dirmngr vs. tor gateways
o.
o at immerda.ch
Wed Feb 28 16:34:45 CET 2018
On 02/28/2018 08:03 AM, Werner Koch wrote:
> On Tue, 27 Feb 2018 20:42, o at immerda.ch said:
>> On 02/26/2018 09:23 AM, Werner Koch wrote:
>>> Dirmngr (actually Libassuan) always uses 127.0.0.1 and
>>> checks whether Tor is running on one of the two standard ports
>>
>> That might be a bit of a problematic assumption, given there is at least
>> one distribution, where this is never true. Especially, if there is no
>> workaround whatsoever.
>
> That complaint comes a bit late ;-) We have the integrated Tor support for
> more than 2 years. Just wondering.
Well, I guess the problem is that most distributions did not make the
switch to gpg2. Whonix is based on debian 8.
>> The point is, that this does not work. dirmngr name resolution for
>> keyservers fails, if dirmngr connects through a whonix tor gateway. The
>> error message is:
>
> In this case you need to disable the integrated Tor support: --no-use-tor
That's what I tried.
> And you need to make sure that you have a full DNS resolver over Tor.
> Just looking up AAAA records is not sufficient to use the key server pools.
I don't think that such a resolver exists for tor at the moment. The
ticket seems to still be open [0].
>> That does not help. Due to the above problem, we can only specify
>> keyservers by ip. The ip is most likely not mentioned in the cert.
>
> Without proper DNS support PKIX does not work anyway.
ok, I guess I don't see the full picture. But it does work with gpg 1.x,
so it should be possible to at least have some fallback mechanism.
Best,
o.
[0] https://trac.torproject.org/projects/tor/ticket/7829
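The detection logic under discussion, as an added illustration that is not code from GnuPG, libassuan or this thread: a TCP probe of 127.0.0.1 on the two standard Tor SOCKS ports (9050 for the tor daemon, 9150 for Tor Browser), generalised so the same probe can be pointed at a gateway address. The Whonix-Gateway address used below is an assumption taken from Whonix documentation, not from the thread; the point it makes is that a probe limited to loopback can never see a SOCKS port that lives on another host.

```python
import socket

# The two standard Tor SOCKS ports probed on 127.0.0.1 (9050: tor daemon, 9150: Tor Browser).
STANDARD_TOR_PORTS = (9050, 9150)
# Assumed Whonix-Gateway internal address (from Whonix docs, not from the thread).
WHONIX_GATEWAY = "10.152.152.10"


def is_listening(host, port, timeout=0.5):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_tor_socks(hosts=("127.0.0.1",), ports=STANDARD_TOR_PORTS):
    """Return the first (host, port) that accepts a connection, or None.

    With the default arguments this mirrors the loopback-only check described
    in the thread; pass hosts=(WHONIX_GATEWAY,) to probe a remote gateway instead.
    """
    for host in hosts:
        for port in ports:
            if is_listening(host, port):
                return (host, port)
    return None


def start_fake_listener():
    """Open a throwaway loopback listener (constructed stand-in for a local tor)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # 1. Loopback-only probe, as the thread describes it.
    print("loopback:", find_tor_socks())
    # 2. The same probe aimed at an assumed Whonix-Gateway address; a loopback-only
    #    probe never reaches this, which is why auto-detection fails on a workstation.
    print("gateway: ", find_tor_socks(hosts=(WHONIX_GATEWAY,)))
    # 3. Show the probe finding a listener when one really is on 127.0.0.1.
    srv, port = start_fake_listener()
    print("fake tor:", find_tor_socks(ports=(port,)))
    srv.close()
```

On a Whonix workstation the first call returns None and only the second can succeed, which matches the failure described above; the third call just confirms the probe works when a listener really is on loopback.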