Regular listeners may have heard about some things involving overreaching mass surveillance, no? Well, no matter. GPG is fashionable, but I was using it before it was cool, back when it was PGP and I was using it on an Amiga 1200.
There have been a lot of guides on doing the right thing with GPG, and few finer than the one from the fine folk at RiseUp. Their guide on their wiki has lots of really good points, so go do them, but I spent today smacking my head against a wall with one of them.
The chunk headed “Consider making your default keyserver use a keyserver that provides HKPS transport” is the subject of this haunting tale. Adding these lines to gpg.conf:
```
# from https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/Users/bea/.gnupg/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url
```
Then, as a Homebrew user with openssl-osx-ca installed, I downloaded their certificate:
```
wget -O $HOME/.gnupg/sks-keyservers.netCA.pem -nv \
    --ca-certificate=/usr/local/etc/openssl/cert.pem \
    https://sks-keyservers.net/sks-keyservers.netCA.pem
```
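Before pointing GPG at a keyserver it is worth checking that those two steps actually landed: the three settings are present in the config and the ca-cert-file really is a readable PEM certificate. The script below is an added example of mine, not from the post or the RiseUp guide; every path and the certificate body in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the RiseUp guide: lint a
# gpg.conf for the HKPS keyserver settings described above and confirm that
# the file named by ca-cert-file is a readable PEM certificate.
# All paths and the certificate body below are constructed placeholders.

set -eu

# check_hkps_conf <gpg.conf>
# Returns 0 when the file has a keyserver hkps:// line, a ca-cert-file
# option pointing at a readable PEM certificate, and no-honor-keyserver-url.
# Prints one line per missing or broken item and returns 1 otherwise.
check_hkps_conf() {
    conf="$1"
    bad=0
    grep -Eq '^[[:space:]]*keyserver[[:space:]]+hkps://' "$conf" \
        || { echo "missing: keyserver hkps://<host>"; bad=1; }
    grep -Eq '^[[:space:]]*keyserver-options[[:space:]].*no-honor-keyserver-url' "$conf" \
        || { echo "missing: keyserver-options no-honor-keyserver-url"; bad=1; }
    cafile=$(sed -n 's/^[[:space:]]*keyserver-options[[:space:]].*ca-cert-file=\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    if [ -z "$cafile" ]; then
        echo "missing: keyserver-options ca-cert-file=<path>"; bad=1
    elif [ ! -r "$cafile" ]; then
        echo "ca-cert-file is not readable: $cafile"; bad=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cafile"; then
        echo "ca-cert-file is not a PEM certificate: $cafile"; bad=1
    fi
    return "$bad"
}

# Constructed demo files in a temporary directory.
demo_dir=$(mktemp -d)

# Stand-in for the downloaded CA file; the body is a placeholder, not a real certificate.
cat > "$demo_dir/sks-keyservers.netCA.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERcertificatebodyNOTAREALCERT
-----END CERTIFICATE-----
EOF

# Config with all three settings, as in the post.
cat > "$demo_dir/good.conf" <<EOF
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=$demo_dir/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url
EOF

# Config that still uses plain hkp:// and names a CA file that does not exist.
cat > "$demo_dir/bad.conf" <<EOF
keyserver hkp://pool.sks-keyservers.net
keyserver-options ca-cert-file=$demo_dir/missing.pem
EOF

for f in good.conf bad.conf; do
    if check_hkps_conf "$demo_dir/$f"; then
        echo "$f: ok"
    else
        echo "$f: needs attention"
    fi
done
```

Two caveats for anyone applying this today: on GnuPG 2.1 and later, keyserver access moved into dirmngr and the CA file is set with `hkp-cacert` in dirmngr.conf, so a lint of gpg.conf alone will not see it; and the sks-keyservers.net pool was shut down in 2021, so the hostnames in the post no longer answer.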
So we’re good to go? Right…
```
$ gpg --search hkps.pool.sks-keyservers.net
gpg: searching for "hkps.pool.sks-keyservers.net" from hkps server hkps.pool.sks-keyservers.net
gpgkeys: HTTP search error 60: SSL certificate problem: Invalid certificate chain
CAfile: /Users/bea/.gnupg/sks-keyservers.netCA.pem
CRLfile: none
gpg: key "hkps.pool.sks-keyservers.net" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error
```
Wait, what? Invalid cert chain? But that cert is taken straight from that site…
```
$ openssl s_client -CAfile ~/.gnupg/sks-keyservers.netCA.pem -verify 6 \
    -connect sks-keyservers.net:443
verify depth is 6
CONNECTED(00000003)
depth=0 C = NO, O = KF Webs, CN = www.kfwebs.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = NO, O = KF Webs, CN = www.kfwebs.net
verify return:1
[snip...]
```
So what’s the tofu, Holmes? I had no idea. The TLS is good, but GPG is harshing one’s buzz. Who knows. So I did what any honourable person would do, and complained on IRC, at which point the ever wonderful and wise @jtimberman suggested it might be a curl problem.
```
$ gpg2 --verbose --keyserver-options=debug,verbose \
    --search hkps.pool.sks-keyservers.net
gpg: searching for "0x66CE4FE96F6BD3D7" from hkps server hkps.pool.sks-keyservers.net
gpgkeys: curl version = libcurl/7.30.0 SecureTransport zlib/1.2.5
```
Wait, libcurl 7.30.0… But homebrew says I’ve got:
```
$ brew info curl
curl: stable 7.34.0
```
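The two outputs above are the whole diagnosis: the version gpgkeys reports and the version Homebrew installed disagree. As an added example (mine, not from the post), here is that comparison as a script, plus the direct check of which libcurl the gpgkeys helper binary is linked against. The sample input at the bottom is constructed from the two lines quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: answer "which libcurl is the
# gpgkeys helper actually using?" with a script instead of by eye. The two
# parsers read the debug line and the brew line quoted above; the sample
# input at the bottom is constructed from those lines.

set -eu

# Read gpg --keyserver-options=debug output on stdin; print the libcurl
# version from the "gpgkeys: curl version = libcurl/X.Y.Z ..." line.
gpgkeys_libcurl_version() {
    sed -n 's|.*curl version = libcurl/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Read `brew info curl` output on stdin; print the version from "curl: stable X.Y.Z".
brew_curl_version() {
    sed -n 's|^curl: stable \([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# libcurl_matches <gpgkeys-version> <brew-version>
# Returns 0 when they agree, 1 (with a message) when gpgkeys is linked
# against a different libcurl than the one Homebrew installed.
libcurl_matches() {
    if [ "$1" = "$2" ]; then
        echo "gpgkeys links libcurl $1, same as Homebrew's curl"
        return 0
    fi
    echo "mismatch: gpgkeys links libcurl $1 but Homebrew's curl is $2"
    return 1
}

# linked_libcurl <path-to-gpgkeys-helper>
# The direct check: list the libcurl the binary is dynamically linked against,
# using otool on macOS or ldd elsewhere. Only runs if the helper exists.
linked_libcurl() {
    [ -x "$1" ] || { echo "no such helper: $1"; return 1; }
    if command -v otool >/dev/null 2>&1; then
        otool -L "$1" | grep -i libcurl || true
    else
        ldd "$1" | grep -i libcurl || true
    fi
}

# Constructed sample input, copied from the lines quoted in the post.
gpg_debug='gpg: searching for "0x66CE4FE96F6BD3D7" from hkps server hkps.pool.sks-keyservers.net
gpgkeys: curl version = libcurl/7.30.0 SecureTransport zlib/1.2.5'
brew_out='curl: stable 7.34.0'

GPG_V=$(printf '%s\n' "$gpg_debug" | gpgkeys_libcurl_version)
BREW_V=$(printf '%s\n' "$brew_out" | brew_curl_version)
if ! libcurl_matches "$GPG_V" "$BREW_V"; then
    echo "(the post's fix: relink Homebrew curl and reinstall gpg2)"
fi
```

To run the direct check on a real install, call `linked_libcurl` on the helper binary, for example `linked_libcurl /usr/local/libexec/gnupg/gpg2keys_hkp`; that path is an assumption about where a Homebrew gpg2 put its helpers, so adjust it to your own layout. A system libcurl showing up there, rather than Homebrew's, is the mismatch the post describes.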
So how does one fix this… Because that’s all you care about, really:
```
brew update && brew upgrade curl && brew link curl && brew uninstall gpg2 \
    && brew install gpg2 && brew unlink curl
```
Yup! YOLO all round. Update homebrew, upgrade curl, link curl so things will use its libraries, uninstall gpg2, reinstall gpg2, unlink curl.
And now I get:
```
$ gpg2 --verbose --search hkps.pool.sks-keyservers.net
gpg: searching for "hkps.pool.sks-keyservers.net" from hkps server hkps.pool.sks-keyservers.net
(1)	https://keys2.kfwebs.net
	https://hkps.pool.sks-keyservers.net
	  4096 bit RSA key 0xC415B141, created: 2012-10-06
(2)	hkps://keys.kfwebs.net
	hkpms://keys.kfwebs.net
	https://keys.kfwebs.net
	hkps://hkps.pool.sks-keyservers.net
	hkpms://hkps.pool.sks-keyservers.net
	https://hkps.pool.sks-keyservers.net
	  4096 bit RSA key 0x40F3D015, created: 2012-10-06
Keys 1-2 of 2 for "hkps.pool.sks-keyservers.net".  Enter number(s), N)ext, or Q)uit >
```