A question about WKD

Stefan Claas stefan.claas at posteo.de
Thu Dec 27 16:01:52 CET 2018


On Thu, 27 Dec 2018 10:35:22 +0100, Alessandro Vesely wrote:
> On Wed 26/Dec/2018 22:59:19 +0100 Stefan Claas wrote:
> >   
> >> You seem to have already solved that:  
> > 
> > May i ask you what version of GnuPG you are using and what OS?  
> 
> Sure:
> ale at pcale:~/tmp$ uname -a
> Linux pcale 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
> ale at pcale:~/tmp$ 
> ale at pcale:~/tmp$ gpg2 --version
> gpg (GnuPG) 2.1.18
> libgcrypt 1.7.6-beta
> Copyright (C) 2017 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Home: /home/ale/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>         CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2

Thanks!

> I see no SRV record from here, and I don't need one since 300baud.de resolves correctly.

host -t srv _openpgpkey._tcp.300baud.de
_openpgpkey._tcp.300baud.de has SRV record 10 100 443 300baud.de.

> > I then tried again with the macOS version, which is 2.2.12 and it
> > did not work again. :-(
> 
> 
> Couldn't that be something with your CA bundle?  What do you get if you try and download your keys with curl, e.g.:
> curl -o /dev/null -v https://300baud.de/.well-known/openpgpkey/hu/ywwzopgqx5kmisb8r18gq68h13jwdg33
> ?

Mmhh, good question... when downloading it says
CAfile: /Users/sac/anaconda2/ssl/cacert.pem CApath: none, but I can download without a problem:

curl -o /dev/null -v https://300baud.de/.well-known/openpgpkey/hu/ywwzopgqx5kmisb8r18gq68h13jwdg33
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 167.99.129.126...
* TCP_NODELAY set
* Connected to 300baud.de (167.99.129.126) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /Users/sac/anaconda2/ssl/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [113 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5662 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL; CN=300baud.de
*  start date: Dec 23 00:00:00 2018 GMT
*  expire date: Dec 23 23:59:59 2019 GMT
*  subjectAltName: host "300baud.de" matched cert's "300baud.de"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
} [5 bytes data]
> GET /.well-known/openpgpkey/hu/ywwzopgqx5kmisb8r18gq68h13jwdg33 HTTP/1.1
> Host: 300baud.de
> User-Agent: curl/7.62.0
> Accept: */*
> 
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Thu, 27 Dec 2018 14:47:52 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Tue, 25 Dec 2018 17:27:21 GMT
< ETag: "1f4-57ddc06a6a77b"
< Accept-Ranges: bytes
< Content-Length: 500
< Content-Language: de
< 
{ [5 bytes data]
100   500  100   500    0     0    396      0  0:00:01  0:00:01 --:--:--   396
* Connection #0 to host 300baud.de left intact

As a test I also created a blank .gnupg folder and tried to encrypt, but it still
says not trusted. I have run out of ideas now and I will contact Patrick Brunschwig
and wait for what he says, because he is the maintainer of the SourceForge
binary.

Regards
Stefan
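How gpg arrives at a URL of the shape curled above, as an added example that is not code from this thread or from GnuPG: the client lower-cases the local part of the mail address, takes its SHA-1, z-base-32 encodes the 20-byte digest into the 32-character "hu" path component, and fetches it either from the direct location on the mail domain or from the advanced location on an openpgpkey. subdomain, as laid out in the WKD draft (draft-koch-openpgp-webkey-service). The address Joe.Doe@Example.ORG is the draft's own worked example; the hash from the thread's URL is only checked for shape, since the thread does not give the local part behind it. The last helper checks one property the draft requires of the fetched body, which is worth running on the curl output before blaming gpg: the key must be binary OpenPGP, not ASCII-armored, and start with a public-key packet.

```python
"""Web Key Directory (WKD) lookup helpers.

Added example, not code from the mailing-list thread or from GnuPG.
Computes the 'hu' (hashed user-id) path component that gpg/dirmngr
request and builds the URLs of both lookup methods from the WKD draft.
dirmngr in earlier GnuPG versions could also consult an
_openpgpkey._tcp SRV record (like the one shown in the thread) to pick
the host; that step is not modelled here.
"""
import hashlib
import re
from typing import Tuple
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (not the RFC 4648 base32 alphabet).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes with z-base-32; no padding characters are emitted."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad the bit string to a multiple of 5
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def is_wkd_hash(component: str) -> bool:
    """True if a path component has the shape of a WKD 'hu' hash."""
    return re.fullmatch(f"[{ZBASE32}]{{32}}", component) is not None


def split_address(addr: str) -> Tuple[str, str]:
    """Split 'Local@Domain' into (local part as given, lower-cased domain)."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {addr!r}")
    return local, domain.lower()


def direct_url(addr: str) -> str:
    """Direct method: key served from the mail domain itself."""
    local, domain = split_address(addr)
    return (f"https://{domain}/.well-known/openpgpkey/hu/"
            f"{wkd_hash(local)}?l={quote(local, safe='')}")


def advanced_url(addr: str) -> str:
    """Advanced method: key served from the openpgpkey subdomain."""
    local, domain = split_address(addr)
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/"
            f"{wkd_hash(local)}?l={quote(local, safe='')}")


def looks_like_binary_pubkey(body: bytes) -> bool:
    """WKD keys must be binary OpenPGP (not armored) and begin with a
    public-key packet (tag 6). Bit 7 of an OpenPGP packet header is always
    set, so armored text ('-----BEGIN ...') fails immediately."""
    if not body or not body[0] & 0x80:
        return False
    first = body[0]
    # New-format header: tag in the low 6 bits; old-format: bits 5..2.
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag == 6


if __name__ == "__main__":
    # The WKD draft's own worked example address (constructed input,
    # not an address from the thread).
    addr = "Joe.Doe@Example.ORG"
    print("direct:  ", direct_url(addr))
    print("advanced:", advanced_url(addr))
    # A constructed 3-byte old-format public-key packet header.
    print("binary key?", looks_like_binary_pubkey(b"\x98\x8d\x04"))
```

Fetch whichever URL your gpg version tries with curl, then run the body through looks_like_binary_pubkey: a 200 response that turns out to be an armored block, an HTML error page, or a key for a different user id explains a failed WKD lookup without any CA-bundle involvement.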



More information about the Gnupg-users mailing list