[tor-relays] keys.gnupg.net broken; can't add Debian Tor repo
Paul M Furley
paul at paulfurley.com
Wed Jul 12 08:07:15 UTC 2017
Hi,
I figured out why one of those ansible lines works and the other doesn't
if you're interested :)
On 10/07/17 22:58, tor wrote:
> Actually, the directions on
> https://www.torproject.org/docs/debian.html.en work okay. I was trying
> to automate things with Ansible, but the format changed at some point,
> from something like:
>
> apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
> url=http://keys.gnupg.net/pks/lookup?op=get&search=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
... by explicitly setting the URL to http:// it'll try and use port 80
rather than the default HKP port of 11371.
It's like doing `gpg --recv-key <id> --keyserver keys.gnupg.net:80`
>
> to:
>
> apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
> keyserver=keys.gnupg.net
>
> The URL at /pks/lookup no longer exists, so I saw a 404. Using the newer
> format with just the hostname of the keyserver it works okay.
>
> Regarding http://keys.gnupg.net I still don't know why there is a SSL
> mismatch in the browser, or why you can no longer access the web UI, but
> it's not as broken as it looked.
>
>
The problem is that the keyservers can do what they like on port 80 - to
be included in the *default* pool they have to meet a set of criteria on
the HKP port, 11371.
It's allowed, if totally confusing, for a keyserver to redirect port 80
traffic to an HTTPS domain with a mismatching cert. (Now I've realised
mine does that I'm going to fix it: it should only try and redirect
keyserver.paulfurley.com to HTTPS)
*Some* keyservers choose to behave "correctly" on port 80, and those
keyservers end up in another pool called p80.pool.sks-keyservers.net.
keys.gnupg.net is an alias for pool.sks-keyservers.net, so the only
guarantee for keys.gnupg.net is that you can use it over the default HKP
port, e.g. `gpg --keyserver keys.gnupg.net ...`
Cheers,
Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20170712/b41f79ed/attachment.sig>
More information about the tor-relays
mailing list