[blfs-support] --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
Xi Ruoyao
xry111 at mengyan1223.wang
Sun Aug 1 03:51:18 CEST 2021
On Sat, 2021-07-31 at 22:16 +0200, Rainer Fiebig wrote:
> On 31.07.21 at 21:00, Xi Ruoyao wrote:
> > On Sat, 2021-07-31 at 19:56 +0200, Rainer Fiebig wrote:
> > > On 31.07.21 at 17:40, Werner Koch wrote:
> > > > On Thu, 29 Jul 2021 18:36, Andrew Gallagher said:
> > > >
> > > > > If you built gnupg from its default configuration, it does not
> > > > > automatically look in /etc/ssl/certs for CA certificates. You may
> > > > > want
> > > >
> > > > On Unix and unless gnupg was built with
> > > > --with-default-trust-store-file
> > > > the following collections of certificates are used for TLS:
> > > >
> > > > { "/etc/ssl/ca-bundle.pem" },
> > > > { "/etc/ssl/certs/ca-certificates.crt" },
> > > > { "/etc/pki/tls/cert.pem" },
> > > > { "/usr/local/share/certs/ca-root-nss.crt" },
> > > > { "/etc/ssl/cert.pem" }
> > > >
> >
> > Hi Werner,
> >
> > Our "recommended" configuration in BLFS is: gnutls is built with p11-kit
> > and --with-default-trust-store-pkcs11="pkcs11:", and gnupg is built with
> > gnutls. So gnupg "should" use certificates from p11-kit trust store I
> > think? And it works for me.
> >
> > I saw your discussion with "curl". In BLFS curl uses OpenSSL instead of
> > GnuTLS, so they actually have different trust stores. GnuTLS (using
> > p11-kit) uses /etc/pki/anchors, OpenSSL uses /etc/ssl/certs.
> >
> > I remember once an unclean shutdown caused a similar issue on my system
> > (/etc/pki/anchors is disrupted, and every program using GnuTLS just
> > started to distrust every certificate).
> >
> > Hi Rainer,
> >
> > Try "gnutls-cli keys.openpgp.org". If it does not get into "Simple
> > Client Mode" as expected, it means p11-kit trust store may be disrupted.
> > Try "make-ca -f -g" to rebuild it.
> >
> > And check if your p11-kit was built with
> > -Dtrust_paths=/etc/pki/anchors as the BLFS book says. If not sure,
> > rebuild it. (I can also remember once I've mistyped the path, this also
> > caused every program using GnuTLS to start to distrust every
> > certificate.)
> >
> OK, issued "make-ca -f -g" and re-built gnupg *without* path_to_file.
> But the result then was again
>
> ~> gpg --search-keys E3FF2839C048B25C084DEBE9B26995E310250568
> gpg: error searching keyserver: No inquire callback in IPC
>
> So the only way to get this reliably working on my system seems to be
> building gnupg *with* path_to_file.

So gnutls-cli works but gpg (which should use GnuTLS) does not? I'm
now puzzled as I can't reproduce it on my system at all.

As a last resort: which GPG version did you install? And was GnuTLS
installed when you built it?

--
Xi Ruoyao <xry111 at mengyan1223.wang>
School of Aerospace Science and Technology, Xidian University
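
Added example, not part of the original message or of gnupg/BLFS: a shell check of whether the trust sources named in this thread exist and are non-empty, namely the five bundle files Werner Koch lists and the /etc/pki/anchors directory that GnuTLS uses via p11-kit. The optional root-prefix argument and the function names are assumptions for illustration; the script inspects files only and does not show which store a given gpg build actually reads.

```shell
#!/bin/sh
# Added example: file-level check of the trust sources named in this thread.
# The ROOT prefix argument and all function names are hypothetical.

# Bundle files quoted from Werner Koch's message (they apply when gnupg was
# built without --with-default-trust-store-file).
GNUPG_BUNDLES="/etc/ssl/ca-bundle.pem /etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/cert.pem /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem"

# Number of PEM certificate blocks in a file; 0 if missing or unreadable.
count_pem_certs() {
    if [ -f "$1" ] && [ -r "$1" ]; then
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Print the first listed bundle under ROOT ($1) that holds a certificate.
first_usable_bundle() {
    for p in $GNUPG_BUNDLES; do
        if [ "$(count_pem_certs "$1$p")" -gt 0 ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Count non-empty files in the p11-kit anchor directory under ROOT ($1).
# Empty files are skipped: they are what a damaged store may leave behind.
count_anchors() {
    dir="$1/etc/pki/anchors"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -type f -size +0 | wc -l | tr -d ' '
}

# One-line summary for ROOT ($1, empty means the live system).
trust_report() {
    root=${1:-}
    bundle=$(first_usable_bundle "$root") || bundle=none
    printf 'bundle=%s anchors=%s\n' "$bundle" "$(count_anchors "$root")"
}

trust_report "${1:-}"
```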