I have a script on a few installations that fetches public keys; this particular line just started failing:

    gpg --keyid-format=0xlong --keyserver hkps://pgp.mit.edu --recv '0xDE9452CE46F42094907F108B44D1C0F82525FE49'

Debug output: https://paste.pound-python.org/show/dawF6zGBtlP8BdyQLzhH/

I asked in detail about this in the #gnupg IRC channel; we isolated the problem to be a missing CA cert. Debug output: https://paste.pound-python.org/show/dRlhScF8lxU5lJJLrkfU/

When testing with gnutls-cli and openssl s_client, the certificate is correctly validated, leading me to believe dirmngr and gpg are using their own CA store? My question is: where is this CA store, and how can I add the AddTrust CA? Why is mit.edu's certificate not trusted?

Test output using gnutls-cli and openssl: https://paste.pound-python.org/show/Y8XHilFFBBD3siGP7AI2/

At this point I resorted to testing the normal HKP server of the most widely used pool of PGP key servers (SKS):

    # gpg --debug 1024 --keyid-format=0xlong --keyserver hkp://pool.sks-keyserves.net --recv '0xDE9452CE46F42094907F108B44D1C0F82525FE49'
    gpg: reading options from '/root/.gnupg/gpg.conf'
    gpg: enabled debug flags: ipc
    gpg: DBG: chan_3 <- # Home: /root/.gnupg
    gpg: DBG: chan_3 <- # Config: /root/.gnupg/dirmngr.conf
    gpg: DBG: chan_3 <- OK Dirmngr 2.1.15 at your service
    gpg: DBG: connection to the dirmngr established
    gpg: DBG: chan_3 -> GETINFO version
    gpg: DBG: chan_3 <- D 2.1.15
    gpg: DBG: chan_3 <- OK
    gpg: DBG: chan_3 -> KEYSERVER --clear hkp://pool.sks-keyserves.net
    gpg: DBG: chan_3 <- OK
    gpg: DBG: chan_3 -> KS_GET -- 0xDE9452CE46F42094907F108B44D1C0F82525FE49
    gpg: DBG: chan_3 <- ERR 167772346 No keyserver available <Dirmngr>
    gpg: keyserver receive failed: No keyserver available
    gpg: DBG: chan_3 -> BYE
    gpg: secmem usage: 0/65536 bytes in 0 blocks

Both HKP and HKPS servers with SKS and pgp.mit.edu work just fine on older installations. What broke??
I depend on automated scripts to verify tarballs for my systems to continue running, please help!

Following is general system information of the affected system.

    # emerge --info
    Portage 2.3.0 (python 2.7.10-final-0, hardened/linux/amd64, gcc-4.8.5, glibc-2.22-r4, 4.4.8-grsec x86_64)
Reproducible: Always

Steps to Reproduce:
1. gpg --keyid-format=0xlong --keyserver hkps://pgp.mit.edu --recv '0xDE9452CE46F42094907F108B44D1C0F82525FE49'

Actual Results:
https://paste.pound-python.org/show/dawF6zGBtlP8BdyQLzhH/

Expected Results:

    $ gpg --keyid-format=0xlong --keyserver hkps://pgp.mit.edu --recv '0xDE9452CE46F42094907F108B44D1C0F82525FE49'
    gpg: requesting key 0x44D1C0F82525FE49 from hkps server pgp.mit.edu
    gpg: key 0x44D1C0F82525FE49: "Bradley Spengler (spender) <spender@grsecurity.net>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1

In the report above.
As I told you on IRC in #gnupg, this is expected behavior. The CA Cartel Root PKIX is unsafe and is only used for KS_FETCH [0]. Specify the root CA using hkp-cacert in dirmngr.conf.

References:
[0] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c3aeda82b8d00b87a5af72b4075c487c10dfdf6b
In case anyone else stumbles onto this bug, for completeness, the cert store can be included by

    ln -s /etc/ssl/certs/ca-certificates.crt $HOME/.gnupg/allcerts.pem

and doing a

    hkp-cacert /home/<user>/.gnupg/allcerts.pem

in dirmngr.conf, then do a

    gpgconf --reload dirmngr
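To make the hkp-cacert workaround above repeatable across installations, here is an added example script (not from this bug report, GnuPG or Gentoo) that writes the directive idempotently into dirmngr.conf and reloads dirmngr; the function names, the --apply flag and the default bundle path are assumptions.

```shell
#!/bin/sh
# Added example: point dirmngr's hkp-cacert at a CA bundle, idempotently.
# Not part of GnuPG or the Gentoo package; names and paths are assumptions.
set -eu

: "${GNUPGHOME:=${HOME:-/root}/.gnupg}"
# Constructed default; use your distribution's CA bundle location.
: "${CA_BUNDLE:=/etc/ssl/certs/ca-certificates.crt}"

# Replace every existing hkp-cacert line in $1/dirmngr.conf with one naming $2,
# so repeated runs never accumulate stale paths. Fails if the bundle is unreadable.
configure_hkp_cacert() {
    conf="$1/dirmngr.conf"
    bundle="$2"
    [ -r "$bundle" ] || { echo "CA bundle not readable: $bundle" >&2; return 1; }
    mkdir -p "$1"
    chmod 700 "$1"
    tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then
        # keep every directive that is not hkp-cacert (grep -v exits 1 on no output)
        grep -v '^[[:space:]]*hkp-cacert[[:space:]]' "$conf" > "$tmp" || :
    else
        : > "$tmp"
    fi
    printf 'hkp-cacert %s\n' "$bundle" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
}

# Print the bundle path dirmngr.conf currently names (last one wins; empty if none).
current_hkp_cacert() {
    conf="$1/dirmngr.conf"
    [ -f "$conf" ] || return 0
    sed -n 's/^[[:space:]]*hkp-cacert[[:space:]]\{1,\}//p' "$conf" | tail -n 1
}

# Ask a running dirmngr to re-read its configuration; a no-op without gpgconf.
reload_dirmngr() {
    command -v gpgconf >/dev/null 2>&1 && gpgconf --reload dirmngr || :
}

# Run with --apply to configure the real GNUPGHOME; sourcing only defines functions.
if [ "${1-}" = "--apply" ]; then
    configure_hkp_cacert "$GNUPGHOME" "$CA_BUNDLE"
    echo "hkp-cacert now: $(current_hkp_cacert "$GNUPGHOME")"
    reload_dirmngr
fi
```

hkp-cacert is consulted for every hkps:// keyserver dirmngr contacts, so pointing it at the full system bundle restores exactly the public-CA trust that upstream chose not to use for --recv; a bundle holding only the CA you expect for your keyserver is the narrower choice. After the reload, re-run the failing --recv command to confirm the key is fetched.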
OK, I don't really care if you consider this invalid, but for anyone else that might stumble into this: just use --fetch if you expect gpg to use your system's certificate store (like a normal application).

    # gpg --keyid-format=0xlong --fetch 'https://pgp.mit.edu/pks/lookup?op=get&search=0xDE9452CE46F42094907F108B44D1C0F82525FE49'
    gpg: requesting key from 'https://pgp.mit.edu/pks/lookup?op=get&search=0xDE9452CE46F42094907F108B44D1C0F82525FE49'
    gpg: key 0x44D1C0F82525FE49: "Bradley Spengler (spender) <spender@grsecurity.net>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1

As you can see, that works. I don't know anything about "CA cartels"; gpg was working a certain way and it changed in a way that broke a bunch of stuff. The only documentation was in a git commit and a source code comment. I implore anyone in charge of gnupg to please alert users of the discrepancy between --recv and --fetch when --recv/--keyserver is used and it fails to fetch due to TLS cert verification. Thank you.
Added a use flag to 2.1.15-r1 in case anyone wants to deviate from upstream:

    commit fe22cb8017a704994d88377896fbd0dd3b3c3ced
    Author: Kristian Fiskerstrand <k_f@gentoo.org>
    Date:   Thu Oct 27 20:32:23 2016 +0200

        app-crypt/gnupg: Add use flag system-cert-store

        System cert store is not used by default in GnuPG 2.1 for hkps://
        requests to keyservers. Adding a use flag system-cert-store that
        changes this behavior, matching upstream behavior for KS_FETCH.

        Gentoo-Bug: 597934
        Package-Manager: portage-2.3.2