Dirmngr now supports hkps

Werner Koch wk at gnupg.org
Tue May 6 16:33:00 CEST 2014


Hi,

Kristian announced at gnupg-users that SKS 1.15 has been released.  I
take this opportunity to mention that I pushed changes to GnuPG master
which give us hkps again.  Those who follow master may want to test
these changes.  They require that GnuTLS 3.x is installed.

In master (i.e. GnuPG 2.1) the keyserver helper programs are gone and
have been replaced by the dirmngr daemon.  This has the advantage that
we can keep state and for example detect non-answering servers from a
pool.  Dirmngr is started on the fly, thus there is not much
configuration required.  However, for TLS a basic configuration is
required in ~/.gnupg/dirmngr.conf:

--8<---------------cut here---------------start------------->8---
verbose
debug 1024
hkp-cacert /home/foo/.gnupg/sks-keyservers.netCA.pem
--8<---------------cut here---------------end--------------->8---

"verbose" and "debug 1024" are not actually needed but are useful for
testing.  The given certificate is in the GIT repo and should work for
the servers in the hkps.pool.

Gpg's keyserver-options "check-cert" and "ca-cert-file" no longer have
any function.  Dirmngr's --hkp-cacert option(s) must be used instead.
The actual keyserver to be used is still configured in gpg.conf so that
Dirmngr may use different keyservers depending on gpg's configuration.

Here is how you can use gpg-connect-agent for a quick test:

  $ gpg-connect-agent --dirmngr 'keyserver hkps://sks.alpha-labs.net' 'ks_get 1e42b367' /bye
  OK
  S PROGRESS tick ? 0 0
  S SOURCE https://sks.alpha-labs.net:443
  D -----BEGIN PGP PUBLIC KEY BLOCK-----%0A
  D Version: SKS 1.1.4%0A
  D Comment: Hostname: sks.alpha-labs.net%0A
  D %0A
  D mQMqBEd5F8MRCACfArHCJFR6nkmxNiW+UE4PAW3bQla9JWFqCwu4VqLkPI/lHb5pxHff8Fzy%0A
  D 2O89BxD/6hXSDx2SlVmAGHOCJhShx1vfNGVYNsJn2oNK50in9kGvD0+mVACfy5MyPV8mtMcO%0A
[...]
  D -----END PGP PUBLIC KEY BLOCK-----%0D%0A
  OK

(note that the "D" lines are percent escaped).

That is basically the same as what gpg does with the usual:

  $ gpg2 --keyserver hkps://sks.alpha-labs.net --recv-key 1e42b367
  gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
  gpg: It is only intended for test purposes and should NOT be
  gpg: used in a production environment or with production keys!
  gpg: key 1E42B367: "Werner Koch <wk at gnupg.org>" not changed
  gpg: Total number processed: 1
  gpg:              unchanged: 1
Other interesting stuff might be:

  $ gpg-connect-agent --dirmngr
  > HELP keyserver
  # KEYSERVER [<options>] [<uri>|<host>]
  # Options are:
  #   --help
  #   --clear      Remove all configured keyservers
  #   --resolve    Resolve HKP host names and rotate
  #   --hosttable  Print table of known hosts and pools
  #   --dead       Mark <host> as dead
  #   --alive      Mark <host> as alive
  # 
  # If called without arguments list all configured keyserver URLs.
  # If called with an URI add this as keyserver.  Note that keyservers
  # are configured on a per-session base.  A default keyserver may already be
  # present, thus the "--clear" option must be used to get full control.
  # If "--clear" and an URI are used together the clear command is
  # obviously executed first.  A RESET command does not change the list
  # of configured keyservers.
  OK
  > keyserver --hosttable
  S # hosttable (idx, ipv4, ipv6, dead, name, time):
  S #   0 4     sks.alpha-labs.net
  OK
  > keyserver hkps://hkps.pool.sks-keyservers.net
  OK
  > keyserver --resolve --hosttable
  S PROGRESS tick ? 0 0
  S PROGRESS tick ? 0 0
  S PROGRESS tick ? 0 0
  S # https://services.spodhuis.org:443
  S # hosttable (idx, ipv4, ipv6, dead, name, time):
  S #   0 4     sks.alpha-labs.net
  S #   1       hkps.pool.sks-keyservers.net
  S #   .   --> 5 8 9 2 7 6 4 10 3 11* 12
  S #   2 4     alita.karotte.org
  S #   3 4     pax.skoopsmedia.net
  S #   4 4     mimir.alderwick.co.uk
  S #   5 4     216.66.15.2
  S #   6 4     dainn.alderwick.co.uk
  S #   7 4     astrath.net
  S #   8 4     79.143.214.216
  S #   9 4     89-68-150-88.dynamic.chello.pl
  S #  10 4     mx1.adeti.org
  S #  11 4     services.spodhuis.org
  S #  12   6   sks.spodhuis.org
  OK

Note that the --resolve option does not only resolve the pool but also
switches to a new server from the alive servers.  A host is marked dead
after 3 tries and resurrected after 3 hours (unless manually marked
dead).


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
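As an added example following the mail above (this is not code from Werner's post or from GnuPG itself): a small shell helper that turns the gpg-connect-agent transcript shown in the mail back into the armored key block, by stripping the "D " prefix and percent-decoding the data lines the post points out are escaped. The transcript it decodes is constructed for the demo (same shape as the one in the mail, but shortened and with a fake key body); the ks_get_block wrapper assumes a GnuPG 2.1 master build with gpg-connect-agent on PATH and a dirmngr.conf as described above, and needs network access; the "ERR" handling assumes the standard Assuan error reply format ("ERR <code> <text>").

```shell
#!/bin/sh
# Added example (not from the post or from GnuPG): decode the Assuan transcript
# that gpg-connect-agent --dirmngr prints into the raw key block.  Dirmngr sends
# the key in "D " data lines that are percent-escaped, so "%0A" must become a
# newline before the block can be fed to gpg --import or compared to a file.

# Read a gpg-connect-agent transcript on stdin; write the decoded payload of the
# "D " lines to stdout.  Status ("S ..."), "OK" and other lines are dropped.  An
# "ERR <code> <text>" line (standard Assuan error reply, assumed here) aborts
# with status 1 and the message on stderr.  Written in awk so it runs with any
# POSIX awk; sprintf("%c", n) is exact for the ASCII-armored data dirmngr
# returns, but gawk may emit a multi-byte character for n > 127 in a UTF-8 locale.
assuan_unescape() {
  awk '
    BEGIN { hex = "0123456789ABCDEF" }
    /^ERR / { print $0 > "/dev/stderr"; exit 1 }
    /^D / {
      s = substr($0, 3)           # drop the "D " prefix
      out = ""
      while ((i = index(s, "%")) > 0) {
        out = out substr(s, 1, i - 1)
        h1 = index(hex, toupper(substr(s, i + 1, 1)))
        h2 = index(hex, toupper(substr(s, i + 2, 1)))
        if (h1 > 0 && h2 > 0) {
          out = out sprintf("%c", (h1 - 1) * 16 + (h2 - 1))
          s = substr(s, i + 3)
        } else {                  # stray "%" without two hex digits: keep it
          out = out "%"
          s = substr(s, i + 1)
        }
      }
      printf "%s", out s          # no newline added: only a decoded %0A makes one
    }
  '
}

# Fetch a key through dirmngr and decode it, mirroring the ks_get call in the
# post.  $1 is the keyserver URI, $2 the key id.  Assumes a GnuPG 2.1 (master)
# build with gpg-connect-agent on PATH and needs network access, so it is not
# exercised offline.
ks_get_block() {
  gpg-connect-agent --dirmngr "keyserver $1" "ks_get $2" /bye | assuan_unescape
}

# Constructed transcript (shortened, with a fake base64 key body) in the shape
# of the one shown in the post; used to demonstrate the decoder offline.
sample_transcript() {
  cat <<'EOF'
OK
S PROGRESS tick ? 0 0
S SOURCE https://sks.alpha-labs.net:443
D -----BEGIN PGP PUBLIC KEY BLOCK-----%0A
D Version: SKS 1.1.4%0A
D Comment: Hostname: sks.alpha-labs.net%0A
D %0A
D bm90IGEgcmVhbCBrZXkgYm9keQ==%0A
D -----END PGP PUBLIC KEY BLOCK-----%0D%0A
OK
EOF
}

# Decode the constructed sample; prints six lines, the last ending in CR LF
# because the transcript carries %0D%0A there just like the one in the post.
decode_sample() {
  sample_transcript | assuan_unescape
}

if [ "${1:-}" = "--demo" ]; then
  decode_sample
fi
```

Run the script with `--demo` to see the decoded sample, or pipe a real session through the helper, e.g. `ks_get_block hkps://sks.alpha-labs.net 1e42b367 | gpg2 --import`, which should give the same "not changed" result as the gpg2 --recv-key call in the mail. Note that the decoder deliberately adds no newline of its own, so a transcript without a trailing %0A in its last "D" line yields a block without a final newline, exactly as dirmngr sent it.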




More information about the Gnupg-devel mailing list