Local solutions: SKS Keyserver Network Under Attack
mirimir at riseup.net
Thu Jul 4 08:34:21 CEST 2019
On 07/03/2019 10:19 PM, Mirimir wrote:
> Moved by Roland's requests, I've broken Enigmail in a fresh VM. And I'd
> appreciate some advice about how to fix it.
> I installed Thunderbird and Enigmail in a Debian 9.5 x64 VM with Gnome.
> Using Enigmail Key Management, I tried to get rjh's 1DCBDC01B44427C7
> from pool.sks-keyservers.net, but that just timed out.
> So I downloaded it via HTTPS. And it was ~60MB. I tried importing from
> the downloaded file, but that went nowhere. With 100% CPU.
> So I got it from https://keybase.io/rjh and imported from clipboard in
> Enigmail Key Management. That worked just fine. So then I tried
> refreshing keys in Enigmail, leaving pool.sks-keyservers.net as the
> default keyserver. And that failed, complaining about no dirmngr. Then I
> tried refreshing keys with gpg in terminal, and got the same error about
> no dirmngr.
> Then I deleted rjh's key, and got my own from Keybase, and imported it.
> But when I tried refreshing keys, I got the same error about no dirmngr.
> So gpg must still work, because I can import and delete keys via
> Enigmail. But something seems borked about dirmngr. I guess that I'll
> try purging and reinstalling. Or is there a better fix?
Damn. Somehow dirmngr didn't get installed with Thunderbird and
Enigmail. How embarrassing. So now Enigmail does refresh my key.
But after importing rjh's key, refreshing in Enigmail fails:
| Downloading of keys failed
| gpg: keyserver receive failed: No data
I also tried in terminal:
| user at debian:~$ gpg --refresh-keys
| gpg: refreshing 2 keys from hkps://hkps.pool.sks-keyservers.net
| gpg: key ...: 22 signatures not checked due to missing keys
| gpg: key ...: "mirimir <mirimir at riseup.net>" not changed
| gpg: Total number processed: 1
| gpg: unchanged: 1
Then I disabled rjh's key, and found that my key still refreshed
quickly. Using hkps.pool.sks-keyservers.net.
So that's good news, yes? Trying to refresh rjh's key failed, but it
failed quickly, and the attempt apparently didn't break anything.
> And yes, I should have tested everything first with a clean key, before
> messing with rjh's key. Is it likely that I borked dirmngr during the
> intital attempt to get it from pool.sks-keyservers.net?
More information about the Gnupg-users