[pkg-gnupg-maint] Bug#927336: after buster upgrade (2.1.18-8~deb9u3 -> 2.2.12-1) --search-keys stops working due to dirmngr/keyserver/tor problem: add NEWS?

Tomas Pospisek tpo_deb at sourcepole.ch
Thu Apr 18 08:09:20 BST 2019


Package: gnupg
Version: 2.2.12-1
Severity: normal

Hello,

TLDR; please tell the user how to migrate from jessie to buster.

after upgrading from jessie to buster, `gpg --search-keys` stopped
working with:

    $ gpg --search-keys 1397BC53640DB551
    gpg: WARNUNG: Tor is not running
    gpg: error searching keyserver: Verbindungsaufbau abgelehnt
    gpg: Suche auf dem Schlüsselserver fehlgeschlagen: Verbindungsaufbau abgelehnt

which with `LC_ALL=C` set should read as:

    $ gpg --search-keys 1397BC53640DB551
    gpg: WARNING: Tor is not running
    gpg: error searching keyserver: Connection refused
    gpg: keyserver search failed: Connection refused

Based on the above warning I guessed the problem would be that `tor` is
not running. Since there's already *way* too much bloat in the form of
unasked for daemons running on my Debian system, I have tor disabled.

After searching the web and reading man pages I concluded that creating
a new config file `.gnupg/dirmngr.conf` with the content:

    no-use-tor

should fix the problem. It did so a bit, but not completely.
(unfortunately I seem to have lost the output/error of `gpg`). The
next thing I had to do was to delete the line

    keyserver keyserver.ubuntu.com

from `~/.gnupg/gpg.conf` and insert it into `.gnupg/dirmngr.conf`. That
still did not do the trick. The URL had also to be adapted. So in the
end:

    $ cat ~/.gnupg/dirmngr.conf
    no-use-tor
    keyserver hkp://keyserver.ubuntu.com

This seemed to work.

It also seems relevant to note that dirmngr is yet another daemon
constantly running, binding system resources for very low user benefit
(I must be using `gpg --search-keys` or `gpg --recv-keys` about twice
a year). Since dirmngr won't detect a config file change, it needs to
be killed. Its reaction to a SIGTERM or SIGHUP seems to be erratic.
It just as often terminates as it does not. So it needs to be SIGKILLed
to pick up the new config, which makes the whole process even more
burdensome.

Now finding all these took me about half an hour (and I'm not sure
whether they're correct and/or relevant). Please decide on a mechanism
to let the user know how to migrate his GPG setup into a working
condition again. I think the NEWS file would be the ideal place, however
maybe a note in the Release Notes would also be possible.

?

In case the above findings are correct, i.e.

1. add `no-use-tor` to `.gnupg/dirmngr.conf` if you do not intend to
   have the `tor` daemon running
2. migrate your `keyserver` setting from `.gnupg/gpg.conf` to
   `.gnupg/dirmngr.conf` 
3. adapt the keyserver URL to `hkp://`
4. `killall -9 dirmngr` to pick up the new config

then I can provide the respective NEWS patch.

Thanks,
*t

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8), LANGUAGE=de_CH:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnupg depends on:
ii  dirmngr         2.2.12-1
ii  gnupg-l10n      2.2.12-1
ii  gnupg-utils     2.2.12-1
ii  gpg             2.2.12-1
ii  gpg-agent       2.2.12-1
ii  gpg-wks-client  2.2.12-1
ii  gpg-wks-server  2.2.12-1
ii  gpgsm           2.2.12-1
ii  gpgv            2.2.12-1

gnupg recommends no packages.

Versions of packages gnupg suggests:
pn  parcimonie  <none>
pn  xloadimage  <none>

-- no debconf information
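
The migration steps listed in the report, turned into a read-only check of a GnuPG home directory. This is an added example, not part of the original message or of the gnupg package; it takes the reporter's findings as given (the message itself marks them as unconfirmed), and the function names and finding codes are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a GnuPG home directory against the findings in the
# report above. Read-only; it changes no configuration.

# conf_value FILE OPTION: print the argument of the first uncommented
# "OPTION ..." line in FILE (prints nothing if file or option is missing).
conf_value() {
    [ -f "$1" ] || return 0
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# conf_has FILE OPTION: succeed if FILE has an uncommented OPTION line.
conf_has() {
    [ -f "$1" ] && awk -v opt="$2" '$1 == opt { found = 1 } END { exit !found }' "$1"
}

# audit_gnupg_home DIR: print one (hypothetical) finding code per line.
audit_gnupg_home() {
    home=$1
    gpg_file="$home/gpg.conf"
    dirmngr_file="$home/dirmngr.conf"

    # Step 1: neither use-tor nor no-use-tor is set explicitly for dirmngr.
    if ! conf_has "$dirmngr_file" no-use-tor && ! conf_has "$dirmngr_file" use-tor; then
        echo "TOR_UNSET"
    fi
    # Step 2: a keyserver line is still in gpg.conf instead of dirmngr.conf.
    if conf_has "$gpg_file" keyserver; then
        echo "KEYSERVER_IN_GPG_CONF"
    fi
    ks=$(conf_value "$dirmngr_file" keyserver)
    if [ -z "$ks" ]; then
        echo "NO_KEYSERVER_IN_DIRMNGR_CONF"
    else
        # Step 3: the keyserver is a bare host name without a scheme.
        case $ks in
            *://*) ;;
            *) echo "KEYSERVER_WITHOUT_SCHEME" ;;
        esac
    fi
}

# Constructed sample: the pre-upgrade layout described in the report.
demo=$(mktemp -d)
printf 'keyserver keyserver.ubuntu.com\n' > "$demo/gpg.conf"
audit_gnupg_home "$demo"
rm -rf "$demo"
```

Run it as `audit_gnupg_home ~/.gnupg`. After changing `dirmngr.conf`, `gpgconf --kill dirmngr` stops the daemon so that the next `gpg` call starts it with the new configuration.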

