dirmngr vs. tor gateways

o. o at immerda.ch
Wed Feb 28 16:34:45 CET 2018

On 02/28/2018 08:03 AM, Werner Koch wrote:
> On Tue, 27 Feb 2018 20:42, o at immerda.ch said:
>> On 02/26/2018 09:23 AM, Werner Koch wrote:
>>> Dirmngr (actually Libassuan) always uses and
>>> checks whether Tor is running on one of the two standard ports
>> That might be a bit of a problematic assumption, given there is at least
>> one distribution, where this is never true. Especially, if there is no
>> workaround whatsoever.
> That complain comes a bit late ;-)  We have the integrated Tor support for
> more than 2 years.  Just wondering.

Well, I guess the problem is that most distributions did not make the
switch to gpg2. Whonix is based on debian 8.

>> The point is, that this does not work. dirmngr name resolution for
>> keyservers fails, if dirmngr connects through a whonix tor gateway. The
>> error message is:
> In this case you need to diable the integrated Tor support: --no-use-tor

that's what I tried.

> And you need top make sure that you have a full DNS resolver over Tor.
> Just looking up AAAA records is not sufficient to use the key server pools.

I don't think that such a resolver exists for tor at the moment. The
ticket seems to still be open [0].

>> That does not help. Due to the above problem, we can only specify
>> keyservers by ip. The ip is most likely not mentioned in the cert.
> Without proper DNS support PKIX does not work anyway.

ok, I guess I don't see the full picture. But it does work with gpg 1.x,
so it should be possible to at least have some fallback mechanism.


[0] https://trac.torproject.org/projects/tor/ticket/7829

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180228/02532365/attachment.sig>

More information about the Gnupg-devel mailing list