gpg --refresh with large keyrings and hkps in 2.1.1

Guilhem Moulin guilhem at
Mon Apr 20 11:17:31 CEST 2015

On Thu, 16 Apr 2015 at 08:49:50 +1000, Ben McGinnes wrote:
> On 16/04/2015 7:17 am, Daniel Kahn Gillmor wrote:
>> Tor circuits to a particular endpoint are likely to be stable over the
>> period of time it would take to fetch the whole keyring.
> In a country with a decent Internet connection, sure.  Over here in
> Australia, however, you can be pretty sure that you'll hit the ten
> minute window more than once.

Doesn't gpg use a single connection for the whole --refresh-keys?  AFIK
the 10min windows (‘MaxCircuitDirtiness’ in the torrc) is only relevant
for new connections; I doubt tor client kills existing TCP connections
when updating circuits.

To force a circuit update each 10min, you could refresh your keyring one
key at a time.  Or use a tool like parcimonie [0], or simply use the
gnupg-curl module with a different SOCKS5 username/password for each key
(assuming the ‘IsolateSOCKSAuth’ flag is set in your torrc, which is the

    gpg --http-proxy=socks5h://$FPR:$RANDOM@ --recv-key $FPR

Unfortunately this is broken with 2.1, because dirmngr currently doesn't
honor --http-proxy  (Issue1786).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: </pipermail/attachments/20150420/1ff00d3e/attachment-0001.sig>

More information about the Gnupg-devel mailing list