dirmngr vs. tor gateways
o at immerda.ch
Sat Feb 24 16:04:57 CET 2018
I ran into an issue with with dirmngr and tor. It seems to me, that
dirmngr assumes, that the tor daemon is run locally. But, you can also
run tor as a gateway (see ).
When I try to use dirmngr (gpg 2.2.5) in such a setting with
gpg --keyserver hkp://pool.sks-keyservers.net --search-keys xyz
I get either (with "use-tor"):
dirmngr[7424.6] (it seems Tor is not running)
dirmngr[7424.6] command 'KS_SEARCH' failed: Connection refused
or (without "use-tor"):
dirmngr[7432.6] command 'KS_SEARCH' failed: Server indicated a
failure <Unspecified source>
This is not a network issue. I verified on the same machine, that the
distro gpg 1.4 works, whereas gpg 2.2.4 has the same issue.
I managed to get it to work exactly once, with "use-tor" and
"nameserver <tor-gw-ip>" (the 500 error is expected, since I actually
did search for "xyz"):
dirmngr[7543.6] resolve_dns_addr for '220.127.116.11':
'pgp.h-ix.net' [already known]
dirmngr[7543.6] error accessing
options=mr&search=xyz': http status 500
dirmngr[7543.6] command 'KS_SEARCH' failed: No data
But that seems extremely brittle, it only worked once. When I try to
reproduce now, it fails again with "it seems Tor is not running".
I am not exactly sure how dirmngr is supposed to work with tor (and why
it needs special handling of tor). So, if you need additional diagnosis,
please let me know what I should try.
The only way I got it to work reliably, was without "use-tor" and a
keyserver specified by ip address, e.g.:
gpg --keyserver hkp://18.104.22.168 --search-keys xyz
Unfortunately, with this workaround it's neither possible to use hkps
(due to cert name mismatch), nor to use .onion keyservers (see
OnionAddrRange in "man torsocks.conf" to understand why).
In short, there seems to be no good workaround.
We should expect a larger group of people to get hit by this problem as
soon as a recent enough version of gpg hits the whonix distribution.
PS: if I specify "use-tor" and then supply an ip, I get:
dirmngr[7857.6] resolve_dns_addr failed while checking
'22.214.171.124': Connection refused
dirmngr[7857.6] can't connect to '126.96.36.199': no IP address
dirmngr[7857.6] error connecting to 'http://188.8.131.52:11371':
dirmngr[7857.6] marking host '184.108.40.206' as dead
dirmngr[7857.6] host '220.127.116.11' marked as dead
but that is probably a different bug.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-devel