Re: ?: keys.gnupg.net: Host not found

2015-10-10 Thread Yuri Kanivetsky
>
> Just a thought, but have you tried one of the geographical pools
> ({eu,na,oc}.pool.sks-keyservers.net) instead of the general one? That
> should result in better network response time and routing.
>

I just tried pool.sks-keyservers.net, and with this domain it works (in VM):

$ gpg2 --keyserver hkp://keys.gnupg.net --recv-key 409B6B1796C275462A1703113804BB82D39DC0E3
gpg: keyserver receive failed: No keyserver available

$ gpg2 --keyserver hkp://pool.sks-keyservers.net --recv-key 409B6B1796C275462A1703113804BB82D39DC0E3
gpg: key D39DC0E3: "Michal Papis (RVM signing) " not
changed
gpg: Total number processed: 1
gpg:  unchanged: 1

$ gpg2 --keyserver hkp://keys.gnupg.net --recv-key 409B6B1796C275462A1703113804BB82D39DC0E3
gpg: keyserver receive failed: No keyserver available

What could this possibly mean...


> > ### 154.127.60.51 gpg: keyserver receive failed: No keyserver
> > available
>
> This works for me at least
>
> > ### 178.33.187.175 gpg: keyserver receive failed: No keyserver
> > available ### 206.176.170.195
>
> This works for me as well
>

I can again confirm that those IPs don't work for me, but ping (on host
machine):

$ ping -c 1 154.127.60.51
PING 154.127.60.51 (154.127.60.51) 56(84) bytes of data.
64 bytes from 154.127.60.51: icmp_seq=1 ttl=44 time=213 ms

--- 154.127.60.51 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 213.158/213.158/213.158/0.000 ms

$ gpg --keyserver hkp://154.127.60.51 --recv-key 409B6B1796C275462A1703113804BB82D39DC0E3
gpg: keyserver receive failed: No keyserver available

$ ping -c 1 154.127.60.51
PING 154.127.60.51 (154.127.60.51) 56(84) bytes of data.
64 bytes from 154.127.60.51: icmp_seq=1 ttl=44 time=213 ms

--- 154.127.60.51 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 213.103/213.103/213.103/0.000 ms

Regards,
Yuri
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: cv25519 subkeys not sent in recv-keys or shown in search-keys

2015-10-10 Thread Kristian Fiskerstrand
On 10/10/2015 01:50 AM, Scott M wrote:
> Using gpg2-2.1.8 with libgcrypt-1.7.0-beta262, I did the
> following:
> 

...

> 
> However, when I search-keys for the hexid of the encrypt subkey, it
> returns the master public key, so the server knows about the
> subkey. Then why doesn't it send to me when I --recv-keys ? For
> that matter, 
> http://keys2.kfwebs.net/pks/lookup?op=vindex=0x9300DF68

You should get it if you append =off to the get query, i.e.
https://sks-keyservers.net/pks/lookup?op=get=0x9300DF68=off

(that is using the same server cluster)


> does output my keys, but does not show the very key that was 
> searched for!
> 
> Is it possible the server supports ed25519, but not cv25519? Are
> there any keyservers known to support both these key types? It
> seems that almost all do not, even keys2.kfwebs.net (got this one
> from #gnupg).
> 

That is very possible, as there is not yet an ID except for
http://www.ietf.org/internet-drafts/draft-koch-eddsa-for-openpgp-01.txt for
curve25519 related keys

-- 

Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Veni vidi visa
I came, I saw, I bought





[Announce] GnuPG 2.1.9 released

2015-10-10 Thread Werner Koch
Hello!

The GnuPG Project is pleased to announce the availability of a new
release of GnuPG modern: Version 2.1.9.

The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows encrypting and signing data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  A wealth of frontend applications
and libraries making use of GnuPG are available.  Since version 2 GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.

Three different branches of GnuPG are actively maintained:

- GnuPG "modern" (2.1) is the latest development with a lot of new
  features.  This announcement is about this branch.

- GnuPG "stable" (2.0) is the current stable version for general use.
  This is what most users are currently using.

- GnuPG "classic" (1.4) is the old standalone version which is most
  suitable for older or embedded platforms.

You may not install "modern" (2.1) and "stable" (2.0) at the same
time.  However, it is possible to install "classic" (1.4) along with
any of the other versions.


Noteworthy changes in version 2.1.9
===================================

 * gpg: Allow fetching keys via OpenPGP DANE (--auto-key-locate).  New
   option --print-dane-records.

 * gpg: Fix for a problem with PGP-2 keys in a keyring.

 * gpg: Fail with an error instead of a warning if a modern cipher
   algorithm is used without a MDC.

 * agent: New option --pinentry-invisible-char.

 * agent: Always do an RSA signature verification after creation.

 * agent: Fix a regression in ssh-add-ing Ed25519 keys.

 * agent: Fix ssh fingerprint computation for nistp384 and EdDSA.

 * agent: Fix crash during passphrase entry on some platforms.

 * scd: Change timeout to fix problems with some 2.1 cards.

 * dirmngr: Displayed name is now Key Acquirer.

 * dirmngr: Add option --keyserver.  Deprecate that option for gpg.
   Install a dirmngr.conf file from a skeleton for new installations.

A detailed description of the changes found in the 2.1 branch can be
found at .

Please be aware that there are still known bugs which we are working on.
Check https://bugs.gnupg.org, https://wiki.gnupg.org, and the mailing
list archives for known problems and workarounds.


Getting the Software
====================

Please follow the instructions found at  or
read on:

GnuPG 2.1.9 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found
at .  Note that GnuPG is not available
at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.9.tar.bz2  (4810k)
 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.9.tar.bz2.sig

or here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.9.tar.bz2  (4810k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.9.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
basic Pinentry tool is available here:

 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.9_20151009.exe  (2580k)
 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.9_20151009.exe.sig

or here

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.9_20151009.exe  (2580k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.9_20151009.exe.sig

Note that some features are not yet working in the Windows version.  The
source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.1.9.tar.bz2 you would use this command:

 gpg --verify gnupg-2.1.9.tar.bz2.sig gnupg-2.1.9.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See below for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" 
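
The announcement tells you to verify the release signature and then make sure the signing key is actually a trusted release key. The following Python is an added example (not part of the announcement and not GnuPG project code) that automates that second step: it runs the same `gpg --verify` from above with `--status-fd` and accepts the file only if gpg emits a VALIDSIG whose primary fingerprint is on an allowlist, since a "Good signature" from an arbitrary key means nothing. The fingerprint in TRUSTED_RELEASE_KEYS is a placeholder, because the page is cut off before the real signing-key list; fill it from a trusted source. The SAMPLE_STATUS lines are constructed to look like gpg's status output, and `verify_release` assumes a `gpg` binary on PATH.

```python
import hashlib
import subprocess
from dataclasses import dataclass

# PLACEHOLDER: not a real key. Take the real release-signing fingerprints from a
# trusted source (the announcement's signing-key section), never from the
# download mirror you are trying to verify.
TRUSTED_RELEASE_KEYS = {
    "0000000000000000000000000000000000000001",
}

# Any of these status tags means the signature must be rejected outright.
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""


def evaluate_status(lines, trusted):
    """Decide from `gpg --status-fd` lines whether a detached signature is
    acceptable.  GOODSIG alone is not enough: we require a VALIDSIG line and
    a primary-key fingerprint that is on the allowlist.  Web-of-trust status
    (TRUST_*) is deliberately ignored; the allowlist replaces it here."""
    primary_fpr = None
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # ordinary gpg stderr noise, not a status line
        tag = parts[1]
        if tag in BAD_STATUS:
            return Verdict(False, f"gpg reported {tag}")
        if tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsvd> <pkalgo> <hash>
            #          <class> [<primary-key-fpr>]
            primary_fpr = parts[11] if len(parts) > 11 else parts[2]
    if primary_fpr is None:
        return Verdict(False, "no VALIDSIG line (signature missing or not checked)")
    fpr = primary_fpr.upper()
    if fpr not in trusted:
        return Verdict(False, f"signed by a key not on the release allowlist: {fpr}", fpr)
    return Verdict(True, "good signature from a trusted release key", fpr)


def sha1_matches(data: bytes, expected_hex: str) -> bool:
    """Fallback from the announcement: compare the SHA-1 of the download.  This
    only helps if the expected digest came over a channel you trust."""
    return hashlib.sha1(data).hexdigest() == expected_hex.lower()


def verify_release(sig_path, file_path, trusted=TRUSTED_RELEASE_KEYS):
    """Run gpg (assumed to be installed) exactly as the announcement suggests
    and evaluate its machine-readable status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return evaluate_status(proc.stdout.splitlines(), trusted)


# Constructed sample of the status lines gpg emits for a good detached
# signature made by the placeholder key above.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2015-10-09 1444377600",
    "[GNUPG:] GOODSIG 0000000000000001 Placeholder Signer <placeholder@example.invalid>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2015-10-09 1444377600 "
    "0 4 0 1 10 00 0000000000000000000000000000000000000001",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

if __name__ == "__main__":
    print(evaluate_status(SAMPLE_STATUS, TRUSTED_RELEASE_KEYS))
    print(evaluate_status(SAMPLE_STATUS, set()))
```

Note that the same key that makes TRUST_UNDEFINED appear in the sample still passes here, because the allowlist, not the local trust database, is the authority for release signatures.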

Re: ?: keys.gnupg.net: Host not found

2015-10-10 Thread Yuri Kanivetsky
>
> It is a pool. keys.gnupg.net is just an alias for the SKS server
> pool[1], IIRC. I host a server in this pool and it is set to drop all
> IPv4 ICMP packets, so will not respond to a ping even though the server
> is online. It will respond to ICMPv6 pings however.



> I am also NOT able to reproduce this error on XUbuntu 14.04 x64:


Okay, let us do this the other way around. That's what I'm getting on host
machine:

$ dig +noall +answer keys.gnupg.net | awk '$4 == "A" { print $5 }' | while IFS= read -r; do echo "### $REPLY"; gpg --keyserver "hkp://$REPLY" --recv-key 409B6B1796C275462A1703113804BB82D39DC0E3; done
### 62.210.74.32
gpg: keyserver receive failed: No keyserver available
### 78.157.209.9
gpg: key D39DC0E3: "Michal Papis (RVM signing) " not
changed
gpg: Total number processed: 1
gpg:  unchanged: 1
### 132.248.241.99
gpg: key D39DC0E3: "Michal Papis (RVM signing) " not
changed
gpg: Total number processed: 1
gpg:  unchanged: 1
### 154.127.60.51
gpg: keyserver receive failed: No keyserver available
### 176.9.100.87
gpg: keyserver receive failed: No data
### 178.33.187.175
gpg: keyserver receive failed: No keyserver available
### 206.176.170.195
gpg: key D39DC0E3: "Michal Papis (RVM signing) " not
changed
gpg: Total number processed: 1
gpg:  unchanged: 1
### 209.135.211.141
gpg: key D39DC0E3: "Michal Papis (RVM signing) " not
changed
gpg: Total number processed: 1
gpg:  unchanged: 1
### 212.71.252.8
gpg: keyserver receive failed: No keyserver available
### 5.9.143.170
gpg: key D39DC0E3: "Michal Papis (RVM signing) " not
changed
gpg: Total number processed: 1
gpg:  unchanged: 1


> Inclusion in the pool is voluntary, so there aren't any "official"
> servers, so to speak, but there are criteria for being included in the
> main pool. [...] As far as uptime, if the server did not
> respond during the last check of the pool, it will not be included. So,
> in rare cases, there may be one or two servers in the pool that are not
> currently responding, but did so during the last check of the pool. If
> they do not respond at the next check, they are removed from the main pool.


Correct me if I'm wrong. Anybody can add a machine to a pool on condition
that it meets some specific criteria.

Speaking of official servers, I meant this. There's also
keyserver.ubuntu.com, keyring.debian.org. Surely there's no official
servers among those in the keys.gnupg.net pool. I meant, is keys.gnupg.net pool
an official source of keys? Can you recommend where to submit a key?



> both of these are using curl-shim, what happens if you try the full
> curl version (how to do that is distro-specific, iirc debian et al
> have a separate gnupg-curl package)?
>

After installing gnupg-curl:

$ gpg --version
gpg (GnuPG) 1.4.18
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ gpg --keyserver-options verbose,debug --keyserver hkp://keys.gnupg.net --recv-key 409B6B1796C275462A1703113804BB82D39DC0E3
gpg: requesting key D39DC0E3 from hkp server keys.gnupg.net
gpgkeys: curl version = libcurl/7.38.0 GnuTLS/3.3.8 zlib/1.2.8
libidn/1.28 librtmp/2.3
* Hostname was NOT found in DNS cache
* Could not resolve host: keys.gnupg.net
* Closing connection 0
gpgkeys: HTTP fetch error 6: Could not resolve host: keys.gnupg.net
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Tell me if you need output of `gnupg-2.0.29` as well.

What are the known schematas listed for:
> $ echo "KEYSERVER --help" | gpg-connect-agent --dirmngr
>

$ echo "KEYSERVER --help" | gpg-connect-agent --dirmngr
gpg-connect-agent: no running Dirmngr - starting '/usr/local/bin/dirmngr'
gpg-connect-agent: waiting for the dirmngr to come up ... (5s)
gpg-connect-agent: connection to the dirmngr established
S # Known schemata:
S #   hkp
S #   http
S #   finger
S #   kdns
S # (Use an URL for engine specific help.)
OK


How was this 2.1 version built?
>

`./configure && make && sudo make install` in the previous email, and
`./configure CFLAGS='-g -O0' CXXFLAGS='-g -O0' && make && sudo make
install` in this one.

AFAICS, it's the dirmngr who does the request. Can I reproduce it 

Re: [Announce] GnuPG 2.1.9 released

2015-10-10 Thread K. Raven
Hi,

> Noteworthy changes in version 2.1.9 
> ===

> * dirmngr: Add option --keyserver.  Deprecate that option for gpg. 
> Install a dirmngr.conf file from a skeleton for new installations.

man dirmngr

--keyserver name

The scheme is the type of keyserver: "hkp" for the HTTP (or compatible)
keyservers, "ldap" for  the  LDAP keyservers,  or  "mailto"  for the
Graff email keyserver.

"hkps" (as in dirmngr-conf.skel)?

After the keyserver name, optional keyserver configuration options may
be provided. These are the  same as the global --keyserver-options from
below (where? in man gpg2?), but apply only to this particular keyserver.

keyserver hkps://hkps.pool.sks-keyservers.net option1 option2 or
keyserver hkps://hkps.pool.sks-keyservers.net option1,option2

in dirmngr.conf:

2015-10-10 14:04:46 dirmngr[18334.1] command 'KS_SEARCH' failed:
Syntaxfehler im URI
2015-10-10 14:04:46 dirmngr[18334.1] DBG: chan_1 -> ERR 167772206
Syntaxfehler im URI 

What is the right syntax? No example found in dirmngr-conf.skel.

Only with "keyserver hkps://hkps.pool.sks-keyservers.net" and
"keyserver-options" in gpg.conf, it works.

-- 
Ciao
Kai

http://kairaven.de/



Re: ?: keys.gnupg.net: Host not found

2015-10-10 Thread Kristian Fiskerstrand
On 10/10/2015 12:09 PM, Yuri Kanivetsky wrote:
> It is a pool. keys.gnupg.net is just an
> alias for the SKS server pool[1], IIRC. I host a server in this
> pool and it is set to drop all IPv4 ICMP packets, so will not
> respond to a ping even though the server is online. It will respond
> to ICMPv6 pings however.
> 
> 
> 
> I am also NOT able to reproduce this error on XUbuntu 14.04 x64:
> 
> 
> Okay, let us do this the other way around. That's what I'm getting
> on host machine:

Just a thought, but have you tried one of the geographical pools
({eu,na,oc}.pool.sks-keyservers.net) instead of the general one? That
should result in better network response time and routing.

> ### 154.127.60.51 gpg: keyserver receive failed: No keyserver
> available

This works for me at least

> ### 176.9.100.87 gpg: keyserver receive failed: No data

This keyserver is wrongly configured, as it doesn't respond on all
traffic on port 11371 but filters it based on Host header (the server
operator is BCCed to this email), so it currently does work using the
pool.sks-keyservers.net but not keys.gnupg.net

> ### 178.33.187.175 gpg: keyserver receive failed: No keyserver
> available ### 206.176.170.195

This works for me as well


> is keys.gnupg.net pool an official source
> of keys? Can you recommend where to submit a key?
> 

There is no "official source", nor any requirement to publish keys on
a keyserver, either private nor public. It is often convenient to do
so, though (but the existence of a key on a keyserver is no indication
of validity of the key, so this will always have to be verified out of
band).

> 
> How was this 2.1 version built?
> 
> 
> `./configure && make && sudo make install` in the previous email,
> and `./configure CFLAGS='-g -O0' CXXFLAGS='-g -O0' && make && sudo
> make install` in this one.
> 
> AFAICS, it's the dirmngr who does the request. Can I reproduce it
> with dirmngr alone, not involving gpg binary?

$ dirmngr
...
OK Dirmngr 2.1.9 at your service
KEYSERVER --clear hkp://pool.sks-keyservers.net
OK
KS_GET 409B6B1796C275462A1703113804BB82D39DC0E3
...
BYE

-- 

Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Vincit qui se vincit
He who conquers conquers self
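
Yuri's per-address loop and Kristian's note about the member that filters on the Host header together explain why a pool alias can fail for one client and work for another: each member behind the round-robin A record is its own server, and some only answer when the request names a hostname they are configured for. The Python below is an added example (not from either poster and not GnuPG or SKS code) that makes both points visible: it resolves a pool name to all its A records and issues the HKP `op=get` request to each member by IP, but with an explicit Host header, so the same member can be probed once as keys.gnupg.net and once as pool.sks-keyservers.net. The hostnames and the key fingerprint are the ones used in the thread; the response classification is this example's own approximation of what gpg prints.

```python
import http.client
import socket

HKP_PORT = 11371  # plain HKP, as used by every hkp:// URL in the thread


def hkp_path(keyid_or_fpr: str) -> str:
    """HKP 'get' query for a key id or full fingerprint."""
    return f"/pks/lookup?op=get&search=0x{keyid_or_fpr.upper()}"


def classify(status: int, body: str) -> str:
    """Map one HKP response to roughly what gpg reports for it.  A 200 without
    a key block is the 'No data' case; a refused or timed-out connection never
    reaches here and is reported by probe_member as 'No keyserver available'."""
    if status == 200 and "-----BEGIN PGP PUBLIC KEY BLOCK-----" in body:
        return "key served"
    if status == 200:
        return "no data (200 without a key block)"
    if status == 404:
        return "key not found"
    return f"http {status}"


def pool_members(pool_host: str):
    """All IPv4 addresses behind the pool's round-robin A record (the same set
    Yuri obtained with dig)."""
    infos = socket.getaddrinfo(pool_host, HKP_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe_member(ip: str, host_header: str, keyid: str, timeout: float = 10.0) -> str:
    """Connect to one member by IP but send `host_header` as the HTTP Host, which
    is what distinguishes a virtual-host-filtering member from a dead one."""
    try:
        conn = http.client.HTTPConnection(ip, HKP_PORT, timeout=timeout)
        conn.request("GET", hkp_path(keyid), headers={"Host": host_header})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
        return classify(resp.status, body)
    except (OSError, http.client.HTTPException) as exc:
        return f"no keyserver available ({exc.__class__.__name__})"


def probe_pool(pool_host: str, host_header: str, keyid: str, timeout: float = 10.0):
    """Per-member result for every address behind pool_host, requested as host_header."""
    return {ip: probe_member(ip, host_header, keyid, timeout)
            for ip in pool_members(pool_host)}


if __name__ == "__main__":
    fpr = "409B6B1796C275462A1703113804BB82D39DC0E3"
    # Same members, two different Host headers: a member that filters on Host
    # shows up as 'no data' or an HTTP error in the first run but not the second.
    for host_header in ("keys.gnupg.net", "pool.sks-keyservers.net"):
        print(f"=== Host: {host_header}")
        for ip, result in probe_pool("keys.gnupg.net", host_header, fpr).items():
            print(f"### {ip}: {result}")
```

Run it from the affected machine and from one that works; a member that is "no keyserver available" from one vantage point and "key served" from the other is a routing or filtering problem between you and that member, not a broken pool, which is the distinction the thread spends several messages establishing.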