
Re: dirmngr, can't live with it, can't live without it
Jim Popovitch wrote:

> On Wed, 2019-02-27 at 00:45 +0100, deloptes wrote:
>> Jim Popovitch wrote:
>> 
>> > On Tue, 2019-02-26 at 20:31 +0100, deloptes wrote:
>> > > Jim Popovitch wrote:
>> > > 
>> > > > What's up with dirmngr?  If dirmngr is installed Evolution
>> > > > often takes ages to open signed emails.  If dirmngr is not
>> > > > installed then (according to p.d.o/buster/dirmngr) "the parts
>> > > > of the GnuPG suite that try to interact with the network will
>> > > > fail"
>> > > > 
>> > > > How can dirmngr be so tightly integrated but work so poorly
>> > > > querying services?  /r
>> > > 
>> > > why should it be dirmngrs fault? perhaps it is a kind of buster
>> > > or other issue.
>> > > 
>> > > Try to find out where the waiting is coming from and post back.
>> > > For example waiting for keyserver to respond or similar or
>> > > waiting for something to time out.
>> > 
>> > Glad you asked!
>> > 
>> > dirmngr uses sks-keyservers.net which has at least one NS with
>> > issues:
>> > https://ednscomp.isc.org/ednscomp/0f65feeaa7
>> > 
>> 
>> Hmm, I just wonder why you would need to run dirmngr all the time, or
>> each time you have to read encrypted mail. You should have imported
>> the keys locally.
> 
> I don't choose to run dirmngr all the time, something within Evolution
> or gpg-agent makes that choice, and there's no way for me to know who
> on the d-u@l.d.o is going to sign their emails therefore I can't pre-
> import their keys.
> 

By "all the time" I mean each time Evolution opens a signed mail. I use
Trinity Desktop, and there I only see that the signature could not be
verified.
BTW, if you are an advanced Linux user, as you seem to be ... you may try
Trinity. It saves a lot of trouble, but it depends what you expect from it.

>> I even do not see any evidence that it is dirmngr that is blocking.
>> When I start the gpg client and search for a key I see dirmngr is
>> started
>>
>> $ while true; do ps -A | grep dir; sleep 1; done
>> 
>> > But more to the point, It's not an easy program to debug....
>> > 
>> > Following man page, I created ~/.gnupg/dirmngr.conf and populated
>> > it
>> > with:
>> > verbose
>> > debug-level expert
>> > keyserver na.pool.sks-keyservers.net
>> > disable-ipv6
>> > disable-ldap
>> > log-file ~/dirmngr.log
>> > allow-ocsp
>> > 
>> 
>> interesting but on my end I use pool.sks-keyservers.net and there
>> were no issues - well how often you download or upload a key to the
>> server?
> 
> I hardly ever upload, but reading this list results in 2 or 3 key
> downloads every few hours.
> 

So it might be a configuration that automatically searches for and downloads
keys that are not present. What if you configure it to do so manually? (This
might be in Evolution or at the system level for the user.)

>> If I search for a key it takes like 3 sec - and yes, I think it goes
>> via dirmngr - but sorry, no time to bother setting up a config.
>> 
>> The config I find here is the default
>> cat ~/.gnupg/dirmngr.conf
>> 
>> ###+++--- GPGConf ---+++###
>> disable-ldap
>> debug-level basic
>> log-file socket:///home/pizza/.gnupg/log-socket
>> ###+++--- GPGConf ---+++### Thu 06 Dec 2018 01:45:13 AM CET
>> # GPGConf edited this configuration file.
>> # It will disable options before this marked block, but it will
>> # never change anything below these lines.
> 
> Interesting.  My 2 Stretch systems did not have that file by default, I
> had to create it.
> 

Yes, it is created by the Trinity KGpg app AFAIR.

>> > and then I fired up Evolution and opened emails with gpg sigs, but
>> > still no data in the file ~/dirmngr.log.  :-(
>> > 
>> > What I suspect the problem to be, and what is alluded to on the
>> > sks-keyservers status page, is that there is a big
>> > inconsistency/availability with their servers (they have more off-
>> > pool servers listed than in-pool).  Obviously it's a freebie so
>> > complaints seem childish, but it is an important service.. just
>> > like pool.ntp.org (which ironically Debian has taken responsibility
>> > for at least sanitizing that with debian.pool.ntp.org)
>> > 
>> > -Jim P.
>> 
>> Some time ago keyservers got consolidated - so now we have
>> pool.sks-keyservers.net. I am not sure if you are approaching this with
>> prejudice; it might be only your setup.
> 
> :-) I do run a clean, simple, tightened-down, secure setup.  One of those
> things is a DNSSEC validating recursor.... which I now see that dnsviz
> reports DNSSEC errors in... wait for it... sks-keyservers.net  <sigh>
> 
> http://dnsviz.net/d/pool.sks-keyservers.net/dnssec/
> 
> Now, imagine if pool.ntp.org had those DNSSEC problems and the impact
> it would have on the world.
> 

I am sure it is not only sks-keyservers.net that reports back, but I agree
this might be part of the issue you report.

>> I know dirmngr is somehow coupled with gpg, but never bothered to
>> look into that as it was always working properly.
>> The keyserver is not configured in ~/.gnupg/dirmngr.conf but in
>> ~/.gnupg/gpg.conf
>> 
>> Show your ~/.gnupg/gpg.conf (or at least the relevant parts)
> 
> ~$ cat .gnupg/gpa.conf
> default-key 3F1C1EF2E6019EAC646CE45227155EB4C45A2705
> keyserver hkp://na.pool.sks-keyservers.net
> advanced-ui
> 

I don't have the protocol (hkp), but the point was to remove the keyserver
from dirmngr.conf. Not sure if it is right for your DE, though.

regards
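The two checks this reply suggests (find out where the waiting comes from, and see whether something is configured to fetch missing keys automatically) can be started without touching the network, by listing which options in the GnuPG home directory make gpg or dirmngr go out to a keyserver. The script below is an added example and is not code from this thread, from Debian or from GnuPG: the file layout and option names are GnuPG's own, the function and variable names are mine, and the two sample configs it writes are constructed (modelled on the ones quoted above). The relevant fact is that with `auto-key-retrieve` in gpg.conf, gpg asks dirmngr for every unknown signing key it meets while verifying, which matches the "2 or 3 key downloads every few hours" pattern of reading a signed list; without it, lookups happen only when you run `gpg --recv-keys` or `--search-keys` yourself. Whether the mail client passes an equivalent option on its own is a separate question that this check cannot answer.

```shell
#!/bin/sh
# Added example (not from the thread): list the options in a GnuPG home directory
# that make gpg or dirmngr talk to the network, so the source of a keyserver
# lookup can be found before debugging the live daemon.
# Assumptions: plain-text gpg.conf / dirmngr.conf in GnuPG's usual format, where a
# line whose first non-blank character is '#' is a comment (so the GPGConf marker
# lines are ignored) and every other line is "option [value]".

# gpg_conf_options FILE PATTERN
# Print "file:option [value]" for every active option in FILE whose option name
# matches the extended regex PATTERN. Missing or unreadable files are skipped.
gpg_conf_options() {
    file=$1
    pattern=$2
    [ -r "$file" ] || return 0
    sed -e '/^[[:space:]]*#/d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e '/^$/d' "$file" |
        awk -v f="$(basename "$file")" -v pat="$pattern" '$1 ~ pat { print f ":" $0 }'
}

# gpg_network_options [GNUPGHOME]
# gpg.conf options that cause key fetching or pick the keyserver, plus the
# dirmngr.conf options that matter when a lookup hangs (keyserver, logging,
# transport toggles). Defaults to $GNUPGHOME, then ~/.gnupg.
gpg_network_options() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    gpg_conf_options "$home/gpg.conf" \
        '^(auto-key-retrieve|auto-key-locate|keyserver|keyserver-options)$'
    gpg_conf_options "$home/dirmngr.conf" \
        '^(keyserver|log-file|debug-level|disable-ipv6|disable-ldap|hkp-cacert)$'
}

# Stand-alone demo on constructed files (sample data, not a real home directory).
# Expected output:
#   gpg.conf:keyserver hkp://na.pool.sks-keyservers.net
#   gpg.conf:auto-key-retrieve
#   dirmngr.conf:disable-ldap
#   dirmngr.conf:debug-level basic
#   dirmngr.conf:log-file socket:///home/pizza/.gnupg/log-socket
demo_gpg_network_options() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/gpg.conf" <<'EOF'
# constructed sample gpg.conf
keyserver hkp://na.pool.sks-keyservers.net
auto-key-retrieve
EOF
    cat > "$tmp/dirmngr.conf" <<'EOF'
###+++--- GPGConf ---+++###
disable-ldap
debug-level basic
log-file socket:///home/pizza/.gnupg/log-socket
###+++--- GPGConf ---+++### Thu 06 Dec 2018 01:45:13 AM CET
# GPGConf edited this configuration file.
EOF
    gpg_network_options "$tmp"
    rm -rf "$tmp"
}

demo_gpg_network_options
```

Once the responsible option is known, two live checks follow naturally: `gpg-connect-agent --dirmngr 'KEYSERVER' /bye` shows which keyserver the running dirmngr actually uses (the value gpg.conf hands it, not necessarily what dirmngr.conf says), and `gpgconf --kill dirmngr` after editing dirmngr.conf makes the daemon restart with the new options, since a dirmngr that was already running when a `log-file` line was added will not start writing to that file on its own.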