Bug#898085: gnupg: gpg --search-keys and parcimonie don't work: Tor misconfigured/keyserver EPERM

2018-07-28 Thread Cyril Brulebois
Hi,

And sorry for the lag…

intrigeri  (2018-07-08):
> So indeed, the default GnuPG configuration in Stretch cannot work out
> of the box once "use-tor" is enabled. One needs to:
> 
>  - either specify a keyserver whose hostname won't resolve to IPv6, like:
> 
>  echo 'keyserver hkp://jirk5u4osbsr34t5.onion' \
>   >> ~/.gnupg/dirmngr.conf

That plus killing dirmngr (so that it gets restarted) leads to a
successful key search indeed.

>  - or edit /etc/tor/torrc to enable the "IPv6Traffic" flag for the
>    "SocksPort" that's used by dirmngr, i.e. something along the lines
>    of:
> 
>  echo 'SocksPort 9050 IPv6Traffic' | sudo tee -a /etc/tor/torrc && \
>  sudo systemctl restart tor@default

Reverting the change above (and restarting dirmngr) and implementing
this instead also leads to a successful search.

> Can you please confirm that one of those fixes the problem you're
> facing?

Both do, thanks!


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#898085: gnupg: gpg --search-keys and parcimonie don't work: Tor misconfigured/keyserver EPERM

2018-07-08 Thread intrigeri
Control: reassign -1 dirmngr
Control: found -1 2.1.18-8~deb9u1
Control: found -1 2.1.18-8~deb9u2
Control: fixed -1 2.2.8-3

Hi,

intrigeri:
> I'm sure I've noticed this problem before and we've discussed it
> already, either with dkg or weasel, and I hope it's well tracked
> somewhere. I'll check and will then adjust BTS metadata accordingly.

FTR that was #849845, whose resolution was twofold:

 - tor now enables IPv6 traffic on the SocksPort by default
   (in stretch-backports and Buster)

 - if IPv6 traffic is not enabled, dirmngr now tells the user what the
   problem is and how to fix it (not sure in which version but
   definitely in the Buster one)

On the parcimonie side of things, I've updated the manpage so that
setup instructions should now cover most common cases. This will
be part of the upcoming 0.10.4 but of course that won't help
Stretch users.

This bug is clearly not in parcimonie, but in dirmngr: parcimonie
"just" triggers it 100% of the time on a default Stretch installation.
So I'm reassigning to dirmngr. I'd like to treat this bug report as
one about the UX with the default config in Stretch (while #849845 was
about how to fix the root cause of the problem in tor) but that it
does not affect Buster (thanks to the default Tor config change).

The thing is, the UX improvements mentioned on
https://dev.gnupg.org/T2902 *are* in Stretch:

 - dirmngr tells "Tor is not properly configured"
 - with --verbose, I see:
   gpg: (further info: Please check that the "SocksPort" flag "IPv6Traffic" is set in torrc)

… but honestly that does not seem good enough to me:

 - Quite simply, the fact someone like Cyril did not get what was
   going on, and that it took me some time to diagnose the problem,
   is quite telling in itself.

 - The fact that one needs to pass --verbose to have any clue what is
   going on is worrying: in a situation where the user is told
   something that's hard to understand already ("Tor is not properly
   configured", while Tor works just fine for most practical
   purposes), they should not have to guess yet they have to manually
   do another thing in order to be told what exactly is wrong with the
   tor configuration. I would suggest the IPv6Traffic hint is
   displayed by default on Stretch, and not guarded behind --verbose.
   On Buster and newer, IMO we can stick to what upstream does since
   the default Tor configuration was fixed, so this UX problem should
   be moot :)

Dear GnuPG maintainers, feel free to merge with #849845, adjust the
metadata as you wish, and possibly improve the UX in Stretch by
implementing the suggestion above or something better.
Or just call it something that won't affect enough Stretch users to
warrant a s-p-u and then wontfix, your call :)

Cheers,
-- 
intrigeri



Bug#898085: gnupg: gpg --search-keys and parcimonie don't work: Tor misconfigured/keyserver EPERM

2018-07-08 Thread intrigeri
Hi,

I've tested this in a clean Stretch VM.

I've added these lines to ~/.gnupg/dirmngr.conf in order to get more
info:

verbose
debug 1024

And what I see when searching for my key is:

Jul 08 05:57:22 debian systemd[1022]: Started GnuPG network certificate management daemon.
Jul 08 05:57:22 debian dirmngr[2574]: dirmngr[2574]: enabled debug flags: ipc
Jul 08 05:57:22 debian dirmngr[2574]: dirmngr[2574]: error opening '/home/toto/.gnupg/dirmngr_ldapservers.conf': No such file or directory
Jul 08 05:57:22 debian dirmngr[2574]: permanently loaded certificates: 0
Jul 08 05:57:22 debian dirmngr[2574]: runtime cached certificates: 0
Jul 08 05:57:22 debian dirmngr[2574]: handler for fd 5 started
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 -> # Home: /home/toto/.gnupg
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 -> # Config: /home/toto/.gnupg/dirmngr.conf
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 -> OK Dirmngr 2.1.18 at your service
Jul 08 05:57:22 debian dirmngr[2574]: connection from process 2573 (1000:1000)
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 <- GETINFO version
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 -> D 2.1.18
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 -> OK
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 <- KS_SEARCH -- intrig...@debian.org
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a01:4a0:59:1000:223:9eff:fe00:100f]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2600:1f16:41e:bd0a::73:6b73]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:470:1:116::6]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '216.66.15.2'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '192.146.137.11'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '68.187.0.77'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.15.53.138'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '37.191.226.104'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '18.191.65.131'
Jul 08 05:57:24 debian dirmngr[2574]: can't connect to '2001:bc8:4700:2300::10:f15': Permission denied
Jul 08 05:57:24 debian dirmngr[2574]: error connecting to 'https://[2001:bc8:4700:2300::10:f15]:443': Permission denied
Jul 08 05:57:24 debian dirmngr[2574]: (Tor configuration problem)
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> S WARNING tor_config_problem 0 Please check that the "SocksPort" flag "IPv6Traffic" is set in torrc
Jul 08 05:57:24 debian dirmngr[2574]: command 'KS_SEARCH' failed: Permission denied
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> ERR 167804929 Permission denied
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 <- BYE
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> OK closing connection
Jul 08 05:57:24 debian dirmngr[2574]: handler for fd 5 terminated

So indeed, the default GnuPG configuration in Stretch cannot work out
of the box once "use-tor" is enabled. One needs to:

 - either specify a keyserver whose hostname won't resolve to IPv6, like:

 echo 'keyserver hkp://jirk5u4osbsr34t5.onion' \
  >> ~/.gnupg/dirmngr.conf

 - or edit /etc/tor/torrc to enable the "IPv6Traffic" flag for the
   "SocksPort" that's used by dirmngr, i.e. something along the lines
   of:

 echo 'SocksPort 9050 IPv6Traffic' | sudo tee -a /etc/tor/torrc && \
 sudo systemctl restart tor@default

Can you please confirm that one of those fixes the problem
you're facing?

I'm sure I've noticed this problem before and we've discussed it
already, either with dkg or weasel, and I hope it's well tracked
somewhere. I'll check and will then adjust BTS metadata accordingly.

Cheers,
-- 
intrigeri
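
A static check for the condition diagnosed in the message above, as an added example that is not part of the thread or of any of the packages discussed. It models the Stretch default described in the thread, where tor does not enable IPv6 traffic unless the flag is set; the function names are hypothetical and port 9050 is the one quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): static check for the use-tor / IPv6Traffic
# failure diagnosed above. File paths are parameters; port 9050 is the one quoted
# in the thread.

# True if dirmngr.conf has an active "use-tor" line. GPGConf keeps a disabled
# "#use-tor" next to the live one, so commented lines must not count.
uses_tor() {
    grep -Eq '^[[:space:]]*use-tor[[:space:]]*$' "$1" 2>/dev/null
}

# True if at least one keyserver is configured and every one is a .onion host.
# With no keyserver line dirmngr falls back to its default pool.
onion_keyserver() {
    ks=$(sed -n 's/^[[:space:]]*keyserver[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" 2>/dev/null)
    [ -n "$ks" ] || return 1
    for k in $ks; do
        host=${k#*://}          # drop the scheme (hkp://, hkps://)
        host=${host%%[:/]*}     # drop port and path
        case "$host" in *.onion) ;; *) return 1 ;; esac
    done
    return 0
}

# True if an active SocksPort line for port 9050 carries the IPv6Traffic flag.
socks_ipv6() {
    grep -Eiq '^[[:space:]]*SocksPort[[:space:]]+([^[:space:]]*:)?9050[[:space:]]+(.*[[:space:]])?IPv6Traffic([[:space:]]|$)' "$1" 2>/dev/null
}

diagnose() {    # $1 = dirmngr.conf, $2 = torrc
    if ! uses_tor "$1"; then
        echo "not-affected: use-tor is not active in dirmngr.conf"
    elif onion_keyserver "$1"; then
        echo "ok: every configured keyserver is an onion service"
    elif socks_ipv6 "$2"; then
        echo "ok: SocksPort 9050 carries IPv6Traffic"
    else
        echo "affected: use-tor is active, keyserver may resolve to IPv6, SocksPort 9050 lacks IPv6Traffic"
    fi
}

# Constructed sample input: the dirmngr.conf shape posted in the thread and a
# torrc whose SocksPort has no flags.
demo=$(mktemp -d)
printf '%s\n' '###+++--- GPGConf ---+++###' '#use-tor' 'use-tor' > "$demo/dirmngr.conf"
printf '%s\n' 'SocksPort 9050' > "$demo/torrc"
diagnose "$demo/dirmngr.conf" "$demo/torrc"
```

On a real system the call would be `diagnose ~/.gnupg/dirmngr.conf /etc/tor/torrc`; on a tor that enables IPv6 traffic by default, an "affected" result from this check does not apply.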



Bug#898085: gnupg: gpg --search-keys and parcimonie don't work: Tor misconfigured/keyserver EPERM

2018-06-30 Thread Cyril Brulebois
Hi,

intrigeri  (2018-06-30):
> Thanks for the prompt reply!

No worries.

> OK, so it looks like I was wrong to reassign to parcimonie.
> Before I draw conclusions, I need a little bit more info:
> 
>  - Can you please check that tor listens on 127.0.0.1:9050 (TCP)?

Yes:
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      -

>  - Does "torsocks curl https://www.debian.org/" work fine?

Yes, I get the index page in less than a second.

>  - Could you please share your ~/.gnupg/dirmngr.conf and
>    ~/.gnupg/gpg.conf with me (possibly privately)?

I don't think there are (or were) private things in there. I did rename
.gnupg/ away a while ago, trying to get back to a default configuration
(which I never tweaked much anyway) before reporting this issue. AFAICT
the only bits of tweaking I did was reinjecting my private keys in
there. I suppose what you're seeing below is indeed the result of
parcimonie's integration bits (App/Parcimonie/GnuPG/Interface.pm at
first glance), with the auto enabling of use-tor.

kibi@armor:~$ cat .gnupg/dirmngr.conf

###+++--- GPGConf ---+++###
#use-tor
use-tor
###+++--- GPGConf ---+++### Sat 30 Jun 2018 16:33:06 CEST
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

No gpg.conf at all.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#898085: gnupg: gpg --search-keys and parcimonie don't work: Tor misconfigured/keyserver EPERM

2018-06-30 Thread intrigeri
Cyril Brulebois:
> intrigeri  (2018-06-30):
>> May I assume that you have no tor service running?

> Well:

> kibi@armor:~$ gpg --search-keys k...@mraw.org
> gpg: WARNING: Tor is not properly configured
> gpg: error searching keyserver: Permission denied
> gpg: keyserver search failed: Permission denied

> kibi@armor:~$ ps faux|grep tor
> debian-+ 895 0.0 0.2 89636 38352 ? Ss Jun23 8:52 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0

Thanks for the prompt reply!

OK, so it looks like I was wrong to reassign to parcimonie.
Before I draw conclusions, I need a little bit more info:

 - Can you please check that tor listens on 127.0.0.1:9050 (TCP)?

 - Does "torsocks curl https://www.debian.org/" work fine?

 - Could you please share your ~/.gnupg/dirmngr.conf and
   ~/.gnupg/gpg.conf with me (possibly privately)?


> I'm not sure I'm ticking all these boxes…

Indeed.

Cheers,
-- 
intrigeri



Bug#898085: gnupg: gpg --search-keys and parcimonie don't work: Tor misconfigured/keyserver EPERM

2018-06-30 Thread Cyril Brulebois
Hi,

intrigeri  (2018-06-30):
> I believe that for the time being, this problem cannot be fixed in
> GnuPG but rather in parcimonie.
> 
> Cyril Brulebois:
> > Ever since the dist-upgrade to stretch (last September), I'm unable to
> > search keys, and parcimonie is failing on me:
> > | kibi@armor:~$ gpg --search-keys some@mail.address
> > | gpg: WARNING: Tor is not properly configured
> > | gpg: error searching keyserver: Permission denied
> > | gpg: keyserver search failed: Permission denied
> 
> May I assume that you have no tor service running?

Well:

kibi@armor:~$ gpg --search-keys k...@mraw.org
gpg: WARNING: Tor is not properly configured
gpg: error searching keyserver: Permission denied
gpg: keyserver search failed: Permission denied

kibi@armor:~$ ps faux|grep tor
debian-+   895  0.0  0.2  89636 38352 ?        Ss   Jun23   8:52 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
kibi      3094  0.0  0.0 126772  3356 ?        Ss   Jun23   0:00 dirmngr --daemon --homedir /home/kibi/.local/share/torbrowser/gnupg_homedir
kibi      3099  0.0  0.0  91572   432 ?        Ss   Jun23   0:00 gpg-agent --homedir /home/kibi/.local/share/torbrowser/gnupg_homedir --use-standard-socket --daemon

> parcimonie enables the use-tor option in ~/.gnupg/dirmngr.conf.
> It's being debated on another bug report (filed against parcimonie)
> whether it's a feature or a bug, and if the latter how to fix it.
> Anyway: currently, as soon as parcimonie has been run once as a given
> user, then any dirmngr network operation run as that user requires
> a working tor daemon.
> 
> Now, parcimonie merely "Recommends: tor" (since 2011). I don't recall
> why I did not add a strict dependency back then; possibly I wanted to
> be nice to Tor Browser users who don't want to run a system tor, and
> instead use the tor that comes bundled with Tor Browser (there are
> good reasons for setting things up like this, such as having a single
> place to configure bridges etc. and being able to do so in a GUI).

Relatedly, I have this installed:

ii  torbrowser-launcher   0.2.9-3~bpo9+1

> So, in some way a Recommends is correct: one of the major use cases of
> parcimonie works just fine without Debian's tor service (using
> 3rd-party software though). OTOH, parcimonie will simply be broken for
> whoever has disabled installation of Recommends by default, unless
> they know exactly that they want to run tor in a different way, and
> how to do so. So there's a case to be made to turn this
> "Recommends: tor" into "Depends: tor".
> 
> > How come gpg fails this badly in stable, with a default configuration?
> 
> I think the default gpg configuration in stable works fine… as long as
> one is not unlucky enough to meet all these conditions:
> 
>  - having disabled installation of Recommends by default (or manually
>    de-installed tor, or manually disabled the tor service)
>  - not running Tor Browser
>  - having installed parcimonie

I'm not sure I'm ticking all these boxes…


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#898085: gnupg: gpg --search-keys and parcimonie don't work: Tor misconfigured/keyserver EPERM

2018-06-30 Thread intrigeri
Control: reassign -1 parcimonie
Control: tag -1 + moreinfo

Hi,

I believe that for the time being, this problem cannot be fixed in
GnuPG but rather in parcimonie.

Cyril Brulebois:
> Ever since the dist-upgrade to stretch (last September), I'm unable to
> search keys, and parcimonie is failing on me:
> | kibi@armor:~$ gpg --search-keys some@mail.address
> | gpg: WARNING: Tor is not properly configured
> | gpg: error searching keyserver: Permission denied
> | gpg: keyserver search failed: Permission denied

May I assume that you have no tor service running?

parcimonie enables the use-tor option in ~/.gnupg/dirmngr.conf.
It's being debated on another bug report (filed against parcimonie)
whether it's a feature or a bug, and if the latter how to fix it.
Anyway: currently, as soon as parcimonie has been run once as a given
user, then any dirmngr network operation run as that user requires
a working tor daemon.

Now, parcimonie merely "Recommends: tor" (since 2011). I don't recall
why I did not add a strict dependency back then; possibly I wanted to
be nice to Tor Browser users who don't want to run a system tor, and
instead use the tor that comes bundled with Tor Browser (there are
good reasons for setting things up like this, such as having a single
place to configure bridges etc. and being able to do so in a GUI).

So, in some way a Recommends is correct: one of the major use cases of
parcimonie works just fine without Debian's tor service (using
3rd-party software though). OTOH, parcimonie will simply be broken for
whoever has disabled installation of Recommends by default, unless
they know exactly that they want to run tor in a different way, and
how to do so. So there's a case to be made to turn this
"Recommends: tor" into "Depends: tor".

> How come gpg fails this badly in stable, with a default configuration?

I think the default gpg configuration in stable works fine… as long as
one is not unlucky enough to meet all these conditions:

 - having disabled installation of Recommends by default (or manually
   de-installed tor, or manually disabled the tor service)
 - not running Tor Browser
 - having installed parcimonie

Cheers,
-- 
intrigeri



Bug#898085: gnupg: gpg --search-keys and parcimonie don't work: Tor misconfigured/keyserver EPERM

2018-05-06 Thread Cyril Brulebois
Package: gnupg
Version: 2.1.18-8~deb9u1
Severity: important

Hi,

Ever since the dist-upgrade to stretch (last September), I'm unable to
search keys, and parcimonie is failing on me:
| kibi@armor:~$ gpg --search-keys some@mail.address
| gpg: WARNING: Tor is not properly configured
| gpg: error searching keyserver: Permission denied
| gpg: keyserver search failed: Permission denied

and:
| Sleeping for 1 hour and 32 minutes...
| Fetching key ...
| Failed to fetch key : gpg:
| WARNING: Tor is not properly configured
| gpg: keyserver receive failed: Permission denied
|  at /usr/share/perl5/App/Parcimonie/Daemon.pm line 350.
| .
| Sleeping for 1 day and 4 minutes...

I've also had much trouble with caff but I don't have specific logs
handy any more; I just remember having trashed the whole .gnupg
directory and reinjected keys there, to be extra sure I had no specific
configuration files that might be getting in the way.

How come gpg fails this badly in stable, with a default configuration?


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  gnupg-agent    2.1.18-8~deb9u1
ii  libassuan0     2.4.3-2
ii  libbz2-1.0     1.0.6-8.1
ii  libc6          2.24-11+deb9u3
ii  libgcrypt20    1.7.6-2+deb9u2
ii  libgpg-error0  1.26-2
ii  libksba8       1.3.5-2
ii  libreadline7   7.0-3
ii  libsqlite3-0   3.16.2-5+deb9u1
ii  zlib1g         1:1.2.8.dfsg-5

Versions of packages gnupg recommends:
ii  dirmngr 2.1.18-8~deb9u1
ii  gnupg-l10n  2.1.18-8~deb9u1

Versions of packages gnupg suggests:
ii  parcimonie  0.10.2-4
pn  xloadimage  

-- no debconf information