Re: dirmngr, can't live with it, can't live without it

[Jim Popovitch <jim@k4vqc.com>]

On Wed, 2019-02-27 at 08:03 +-0100, deloptes wrote:
+AD4 by all the time I mean each time Evolution opens a signed mail. I use
+AD4 Trinity Desktop and there - I only see that signature could not be
+AD4 verified.

Ah, i see.  For me (Stretch/Cinnamon) dirmngr is started when Evolution
encounters the first sig, and dirmngr remains running until system
shutdown.

+AD4 BTW if you are advanced Linux user as it seems to be ... you may try
+AD4 Trinity - saves a lot of troubles - but depends what you expect from it.

Thanks, I'll certainly look into that more.  On a related note I highly
recommend Cinnamon for it's clean looks and ease of use. :-)

+AD4 +AD4 +AD4 I even do not see any evidence that it is dirmngr that is blocking.
+AD4 +AD4 +AD4 When I start the gpg client and search for a key I see dirmngr is
+AD4 +AD4 +AD4 started
+AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 +ACQ while true+ADs do ps -A +AHw grep dir+ADs sleep 1+ADs done
+AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 +AD4 But more to the point, It's not an easy program to debug....
+AD4 +AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 +AD4 Following man page, I created +AH4-/.gnupg/dirmngr.conf and populated
+AD4 +AD4 +AD4 +AD4 it
+AD4 +AD4 +AD4 +AD4 with:
+AD4 +AD4 +AD4 +AD4 verbose
+AD4 +AD4 +AD4 +AD4 debug-level expert
+AD4 +AD4 +AD4 +AD4 keyserver na.pool.sks-keyservers.net
+AD4 +AD4 +AD4 +AD4 disable-ipv6
+AD4 +AD4 +AD4 +AD4 disable-ldap
+AD4 +AD4 +AD4 +AD4 log-file +AH4-/dirmngr.log
+AD4 +AD4 +AD4 +AD4 allow-ocsp
+AD4 +AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 interesting but on my end I use pool.sks-keyservers.net and there
+AD4 +AD4 +AD4 were no issues - well how often you download or upload a key to the
+AD4 +AD4 +AD4 server?
+AD4 +AD4 
+AD4 +AD4 I hardly ever upload, but reading this list results in 2 or 3 key
+AD4 +AD4 downloads every few hours.
+AD4 +AD4 
+AD4 
+AD4 So it might be a configuration to automatically search and download keys not
+AD4 present - what if you configure to manually do so (this might be in
+AD4 Evolution or at system level for the user)

I can't find anywhere in .gnupg/+ACo or Evolution config where that would
be setup. :-(

+AD4 +AD4 +AD4 If I search for a key it takes like 3sec - and yes I think it goes
+AD4 +AD4 +AD4 via dirmngr - but sorry no time to bother setting up a config.
+AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 The config I find here is the default
+AD4 +AD4 +AD4 cat +AH4-/.gnupg/dirmngr.conf
+AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 +ACMAIwAjACsAKwAr---- GPGConf ---+-+-+-+ACMAIwAj
+AD4 +AD4 +AD4 disable-ldap
+AD4 +AD4 +AD4 debug-level basic
+AD4 +AD4 +AD4 log-file socket:///home/pizza/.gnupg/log-socket
+AD4 +AD4 +AD4 +ACMAIwAjACsAKwAr---- GPGConf ---+-+-+-+ACMAIwAj Thu 06 Dec 2018 01:45:13 AM CET
+AD4 +AD4 +AD4 +ACM GPGConf edited this configuration file.
+AD4 +AD4 +AD4 +ACM It will disable options before this marked block, but it will
+AD4 +AD4 +AD4 +ACM never change anything below these lines.
+AD4 +AD4 
+AD4 +AD4 Interesting.  My 2 Stretch systems did not have that file by default, I
+AD4 +AD4 had to create it.
+AD4 +AD4 
+AD4 
+AD4 Yes it is created by the Trinity Kgpg app AFAIR.
+AD4 
+AD4 +AD4 +AD4 +AD4 and then I fired up Evolution and opened emails with gpg sigs, but
+AD4 +AD4 +AD4 +AD4 still no data in the file +AH4-/dirmngr.log.+AKAAoA:-(
+AD4 +AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 +AD4 What I suspect the problem to be, and what is alluded to on the
+AD4 +AD4 +AD4 +AD4 sks-keyservers status page, is that there is a big
+AD4 +AD4 +AD4 +AD4 inconsistency/availability with their servers (they have more off-
+AD4 +AD4 +AD4 +AD4 pool servers listed than in-pool).+AKAAoA-Obviously it's a freebie so
+AD4 +AD4 +AD4 +AD4 complaints seem childish, but it is an important service.. just
+AD4 +AD4 +AD4 +AD4 like pool.ntp.org (which ironically Debian has taken responsibility
+AD4 +AD4 +AD4 +AD4 for at least sanitizing that with debian.pool.ntp.org)
+AD4 +AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 +AD4 -Jim P.
+AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 Some time ago keyservers got consolidated - so now we have
+AD4 +AD4 +AD4 pool.sks-keyservers.net. I am not sure if you are taking this with
+AD4 +AD4 +AD4 prejudices - might be only your setup.
+AD4 +AD4 
+AD4 +AD4 :-) I do run a clean, simple, tighten-down, secure setup.  One of those
+AD4 +AD4 things is a DNSSEC validating recursor.... which I now see that dnsviz
+AD4 +AD4 reports DNSSEC errors in... wait for it...+AKA-sks-keyservers.net  +ADw-sigh+AD4
+AD4 +AD4 
+AD4 +AD4 http://dnsviz.net/d/pool.sks-keyservers.net/dnssec/
+AD4 +AD4 
+AD4 +AD4 Now, imagine if pool.ntp.org had those DNSSEC problems and the impact
+AD4 +AD4 it would have on the world.
+AD4 +AD4 
+AD4 
+AD4 I am sure not only sks-keyservers.net reports back, but I agree this might
+AD4 be part of the issue you report.
+AD4 
+AD4 +AD4 +AD4 I know dirmngr is somehow coupled with gpg, but never bothered to
+AD4 +AD4 +AD4 look into that as it was always working properly.
+AD4 +AD4 +AD4 The keyserver is not configured in +AH4-/.gnupg/dirmngr.conf but in
+AD4 +AD4 +AD4 +AH4-/.gnupg/gpg.conf
+AD4 +AD4 +AD4 
+AD4 +AD4 +AD4 Show your +AH4-/.gnupg/gpg.conf (or at least the relevant parts)
+AD4 +AD4 
+AD4 +AD4 +AH4AJA cat .gnupg/gpa.conf
+AD4 +AD4 default-key 3F1C1EF2E6019EAC646CE45227155EB4C45A2705
+AD4 +AD4 keyserver hkp://na.pool.sks-keyservers.net
+AD4 +AD4 advanced-ui
+AD4 +AD4 
+AD4 
+AD4 I don't have the protocol (hkp) - but the point was to remove the keyserver
+AD4 from dirmngr.conf - not sure if it is right for your DE though.

Thanks for that, testing that now+ACE

-Jim P.