dirmngr vs. tor gateways

o. o at immerda.ch
Sat Feb 24 16:04:57 CET 2018


Hi all,

I ran into an issue with dirmngr and tor. It seems to me that
dirmngr assumes that the tor daemon is run locally. But you can also
run tor as a gateway (see [0][1][2]).

When I try to use dirmngr (gpg 2.2.5) in such a setting with

    gpg --keyserver hkp://pool.sks-keyservers.net --search-keys xyz

I get either (with "use-tor"):

    dirmngr[7424.6] (it seems Tor is not running)
    dirmngr[7424.6] command 'KS_SEARCH' failed: Connection refused

or (without "use-tor"):

    dirmngr[7432.6] command 'KS_SEARCH' failed: Server indicated a
                    failure <Unspecified source>

This is not a network issue. I verified on the same machine that the
distro gpg 1.4 works, whereas gpg 2.2.4 has the same issue.

I managed to get it to work exactly once, with "use-tor" and
"nameserver <tor-gw-ip>" (the 500 error is expected, since I actually
did search for "xyz"):

    dirmngr[7543.6] resolve_dns_addr for '144.76.144.117':
                    'pgp.h-ix.net' [already known]
    dirmngr[7543.6] error accessing
                    'http://144.76.144.117:11371/pks/lookup?op=index&
                     options=mr&search=xyz': http status 500
    dirmngr[7543.6] command 'KS_SEARCH' failed: No data

But that seems extremely brittle; it only worked once. When I try to
reproduce now, it fails again with "it seems Tor is not running".

I am not exactly sure how dirmngr is supposed to work with tor (and why
it needs special handling of tor). So, if you need additional diagnosis,
please let me know what I should try.

The only way I got it to work reliably was without "use-tor" and a
keyserver specified by ip address, e.g.:

    gpg --keyserver hkp://176.9.51.79 --search-keys xyz

Unfortunately, with this workaround it's neither possible to use hkps
(due to cert name mismatch), nor to use .onion keyservers (see
OnionAddrRange in "man torsocks.conf" to understand why).

In short, there seems to be no good workaround.

We should expect a larger group of people to get hit by this problem as
soon as a recent enough version of gpg hits the whonix distribution.

Best,

o.


[0] https://www.torproject.org/docs/faq.html.en#ServerClient
[1] https://www.whonix.org/wiki/Qubes
[2] https://learn.adafruit.com/onion-pi/overview


PS: if I specify "use-tor" and then supply an ip, I get:

    dirmngr[7857.6] resolve_dns_addr failed while checking
                    '176.9.51.79': Connection refused
    dirmngr[7857.6] can't connect to '176.9.51.79': no IP address
                    for host
    dirmngr[7857.6] error connecting to 'http://176.9.51.79:11371':
                    Unknown host
    dirmngr[7857.6] marking host '176.9.51.79' as dead
    dirmngr[7857.6] host '176.9.51.79' marked as dead

but that is probably a different bug.
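The "it seems Tor is not running" / "Connection refused" pair in the report says dirmngr tried a Tor SOCKS port and nobody answered; on a gateway setup that port lives on the gateway's IP, not on 127.0.0.1. The following diagnostic is an added example (not code from the post or from GnuPG) that sends a SOCKS5 method-negotiation greeting (RFC 1928) to the usual Tor SOCKS ports on localhost and on an optional gateway address, so you can see from the client host which endpoints actually speak SOCKS5 before blaming dirmngr. The port list (9050, 9150) and the gateway argument are assumptions, not taken from the post.

```python
import socket
import sys

# Assumed defaults: 9050 is the tor daemon's SocksPort, 9150 Tor Browser's.
TOR_SOCKS_PORTS = (9050, 9150)


def socks5_greeting() -> bytes:
    # SOCKS5 client hello: version 5, one method offered, 0x00 = no auth.
    return b"\x05\x01\x00"


def parse_socks5_reply(reply: bytes) -> str:
    """Classify the server's method-selection reply (RFC 1928, section 3)."""
    if len(reply) < 2:
        return "no-reply"            # peer closed or sent garbage
    if reply[0] != 0x05:
        return "not-socks5"          # something else listens on this port
    if reply[1] == 0x00:
        return "socks5-noauth"       # usable by a client that offers no auth
    if reply[1] == 0xFF:
        return "socks5-auth-required"  # server rejected every offered method
    return "socks5-other-method"


def probe_socks(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP-connect, send the greeting, classify the answer or the failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(socks5_greeting())
            return parse_socks5_reply(s.recv(2))
    except ConnectionRefusedError:
        return "connection-refused"  # the failure dirmngr reports as "Tor is not running"
    except (socket.timeout, OSError) as exc:
        return "error:" + exc.__class__.__name__


def check_tor_reachability(gateway_ip=None) -> dict:
    """Probe localhost and, if given, the gateway IP on each Tor SOCKS port."""
    hosts = ["127.0.0.1"] + ([gateway_ip] if gateway_ip else [])
    return {(h, p): probe_socks(h, p) for h in hosts for p in TOR_SOCKS_PORTS}


if __name__ == "__main__":
    gw = sys.argv[1] if len(sys.argv) > 1 else None
    for (h, p), verdict in check_tor_reachability(gw).items():
        print(f"{h}:{p} -> {verdict}")
```

Run it as `python3 probe.py <tor-gw-ip>`; a "socks5-noauth" verdict only on the gateway address, with "connection-refused" on 127.0.0.1, matches the situation described above.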
