Re: dirmngr, can't live with it, can't live without it
Jim Popovitch wrote:
> On Tue, 2019-02-26 at 20:31 +0100, deloptes wrote:
>> Jim Popovitch wrote:
>>
>> > What's up with dirmngr? If dirmngr is installed Evolution often takes
>> > ages to open signed emails. If dirmngr is not installed then (according
>> > to p.d.o/buster/dirmngr) "the parts of the GnuPG suite that try to
>> > interact with the network will fail"
>> >
>> > How can dirmngr be so tightly integrated but work so poorly querying
>> > services? /r
>>
>> Why should it be dirmngr's fault? Perhaps it is a kind of buster or
>> other issue.
>>
>> Try to find out where the waiting is coming from and post back. For
>> example waiting for keyserver to respond or similar or waiting for
>> something to time out.
>
> Glad you asked!
>
> dirmngr uses sks-keyservers.net which has at least one NS with issues:
> https://ednscomp.isc.org/ednscomp/0f65feeaa7
>
Hmm, I just wonder why you would need to run dirmngr all the time, or each
time you have to read encrypted mail. You should have imported the keys
locally.

I do not even see any evidence that it is dirmngr that is blocking.

When I start the gpg client and search for a key I see dirmngr is started:

$ while true; do ps -A | grep dir; sleep 1; done

> But more to the point, it's not an easy program to debug....
>
> Following man page, I created ~/.gnupg/dirmngr.conf and populated it
> with:
> verbose
> debug-level expert
> keyserver na.pool.sks-keyservers.net
> disable-ipv6
> disable-ldap
> log-file ~/dirmngr.log
> allow-ocsp
>
Interesting, but on my end I use pool.sks-keyservers.net and there were no
issues - well, how often do you download or upload a key to the server?
If I search for a key it takes like 3 sec - and yes, I think it goes via
dirmngr - but sorry, no time to bother setting up a config.

The config I find here is the default:
cat ~/.gnupg/dirmngr.conf
###+++--- GPGConf ---+++###
disable-ldap
debug-level basic
log-file socket:///home/pizza/.gnupg/log-socket
###+++--- GPGConf ---+++### Thu 06 Dec 2018 01:45:13 AM CET
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
> and then I fired up Evolution and opened emails with gpg sigs, but
> still no data in the file ~/dirmngr.log. :-(
>
> What I suspect the problem to be, and what is alluded to on the
> sks-keyservers status page, is that there is a big
> inconsistency/availability with their servers (they have more off-pool
> servers listed than in-pool). Obviously it's a freebie so complaints seem
> childish, but it is an important service.. just like pool.ntp.org (which
> ironically Debian has taken responsibility for at least sanitizing that
> with debian.pool.ntp.org)
>
> -Jim P.
Some time ago keyservers got consolidated - so now we have
pool.sks-keyservers.net. I am not sure if you are taking this with
prejudices - might be only your setup.
I know dirmngr is somehow coupled with gpg, but never bothered to look into
that as it was always working properly.
The keyserver is not configured in ~/.gnupg/dirmngr.conf but in
~/.gnupg/gpg.conf
Show your ~/.gnupg/gpg.conf (or at least the relevant parts)
regards