--search-keys: "gpg: error searching keyserver: No inquire callback in IPC"

Rainer Fiebig jrf at mailbox.org
Thu Jul 29 20:53:09 CEST 2021

Am 29.07.21 um 19:36 schrieb Andrew Gallagher:
> On 29/07/2021 17:52, Rainer Fiebig wrote:
>> ~> openssl x509 -text </etc/ssl/certs/DST_Root_CA_X3.pem | grep "Not
>> After"
>>              Not After : Sep 30 14:01:15 2021 GMT
> So the file exists, and appears to have the correct contents (the
> difference in checksum is probably whitespace or commentary, I wouldn't
> worry about it).
> I'm going to refer back to my earlier statement: "It looks like dirmngr
> isn't using the same set of CAs that curl is using".
Yes, that seems to be at the heart of the matter. Curl is built with
this ./configure switch:

and so it finds the correct certificate.

There's no such switch for gnupg. So I guess dirmngr looks in /etc/pki
for the certs? And maybe the DST_Root_CA_X3 (in "ca-bundle.crt) there is
different (outdated?) from the one in /etc/ssl/certs.

> If you built gnupg from its default configuration, it does not
> automatically look in /etc/ssl/certs for CA certificates. You may want
> to add a soft link from /etc/gnupg/trusted-certs to /etc/ssl/certs so
> that dirmngr looks in the Mozilla certificate library.
The manpage for dirmngr says that the certificates in
/etc/gnupg/trusted-certs  are expected to be in .der or .crt  encoding.
Those in /etc/ssl are .pem, though.

I created a symlink /etc/gnupg/trusted-certs -> /etc/ssl/certs/ but gpg
--search-keys  still fails, probably due to the .pem encoding.

More information about the Gnupg-users mailing list