Portage is not refreshing the gpg keys from keyserver. I have the http_proxy env var set to my current proxy server. In my ~/.gnupg/gpg.conf I have this line:

  keyserver-options http-proxy="http://proxy-server.mydomain.com:911"

but when I do a sync, I have this output:

  INFO:root:Refreshing keys from keyserver...
  ERROR:root:OpenPGP keyring refresh failed: gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
  gpg: keyserver refresh failed: Connection timed out

If I look at the processes running during the key refresh step, I see:

  root 4000 /usr/bin/python2.7 /usr/lib/python-exec/python2.7/gemato verify -s /usr/portage -K /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
  root 4006 gpg-agent --homedir /tmp/tmpj8hA7p --use-standard-socket --daemon
  root 4012 gpg2 --batch --refresh-keys

And in that homedir, there is a gpg.conf file but it lacks the keyserver-options parameter.

As a workaround, I added the keyserver-options statement in /usr/lib/python2.7/site-packages/gemato/openpgp.py after line 119.

Reproducible: Always

Steps to Reproduce:
1. set http_proxy
2. add keyserver-options statement to ~/.gnupg/gpg.conf
3. emerge --sync

Actual Results:
  INFO:root:Refreshing keys from keyserver...
  ERROR:root:OpenPGP keyring refresh failed: gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
  gpg: keyserver refresh failed: Connection timed ou

Expected Results:
  INFO:root:Refreshing keys from keyserver...
  INFO:root:Keys refreshed.
  INFO:root:Manifest timestamp: 2018-03-04 19:38:27 UTC
  INFO:root:Valid OpenPGP signature found:
  INFO:root:- primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
  INFO:root:- subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
  INFO:root:- timestamp: 2018-03-04 19:38:27 UTC
  INFO:root:Verifying /usr/portage...
  INFO:root:/usr/portage verified in 14.63 seconds
Created attachment 522450: emerge --info
app-portage/gemato-12.0 behaves the same
Have you tried setting the customary http_proxy in environment? I have no clue if GnuPG respects that or requires setting everything manually.
Yes, the http_proxy environment variable is always set (also in make.conf); otherwise, I cannot get on the internet. dirmngr's man page says there is a --honor-http-proxy parameter which makes it follow the http_proxy env var. If no such parameter is used, then dirmngr will ignore the proxy settings.
Thanks. So the remaining question is: if gpg doesn't use proxy by default, should gemato override that or should we require users to enable it via /etc.
The user sets the proxy through the environment variable http_proxy and she expects it to be followed. app-crypt/gnupg, on the other hand, does not want to play nice and must be told to follow the environment settings. wget honours http_proxy and rsync honours RSYNC_PROXY, therefore it is not even necessary to set your proxy in make.conf, unless you want to use a different proxy just for portage business. app-portage/gemato should always write "--honor-http-proxy" in gpg.conf while now it writes only "trust-model always"
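Illustrative helper for the gap this comment describes, added here for the thread; it is not gemato's code and not the fix that landed. It builds an isolated GnuPG homedir like the one in the process list of the report, writes honor-http-proxy into dirmngr.conf whenever http_proxy is set in the environment, and diagnoses whether an existing homedir would route keyserver traffic through the proxy at all. Option names and file names follow the GnuPG documentation (honor-http-proxy and http-proxy live in dirmngr.conf for GnuPG 2.1+; keyserver-options http-proxy in gpg.conf is the older style the reporter used); the proxy URL in the usage section is a constructed example.

```python
import os
import tempfile

# Illustrative code for this bug thread, not gemato's own implementation.


def build_gnupg_home(env, parent=None):
    """Create a throwaway GnuPG homedir for an isolated verification run.

    gpg.conf gets the trust-model override the thread mentions; dirmngr.conf
    gets 'honor-http-proxy' so that keyserver refreshes follow http_proxy
    from the environment, which is exactly what the reported homedir lacked.
    Returns the path of the new homedir.
    """
    home = tempfile.mkdtemp(prefix='gpg-home-', dir=parent)
    os.chmod(home, 0o700)  # GnuPG complains about group/world-readable homedirs
    with open(os.path.join(home, 'gpg.conf'), 'w') as f:
        f.write('# autogenerated for an isolated verification run\n')
        f.write('trust-model always\n')
    with open(os.path.join(home, 'dirmngr.conf'), 'w') as f:
        f.write('# autogenerated for an isolated verification run\n')
        if env.get('http_proxy') or env.get('HTTP_PROXY'):
            # dirmngr ignores http_proxy unless explicitly told to honour it
            f.write('honor-http-proxy\n')
    return home


def _options(path):
    """Return the effective (non-comment, non-empty) lines of a GnuPG config file."""
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return [ln.strip() for ln in f
                if ln.strip() and not ln.lstrip().startswith('#')]


def proxy_will_be_honored(home, env):
    """Diagnose whether keyserver refreshes from `home` will use the proxy.

    Returns (ok, reason). ok is False only when http_proxy is set but no
    config file in the homedir tells GnuPG about it; that is the state in
    which 'gpg2 --batch --refresh-keys' times out as in the report.
    """
    proxy = env.get('http_proxy') or env.get('HTTP_PROXY')
    if not proxy:
        return True, 'no http_proxy set; direct connection expected'
    dirmngr = _options(os.path.join(home, 'dirmngr.conf'))
    gpg = _options(os.path.join(home, 'gpg.conf'))
    if 'honor-http-proxy' in dirmngr:
        return True, 'dirmngr.conf honors http_proxy=%s' % proxy
    explicit = [o for o in dirmngr if o.startswith('http-proxy ')]
    if explicit:
        return True, 'dirmngr.conf sets %s' % explicit[0]
    legacy = [o for o in gpg
              if o.startswith('keyserver-options') and 'http-proxy' in o]
    if legacy:
        return True, 'gpg.conf sets %s (pre-2.1 style)' % legacy[0]
    return False, ('http_proxy=%s is set but neither dirmngr.conf nor gpg.conf '
                   'tells GnuPG to use it; keyserver refresh will time out' % proxy)


if __name__ == '__main__':
    # Constructed example environment; the proxy URL is not a real host.
    env = {'http_proxy': 'http://proxy.example.test:911'}
    home = build_gnupg_home(env)
    print(home, proxy_will_be_honored(home, env))
    bare = build_gnupg_home({})          # homedir written without the proxy line
    print(bare, proxy_will_be_honored(bare, env))
```

Running the diagnosis against the temporary homedir from the process list (the /tmp/tmpXXXX path passed to gpg-agent --homedir) is the quickest way to tell a proxy problem apart from a keyserver outage: if the function returns False, the timeout is expected and no keyserver was ever contacted.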
That's my thought as well. Want to take credit and submit a PR, or should I just add it?
(against gemato)
Thanks, but I have no clue about how to do that. You do that, please. Just mention my name and I am fine
Now in git. I'll wrap up a release once CI finishes.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fbd2e498a58d3f513c1c02cfad18782d6f230d1

commit 0fbd2e498a58d3f513c1c02cfad18782d6f230d1
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-03-16 13:14:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-03-16 13:31:53 +0000

    app-portage/gemato: Bump to 12.1

    Bump to new 12.1 version. Includes mostly a fix to respect http_proxy.

    Closes: https://bugs.gentoo.org/649642

 app-portage/gemato/Manifest           |  1 +
 app-portage/gemato/gemato-12.1.ebuild | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
*** Bug 659746 has been marked as a duplicate of this bug. ***