[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] keys.gnupg.net broken; can't add Debian Tor repo



Hi,

I figured out why one of those ansible lines works and the other doesn't
if you're interested :)

On 10/07/17 22:58, tor wrote:
> Actually, the directions on
> https://www.torproject.org/docs/debian.html.en work okay. I was trying
> to automate things with Ansible, but the format changed at some point,
> from something like:
> 
>   apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
> url=http://keys.gnupg.net/pks/lookup?op=get&search=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

... by explicitly setting the URL to http:// it'll try and use port 80
rather than the default HKP port of 11371.

It's like doing `gpg --recv-key <id> --keyserver keys.gnupg.net:80`

> 
> to:
> 
>   apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
> keyserver=keys.gnupg.net
> 
> The URL at /pks/lookup no longer exists, so I saw a 404. Using the newer
> format with just the hostname of the keyserver it works okay.
> 
> Regarding http://keys.gnupg.net I still don't know why there is a SSL
> mismatch in the browser, or why you can no longer access the web UI, but
> it's not as broken as it looked.
> 
> 

The problem is that the keyservers can do what they like on port 80 - to
be included in the *default* pool they have to meet a set of criteria on
the HKP port, 11371.

It's allowed, if totally confusing, for a keyserver to redirect port 80
traffic to an HTTPS domain with a mismatching cert. (Now I've realised
mine does that I'm going to fix it: it should only try and redirect
keyserver.paulfurley.com to HTTPS)

*Some* keyservers choose to behave "correctly" on port 80, and those
keyservers end up in another pool called p80.pool.sks-keyservers.net.

keys.gnupg.net is an alias for pool.sks-keyservers.net, so the only
guarantee for keys.gnupg.net is that you can use it over the default HKP
port, e.g. `gpg --keyserver keys.gnupg.net ...`

Cheers,
Paul

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays