Re: dirmngr, can't live with it, can't live without it




On Tue, 2019-02-26 at 20:31 +0100, deloptes wrote:
> Jim Popovitch wrote:
> 
> > What's up with dirmngr?  If dirmngr is installed Evolution often
> > takes ages to open signed emails.  If dirmngr is not installed then
> > (according to p.d.o/buster/dirmngr) "the parts of the GnuPG suite
> > that try to interact with the network will fail"
> > 
> > How can dirmngr be so tightly integrated but work so poorly
> > querying services?  /r
> 
> Why should it be dirmngr's fault? Perhaps it is a kind of buster or
> other issue.
> 
> Try to find out where the waiting is coming from and post back. For
> example waiting for keyserver to respond or similar or waiting for
> something to time out.

Glad you asked!

dirmngr uses sks-keyservers.net which has at least one NS with issues:
https://ednscomp.isc.org/ednscomp/0f65feeaa7

But more to the point, it's not an easy program to debug...

Following the man page, I created ~/.gnupg/dirmngr.conf and populated it
with:
  verbose
  debug-level expert
  keyserver na.pool.sks-keyservers.net
  disable-ipv6
  disable-ldap
  log-file ~/dirmngr.log
  allow-ocsp

and then I fired up Evolution and opened emails with gpg sigs, but
still no data in the file ~/dirmngr.log.  :-(

What I suspect the problem to be, and what is alluded to on the sks-keyservers status page, is that there is a big inconsistency/availability problem with their servers (they have more off-pool servers listed than in-pool).  Obviously it's a freebie so complaints seem childish, but it is an important service... just like pool.ntp.org (which, ironically, Debian has taken responsibility for at least sanitizing with debian.pool.ntp.org).

-Jim P.