I know some people on here sign their messages and I understand why at least some of them do it. What I don't understand is how to make use of those signatures.

Taking just one recent signed message as an example, I tried to check the signature on one of Carlos' recent messages. When I clicked on the icon to verify it my MUA (Claws) said:

    Key 0xB533181C6D8D47D5 not available to verify this signature

and when I look at a more detailed explanation, it says:

    Importing key ID B533181C6D8D47D5:

    This key couldn't be imported to your keyring. Key servers are sometimes slow. You can try to import it manually with the command:

    "/usr/bin/gpg2" --batch --no-tty --recv-keys B533181C6D8D47D5

When I try to run that command (and I have no idea why it quotes the command - what's that all about?):

    $ "/usr/bin/gpg2" --batch --no-tty --recv-keys B533181C6D8D47D5
    gpg: keyserver receive failed: Cannot assign requested address

Searching hasn't provided me with any enlightenment and the man page doesn't list or explain the error messages. So can anybody point me to an idiot's guide to what's supposed to happen and how to make it so?

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On Saturday, 27 July 2019, 22:36:00 CEST, Dave Howorth wrote:
Searching hasn't provided me with any enlightenment and the man page doesn't list or explain the error messages. So can anybody point me to an idiot's guide to what's supposed to happen and how to make it so?
the shortest possible version: you are trying to fetch the key from a keyserver that is broken / dead, or you don't have a keyserver listed in ~/.gnupg/gpg.conf

edit the file ~/.gnupg/gpg.conf and find the line that starts with the keyword "keyserver", and make sure you list one that works. Then gpg --recv-keys should work as expected.

I have this in my gpg.conf:

    keyserver hkp://pool.sks-keyservers.net

and it works fine.

Cheers
MH

*Mathias Homann*
Senior Systems Engineer, IT Consultant. IT Trainer
Mathias.Homann@eregion.de
LinkedIn: http://de.linkedin.com/in/mathiashomann/
*gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102*
On 7/27/19 11:44 PM, Mathias Homann wrote:
On Saturday, 27 July 2019, 22:36:00 CEST, Dave Howorth wrote:
Searching hasn't provided me with any enlightenment and the man page doesn't list or explain the error messages. So can anybody point me to an idiot's guide to what's supposed to happen and how to make it so?
the shortest possible version: you are trying to fetch the key from a keyserver that is broken / dead, or you don't have a keyserver listed in ~/.gnupg/gpg.conf
edit the file ~/.gnupg/gpg.conf and find the line that starts with the keyword "keyserver", and make sure you list one that works. Then gpg --recv-keys should work as expected.
I have this in my gpg.conf:

    keyserver hkp://pool.sks-keyservers.net

keyserver option should be put in ~/.gnupg/dirmngr.conf now.

Also, considering recent news[0], it should be

    keyserver hkps://keys.openpgp.org

[0]: <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>
On Sun, 28 Jul 2019 03:05:03 +0200 Oleksii Vilchanskyi <oleksii.vilchanskyi@gmail.com> wrote:
On 7/27/19 11:44 PM, Mathias Homann wrote:
On Saturday, 27 July 2019, 22:36:00 CEST, Dave Howorth wrote:
Searching hasn't provided me with any enlightenment and the man page doesn't list or explain the error messages. So can anybody point me to an idiot's guide to what's supposed to happen and how to make it so?
the shortest possible version: you are trying to fetch the key from a keyserver that is broken / dead, or you don't have a keyserver listed in ~/.gnupg/gpg.conf
edit the file ~/.gnupg/gpg.conf and find the line that starts with the keyword "keyserver", and make sure you list one that works. Then gpg --recv-keys should work as expected.
I have this in my gpg.conf:

    keyserver hkp://pool.sks-keyservers.net

keyserver option should be put in ~/.gnupg/dirmngr.conf now.

Also, considering recent news[0], it should be

    keyserver hkps://keys.openpgp.org
[0]: <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>
Thanks, yes I remember seeing that news about key poisoning. So I've commented out the default keyserver line in gpg.conf and created a dirmngr.conf with just that line in it. It has changed what happens; now I see:

    $ /usr/bin/gpg2 --batch --no-tty --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1

and Claws still says the key is not available
On 7/28/19 12:26 PM, Dave Howorth wrote:
On Sun, 28 Jul 2019 03:05:03 +0200 Oleksii Vilchanskyi <oleksii.vilchanskyi@gmail.com> wrote:
On 7/27/19 11:44 PM, Mathias Homann wrote:
On Saturday, 27 July 2019, 22:36:00 CEST, Dave Howorth wrote:
Searching hasn't provided me with any enlightenment and the man page doesn't list or explain the error messages. So can anybody point me to an idiot's guide to what's supposed to happen and how to make it so?
the shortest possible version: you are trying to fetch the key from a keyserver that is broken / dead, or you don't have a keyserver listed in ~/.gnupg/gpg.conf
edit the file ~/.gnupg/gpg.conf and find the line that starts with the keyword "keyserver", and make sure you list one that works. Then gpg --recv-keys should work as expected.
I have this in my gpg.conf:

    keyserver hkp://pool.sks-keyservers.net

keyserver option should be put in ~/.gnupg/dirmngr.conf now.

Also, considering recent news[0], it should be

    keyserver hkps://keys.openpgp.org
[0]: <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>
Thanks, yes I remember seeing that news about key poisoning. So I've commented out the default keyserver line in gpg.conf and created a dirmngr.conf with just that line in it. It has changed what happens; now I see:
    $ /usr/bin/gpg2 --batch --no-tty --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
and Claws still says the key is not available
In my case:
    % gpg -v --recv-keys B533181C6D8D47D5
    gpg: data source: https://keys.openpgp.org:443
    Notice the data source ^
    gpg: pub dsa1024/0xB533181C6D8D47D5 2004-03-22
    gpg: key 0xB533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
You might also see in there
    gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
    gpg: waiting for the dirmngr to come up ... (5s)
    gpg: connection to dirmngr established
My configuration:
    % gpg --version
    gpg (GnuPG) 2.2.17
    libgcrypt 1.8.4

    % grep -ve "^#" ~/.gnupg/gpg-agent.conf
    enable-ssh-support
    pinentry-program /usr/bin/pinentry-qt
    default-cache-ttl 60
    max-cache-ttl 120

    % grep -ve "^#" ~/.gnupg/gpg.conf
    personal-cipher-preferences AES256 AES192 AES
    personal-digest-preferences SHA512 SHA384 SHA256
    personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
    default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
    cert-digest-algo SHA512
    s2k-digest-algo SHA512
    s2k-cipher-algo AES256
    charset utf-8
    fixed-list-mode
    no-comments
    no-emit-version
    keyid-format 0xlong
    list-options show-uid-validity
    verify-options show-uid-validity
    with-fingerprint
    with-key-origin
    require-cross-certification
    no-symkey-cache
    throw-keyids
    use-agent

    % grep -ve "^#" ~/.gnupg/dirmngr.conf
    keyserver hkps://keys.openpgp.org
    verbose
    log-file /home/user/gnupg.log

If you won't figure it out after this message, you should probably ask gnupg mailing lists.
On 28/07/2019 12.26, Dave Howorth wrote:
On Sun, 28 Jul 2019 03:05:03 +0200 Oleksii Vilchanskyi <> wrote:
Thanks, yes I remember seeing that news about key poisoning. So I've commented out the default keyserver line in gpg.conf and created a dirmngr.conf with just that line in it. It has changed what happens; now I see:
    $ /usr/bin/gpg2 --batch --no-tty --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
and Claws still says the key is not available
I'll try with a new user.

    cer-g@Telcontar:~> l /usr/bin/gpg
    lrwxrwxrwx 1 root root 4 Jan 7 2019 /usr/bin/gpg -> gpg2*
    cer-g@Telcontar:~> gpg --list-keys
    cer-g@Telcontar:~>

    File .gnupg/dirmngr.conf saved

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: lookup_hashtable failed: Unknown system error
    gpg: trustdb: searching trust record failed: Unknown system error
    gpg: Error: The trustdb is corrupted.
    gpg: You may try to re-create the trustdb using the commands:
    gpg: cd ~/.gnupg
    gpg: gpg --export-ownertrust > otrust.tmp
    gpg: rm trustdb.gpg
    gpg: gpg --import-ownertrust < otrust.tmp
    gpg: If that does not work, please consult the manual
    cer-g@Telcontar:~> l .gnupg/trustdb.gpg
    -rw------- 1 cer-g cer 40 Sep 28 2014 .gnupg/trustdb.gpg
    cer-g@Telcontar:~>
    cer-g@Telcontar:~> rm .gnupg/trustdb.gpg
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: key B533181C6D8D47D5: "Carlos E. R. (cer) <robin.listas@telefonica.net>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    cer-g@Telcontar:~>

It works fine here. But I use a slightly different command.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
On Sun, 28 Jul 2019 16:36:29 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 28/07/2019 12.26, Dave Howorth wrote:
On Sun, 28 Jul 2019 03:05:03 +0200 Oleksii Vilchanskyi <> wrote:
Thanks, yes I remember seeing that news about key poisoning. So I've commented out the default keyserver line in gpg.conf and created a dirmngr.conf with just that line in it. It has changed what happens; now I see:
    $ /usr/bin/gpg2 --batch --no-tty --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
and Claws still says the key is not available
I'll try with a new user.
    cer-g@Telcontar:~> l /usr/bin/gpg
    lrwxrwxrwx 1 root root 4 Jan 7 2019 /usr/bin/gpg -> gpg2*
    cer-g@Telcontar:~> gpg --list-keys
    cer-g@Telcontar:~>

    File .gnupg/dirmngr.conf saved

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: lookup_hashtable failed: Unknown system error
    gpg: trustdb: searching trust record failed: Unknown system error
    gpg: Error: The trustdb is corrupted.
    gpg: You may try to re-create the trustdb using the commands:
    gpg: cd ~/.gnupg
    gpg: gpg --export-ownertrust > otrust.tmp
    gpg: rm trustdb.gpg
    gpg: gpg --import-ownertrust < otrust.tmp
    gpg: If that does not work, please consult the manual
    cer-g@Telcontar:~> l .gnupg/trustdb.gpg
    -rw------- 1 cer-g cer 40 Sep 28 2014 .gnupg/trustdb.gpg
    cer-g@Telcontar:~>
    cer-g@Telcontar:~> rm .gnupg/trustdb.gpg
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: key B533181C6D8D47D5: "Carlos E. R. (cer) <robin.listas@telefonica.net>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    cer-g@Telcontar:~>
It works fine here. But I use a slightly different command.
Sorry, I've no idea what you did above. Why does it say 'File .gnupg/dirmngr.conf saved' in the middle of nowhere for example?

and why do I get different output when I run:

    $ gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1

It all seems far too complicated. IIRC my original request was to be pointed to an idiot's guide. Since it appears there isn't one, I'll just give up and trust you are who you appear to be :)

Thanks for your time Carlos, Oleksii and Mathias.

Cheers, Dave
On 28/07/2019 17.05, Dave Howorth wrote:
On Sun, 28 Jul 2019 16:36:29 +0200 "Carlos E. R." <> wrote:
I'll try with a new user.
    cer-g@Telcontar:~> l /usr/bin/gpg
    lrwxrwxrwx 1 root root 4 Jan 7 2019 /usr/bin/gpg -> gpg2*
    cer-g@Telcontar:~> gpg --list-keys
    cer-g@Telcontar:~>

    File .gnupg/dirmngr.conf saved

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: lookup_hashtable failed: Unknown system error
    gpg: trustdb: searching trust record failed: Unknown system error
    gpg: Error: The trustdb is corrupted.
    gpg: You may try to re-create the trustdb using the commands:
    gpg: cd ~/.gnupg
    gpg: gpg --export-ownertrust > otrust.tmp
    gpg: rm trustdb.gpg
    gpg: gpg --import-ownertrust < otrust.tmp
    gpg: If that does not work, please consult the manual
    cer-g@Telcontar:~> l .gnupg/trustdb.gpg
    -rw------- 1 cer-g cer 40 Sep 28 2014 .gnupg/trustdb.gpg
    cer-g@Telcontar:~>
    cer-g@Telcontar:~> rm .gnupg/trustdb.gpg
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: key B533181C6D8D47D5: "Carlos E. R. (cer) <robin.listas@telefonica.net>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    cer-g@Telcontar:~>
It works fine here. But I use a slightly different command.
Sorry, I've no idea what you did above. Why does it say 'File .gnupg/dirmngr.conf saved' in the middle of nowhere for example?
Oh, that's the last line of the editor, where I wrote that file and verified the configuration. Sorry it confused you.
and why do I get different output when I run:
    $ gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1

I don't know what "no user ID" means. I don't get that here, even on a new user.

It might mean that you do not have your own key, but I don't see why that would be a problem: after all, my new user doesn't have it and has no problem importing public keys.

You could try creating a new user, and repeat the command there. If it works there, then your configuration has some problem.
It all seems far too complicated. IIRC my original request was to be pointed to an idiot's guide. Since it appears there isn't one, I'll just give up and trust you are who you appear to be :)
Oh, there is a howto. It is the official one. Google "gpg howto", found:

<https://gnupg.org/documentation/howtos.html>

Actually, several. :-D
Thanks for your time Carlos, Oleksii and Mathias.
Glad to :-)

It should "just work" for you, but there must be some problem on your system we don't know about, what it is.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
On 7/28/19 5:45 PM, Carlos E. R. wrote:
On 28/07/2019 17.05, Dave Howorth wrote:
On Sun, 28 Jul 2019 16:36:29 +0200 "Carlos E. R." <> wrote:
I'll try with a new user.
    cer-g@Telcontar:~> l /usr/bin/gpg
    lrwxrwxrwx 1 root root 4 Jan 7 2019 /usr/bin/gpg -> gpg2*
    cer-g@Telcontar:~> gpg --list-keys
    cer-g@Telcontar:~>

    File .gnupg/dirmngr.conf saved

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: lookup_hashtable failed: Unknown system error
    gpg: trustdb: searching trust record failed: Unknown system error
    gpg: Error: The trustdb is corrupted.
    gpg: You may try to re-create the trustdb using the commands:
    gpg: cd ~/.gnupg
    gpg: gpg --export-ownertrust > otrust.tmp
    gpg: rm trustdb.gpg
    gpg: gpg --import-ownertrust < otrust.tmp
    gpg: If that does not work, please consult the manual
    cer-g@Telcontar:~> l .gnupg/trustdb.gpg
    -rw------- 1 cer-g cer 40 Sep 28 2014 .gnupg/trustdb.gpg
    cer-g@Telcontar:~>
    cer-g@Telcontar:~> rm .gnupg/trustdb.gpg
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: key B533181C6D8D47D5: "Carlos E. R. (cer) <robin.listas@telefonica.net>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    cer-g@Telcontar:~>
It works fine here. But I use a slightly different command.
Sorry, I've no idea what you did above. Why does it say 'File .gnupg/dirmngr.conf saved' in the middle of nowhere for example?
Oh, that's the last line of the editor, where I wrote that file and verified the configuration. Sorry it confused you.
and why do I get different output when I run:
    $ gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
I don't know what "no user ID" means. I don't get that here, even on a new user.
It might mean that you do not have your own key, but I don't see why that would be a problem: after all, my new user doesn't have it and has no problem importing public keys.
I had your key already imported, so I somehow missed that the operation failed. I must have not imported any key since the issue that required changing the keyserver.

It looks like the problem comes from gnupg itself[0] and requires a patch to be merged for keyservers like keys.openpgp.org. Open-source being open-source, it can happen tomorrow or in 10 years, so right now you should probably use --keyserver keys.gnupg.net for retrieving keys that you know are not poisoned. Not sure how to check it in beforehand. Setting keyserver back (to keys.gnupg.net) in config is a bad idea, because that makes you one gpg --refresh-keys from a disaster. But apparently gpg has 'other tasks in master that are more important'.

[0]: <https://dev.gnupg.org/T4393>
You could try creating a new user, and repeat the command there. If it works there, then your configuration has some problem.
It all seems far too complicated. IIRC my original request was to be pointed to an idiot's guide. Since it appears there isn't one, I'll just give up and trust you are who you appear to be :)
@Dave: Start with Archwiki[0]. Also see "see also" section.

If you want to set it up once and so that everything "just works", I suggest buying a Yubikey and following this[1] excellent guide to create a smartcard out of it. Including SSH, everything will work seamlessly and you would only need to remember the Yubikey PIN (with all other passwords stored in a password manager). I recommend KeepassXC as a password manager: it supports advanced features such as OTP (and so does Yubikey). You can also use Yubikey to login into your PC, etc. It is a very capable device for its money.

[0] <https://wiki.archlinux.org/index.php/GnuPG>
[1] <https://github.com/drduh/YubiKey-Guide>
Oh, there is a howto. It is the official one. Google "gpg howto", found:
<https://gnupg.org/documentation/howtos.html>
Actually, several. :-D
Thanks for your time Carlos, Oleksii and Mathias.
Glad to :-)
It should "just work" for you, but there must be some problem on your system we don't know about, what it is.
On 28/07/2019 19.09, Oleksii Vilchanskyi wrote:
On 7/28/19 5:45 PM, Carlos E. R. wrote:
On 28/07/2019 17.05, Dave Howorth wrote:
On Sun, 28 Jul 2019 16:36:29 +0200 "Carlos E. R." <> wrote:
I'll try with a new user.
    cer-g@Telcontar:~> l /usr/bin/gpg
    lrwxrwxrwx 1 root root 4 Jan 7 2019 /usr/bin/gpg -> gpg2*
    cer-g@Telcontar:~> gpg --list-keys
    cer-g@Telcontar:~>

    File .gnupg/dirmngr.conf saved

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: lookup_hashtable failed: Unknown system error
    gpg: trustdb: searching trust record failed: Unknown system error
    gpg: Error: The trustdb is corrupted.
    gpg: You may try to re-create the trustdb using the commands:
    gpg: cd ~/.gnupg
    gpg: gpg --export-ownertrust > otrust.tmp
    gpg: rm trustdb.gpg
    gpg: gpg --import-ownertrust < otrust.tmp
    gpg: If that does not work, please consult the manual
    cer-g@Telcontar:~> l .gnupg/trustdb.gpg
    -rw------- 1 cer-g cer 40 Sep 28 2014 .gnupg/trustdb.gpg
    cer-g@Telcontar:~>
    cer-g@Telcontar:~> rm .gnupg/trustdb.gpg
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: key B533181C6D8D47D5: "Carlos E. R. (cer) <robin.listas@telefonica.net>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    cer-g@Telcontar:~>
It works fine here. But I use a slightly different command.
Sorry, I've no idea what you did above. Why does it say 'File .gnupg/dirmngr.conf saved' in the middle of nowhere for example?
Oh, that's the last line of the editor, where I wrote that file and verified the configuration. Sorry it confused you.
and why do I get different output when I run:
    $ gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
I don't know what "no user ID" means. I don't get that here, even on a new user.
It might mean that you do not have your own key, but I don't see why that would be a problem: after all, my new user doesn't have it and has no problem importing public keys.
I had your key already imported, so I somehow missed that the operation failed. I must have not imported any key since the issue that required changing the keyserver.
It did not fail here. I tried the operation under a new user that has no key imported and no key of his own defined.

    cer-g@Telcontar:~> cat .gnupg/dirmngr.conf
    keyserver hkps://keys.openpgp.org
    cer-g@Telcontar:~>

gpg.conf is the default one, has the line:

    keyserver hkp://keys.gnupg.net

so it was probably retrieved from there.

If I remove that line (and delete pubring.kbx and trustdb.gpg in order to try again), then it fails, same error as Dave gets:

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~>

If I add that line it works again:

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: /home/cer-g/.gnupg/trustdb.gpg: trustdb created
    gpg: key B533181C6D8D47D5: public key "Carlos E. R. (cer) <robin.listas@...>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1
    cer-g@Telcontar:~>

So it is that new server (hkps://keys.openpgp.org) which fails.
It looks like the problem comes from gnupg itself[0] and requires a patch to be merged for keyservers like keys.openpgp.org. Open-source being open-source, it can happen tomorrow or in 10 years, so right now you should probably use --keyserver keys.gnupg.net for retrieving keys that you know are not poisoned. Not sure how to check it in beforehand. Setting keyserver back (to keys.gnupg.net) in config is a bad idea, because that makes you one gpg --refresh-keys from a disaster. But apparently gpg has 'other tasks in master that are more important'.
-- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
28.07.2019 21:31, Carlos E. R. wrote:

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~>

Sounds like

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930665

Care to open openSUSE bug? It is apparently fixed in gpg.
If I add that line it works again:
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: /home/cer-g/.gnupg/trustdb.gpg: trustdb created
    gpg: key B533181C6D8D47D5: public key "Carlos E. R. (cer) <robin.listas@...>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1
    cer-g@Telcontar:~>
So it is that new server (hkps://keys.openpgp.org) which fails.
On 28/07/2019 20.38, Andrei Borzenkov wrote:
28.07.2019 21:31, Carlos E. R. wrote:

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~>
Sounds like
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930665
Care to open openSUSE bug? It is apparently fixed in gpg.
I get that error when the active keyserver is hkps://keys.openpgp.org, but not when it is hkp://keys.gnupg.net, it seems.

I can do more testing to see if it is that, or using dirmngr.conf.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
On 28/07/2019 20.53, Carlos E. R. wrote:
On 28/07/2019 20.38, Andrei Borzenkov wrote:
28.07.2019 21:31, Carlos E. R. wrote:

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~>
Sounds like
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930665
Care to open openSUSE bug? It is apparently fixed in gpg.
I get that error when the active keyserver is hkps://keys.openpgp.org, but not when it is hkp://keys.gnupg.net, it seems.
I can do more testing to see if it is that, or using dirmngr.conf.
    cer-g@Telcontar:~> gpg --list-keys
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~> cat .gnupg/dirmngr.conf
    keyserver hkp://keys.gnupg.net
    keyserver hkps://keys.openpgp.org
    cer-g@Telcontar:~> mc .gnupg/

    cer-g@Telcontar:~> gpg --list-keys
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: /home/cer-g/.gnupg/trustdb.gpg: trustdb created
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~> cat .gnupg/dirmngr.conf
    keyserver hkps://keys.openpgp.org
    keyserver hkp://keys.gnupg.net
    cer-g@Telcontar:~>

With no dirmngr.conf and gpg.conf containing:

    keyserver hkp://keys.gnupg.net
    #keyserver http://http-keys.gnupg.net
    #keyserver mailto:pgp-public-keys@keys.nl.pgp.net
    keyserver hkps://keys.openpgp.org

it does not work. With:

    keyserver hkps://keys.openpgp.org
    keyserver hkp://keys.gnupg.net
    #keyserver http://http-keys.gnupg.net
    #keyserver mailto:pgp-public-keys@keys.nl.pgp.net

It works.

Conclusion:

1) this server "hkps://keys.openpgp.org" does not work, at least on Leap 15.0

2) file .gnupg/dirmngr.conf does not work.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
On 7/28/19 9:28 PM, Carlos E. R. wrote:
On 28/07/2019 20.53, Carlos E. R. wrote:
On 28/07/2019 20.38, Andrei Borzenkov wrote:
28.07.2019 21:31, Carlos E. R. wrote:

    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~>
Sounds like
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930665
Care to open openSUSE bug? It is apparently fixed in gpg.
I get that error when the active keyserver is hkps://keys.openpgp.org, but not when it is hkp://keys.gnupg.net, it seems.
I can do more testing to see if it is that, or using dirmngr.conf.
    cer-g@Telcontar:~> gpg --list-keys
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~> cat .gnupg/dirmngr.conf
    keyserver hkp://keys.gnupg.net
    keyserver hkps://keys.openpgp.org
    cer-g@Telcontar:~> mc .gnupg/

    cer-g@Telcontar:~> gpg --list-keys
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: /home/cer-g/.gnupg/trustdb.gpg: trustdb created
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~> cat .gnupg/dirmngr.conf
    keyserver hkps://keys.openpgp.org
    keyserver hkp://keys.gnupg.net
    cer-g@Telcontar:~>
With no dirmngr.conf and gpg.conf containing:
    keyserver hkp://keys.gnupg.net
    #keyserver http://http-keys.gnupg.net
    #keyserver mailto:pgp-public-keys@keys.nl.pgp.net
    keyserver hkps://keys.openpgp.org
it does not work. With:
    keyserver hkps://keys.openpgp.org
    keyserver hkp://keys.gnupg.net
    #keyserver http://http-keys.gnupg.net
    #keyserver mailto:pgp-public-keys@keys.nl.pgp.net
It works.
'keyserver' should be specified in dirmngr.conf, and only once. To override, use --keyserver <keyserver>. It's that simple. You are over[thinking/testing] the problem.
Conclusion:
1) this server "hkps://keys.openpgp.org" does not work, at least on Leap 15.0
...which I wrote 4 thread messages before, and linked to the upstream merge request that fixes it.
2) file .gnupg/dirmngr.conf does not work.
That simply is not true.
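A small linter for the keyserver advice given in this thread (keyserver in dirmngr.conf, listed only once, hkps:// rather than hkp://), as an added example that is not part of any poster's message. The function names are hypothetical and the sample files built in demo() are constructed from the configurations quoted above.

```shell
#!/bin/sh
# Added example (not from any message in the thread). Lints the keyserver
# settings in a GnuPG home against the advice given above. Function names
# are hypothetical; the sample files in demo() are constructed.

# Print each active (uncommented) keyserver URL in a config file.
# "#keyserver ..." and "keyserver-options ..." lines do not match.
keyserver_lines() {
    [ -f "$1" ] || return 0
    awk '$1 == "keyserver" && NF >= 2 { print $2 }' "$1"
}

# Audit one GnuPG home. Prints one finding per line; returns 0 only if clean.
audit_gnupg_home() {
    home=$1
    findings=0
    gpg_servers=$(keyserver_lines "$home/gpg.conf")
    dirmngr_servers=$(keyserver_lines "$home/dirmngr.conf")

    # Advice from the thread: the keyserver option belongs in dirmngr.conf.
    if [ -n "$gpg_servers" ]; then
        echo "MOVE: keyserver is set in gpg.conf, expected in dirmngr.conf"
        findings=$((findings + 1))
    fi

    # Advice from the thread: list the keyserver only once.
    count=$(printf '%s\n' "$dirmngr_servers" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        echo "MULTIPLE: $count keyserver lines in dirmngr.conf, expected 1"
        findings=$((findings + 1))
    fi

    # hkp:// is HKP over plain HTTP; hkps:// runs it over TLS.
    # Keyserver URLs contain no whitespace, so word splitting is safe here.
    for url in $gpg_servers $dirmngr_servers; do
        case $url in
            hkps://*) ;;
            *)
                echo "SCHEME: $url does not use hkps://"
                findings=$((findings + 1))
                ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Constructed sample: a GnuPG home mixing the settings quoted in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/gpg.conf" <<'EOF'
keyserver hkp://keys.gnupg.net
#keyserver http://http-keys.gnupg.net
keyserver-options verbose
EOF
    cat > "$tmp/dirmngr.conf" <<'EOF'
keyserver hkp://keys.gnupg.net
keyserver hkps://keys.openpgp.org
EOF
    audit_gnupg_home "$tmp" || true
    rm -rf "$tmp"
}

demo
```

Run `audit_gnupg_home ~/.gnupg` to check a real home directory; it only reads the two config files.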
On 28/07/2019 22.05, Oleksii Vilchanskyi wrote:
On 7/28/19 9:28 PM, Carlos E. R. wrote:
On 28/07/2019 20.53, Carlos E. R. wrote:
On 28/07/2019 20.38, Andrei Borzenkov wrote:
28.07.2019 21:31, Carlos E. R. wrote:
I can do more testing to see if it is that, or using dirmngr.conf.
    cer-g@Telcontar:~> gpg --list-keys
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~> cat .gnupg/dirmngr.conf
    keyserver hkp://keys.gnupg.net
    keyserver hkps://keys.openpgp.org
    cer-g@Telcontar:~> mc .gnupg/

    cer-g@Telcontar:~> gpg --list-keys
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: /home/cer-g/.gnupg/trustdb.gpg: trustdb created
    cer-g@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~> cat .gnupg/dirmngr.conf
    keyserver hkps://keys.openpgp.org
    keyserver hkp://keys.gnupg.net
    cer-g@Telcontar:~>
With no dirmngr.conf and gpg.conf containing:
    keyserver hkp://keys.gnupg.net
    #keyserver http://http-keys.gnupg.net
    #keyserver mailto:pgp-public-keys@keys.nl.pgp.net
    keyserver hkps://keys.openpgp.org
it does not work. With:
    keyserver hkps://keys.openpgp.org
    keyserver hkp://keys.gnupg.net
    #keyserver http://http-keys.gnupg.net
    #keyserver mailto:pgp-public-keys@keys.nl.pgp.net
It works.
'keyserver' should be specified in dirmngr.conf, and only once.
What is the advantage of that file, if it only allows one entry?
To override, use --keyserver <keyserver>. It's that simple. You are over[thinking/testing] the problem.
Using a switch on the command is not workable, if I want enigmail to work.
Conclusion:
1) this server "hkps://keys.openpgp.org" does not work, at least on Leap 15.0
...which I wrote 4 thread messages before, and linked to the upstream merge request that fixes it.
2) file .gnupg/dirmngr.conf does not work.
That simply is not true.
Well, any entry I write there fails:

    cer-g@Telcontar:~/.gnupg> gpg --list-keys
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: /home/cer-g/.gnupg/trustdb.gpg: trustdb created
    cer-g@Telcontar:~/.gnupg> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~/.gnupg> cat dirmngr.conf
    keyserver hkps://keys.openpgp.org
    cer-g@Telcontar:~/.gnupg>

    cer-g@Telcontar:~/.gnupg> gpg --list-keys
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: /home/cer-g/.gnupg/trustdb.gpg: trustdb created
    cer-g@Telcontar:~/.gnupg> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: no user ID
    gpg: Total number processed: 1
    cer-g@Telcontar:~/.gnupg> cat dirmngr.conf
    keyserver hkp://keys.gnupg.net
    cer-g@Telcontar:~/.gnupg>

Whereas on gpg.conf they work. At least one of the servers:

    cer-g@Telcontar:~/.gnupg> cat /etc/sysconfig/SuSEfirewall2 | egrep -v "^[[:space:]]*$|^#" | grep keyserver
    cer-g@Telcontar:~/.gnupg> cat gpg.conf | egrep -v "^[[:space:]]*$|^#" | grep keyserver
    keyserver hkp://keys.gnupg.net
    cer-g@Telcontar:~/.gnupg> cat dirmngr.conf
    #keyserver hkp://keys.gnupg.net
    cer-g@Telcontar:~/.gnupg> gpg --list-keys
    gpg: keybox '/home/cer-g/.gnupg/pubring.kbx' created
    gpg: /home/cer-g/.gnupg/trustdb.gpg: trustdb created
    cer-g@Telcontar:~/.gnupg> gpg --recv-keys B533181C6D8D47D5
    gpg: key B533181C6D8D47D5: 27 signatures not checked due to missing keys
    gpg: key B533181C6D8D47D5: public key "Carlos E. R. (cer) <robin.listas@...>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1
    cer-g@Telcontar:~/.gnupg>

For all the tests, I delete pubring.kbx and trustdb.gpg, then use "gpg --list-keys" to initialize them.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
On 27/07/2019 22.36, Dave Howorth wrote:
I know some people on here sign their messages and I understand why at least some of them do it. What I don't understand is how to make use of those signatures.
Taking just one recent signed message as an example, I tried to check the signature on one of Carlos' recent messages. When I clicked on the icon to verify it my MUA (Claws) said:
Key 0xB533181C6D8D47D5 not available to verify this signature
and when I look at a more detailed explanation, it says:
Importing key ID B533181C6D8D47D5:
This key couldn't be imported to your keyring. Key servers are sometimes slow. You can try to import it manually with the command:
"/usr/bin/gpg2" --batch --no-tty --recv-keys B533181C6D8D47D5
When I try to run that command (and I have no idea why it quotes the command - what's that all about?):
$ "/usr/bin/gpg2" --batch --no-tty --recv-keys B533181C6D8D47D5
gpg: keyserver receive failed: Cannot assign requested address
Searching hasn't provided me with any enlightenment and the man page doesn't list or explain the error messages. So can anybody point me to an idiot's guide to what's supposed to happen and how to make it so?
You are doing it correctly, it is not your fault :-)

The reason why I sign most messages is because there were one or two cases of some person(s) impersonating posters on the mail lists. I was one of the impersonated. That was long ago, but if it happens again at any point, it is too late then to start using keys. So by default I sign. When I don't, it is because I'm using some test installation that doesn't have the keys.

I have no idea why the quotes either, that's some type of obscure mistake, IMHO. The error given by gpg is obscure to me, too.

The command I have in my notes is simply "gpg --recv-keys ID" so let's try it now and here:

cer@Telcontar:~> gpg --recv-keys B533181C6D8D47D5
gpg: keyserver option 'verbose' is unknown
gpg: key B533181C6D8D47D5: 9 signatures not checked due to missing keys
gpg: key B533181C6D8D47D5: "Carlos E. R. (cer) <robin.listas@....>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
cer@Telcontar:~>

So it works here. I think. Exact same result using gpg2.

The configuration is in the file "~/.gnupg/gpg.conf".

I have for long observed the note about "keyserver option 'verbose' is unknown", so I'll take the chance to seek it, and yes, I have this line:

keyserver-options verbose

so I'll comment it out. Checking the man page, I see:

verbose
    This option has no more function since GnuPG 2.1. Use the dirmngr configuration options instead.

Notice that man gpg loads gpg2 page instead.

One option you should look at in your config is what upstream server you are using: it is possible that it is not responding. Currently I have:

keyserver hkp://pgp.mit.edu

If you have several defined, it uses the last one. I have used several in the past, looking at the file:

keyserver hkp://keys.gnupg.net
#keyserver http://http-keys.gnupg.net
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
#keyserver hkp://wwwkeys.eu.pgp.net
#keyserver hkp://www.rediris.es # Does not go. And it tries IPv6
#keyserver ldap://pgp.rediris.es
#keyserver hkp://wwwkeys.eu.pgp.net # Does not resolve.
keyserver hkp://pgp.mit.edu
# blackhole.pca.dfn.de
# Uses the last one.

Now the command runs nicer:

cer@Telcontar:~> gpg2 --recv-keys B533181C6D8D47D5
gpg: key B533181C6D8D47D5: 9 signatures not checked due to missing keys
gpg: key B533181C6D8D47D5: "Carlos E. R. (cer) <robin.listas@....>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
cer@Telcontar:~>

All that said, a week or two ago they noticed an attack on the PGP system. I posted about it here. Seek it:

Date: Tue, 2 Jul 2019 13:53:51 +0200
From: "Carlos E. R." <robin.listas@....>
To: oS-en <opensuse@opensuse.org>
Message-ID: <cb48ef8a-084d-24ec-4f78-2c74bc72da0a@telefonica.net>
Subject: There is an ongoing attack on PGP that could affect us.

I don't know the current news on this, but if unsolved it can hamper the downloading of keys.

--
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
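An added example, not part of any post in this thread and not GnuPG's own tooling: a small shell audit of the keyserver settings the thread keeps tripping over (which keyserver lines are active in gpg.conf or dirmngr.conf, whether the transport is TLS, and whether the obsolete "keyserver-options verbose" is still set). The function names and the sample files are constructed for illustration; the sample lines are modelled on those quoted in the thread.

```shell
#!/bin/sh
# Added example: report the keyserver settings found in GnuPG config files.
# Function names and sample files are constructed for illustration.

# Print active (uncommented) lines of file $2 whose first word is $1.
active_directives() {
    [ -r "$2" ] || return 0
    awk -v key="$1" '$1 == key { sub(/^[ \t]+/, ""); print }' "$2"
}

# Print one finding per line for config file $1.
audit_gnupg_conf() {
    conf=$1
    n=0
    for uri in $(active_directives keyserver "$conf" | awk '{ print $2 }'); do
        n=$((n + 1))
        case $uri in
            hkps://*|https://*|ldaps://*) echo "$conf: keyserver $uri (TLS)" ;;
            *) echo "$conf: keyserver $uri (no TLS)" ;;
        esac
    done
    if [ "$n" -gt 1 ]; then
        echo "$conf: $n active keyserver lines"
    fi
    # Per the man page text quoted in the thread: no function since GnuPG 2.1.
    if active_directives keyserver-options "$conf" |
        grep -Eq '(^|[[:space:],])verbose([[:space:],]|$)'; then
        echo "$conf: keyserver-options verbose is obsolete since GnuPG 2.1"
    fi
    return 0
}

# Build constructed sample files modelled on the lines shown in the thread.
make_sample_dir() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/gpg.conf" <<'EOF'
keyserver-options verbose
keyserver hkp://keys.gnupg.net
#keyserver hkp://www.rediris.es
keyserver hkp://pgp.mit.edu
EOF
    echo 'keyserver hkps://keys.openpgp.org' > "$dir/dirmngr.conf"
    echo "$dir"
}

sample=$(make_sample_dir)
audit_gnupg_conf "$sample/gpg.conf"
audit_gnupg_conf "$sample/dirmngr.conf"
rm -rf "$sample"
```

To check a real setup, call audit_gnupg_conf on ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf; a file that does not exist simply produces no findings.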
participants (5): Andrei Borzenkov, Carlos E. R., Dave Howorth, Mathias Homann, Oleksii Vilchanskyi