I'm trying to follow the instructions here to install Tor from the official package repository: https://www.torproject.org/docs/debian.html.en On the steps to add the gpg signing key, it doesn't work. It seems something has changed with the keyserver at keys.gnupg.net: 1) http://keys.gnupg.net/pks/lookup returns a 404. 2) Trying to manually visit the root of the domain [http://keys.gnupg.net%5D(http://keys.gnupg.net/pks/lookup) in a browser results in a redirect to https://keys.gnupg.net/wiki/. Here SSL is broken due to a cert mismatch. The cert is for "uz.sns.it". I'm not sure what's going on. Is [keys.gnupg.net](http://keys.gnupg.net/pks/lookup) hacked, or something more mundane? Anyone know how to work around this? Is the signing key available from any other trusted keyservers?
Actually, the directions on https://www.torproject.org/docs/debian.html.en work okay. I was trying to automate things with Ansible, but the format changed at some point, from something like: apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 url=http://keys.gnupg.net/pks/lookup?op=get&search=A3C4F0F979CAA22CDBA8F512E... to: apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 keyserver=keys.gnupg.net The URL at /pks/lookup no longer exists, so I saw a 404. Using the newer format with just the hostname of the keyserver it works okay. Regarding http://keys.gnupg.net I still don't know why there is a SSL mismatch in the browser, or why you can no longer access the web UI, but it's not as broken as it looked.
Hi,
I figured out why one of those ansible lines works and the other doesn't if you're interested :)
On 10/07/17 22:58, tor wrote:
Actually, the directions on https://www.torproject.org/docs/debian.html.en work okay. I was trying to automate things with Ansible, but the format changed at some point, from something like:
apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 url=http://keys.gnupg.net/pks/lookup?op=get&search=A3C4F0F979CAA22CDBA8F512E...
... by explicitly setting the URL to http:// it'll try and use port 80 rather than the default HKP port of 11371.
It's like doing `gpg --recv-key <id> --keyserver keys.gnupg.net:80`
to:
apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 keyserver=keys.gnupg.net
The URL at /pks/lookup no longer exists, so I saw a 404. Using the newer format with just the hostname of the keyserver it works okay.
Regarding http://keys.gnupg.net I still don't know why there is a SSL mismatch in the browser, or why you can no longer access the web UI, but it's not as broken as it looked.
The problem is that the keyservers can do what they like on port 80 - to be included in the *default* pool they have to meet a set of criteria on the HKP port, 11371.
It's allowed, if totally confusing, for a keyserver to redirect port 80 traffic to an HTTPS domain with a mismatching cert. (Now I've realised mine does that I'm going to fix it: it should only try and redirect keyserver.paulfurley.com to HTTPS)
*Some* keyservers choose to behave "correctly" on port 80, and those keyservers end up in another pool called p80.pool.sks-keyservers.net.
keys.gnupg.net is an alias for pool.sks-keyservers.net, so the only guarantee for keys.gnupg.net is that you can use it over the default HKP port, e.g. `gpg --keyserver keys.gnupg.net ...`
Cheers, Paul
tor-relays@lists.torproject.org
-
Paul M Furley -
tor