Download of public keys

sivmu at web.de
Fri Feb 17 13:37:06 CET 2017


Some time ago I asked about the unencrypted download of public keys.

The answer was that the current gnupg does use https by default to fetch the keys.
I found the time to retest this on a new setup and found that gnupg 2.1.18 still uses http connections to fetch the keys.

I used a newly installed Arch Linux setup with basically nothing but the base Linux tools and downloaded a public key while sniffing on the network.
All requests, first to keys.gnupg.net and then to some other keyservers, were in plaintext.

The default dirmngr.conf file provided by Arch, which seems to use gnupg 2.1.18 without changes, contains the following lines:

# If exactly two keyservers are configured and only one is a Tor hidden
# service, Dirmngr selects the keyserver to use depending on whether
# Tor is locally running or not (on a per session base).

keyserver hkp://jirk5u4osbsr34t5.onion
keyserver hkp://keys.gnupg.net


This would explain why no encryption is used. 

Is there something I missed or is this unintended?
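A small check for the situation described in this post, added here as an example and not part of the post or of GnuPG: it reads the `keyserver` directives out of a dirmngr.conf and reports which ones would fetch keys over an unencrypted transport. The sample configuration is the fragment quoted above; the handling of a bare hostname as `hkp://` is an assumption based on gpg's documented keyserver URI default.

```python
"""Report keyserver entries in a dirmngr.conf that are fetched without TLS.

Added example for the gnupg-users post above; not code from GnuPG or the post.
"""
from urllib.parse import urlsplit

# HKP over TLS: the key request and response are protected on the wire.
ENCRYPTED_SCHEMES = {"hkps", "https"}

# The two lines quoted in the post, embedded here as the sample input.
SAMPLE_CONF = """\
# If exactly two keyservers are configured and only one is a Tor hidden
# service, Dirmngr selects the keyserver to use depending on whether
# Tor is locally running or not (on a per session base).

keyserver hkp://jirk5u4osbsr34t5.onion
keyserver hkp://keys.gnupg.net
"""


def parse_keyservers(conf_text):
    """Return the URL of every 'keyserver' directive, skipping comments and blanks."""
    urls = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] == "keyserver" and len(parts) == 2:
            urls.append(parts[1].strip())
    return urls


def classify(url):
    """Return 'encrypted', 'tor' or 'plaintext' for one keyserver URL."""
    # Assumption: a bare host name is treated as hkp://, as gpg documents.
    u = urlsplit(url if "://" in url else "hkp://" + url)
    host = (u.hostname or "").lower()
    if u.scheme in ENCRYPTED_SCHEMES:
        return "encrypted"
    if host.endswith(".onion"):
        # Only reachable through Tor; the circuit itself is encrypted even for hkp.
        return "tor"
    return "plaintext"


def plaintext_keyservers(conf_text):
    """List the configured keyservers whose key downloads are visible on the wire."""
    return [u for u in parse_keyservers(conf_text) if classify(u) == "plaintext"]


if __name__ == "__main__":
    for url in plaintext_keyservers(SAMPLE_CONF):
        print("plaintext keyserver:", url)
```

On the quoted configuration this reports only `hkp://keys.gnupg.net`, which matches what the packet capture in the post showed.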


