[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] keys.gnupg.net broken; can't add Debian Tor repo

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] keys.gnupg.net broken; can't add Debian Tor repo
From: Paul M Furley <paul@xxxxxxxxxxxxxx>
Date: Wed, 12 Jul 2017 09:07:15 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 12 Jul 2017 04:07:46 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=xu8zNRI1CyWQPcabQQ rmzaSHEnNRV7ee6Sr5Ax8TRus=; b=Zhfwog1Y7pmMEZzLr+v5dJ4pAsgVCXTwmJ qLDgSm+WsUqZ8ksgGMqXoSkCT58X08FO0v25f+TqbIw+aKgzkC2+W9sOzsIETKrk wM+9FlhhqRB8dDp6mR9LVv44brL9I+PJ4b97kTLYb8493wolNSbjsbPJYF/xJfFg qVUA3g2i1Ebqzg5Dp0AhrZk/sOGEjws3CQpsISH9nW3va8E9hSDV9Km5Aklydeen Zr1CTlyTC9G5d2m3h7HaLriexCwKq90sDkLHpGhozYQDsV1onDJaqV4IBawvoyAN q281bBY9035M460+nndqgJlM6jVp8YoorlZS43AHSct4y1umou+Q==
In-reply-to: <q-SF4zHM_d-Brg1u7zQbDOh3I8ZUkOSleTHN70xzbhMeQ3o07v0kEEZhanyuDbK4AhYK9qOlJbTr6oukHZDLocSH5Dkey0bN2x6y6mppPzA=@anondroid.com>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <KPpQt11UulliTVecWY1tzI3QGDQwIuSddMMrpv6WTHriRwXvflqKzV_6cAaBC9WpNu6oICIoJyY3R_7pAtcq0-5-n1dnZdp65JYPFbqLsdo=@anondroid.com> <q-SF4zHM_d-Brg1u7zQbDOh3I8ZUkOSleTHN70xzbhMeQ3o07v0kEEZhanyuDbK4AhYK9qOlJbTr6oukHZDLocSH5Dkey0bN2x6y6mppPzA=@anondroid.com>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1

Hi,

I figured out why one of those ansible lines works and the other doesn't
if you're interested :)

On 10/07/17 22:58, tor wrote:
> Actually, the directions on
> https://www.torproject.org/docs/debian.html.en work okay. I was trying
> to automate things with Ansible, but the format changed at some point,
> from something like:
> 
>   apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
> url=http://keys.gnupg.net/pks/lookup?op=get&search=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

... by explicitly setting the URL to http:// it'll try and use port 80
rather than the default HKP port of 11371.

It's like doing `gpg --recv-key <id> --keyserver keys.gnupg.net:80`

> 
> to:
> 
>   apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
> keyserver=keys.gnupg.net
> 
> The URL at /pks/lookup no longer exists, so I saw a 404. Using the newer
> format with just the hostname of the keyserver it works okay.
> 
> Regarding http://keys.gnupg.net I still don't know why there is a SSL
> mismatch in the browser, or why you can no longer access the web UI, but
> it's not as broken as it looked.
> 
> 

The problem is that the keyservers can do what they like on port 80 - to
be included in the *default* pool they have to meet a set of criteria on
the HKP port, 11371.

It's allowed, if totally confusing, for a keyserver to redirect port 80
traffic to an HTTPS domain with a mismatching cert. (Now I've realised
mine does that I'm going to fix it: it should only try and redirect
keyserver.paulfurley.com to HTTPS)

*Some* keyservers choose to behave "correctly" on port 80, and those
keyservers end up in another pool called p80.pool.sks-keyservers.net.

keys.gnupg.net is an alias for pool.sks-keyservers.net, so the only
guarantee for keys.gnupg.net is that you can use it over the default HKP
port, e.g. `gpg --keyserver keys.gnupg.net ...`

Cheers,
Paul

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] keys.gnupg.net broken; can't add Debian Tor repo
  - From: tor
- Re: [tor-relays] keys.gnupg.net broken; can't add Debian Tor repo
  - From: tor

Prev by Author: Re: [tor-relays] keys.gnupg.net broken; can't add Debian Tor repo
Next by Author: [tor-relays] Strange log in a middle relay "Gateway Time-out"
Previous by thread: Re: [tor-relays] keys.gnupg.net broken; can't add Debian Tor repo
Next by thread: Re: [tor-relays] keys.gnupg.net broken; can't add Debian Tor repo
Index(es):
- Author
- Thread