Keys 1-1 of 1 for "E3FF2839C048B25C084DEBE9B26995E310250568". Eingabe von Nummern, Nächste (N) oder Abbrechen (Q) >

  ~> gpg --keyserver hkps://pgpkeys.eu --search-keys E3FF2839C048B25C084DEBE9B26995E310250568
  gpg: data source: https://pgpkeys.eu:443
  (1) Łukasz Langa (GPG langa.pl)
  Łukasz Langa
  Łukasz Langa
  Łukasz Langa (Work e-mail account)
  4096 bit RSA key B26995E310250568, erzeugt: 2015-05-11
  Keys 1-1 of 1 for "E3FF2839C048B25C084DEBE9B26995E310250568". Eingabe von Nummern, Nächste (N) oder Abbrechen (Q) >

However, having to build gnupg with this switch feels somewhat awkward,
like a workaround, not like it should be.

I'll post this solution over at blfs-supp...@lists.linuxfromscratch.org
and see what they think about it. Perhaps they have a more elegant
solution or can tell me whether I've made a configuration-mistake
elsewhere.

Thank you guys for your time and suggestions. They helped a lot!
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 29.07.21 at 19:36, Andrew Gallagher wrote:
> On 29/07/2021 17:52, Rainer Fiebig wrote:
>>
>> ~> openssl x509 -text > After"
>> Not After : Sep 30 14:01:15 2021 GMT
>
> So the file exists, and appears to have the correct contents (the
> difference in checksum is probably whitespace or commentary, I wouldn't
> worry about it).
>
> I'm going to refer back to my earlier statement: "It looks like dirmngr
> isn't using the same set of CAs that curl is using".

Yes, that seems to be at the heart of the matter.

Curl is built with this ./configure switch:

  --with-ca-path=/etc/ssl/certs

and so it finds the correct certificate.

There's no such switch for gnupg. So I guess dirmngr looks in /etc/pki
for the certs? And maybe the DST_Root_CA_X3 (in "ca-bundle.crt") there is
different (outdated?) from the one in /etc/ssl/certs.

>
> If you built gnupg from its default configuration, it does not
> automatically look in /etc/ssl/certs for CA certificates. You may want
> to add a soft link from /etc/gnupg/trusted-certs to /etc/ssl/certs so
> that dirmngr looks in the Mozilla certificate library.
>

The manpage for dirmngr says that the certificates in
/etc/gnupg/trusted-certs are expected to be in .der or .crt encoding.
Those in /etc/ssl are .pem, though.

I created a symlink /etc/gnupg/trusted-certs -> /etc/ssl/certs/ but gpg
--search-keys still fails, probably due to the .pem encoding.
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 29/07/2021 17:52, Rainer Fiebig wrote:
> ~> openssl x509 -text

So the file exists, and appears to have the correct contents (the
difference in checksum is probably whitespace or commentary, I wouldn't
worry about it).

I'm going to refer back to my earlier statement: "It looks like dirmngr
isn't using the same set of CAs that curl is using".

If you built gnupg from its default configuration, it does not
automatically look in /etc/ssl/certs for CA certificates. You may want
to add a soft link from /etc/gnupg/trusted-certs to /etc/ssl/certs so
that dirmngr looks in the Mozilla certificate library.

--
Andrew Gallagher
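Added example (not from the thread): one way to test the guess that two PEM files differ only in whitespace or commentary is to hash the decoded certificate bytes instead of the file as stored. The function names and the two sample files are assumptions made for the example; the base64 body in the samples is constructed and is not a real certificate.

```sh
#!/bin/sh
# Added example: compare certificates by the SHA-256 of their decoded (DER)
# bytes, so comments and line wrapping in the PEM file do not matter.

# Print the base64 body of the first certificate in PEM file $1 on one line.
pem_body() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /^-----END CERTIFICATE-----/   { exit }
        inside { gsub(/[ \t\r]/, ""); printf "%s", $0 }
    ' "$1"
}

# Print the SHA-256 of the decoded certificate bytes. Returns 2 if $1 holds
# no certificate or the body contains characters outside the base64 alphabet.
der_sha256() {
    body=$(pem_body "$1") || return 2
    case "$body" in
        ''|*[!A-Za-z0-9+/=]*) return 2 ;;
    esac
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Print the SHA-256 of the file as stored, which is what the sha256sum
# commands in the thread compare.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if both files carry the same certificate, 1 if they differ,
# 2 if either file cannot be parsed.
same_certificate() {
    a=$(der_sha256 "$1") || return 2
    b=$(der_sha256 "$2") || return 2
    [ "$a" = "$b" ]
}

# Write two constructed sample files into directory $1: the same body once
# on a single line and once with a header comment and 10-column wrapping.
make_samples() {
    sample=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=   # constructed, not a real cert
    {
        echo '-----BEGIN CERTIFICATE-----'
        echo "$sample"
        echo '-----END CERTIFICATE-----'
    } > "$1/plain.pem"
    {
        echo '# constructed sample with a header comment'
        echo '-----BEGIN CERTIFICATE-----'
        echo "$sample" | fold -w 10
        echo '-----END CERTIFICATE-----'
        echo
    } > "$1/commented.pem"
}
```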
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 29.07.21 at 18:45, Andrew Gallagher wrote:
> On 29/07/2021 17:33, Rainer Fiebig wrote:
>> Thanks. File exists but has a different checksum:
>>
>> /etc/ssl/certs> sha256sum DST_Root_CA_X3.pem
>> 4b3ecda4db3f417f23f5dfa84eb4d59d6cc2959446ebaf89c7df5866d31e9980
>> DST_Root_CA_X3.pem
>
> Ah, I wonder is the expiry date different. Can you incant the following
> please?
>
> ```
> openssl x509 -text
> ```
>
> Mine says:
>
> ```
> Not After : Sep 30 14:01:15 2021 GMT
> ```
>

Same here:

  ~> openssl x509 -text
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 29/07/2021 17:33, Rainer Fiebig wrote:
> Thanks. File exists but has a different checksum:
>
> /etc/ssl/certs> sha256sum DST_Root_CA_X3.pem
> 4b3ecda4db3f417f23f5dfa84eb4d59d6cc2959446ebaf89c7df5866d31e9980
> DST_Root_CA_X3.pem

Ah, I wonder is the expiry date different. Can you incant the following
please?

```
openssl x509 -text
```
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 29.07.21 at 18:16, Andrew Gallagher wrote:
> On 29/07/2021 08:41, Rainer Fiebig via Gnupg-users wrote:
>> On 28.07.21 at 21:38, Ingo Klöcker wrote:
>>> On Wednesday, 28 July 2021 18:38:07 CEST Rainer Fiebig via Gnupg-users wrote:
>>>
>>> Does 'gpg --keyserver hkps://pgpkeys.eu --search-keys ...' work for you?
>>>
>> No, same output as reported initially.
>
> The common problem is the LetsEncrypt R3 certificate.
>
>> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
>> * ALPN, server accepted to use http/1.1
>> * Server certificate:
>> * subject: CN=keys.openpgp.org
>> * start date: Jul 26 04:32:08 2021 GMT
>> * expire date: Oct 24 04:32:06 2021 GMT
>> * subjectAltName: host "keys.openpgp.org" matched cert's "keys.openpgp.org"
>> * issuer: C=US; O=Let's Encrypt; CN=R3
>> * SSL certificate verify ok.
> ...
>> Looks OK to me. The Let's Encrypt certificate is recognized and
>> verified. Or what do you think?
>
> I think it looks like dirmngr isn't using the same set of CAs that curl
> is using.
>
> The missing root certificate is:
>
>> 2021-07-28 16:06:50 dirmngr[4135.6] issuer certificate: #/CN=DST Root CA X3,O=Digital Signature Trust Co.
>
> Can you confirm that /etc/ssl/certs/DST_Root_CA_X3.pem exists on your
> machine and has the following checksum?
>
> ```
> andrewg@whippet:~$ sha256sum /etc/ssl/certs/DST_Root_CA_X3.pem
> 139a5e4a4e0fa505378c72c5f700934ce8333f4e6b1b508886c4b0eb14f4be99
> /etc/ssl/certs/DST_Root_CA_X3.pem
> ```
>

Thanks. File exists but has a different checksum:

  /etc/ssl/certs> sha256sum DST_Root_CA_X3.pem
  4b3ecda4db3f417f23f5dfa84eb4d59d6cc2959446ebaf89c7df5866d31e9980 DST_Root_CA_X3.pem

> Also, is your system clock correct? (long shot, but always worth asking
> when debugging TLS cert issues)
>

System clock is OK. No problem asking - I'm happy for every clue I can
get in this matter. ;)
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 29/07/2021 08:41, Rainer Fiebig via Gnupg-users wrote:
> On 28.07.21 at 21:38, Ingo Klöcker wrote:
>> On Wednesday, 28 July 2021 18:38:07 CEST Rainer Fiebig via Gnupg-users wrote:
>>
>> Does 'gpg --keyserver hkps://pgpkeys.eu --search-keys ...' work for you?
>>
> No, same output as reported initially.

The common problem is the LetsEncrypt R3 certificate.

> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
> * ALPN, server accepted to use http/1.1
> * Server certificate:
> * subject: CN=keys.openpgp.org
> * start date: Jul 26 04:32:08 2021 GMT
> * expire date: Oct 24 04:32:06 2021 GMT
> * subjectAltName: host "keys.openpgp.org" matched cert's "keys.openpgp.org"
> * issuer: C=US; O=Let's Encrypt; CN=R3
> * SSL certificate verify ok.
...
> Looks OK to me. The Let's Encrypt certificate is recognized and
> verified. Or what do you think?

I think it looks like dirmngr isn't using the same set of CAs that curl
is using.

The missing root certificate is:

> 2021-07-28 16:06:50 dirmngr[4135.6] issuer certificate: #/CN=DST Root CA X3,O=Digital Signature Trust Co.

Can you confirm that /etc/ssl/certs/DST_Root_CA_X3.pem exists on your
machine and has the following checksum?

```
andrewg@whippet:~$ sha256sum /etc/ssl/certs/DST_Root_CA_X3.pem
139a5e4a4e0fa505378c72c5f700934ce8333f4e6b1b508886c4b0eb14f4be99 /etc/ssl/certs/DST_Root_CA_X3.pem
```

Also, is your system clock correct? (long shot, but always worth asking
when debugging TLS cert issues)

--
Andrew Gallagher
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 28.07.21 at 21:38, Ingo Klöcker wrote:
> On Wednesday, 28 July 2021 18:38:07 CEST Rainer Fiebig via Gnupg-users wrote:
>> On 28.07.21 at 17:42, Andrew Gallagher wrote:
>>> On 28/07/2021 15:19, Rainer Fiebig via Gnupg-users wrote:
>>>> 2021-07-28 16:06:50 dirmngr[4135.6] Fehler beim Verbinden mit 'https://keys.openpgp.org:443': Fehlendes Herausgeberzertifikat in der Kette
>>>> 2021-07-28 16:06:50 dirmngr[4135.6] command 'KS_SEARCH' failed: Fehlendes Herausgeberzertifikat in der Kette
>>>> 2021-07-28 16:06:50 dirmngr[4135.6] Handhabungsroutine für den fd 6 beendet
>>>
>>> "Fehlendes Herausgeberzertifikat in der Kette" translates as "Missing
>>> publisher certificate in the chain", is that correct?
>>
>> Correct.
>>
>>> keys.openpgp.org uses LetsEncrypt as their TLS CA. Can you connect to
>>> other keyservers that also use LetsEncrypt? For example, pgpkeys.eu uses
>>> the same intermediate certificate (LetsEncrypt R3) as keys.openpgp.org.
>>
>> This works:
>>
>> ~> gpg --keyserver pgpkeys.eu --search-keys
>> E3FF2839C048B25C084DEBE9B26995E310250568
>> gpg: enabled debug flags: memstat
>> gpg: data source: http://pgpkeys.eu:11371
>> (1) Łukasz Langa (GPG langa.pl)
>> Łukasz Langa
>> Łukasz Langa
>> Łukasz Langa (Work e-mail account)
>> 4096 bit RSA key B26995E310250568, erzeugt: 2015-05-11
>> Keys 1-1 of 1 for "E3FF2839C048B25C084DEBE9B26995E310250568". Eingabe
>> von Nummern, Nächste (N) oder Abbrechen (Q) >
>
> Doesn't use TLS. Just plain HTTP.
>
>> Each of these lines in dirmngr.conf also work:
>> keyserver http://keys2.andreas-puls.de/
>> keyserver http://pgpkeys.eu/
>
> Ditto. Since your problems seem to be related to TLS it's not really
> surprising that keyservers not using https work.
>

At least I now know that such keyservers still exist. ;)

> Does 'gpg --keyserver hkps://pgpkeys.eu --search-keys ...' work for you?
>

No, same output as reported initially.

> What does 'curl -v https://keys.openpgp.org' say?
>

  ~> curl --max-filesize 1 -v https://keys.openpgp.org
  * Trying 37.218.245.50:443...
  * Connected to keys.openpgp.org (37.218.245.50) port 443 (#0)
  * ALPN, offering http/1.1
  * successfully set certificate verify locations:
  * CAfile: none
  * CApath: /etc/ssl/certs
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * TLSv1.3 (IN), TLS handshake, Server hello (2):
  * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * TLSv1.3 (IN), TLS handshake, Server hello (2):
  * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  * TLSv1.3 (IN), TLS handshake, Certificate (11):
  * TLSv1.3 (IN), TLS handshake, CERT verify (15):
  * TLSv1.3 (IN), TLS handshake, Finished (20):
  * TLSv1.3 (OUT), TLS handshake, Finished (20):
  * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  * ALPN, server accepted to use http/1.1
  * Server certificate:
  * subject: CN=keys.openpgp.org
  * start date: Jul 26 04:32:08 2021 GMT
  * expire date: Oct 24 04:32:06 2021 GMT
  * subjectAltName: host "keys.openpgp.org" matched cert's "keys.openpgp.org"
  * issuer: C=US; O=Let's Encrypt; CN=R3
  * SSL certificate verify ok.
  > GET / HTTP/1.1
  > Host: keys.openpgp.org
  > User-Agent: curl/7.77.0
  > Accept: */*
  >
  * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  * old SSL session ID is stale, removing
  * Mark bundle as not supporting multiuse
  < HTTP/1.1 200 OK
  < Server: nginx/1.14.2
  < Date: Thu, 29 Jul 2021 07:20:26 GMT
  < Content-Type: text/html; charset=utf-8
  < Content-Length: 1761
  < Connection: keep-alive
  < Vary: Accept-Encoding
  < X-Frame-Options: SAMEORIGIN
  < X-XSS-Protection: 1; mode=block
  < X-Content-Type-Options: nosniff
  < Referrer-Policy: no-referrer-when-downgrade
  < Content-Security-Policy: default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; report-uri https://keysopenpgporg.report-uri.com/r/d/csp/enforce
  < Strict-Transport-Security: max-age=31536000; includeSubDomains
  < Expect-CT: max-age=31536000, report-uri="https://keysopenpgporg.report-uri.com/r/d/ct/reportOnly;
  < alt-svc: h2="zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion:443"; ma=86400; persist=1
  <
  [..]

Looks OK to me. The Let's Encrypt certificate is recognized and
verified. Or what do you think?

> Regards,
> Ingo
>

Thanks for your help!
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On Wednesday, 28 July 2021 18:38:07 CEST Rainer Fiebig via Gnupg-users wrote:
> On 28.07.21 at 17:42, Andrew Gallagher wrote:
> > On 28/07/2021 15:19, Rainer Fiebig via Gnupg-users wrote:
> >> 2021-07-28 16:06:50 dirmngr[4135.6] Fehler beim Verbinden mit
> >> 'https://keys.openpgp.org:443': Fehlendes Herausgeberzertifikat in der
> >> Kette
> >> 2021-07-28 16:06:50 dirmngr[4135.6] command 'KS_SEARCH' failed:
> >> Fehlendes Herausgeberzertifikat in der Kette
> >> 2021-07-28 16:06:50 dirmngr[4135.6] Handhabungsroutine für den fd 6
> >> beendet
> >
> > "Fehlendes Herausgeberzertifikat in der Kette" translates as "Missing
> > publisher certificate in the chain", is that correct?
>
> Correct.
>
> > keys.openpgp.org uses LetsEncrypt as their TLS CA. Can you connect to
> > other keyservers that also use LetsEncrypt? For example, pgpkeys.eu uses
> > the same intermediate certificate (LetsEncrypt R3) as keys.openpgp.org.
>
> This works:
>
> ~> gpg --keyserver pgpkeys.eu --search-keys
> E3FF2839C048B25C084DEBE9B26995E310250568
> gpg: enabled debug flags: memstat
> gpg: data source: http://pgpkeys.eu:11371
> (1) Łukasz Langa (GPG langa.pl)
> Łukasz Langa
> Łukasz Langa
> Łukasz Langa (Work e-mail account)
> 4096 bit RSA key B26995E310250568, erzeugt: 2015-05-11
> Keys 1-1 of 1 for "E3FF2839C048B25C084DEBE9B26995E310250568". Eingabe
> von Nummern, Nächste (N) oder Abbrechen (Q) >

Doesn't use TLS. Just plain HTTP.

> Each of these lines in dirmngr.conf also work:
> keyserver http://keys2.andreas-puls.de/
> keyserver http://pgpkeys.eu/

Ditto. Since your problems seem to be related to TLS it's not really
surprising that keyservers not using https work.

Does 'gpg --keyserver hkps://pgpkeys.eu --search-keys ...' work for you?

What does 'curl -v https://keys.openpgp.org' say?

Regards,
Ingo
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 28.07.21 at 17:42, Andrew Gallagher wrote:
> On 28/07/2021 15:19, Rainer Fiebig via Gnupg-users wrote:
>> 2021-07-28 16:06:50 dirmngr[4135.6] Fehler beim Verbinden mit
>> 'https://keys.openpgp.org:443': Fehlendes Herausgeberzertifikat in der
>> Kette
>> 2021-07-28 16:06:50 dirmngr[4135.6] command 'KS_SEARCH' failed:
>> Fehlendes Herausgeberzertifikat in der Kette
>> 2021-07-28 16:06:50 dirmngr[4135.6] Handhabungsroutine für den fd 6
>> beendet
>
> "Fehlendes Herausgeberzertifikat in der Kette" translates as "Missing
> publisher certificate in the chain", is that correct?
>

Correct.

> keys.openpgp.org uses LetsEncrypt as their TLS CA. Can you connect to
> other keyservers that also use LetsEncrypt? For example, pgpkeys.eu uses
> the same intermediate certificate (LetsEncrypt R3) as keys.openpgp.org.
>

This works:

  ~> gpg --keyserver pgpkeys.eu --search-keys E3FF2839C048B25C084DEBE9B26995E310250568
  gpg: enabled debug flags: memstat
  gpg: data source: http://pgpkeys.eu:11371
  (1) Łukasz Langa (GPG langa.pl)
  Łukasz Langa
  Łukasz Langa
  Łukasz Langa (Work e-mail account)
  4096 bit RSA key B26995E310250568, erzeugt: 2015-05-11
  Keys 1-1 of 1 for "E3FF2839C048B25C084DEBE9B26995E310250568". Eingabe von Nummern, Nächste (N) oder Abbrechen (Q) >

Each of these lines in dirmngr.conf also work:

  keyserver http://keys2.andreas-puls.de/
  keyserver http://pgpkeys.eu/

  ~> gpg --search-keys E3FF2839C048B25C084DEBE9B26995E310250568
  gpg: enabled debug flags: memstat
  gpg: data source: http://keys2.andreas-puls.de:80
  (1) Łukasz Langa (GPG langa.pl)
  Łukasz Langa
  Łukasz Langa
  Łukasz Langa (Work e-mail account)
  4096 bit RSA key B26995E310250568, erzeugt: 2015-05-11
  Keys 1-1 of 1 for "E3FF2839C048B25C084DEBE9B26995E310250568". Eingabe von Nummern, Nächste (N) oder Abbrechen (Q) >

>
> What OS are you using? Do you have the latest version of ca-certificates
> (or equivalent) installed?
>

Linux From Scratch, latest stable. The ca-certificates (from
Mozilla.org) are updated regularly (automated).
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 28/07/2021 15:19, Rainer Fiebig via Gnupg-users wrote:
> 2021-07-28 16:06:50 dirmngr[4135.6] Fehler beim Verbinden mit 'https://keys.openpgp.org:443': Fehlendes Herausgeberzertifikat in der Kette
> 2021-07-28 16:06:50 dirmngr[4135.6] command 'KS_SEARCH' failed: Fehlendes Herausgeberzertifikat in der Kette
> 2021-07-28 16:06:50 dirmngr[4135.6] Handhabungsroutine für den fd 6 beendet

"Fehlendes Herausgeberzertifikat in der Kette" translates as "Missing
publisher certificate in the chain", is that correct?

keys.openpgp.org uses LetsEncrypt as their TLS CA. Can you connect to
other keyservers that also use LetsEncrypt? For example, pgpkeys.eu uses
the same intermediate certificate (LetsEncrypt R3) as keys.openpgp.org.

What OS are you using? Do you have the latest version of ca-certificates
(or equivalent) installed?

--
Andrew Gallagher
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On 28.07.21 at 15:45, Bernhard Reiter wrote:
> Hi Rainer,
>
> On Wednesday 28 July 2021 11:22:18, Rainer Fiebig via Gnupg-users wrote:
>> Hi! I'm having a problem when searching for keys on keyservers when
>> using "gpg --search-keys".
>>
>> The only line in dirmngr.conf (except for comments) is:
>> keyserver hkps://keys.openpgp.org
>
> note that this particular keyserver has decided to be incompatible with
> the current OpenPGP standard, by omitting a valid user id, unless
> it was "validated".
> (It says so in its FAQ and there is part of a discussion here
> https://dev.gnupg.org/T4393#133695)
> This could potentially cause problems.
>
>> However, this (and only this) works:
>>
>> ~> gpg --keyserver keyserver.ubuntu.com --search-keys
>> E3FF2839C048B25C084DEBE9B26995E310250568
>
> Have you tried some other keyservers like http://keys2.andreas-puls.de/ ?
> Or you can set some dirmngr options to get more diagnostic output
> in its logfile. (See dirmngr's documentation.)
>
> Regards,
> Bernhard
>

Thanks for your quick reply.

Set dirmngr to "verbose". The output points to a certificate-issue
(again my apologies to non German-speaking members):

  ~> cat dirmngr.log
  2021-07-28 16:06:49 dirmngr[4134] Es wird auf Socket `/run/user/1000/gnupg/S.dirmngr' gehört
  2021-07-28 16:06:49 dirmngr[4135.0]dauerhaft geladene Zertifikate: 0
  2021-07-28 16:06:49 dirmngr[4135.0] zwischengespeicherte Zertifikate: 0
  2021-07-28 16:06:49 dirmngr[4135.0] vertrauenswürdige Zertifikate: 0 (0,0,0,0)
  2021-07-28 16:06:49 dirmngr[4135.6] Handhabungsroutine für fd 6 gestartet
  2021-07-28 16:06:49 dirmngr[4135.6] connection from process 4132 (1000:1000)
  2021-07-28 16:06:50 dirmngr[4135.6] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
  2021-07-28 16:06:50 dirmngr[4135.6] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
  2021-07-28 16:06:50 dirmngr[4135.6] detected interfaces: IPv4 IPv6
  2021-07-28 16:06:50 dirmngr[4135.6] Zertifikat wurde zwischengespeichert
  2021-07-28 16:06:50 dirmngr[4135.6] Zertifikat wurde zwischengespeichert
  2021-07-28 16:06:50 dirmngr[4135.6] Hinweis: Die unkritische Zertifikatsrichtlinie ist nicht erlaubt
  2021-07-28 16:06:50 dirmngr[4135.6] Das Zertifikat ist korrekt
  2021-07-28 16:06:50 dirmngr[4135.6] Hinweis: Die unkritische Zertifikatsrichtlinie ist nicht erlaubt
  2021-07-28 16:06:50 dirmngr[4135.6] Das Zertifikat ist korrekt
  2021-07-28 16:06:50 dirmngr[4135.6] Hinweis: Die unkritische Zertifikatsrichtlinie ist nicht erlaubt
  2021-07-28 16:06:50 dirmngr[4135.6] Fehler beim Holen des Zertifikats mittels Subject: Konfigurationsfehler
  2021-07-28 16:06:50 dirmngr[4135.6] issuer certificate {C4A7B1A47B2C71FADBE14B9075FFC41560858910} not found using authorityKeyIdentifier
  2021-07-28 16:06:50 dirmngr[4135.6] Herausgeberzertifikat nicht gefunden
  2021-07-28 16:06:50 dirmngr[4135.6] issuer certificate: #/CN=DST Root CA X3,O=Digital Signature Trust Co.
  2021-07-28 16:06:50 dirmngr[4135.6] TLS handshake failed: Fehlendes Herausgeberzertifikat in der Kette
  2021-07-28 16:06:50 dirmngr[4135.6] Fehler beim Verbinden mit 'https://keys.openpgp.org:443': Fehlendes Herausgeberzertifikat in der Kette
  2021-07-28 16:06:50 dirmngr[4135.6] command 'KS_SEARCH' failed: Fehlendes Herausgeberzertifikat in der Kette
  2021-07-28 16:06:50 dirmngr[4135.6] Handhabungsroutine für den fd 6 beendet
  ~>

Have to admit that I'm a bit clueless here.
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
Hi Rainer,

On Wednesday 28 July 2021 11:22:18, Rainer Fiebig via Gnupg-users wrote:
> Hi! I'm having a problem when searching for keys on keyservers when
> using "gpg --search-keys".
>
> The only line in dirmngr.conf (except for comments) is:
> keyserver hkps://keys.openpgp.org

note that this particular keyserver has decided to be incompatible with
the current OpenPGP standard, by omitting a valid user id, unless
it was "validated".
(It says so in its FAQ and there is part of a discussion here
https://dev.gnupg.org/T4393#133695)
This could potentially cause problems.

> However, this (and only this) works:
>
> ~> gpg --keyserver keyserver.ubuntu.com --search-keys
> E3FF2839C048B25C084DEBE9B26995E310250568

Have you tried some other keyservers like http://keys2.andreas-puls.de/ ?
Or you can set some dirmngr options to get more diagnostic output
in its logfile. (See dirmngr's documentation.)

Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner