On Wed, 2019-02-27 at 00:45 +0100, deloptes wrote:
> Jim Popovitch wrote:
>
> > On Tue, 2019-02-26 at 20:31 +0100, deloptes wrote:
> > > Jim Popovitch wrote:
> > >
> > > > What's up with dirmngr? If dirmngr is installed, Evolution often takes ages to open signed emails. If dirmngr is not installed then (according to p.d.o/buster/dirmngr) "the parts of the GnuPG suite that try to interact with the network will fail".
> > > >
> > > > How can dirmngr be so tightly integrated but work so poorly querying services? /r
> > >
> > > Why should it be dirmngr's fault? Perhaps it is a kind of buster or other issue.
> > >
> > > Try to find out where the waiting is coming from and post back. For example, waiting for a keyserver to respond or similar, or waiting for something to time out.
> >
> > Glad you asked!
> >
> > dirmngr uses sks-keyservers.net, which has at least one NS with issues:
> > https://ednscomp.isc.org/ednscomp/0f65feeaa7
>
> Hmm, I just wonder why you would need to run dirmngr all the time, or each time you have to read encrypted mail. You should have imported the keys locally.
I don't choose to run dirmngr all the time; something within Evolution or gpg-agent makes that choice, and there's no way for me to know who on d-u@l.d.o is going to sign their emails, therefore I can't pre-import their keys.

> I even do not see any evidence that it is dirmngr that is blocking. When I start the gpg client and search for a key I see dirmngr is started:
>
> $ while true; do ps -A | grep dir; sleep 1; done
>
> > But more to the point, it's not an easy program to debug....
> >
> > Following the man page, I created ~/.gnupg/dirmngr.conf and populated it with:
> >
> > verbose
> > debug-level expert
> > keyserver na.pool.sks-keyservers.net
> > disable-ipv6
> > disable-ldap
> > log-file ~/dirmngr.log
> > allow-ocsp
>
> Interesting, but on my end I use pool.sks-keyservers.net and there were no issues - well, how often do you download or upload a key to the server?

I hardly ever upload, but reading this list results in 2 or 3 key downloads every few hours.

> If I search for a key it takes like 3 sec - and yes, I think it goes via dirmngr - but sorry, no time to bother setting up a config.
>
> The config I find here is the default:
>
> cat ~/.gnupg/dirmngr.conf
>
> ###+++--- GPGConf ---+++###
> disable-ldap
> debug-level basic
> log-file socket:///home/pizza/.gnupg/log-socket
> ###+++--- GPGConf ---+++### Thu 06 Dec 2018 01:45:13 AM CET
> # GPGConf edited this configuration file.
> # It will disable options before this marked block, but it will
> # never change anything below these lines.

Interesting. My 2 Stretch systems did not have that file by default; I had to create it.

> > And then I fired up Evolution and opened emails with gpg sigs, but still no data in the file ~/dirmngr.log. :-(
> >
> > What I suspect the problem to be, and what is alluded to on the sks-keyservers status page, is that there is a big inconsistency/availability problem with their servers (they have more off-pool servers listed than in-pool). Obviously it's a freebie, so complaints seem childish, but it is an important service... just like pool.ntp.org (which ironically Debian has taken responsibility for, at least sanitizing that with debian.pool.ntp.org).
> >
> > -Jim P.
>
> Some time ago keyservers got consolidated - so now we have pool.sks-keyservers.net. I am not sure if you are taking this with prejudices - might be only your setup. :-)

I do run a clean, simple, tightened-down, secure setup. One of those things is a DNSSEC validating recursor.... which I now see that dnsviz reports DNSSEC errors in... wait for it... sks-keyservers.net <sigh>

http://dnsviz.net/d/pool.sks-keyservers.net/dnssec/

Now, imagine if pool.ntp.org had those DNSSEC problems and the impact it would have on the world.

> I know dirmngr is somehow coupled with gpg, but never bothered to look into that as it was always working properly.
> The keyserver is not configured in ~/.gnupg/dirmngr.conf but in ~/.gnupg/gpg.conf
>
> Show your ~/.gnupg/gpg.conf (or at least the relevant parts)

~$ cat .gnupg/gpa.conf
default-key 3F1C1EF2E6019EAC646CE45227155EB4C45A2705
keyserver hkp://na.pool.sks-keyservers.net
advanced-ui

-Jim P.
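The thread never pins down two things: which file's keyserver line actually gets used, and what makes gpg go to the network at all when Evolution verifies a signature. The script below is an added example, written for this page and not code from either poster or from GnuPG. It reads a gpg.conf and a dirmngr.conf, reports whether verification will ask dirmngr to fetch an unknown signing key (gpg's auto-key-retrieve, in either of its spellings) and which keyserver line wins, and includes a live function that times DNS resolution and a capped key fetch. It assumes GnuPG 2.1/2.2 semantics, under which a keyserver line in gpg.conf is handed to dirmngr per request and takes precedence over the one in dirmngr.conf; the two config files, the hostnames, the paths and the key ID in the usage line are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread. Reads a gpg.conf and a dirmngr.conf and
# reports (a) whether verifying a signature will make gpg ask dirmngr to fetch an
# unknown signing key and (b) which keyserver line will be used. Assumption: GnuPG
# 2.1/2.2 semantics, where a "keyserver" line in gpg.conf is handed to dirmngr per
# request and takes precedence over the one in dirmngr.conf.

# conf_value FILE OPTION: value of the last active (uncommented) OPTION line; empty
# if the option is absent or takes no argument. GPGConf's ###+++--- markers start
# with '#' and are skipped like any other comment.
conf_value() {
    awk -v opt="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == opt { found = 1; v = ""
                    for (i = 2; i <= NF; i++) { sep = (i > 2) ? " " : ""; v = v sep $i } }
        END { if (found) print v }' "$1"
}

# conf_has FILE OPTION: succeeds when OPTION appears uncommented at least once.
conf_has() {
    awk -v opt="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == opt { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# verify_hits_network GPG_CONF: "yes" when gpg will contact a keyserver for a signing
# key it does not have (auto-key-retrieve as a stand-alone option or inside
# keyserver-options, comma- or space-separated), otherwise "no".
verify_hits_network() {
    if conf_has "$1" auto-key-retrieve; then echo yes; return; fi
    opts=" $(conf_value "$1" keyserver-options | tr ',' ' ') "
    case "$opts" in
        *" auto-key-retrieve "*) echo yes ;;
        *) echo no ;;
    esac
}

# effective_keyserver GPG_CONF DIRMNGR_CONF: gpg.conf wins, then dirmngr.conf,
# else dirmngr's compiled-in default (not named here; it differs between versions).
effective_keyserver() {
    ks=$(conf_value "$1" keyserver)
    [ -n "$ks" ] || ks=$(conf_value "$2" keyserver)
    [ -n "$ks" ] || ks="(dirmngr built-in default)"
    printf '%s\n' "$ks"
}

report() {   # report GPG_CONF DIRMNGR_CONF
    printf 'verification contacts a keyserver: %s\n' "$(verify_hits_network "$1")"
    printf 'keyserver that would be used:      %s\n' "$(effective_keyserver "$1" "$2")"
    log=$(conf_value "$2" log-file)
    printf 'dirmngr log-file:                  %s\n' "${log:-(none: dirmngr logs nowhere)}"
}

# Live part: needs network plus dig, timeout and gpg; not called by the checks above.
# Run "gpgconf --kill dirmngr" first: dirmngr is a long-lived daemon that keeps the
# config it read at start, so a freshly added log-file line is ignored until restart.
# A validating resolver answers SERVFAIL for a zone whose DNSSEC chain is broken; if
# "dig @<non-validating resolver>" gets NOERROR for the same name, the wait is DNS,
# not the keyserver.
diagnose_live() {   # diagnose_live POOL_HOST KEYID
    dig +dnssec +time=3 +tries=1 A "$1" | grep -E '^;; (->>HEADER|flags)|[[:space:]]IN[[:space:]]+(A|RRSIG)[[:space:]]'
    t0=$(date +%s); rc=0
    timeout 30 gpg --batch --keyserver "hkp://$1" --recv-keys "$2" || rc=$?
    echo "gpg exit status $rc after $(( $(date +%s) - t0 )) s (124 = hit the 30 s cap)"
}

# Constructed sample configs, shaped like the ones quoted in the thread (hostnames,
# paths and options are the example's own, not either poster's files).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/gpg.conf" <<'EOF'
# keyserver here overrides the one in dirmngr.conf (assumption stated above)
keyserver hkp://na.pool.sks-keyservers.net
keyserver-options auto-key-retrieve,no-honor-keyserver-url
EOF
cat > "$tmp/dirmngr.conf" <<'EOF'
###+++--- GPGConf ---+++###
disable-ldap
debug-level basic
keyserver hkps://hkps.pool.sks-keyservers.net
###+++--- GPGConf ---+++###
# log-file ~/dirmngr.log
EOF
report "$tmp/gpg.conf" "$tmp/dirmngr.conf"
# Live usage (constructed key ID): diagnose_live na.pool.sks-keyservers.net 0x0123456789ABCDEF
```

The offline part is what settles the "which file" question for a given machine: with the sample files, gpg.conf's hkp:// line is reported as the one in use even though dirmngr.conf names an hkps:// pool, and the commented-out log-file line is reported as no logging at all. The live function is where deloptes' "find out where the waiting is coming from" gets answered: a SERVFAIL from a validating recursor on the pool name, or a gpg exit status of 124, each point at a different place to look.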