Re: Re: Re: gpg auto-locate-key selects expired/revoked key

2022-06-19 Thread Jan Eden via Gnupg-users
On 2022-06-09 12:52, Jan Eden via Gnupg-users wrote:
> On 2022-06-09 10:40, Werner Koch wrote:
> > On Thu,  9 Jun 2022 08:11, Jan Eden said:
> > 
> > > Now I corrected the mistake, and all is well.
> > 
> > I don't think this is your mistake.  We need to do something about it.
> > Tracked at https://dev.gnupg.org/T6023
> > 
> > BTW, to ignore local keys and update from WKD (or whatever has been
> > configured) you can use --locate-external-key which is available since
> > 2.2.17.
> 
> Thank you (both for the task and the suggestion)!

Following up on this issue: I now use the command suggested at
https://wiki.gnupg.org/WKDHosting with a filter for the revoked key's
fingerprint:

gpg --list-options show-only-fpr-mbox -k '@eden.one' | grep -v 
 | gpg-wks-client -v --directory 
/var/www/html/site/.well-known/openpgpkey --install-key

As I have only a single key to exclude, this is a viable solution for
me.

- Jan


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
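The root cause in this thread was a WKD key file exported by user id, which bundled the revoked key and the current key so that gpg consumed the first one. As an added check (not from the thread, GnuPG or gpg-wks-client), the following script walks the OpenPGP packet headers of each file under a WKD `hu/` directory and flags any file that does not contain exactly one primary public-key packet; the sample key blobs it builds are constructed dummies, and the `hu/` path layout is assumed from the WKD draft.

```python
"""Added check: flag WKD key files that do not hold exactly one OpenPGP key.
Walks OpenPGP packet headers (RFC 4880 section 4.2) and counts primary
public-key packets (tag 6). All sample bytes below are constructed."""
import sys
from pathlib import Path
TAG_PUBLIC_KEY = 6

def iter_packet_tags(data: bytes):
    """Yield the tag of each packet in a binary (unarmored) OpenPGP blob."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {i}")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header; length type 3 means indeterminate
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            nlen = 1 << ltype  # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[i + 1:i + 1 + nlen], "big"), 1 + nlen
        yield tag
        i += hdr + length

def count_primary_keys(data: bytes) -> int:
    return sum(1 for tag in iter_packet_tags(data) if tag == TAG_PUBLIC_KEY)

def bad_wkd_files(files: dict) -> dict:
    """Map {name: bytes} to {name: key_count} for files not holding exactly one key."""
    return {n: c for n, c in ((n, count_primary_keys(b)) for n, b in files.items()) if c != 1}

def _pkt(tag: int, body: bytes, new_format: bool) -> bytes:
    ctb = (0xC0 | tag) if new_format else (0x80 | (tag << 2))  # one-octet body length
    return bytes([ctb, len(body)]) + body
# Constructed stand-ins: one key = public-key, user-id and signature packet with dummy bodies.
ONE_KEY = (_pkt(6, b"\x04" + b"\x00" * 10, False)
           + _pkt(13, b"jan@example.invalid", True) + _pkt(2, b"\x00" * 20, True))
TWO_KEYS = ONE_KEY + ONE_KEY  # what exporting by user id produced in the thread

if __name__ == "__main__":  # usage: python wkd_check.py /path/to/.well-known/openpgpkey
    hu = Path(sys.argv[1]) / "hu"  # assumed layout: key files live in the hu/ subdirectory
    print(bad_wkd_files({p.name: p.read_bytes() for p in hu.iterdir() if p.is_file()}))
```

An empty dictionary means every file in `hu/` holds exactly one key, which is what gpg's WKD lookup expects.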


Re: Re: Re: gpg auto-locate-key selects expired/revoked key

2022-06-09 Thread Jan Eden via Gnupg-users
On 2022-06-09 22:13, Jan Eden via Gnupg-users wrote:
> 
> On 2022-06-09 21:40, Ingo Klöcker wrote:
> > On Donnerstag, 9. Juni 2022 17:38:04 CEST Mark via Gnupg-users wrote:
> > > I just looked at what Kleopatra has it set for and it has it set for
> > > hkp://keys.gnupg.net as well. I'm guessing that is no longer the best
> > > choice?
> > 
> > Kleopatra 3.1.21.220401 uses whatever `gpgconf --list-options dirmngr`
> > returns as value for `keyserver`. So it depends on the version of GnuPG
> > you are using. The default returned by gpgconf 2.3.6 is
> > hkps://keyserver.ubuntu.com.
> > 
> > As Andrew wrote, hkp://keys.gnupg.net is mapped internally by dirmngr to
> > the default keyserver. For a short while, hkp://keys.gnupg.net was mapped
> > to hkp://pgp.surf.nl while hkps://keys.gnupg.net was mapped to
> > hkps://keyserver.ubuntu.com. Since 2.3.5 all URLs with domain name
> > keys.gnupg.net are mapped to hkps://keyserver.ubuntu.com. The latest 2.2
> > version still uses hkp://pgp.surf.nl for non-TLS keys.gnupg.net URLs.
> > 
> > Conclusion: For GnuPG 2.3.5 and later hkp://keys.gnupg.net is as good as
> > not setting a keyserver or as setting it to hkps://keyserver.ubuntu.com.
> > If you are using a recent GnuPG 2.2, then hkp://keys.gnupg.net is not a
> > good choice. It's much better not to set a keyserver at all and go with
> > the default. Even for GnuPG 2.3.5 not setting keyserver is the way to go
> > unless you really want to use a specific keyserver.
> 
> That's interesting, because I had configured hkp://keys.gnupg.net in
> gpg.conf (deprecated, I know) with GnuPG 2.3.4 and was not able to
> refresh Andrew's keys. Only after changing the keyserver option to
> hkp://keys.openpgp.org, I received the updated keys.
> 
> `gpgconf --list-options dirmngr` returns hkps://keyserver.ubuntu.com,
> though.

Sorry, the output of gpgconf referred to a changed configuration. This
is what happens for me with GnuPG 2.3.4:

value for `keyserver` in gpg.conf → keyserver used with `--refresh-key`
hkp://keys.gnupg.net → hkp://pgp.surf.nl
hkp://keys.openpgp.org → hkp://keys.openpgp.org
[empty] → hkps://keyserver.ubuntu.com

- Jan




Re: Re: gpg auto-locate-key selects expired/revoked key

2022-06-09 Thread Jan Eden via Gnupg-users

On 2022-06-09 21:40, Ingo Klöcker wrote:
> On Donnerstag, 9. Juni 2022 17:38:04 CEST Mark via Gnupg-users wrote:
> > I just looked at what Kleopatra has it set for and it has it set for
> > hkp://keys.gnupg.net as well. I'm guessing that is no longer the best
> > choice?
> 
> Kleopatra 3.1.21.220401 uses whatever `gpgconf --list-options dirmngr`
> returns as value for `keyserver`. So it depends on the version of GnuPG
> you are using. The default returned by gpgconf 2.3.6 is
> hkps://keyserver.ubuntu.com.
> 
> As Andrew wrote, hkp://keys.gnupg.net is mapped internally by dirmngr to the 
> default keyserver. For a short while, hkp://keys.gnupg.net was mapped to 
> hkp://pgp.surf.nl while hkps://keys.gnupg.net was mapped to
> hkps://keyserver.ubuntu.com. Since 2.3.5 all URLs with domain name 
> keys.gnupg.net are mapped to hkps://keyserver.ubuntu.com. The latest 2.2 
> version still uses hkp://pgp.surf.nl for non-TLS keys.gnupg.net URLs.
> 
> Conclusion: For GnuPG 2.3.5 and later hkp://keys.gnupg.net is as good as not 
> setting a keyserver or as setting it to hkps://keyserver.ubuntu.com. If you 
> are using a recent GnuPG 2.2, then hkp://keys.gnupg.net is not a good choice. 
> It's much better not to set a keyserver at all and go with the default. Even 
> for GnuPG 2.3.5 not setting keyserver is the way to go unless you really want 
> to use a specific keyserver.

That's interesting, because I had configured hkp://keys.gnupg.net in
gpg.conf (deprecated, I know) with GnuPG 2.3.4 and was not able to
refresh Andrew's keys. Only after changing the keyserver option to
hkp://keys.openpgp.org, I received the updated keys.

`gpgconf --list-options dirmngr` returns hkps://keyserver.ubuntu.com,
though.

- Jan




Re: Re: gpg auto-locate-key selects expired/revoked key

2022-06-09 Thread Jan Eden via Gnupg-users
On 2022-06-09 12:08, Andrew Gallagher wrote:
> On 09/06/2022 11:50, Jan Eden wrote:
> > jan ~ % gpg --refresh-key 0xFB73E21AF1163937
> > gpg: refreshing 1 key from hkp://pgp.surf.nl
> > gpg: key FB73E21AF1163937: "Andrew Gallagher " not changed
> > gpg: Total number processed: 1
> > gpg:  unchanged: 1
> 
> You're using the pgp.surf.nl keyserver, but it has been broken for some
> time (it's currently lagging by about 360 thousand keys). pgp.surf.nl
> was configured by default in some previous releases of gnupg but has
> since been replaced.
> 
> You should edit dirmngr.conf and change your default keyserver to e.g.
> keys.openpgp.org or keyserver.ubuntu.com (other keyservers are
> available, see https://spider.pgpkeys.eu).
> 
> Example:
> 
> ```
> % more ~/.gnupg/dirmngr.conf
> keyserver hkps://pgpkeys.eu
> ```

I had configured hkp://keys.gnupg.net in gpg.conf (no separate
dirmngr.conf). Switching to keys.openpgp.org had the desired effect:

jan ~ % gpg --refresh-key 0xFB73E21AF1163937
gpg: refreshing 1 key from hkp://keys.openpgp.org
gpg: key FB73E21AF1163937: "Andrew Gallagher " 8 new signatures
gpg: Total number processed: 1
gpg: new signatures: 8

Thanks,
Jan




Re: Re: gpg auto-locate-key selects expired/revoked key

2022-06-09 Thread Jan Eden via Gnupg-users
On 2022-06-09 10:40, Werner Koch wrote:
> On Thu,  9 Jun 2022 08:11, Jan Eden said:
> 
> > Now I corrected the mistake, and all is well.
> 
> I don't think this is your mistake.  We need to do something about it.
> Tracked at https://dev.gnupg.org/T6023
> 
> BTW, to ignore local keys and update from WKD (or whatever has been
> configured) you can use --locate-external-key which is available since
> 2.2.17.

Thank you (both for the task and the suggestion)!

Best,
Jan




Re: Re: gpg auto-locate-key selects expired/revoked key

2022-06-09 Thread Jan Eden via Gnupg-users

On 2022-06-09 11:37, Andrew Gallagher wrote:
> On 09/06/2022 07:11, Jan Eden wrote:
> > PS. The key used to sign your message seems to be expired.
> 
> That could be because you already had my key in your keyring and it
> wasn't recently (i.e. in the last 18 months) refreshed. What does it say
> if you incant the following?
> 
> ```
> gpg --refresh-key 0xFB73E21AF1163937
> ```

jan ~ % gpg --refresh-key 0xFB73E21AF1163937
gpg: refreshing 1 key from hkp://pgp.surf.nl
gpg: key FB73E21AF1163937: "Andrew Gallagher " not changed
gpg: Total number processed: 1
gpg:  unchanged: 1

- Jan




Re: Re: gpg auto-locate-key selects expired/revoked key

2022-06-09 Thread Jan Eden via Gnupg-users

On 2022-06-08 22:51, Andrew Gallagher via Gnupg-users wrote:
> On 8 Jun 2022, at 07:46, Jan Eden via Gnupg-users wrote:
> > 
> > - Which WKD server hosts my expired/revoked key such that it takes
> >   precedence over my own WKD server at domain.com ?
> > - Why does gpg select an expired/revoked key over a valid key?
> 
> I suspect the issue is that your WKD is serving both keys (as you can see 
> from the output of the metacode checker) but GnuPG expects just one key to be 
> served, and so is consuming the first (which is the expired one) and ignoring 
> the second. Try replacing the file on the WKD server with one that contains 
> just the current key?

Thanks for the hint! I followed the instructions at
https://shibumi.dev/posts/how-to-setup-your-own-wkd-server/, and
unintentionally exported all keys for the address (gpg --no-armor
--export $uid) instead of specifying the key id.

Now I corrected the mistake, and all is well.

- Jan

PS. The key used to sign your message seems to be expired.

