
Re: dirmngr, can't live with it, can't live without it

On Wed, 2019-02-27 at 00:45 +0100, deloptes wrote:
> Jim Popovitch wrote:
> 
> > On Tue, 2019-02-26 at 20:31 +0100, deloptes wrote:
> > > Jim Popovitch wrote:
> > > 
> > > > What's up with dirmngr?  If dirmngr is installed Evolution
> > > > often takes ages to open signed emails.  If dirmngr is not
> > > > installed then (according to p.d.o/buster/dirmngr) "the parts
> > > > of the GnuPG suite that try to interact with the network will
> > > > fail"
> > > > 
> > > > How can dirmngr be so tightly integrated but work so poorly
> > > > querying services?  /r
> > > 
> > > Why should it be dirmngr's fault? Perhaps it is a kind of buster
> > > or other issue.
> > > 
> > > Try to find out where the waiting is coming from and post back.
> > > For example waiting for keyserver to respond or similar or
> > > waiting for something to time out.
> > 
> > Glad you asked!
> > 
> > dirmngr uses sks-keyservers.net which has at least one NS with
> > issues:
> > https://ednscomp.isc.org/ednscomp/0f65feeaa7
> > 
> 
> Hmm, I just wonder why you would need to run dirmngr all the time, or
> each time you have to read encrypted mail. You should have imported
> the keys locally.

I don't choose to run dirmngr all the time; something within Evolution
or gpg-agent makes that choice, and there's no way for me to know who
on d-u@l.d.o is going to sign their emails, therefore I can't
pre-import their keys.

> I even do not see any evidence that it is dirmngr that is blocking.
> When I start the gpg client and search for a key I see dirmngr is
> started
>
> $ while true; do ps -A | grep dir; sleep 1; done
> 
> > But more to the point, it's not an easy program to debug....
> > 
> > Following the man page, I created ~/.gnupg/dirmngr.conf and
> > populated it with:
> >   verbose
> >   debug-level expert
> >   keyserver na.pool.sks-keyservers.net
> >   disable-ipv6
> >   disable-ldap
> >   log-file ~/dirmngr.log
> >   allow-ocsp
> > 
> 
> Interesting, but on my end I use pool.sks-keyservers.net and there
> were no issues. Well, how often do you download or upload a key to
> the server?

I hardly ever upload, but reading this list results in 2 or 3 key
downloads every few hours.

> If I search for a key it takes like 3 sec, and yes, I think it goes
> via dirmngr, but sorry, no time to bother setting up a config.
> 
> The config I find here is the default
> cat ~/.gnupg/dirmngr.conf
> 
> ###+++--- GPGConf ---+++###
> disable-ldap
> debug-level basic
> log-file socket:///home/pizza/.gnupg/log-socket
> ###+++--- GPGConf ---+++### Thu 06 Dec 2018 01:45:13 AM CET
> # GPGConf edited this configuration file.
> # It will disable options before this marked block, but it will
> # never change anything below these lines.

Interesting.  My 2 Stretch systems did not have that file by default;
I had to create it.

> > and then I fired up Evolution and opened emails with gpg sigs, but
> > still no data in the file ~/dirmngr.log.  :-(
> > 
> > What I suspect the problem to be, and what is alluded to on the
> > sks-keyservers status page, is that there is a big
> > inconsistency/availability problem with their servers (they have
> > more off-pool servers listed than in-pool).  Obviously it's a
> > freebie so complaints seem childish, but it is an important
> > service... just like pool.ntp.org (which ironically Debian has
> > taken responsibility for at least sanitizing with
> > debian.pool.ntp.org)
> > 
> > -Jim P.
> 
> Some time ago keyservers got consolidated, so now we have
> pool.sks-keyservers.net. I am not sure if you are taking this with
> prejudice; it might be only your setup.

:-) I do run a clean, simple, tightened-down, secure setup.  One of
those things is a DNSSEC validating recursor.... which I now see that
dnsviz reports DNSSEC errors in... wait for it... sks-keyservers.net
<sigh>

http://dnsviz.net/d/pool.sks-keyservers.net/dnssec/

Now, imagine if pool.ntp.org had those DNSSEC problems and the impact
it would have on the world.

> I know dirmngr is somehow coupled with gpg, but never bothered to
> look into that as it was always working properly.
> The keyserver is not configured in ~/.gnupg/dirmngr.conf but in
> ~/.gnupg/gpg.conf
> 
> Show your ~/.gnupg/gpg.conf (or at least the relevant parts)

~$ cat .gnupg/gpa.conf 
default-key 3F1C1EF2E6019EAC646CE45227155EB4C45A2705
keyserver hkp://na.pool.sks-keyservers.net
advanced-ui


-Jim P.
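[Added example, not part of the thread above and not GnuPG or dirmngr code.
deloptes asked where the waiting comes from: the resolver, the keyserver, or
a timeout. The script below does by hand the three things dirmngr has to do
before gpg can see a freshly fetched key (resolve the pool name, connect to
the member it was handed, send one HKP query) and times each step
separately, so a stall can be attributed to DNS (the EDNS/DNSSEC problems
Jim found), to the pool member picked, or to the HKP service. The hostname
na.pool.sks-keyservers.net and the fingerprint come from the messages above;
resolving IPv4 only mirrors the disable-ipv6 option in Jim's dirmngr.conf.
The stage functions are parameters so the logic can be checked offline with
fakes; run it without arguments against the real pool.]

```python
"""Time the three steps dirmngr takes before gpg can see a fetched key:
DNS lookup of the pool name, TCP connect to the member it picked, HKP query.
Added example for this thread; not GnuPG or dirmngr code."""
import socket
import sys
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List

HKP_PORT = 11371  # default port for hkp://, as in the gpa.conf above
# Fingerprint from the gpa.conf above, used only for a harmless 'index' query
SAMPLE_SEARCH = "0x3F1C1EF2E6019EAC646CE45227155EB4C45A2705"
STAGES = ("dns", "tcp", "hkp")


def resolve_ipv4(host: str, port: int) -> List[str]:
    """IPv4-only resolution (cf. disable-ipv6 above).  getaddrinfo() has no
    timeout, so a stalled resolver shows up as a long 'dns' stage."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    addrs: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def tcp_connect(addr: str, port: int, timeout: float) -> None:
    """Plain TCP connect to the pool member that DNS handed us."""
    socket.create_connection((addr, port), timeout=timeout).close()


def hkp_index(addr: str, port: int, timeout: float) -> int:
    """One HKP 'index' request; any HTTP status, even 404, means it answered."""
    url = (f"http://{addr}:{port}/pks/lookup?op=index&options=mr"
           f"&search={SAMPLE_SEARCH}")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_keyserver(host: str, port: int = HKP_PORT, timeout: float = 5.0,
                    resolve: Callable[[str, int], List[str]] = resolve_ipv4,
                    connect: Callable[[str, int, float], None] = tcp_connect,
                    fetch: Callable[[str, int, float], int] = hkp_index) -> Dict[str, dict]:
    """Run and time the stages in order; a failure stops the run and marks the
    rest 'skipped'.  Stage functions are parameters so fakes can drive it offline."""
    report: Dict[str, dict] = {}

    def run(stage: str, fn: Callable[[], object]) -> bool:
        start = time.monotonic()
        try:
            detail, ok = fn(), True
        except Exception as exc:  # gaierror, timeout, refused, URLError, ...
            detail, ok = f"{type(exc).__name__}: {exc}", False
        report[stage] = {"ok": ok, "detail": detail,
                         "seconds": round(time.monotonic() - start, 3)}
        return ok

    addrs: List[str] = []

    def do_dns() -> str:
        addrs.extend(resolve(host, port))
        if not addrs:
            raise LookupError("no A records")
        return ", ".join(addrs)

    def do_tcp() -> str:
        connect(addrs[0], port, timeout)
        return addrs[0]

    def do_hkp() -> int:
        return fetch(addrs[0], port, timeout)

    for stage, fn in (("dns", do_dns), ("tcp", do_tcp), ("hkp", do_hkp)):
        if not run(stage, fn):
            for later in STAGES[STAGES.index(stage) + 1:]:
                report[later] = {"ok": False, "detail": "skipped", "seconds": 0.0}
            break
    return report


def slowest_stage(report: Dict[str, dict]) -> str:
    """The attempted stage that took longest, i.e. where the waiting is."""
    attempted = [s for s in STAGES if report[s]["detail"] != "skipped"]
    return max(attempted, key=lambda s: report[s]["seconds"])


def main(argv: List[str]) -> int:
    host = argv[1] if len(argv) > 1 else "na.pool.sks-keyservers.net"
    report = check_keyserver(host)
    for s in STAGES:
        r = report[s]
        print(f"{s:4s} {'ok' if r['ok'] else 'FAIL':4s} {r['seconds']:7.3f}s  {r['detail']}")
    print("slowest stage:", slowest_stage(report))
    return 0 if all(report[s]["ok"] for s in STAGES) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python3 hkp_stages.py` (or pass another pool name). A long 'dns'
stage with the 'tcp' and 'hkp' stages fast points at the resolver path, which
is what a DNSSEC-validating recursor hitting a broken zone would show; a fast
'dns' followed by a 'tcp' timeout points at the particular pool member the
round-robin handed out, which is the off-pool/in-pool inconsistency Jim
suspects. Only the first address is probed; dirmngr itself may try several,
so compare against `dirmngr --debug-level expert` output when in doubt.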