[Pkg-privacy-maintainers] Bug#898085: gnupg: gpg --search-keys and parcimonie don't work: Tor misconfigured/keyserver EPERM

intrigeri intrigeri at debian.org
Sun Jul 8 11:11:14 BST 2018


Hi,

I've tested this in a clean Stretch VM.

I've added these lines to ~/.gnupg/dirmngr.conf in order to get more
info:

verbose
debug 1024

And what I see when searching for my key is:

Jul 08 05:57:22 debian systemd[1022]: Started GnuPG network certificate management daemon.
Jul 08 05:57:22 debian dirmngr[2574]: dirmngr[2574]: enabled debug flags: ipc
Jul 08 05:57:22 debian dirmngr[2574]: dirmngr[2574]: error opening '/home/toto/.gnupg/dirmngr_ldapservers.conf': No such file or directory
Jul 08 05:57:22 debian dirmngr[2574]: permanently loaded certificates: 0
Jul 08 05:57:22 debian dirmngr[2574]:     runtime cached certificates: 0
Jul 08 05:57:22 debian dirmngr[2574]: handler for fd 5 started
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 -> # Home: /home/toto/.gnupg
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 -> # Config: /home/toto/.gnupg/dirmngr.conf
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 -> OK Dirmngr 2.1.18 at your service
Jul 08 05:57:22 debian dirmngr[2574]: connection from process 2573 (1000:1000)
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 <- GETINFO version
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 -> D 2.1.18
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 -> OK
Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 <- KS_SEARCH -- intrigeri at debian.org
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a01:4a0:59:1000:223:9eff:fe00:100f]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2600:1f16:41e:bd0a::73:6b73]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:470:1:116::6]'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '216.66.15.2'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '192.146.137.11'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '68.187.0.77'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.15.53.138'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '37.191.226.104'
Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '18.191.65.131'
Jul 08 05:57:24 debian dirmngr[2574]: can't connect to '2001:bc8:4700:2300::10:f15': Permission denied
Jul 08 05:57:24 debian dirmngr[2574]: error connecting to 'https://[2001:bc8:4700:2300::10:f15]:443': Permission denied
Jul 08 05:57:24 debian dirmngr[2574]: (Tor configuration problem)
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> S WARNING tor_config_problem 0 Please check that the "SocksPort" flag "IPv6Traffic" is set in torrc
Jul 08 05:57:24 debian dirmngr[2574]: command 'KS_SEARCH' failed: Permission denied
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> ERR 167804929 Permission denied <Dirmngr>
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 <- BYE
Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> OK closing connection
Jul 08 05:57:24 debian dirmngr[2574]: handler for fd 5 terminated

So indeed, the default GnuPG configuration in Stretch cannot work out
of the box once "use-tor" is enabled. One needs to:

 - either specify a keyserver whose hostname won't resolve to IPv6, like:

     echo 'keyserver hkp://jirk5u4osbsr34t5.onion' \
          >> ~/.gnupg/dirmngr.conf

 - or edit /etc/tor/torrc to enable the "IPv6Traffic" flag for the
   "SocksPort" that's used by dirmngr, i.e. something along the lines
   of:

     echo 'SocksPort 9050 IPv6Traffic' | sudo tee -a /etc/tor/torrc && \
     sudo systemctl restart tor@default

Can you please confirm that one of those fixes the problem
you're facing?

I'm sure I've noticed this problem before and we've discussed it
already, either with dkg or weasel, and I hope it's well tracked
somewhere. I'll check and will then adjust BTS metadata accordingly.

Cheers,
-- 
intrigeri
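
The two fixes listed in the message can be checked on a host with a short script. This is an added example, not part of the original message and not code from GnuPG or Tor; the function names and verdict strings are hypothetical, and SocksPort 9050 is assumed as in the message.

```shell
#!/bin/sh
# Added example (helper names are hypothetical, not part of GnuPG or Tor).

# True if dirmngr.conf enables Tor routing.
uses_tor() {
    grep -Eq '^[[:space:]]*use-tor[[:space:]]*$' "$1"
}

# True if at least one keyserver is configured and every one is a .onion
# host, so dirmngr never has to connect to a resolved IPv6 address.
only_onion_keyservers() {
    awk '$1 == "keyserver" { n++
             if ($2 !~ /\.onion(:[0-9]+)?\/?$/) bad = 1 }
         END { exit !(n > 0 && !bad) }' "$1"
}

# True if a SocksPort line for the given port carries the IPv6Traffic flag
# (matched case-insensitively). Accepts "port" or "address:port";
# commented-out lines and NoIPv6Traffic never match.
socksport_has_ipv6() {
    awk -v port="$2" 'tolower($1) == "socksport" {
             n = split($2, a, ":")
             if (a[n] != port) next
             for (i = 3; i <= NF; i++) {
                 if ($i ~ /^#/) break
                 if (tolower($i) == "ipv6traffic") found = 1 } }
         END { exit !found }' "$1"
}

# Print one verdict for a dirmngr.conf / torrc pair.
diagnose() {   # usage: diagnose DIRMNGR_CONF TORRC [PORT]
    if ! uses_tor "$1"; then echo "tor-not-enabled"
    elif only_onion_keyservers "$1"; then echo "ok-onion-keyserver"
    elif socksport_has_ipv6 "$2" "${3:-9050}"; then echo "ok-ipv6traffic"
    else echo "will-fail-on-ipv6"
    fi
}

# Constructed sample input: use-tor enabled, default keyserver pool,
# and a torrc whose only IPv6Traffic line is commented out.
tmp=$(mktemp -d)
printf 'verbose\ndebug 1024\nuse-tor\n' > "$tmp/dirmngr.conf"
printf '# SocksPort 9050 IPv6Traffic\nSocksPort 9050\n' > "$tmp/torrc"
diagnose "$tmp/dirmngr.conf" "$tmp/torrc"
rm -rf "$tmp"
```

On a real system the arguments would be ~/.gnupg/dirmngr.conf and /etc/tor/torrc.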


