GPG, curl, homebrew and why we don't have nice things

Regular listeners may have heard about some things involving overreaching mass surveillance, no? Well, no matter. GPG is fashionable, but I was using it before it was cool, back when it was PGP and I was using it on an Amiga 1200.

There have been a lot of guides on doing the right thing with GPG, and few finer than the one from the fine folk at RiseUp. Their guide on their wiki has lots of really good points, so go do them, but I spent today smacking my head against a wall with one of them.

Key Servers

The chunk titled “Consider making your default keyserver use a keyserver that provides HKPS transport” is the subject of this haunting tale. It says to add the lines:

# from
keyserver hkps://
keyserver-options ca-cert-file=/Users/bea/.gnupg/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url

Then, as a Homebrew user with openssl-osx-ca installed, I downloaded their certificate:

wget -O $HOME/.gnupg/sks-keyservers.netCA.pem -nv \
    --ca-certificate=/usr/local/etc/openssl/cert.pem \

So we’re good to go? Right…

$ gpg --search
gpg: searching for "" from hkps server
gpgkeys: HTTP search error 60: SSL certificate problem: Invalid certificate chain
CAfile: /Users/bea/.gnupg/sks-keyservers.netCA.pem
CRLfile: none
gpg: key "" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

Wait what? Invalid cert chain? But that cert is taken straight from that site…

$ openssl s_client -CAfile ~/.gnupg/sks-keyservers.netCA.pem -verify 6 \
verify depth is 6
depth=0 C = NO, O = KF Webs, CN =
verify error:num=18:self signed certificate
verify return:1
depth=0 C = NO, O = KF Webs, CN =
verify return:1

So what’s the tofu, Holmes? I had no idea. The TLS is good, but GPG is harshing one’s buzz. Who knows. So I did what any honourable person would do, and complained on IRC, at which point the ever wonderful and wise @jtimberman suggested it might be a curl problem.

$ gpg2 --verbose --keyserver-options=debug,verbose \
gpg: searching for "0x66CE4FE96F6BD3D7" from hkps server
gpgkeys: curl version = libcurl/7.30.0 SecureTransport zlib/1.2.5

Wait, libcurl 7.30.0… But Homebrew says I’ve got:

$ brew info curl
curl: stable 7.34.0

So how does one fix this… Because that’s all you care about, really:

brew update && brew upgrade curl && brew link curl && brew uninstall gpg2 \
    && brew install gpg2 && brew unlink curl

Yup! YOLO all round. Update Homebrew, upgrade curl, link curl so that the gpg2 build picks up Homebrew’s libcurl instead of the 7.30.0 one it had been using, uninstall gpg2, reinstall gpg2, unlink curl.

And now I get:

$ gpg2 --verbose  --search
gpg: searching for "" from hkps server
      4096 bit RSA key 0xC415B141, created: 2012-10-06
(2) hkps://
      4096 bit RSA key 0x40F3D015, created: 2012-10-06
Keys 1-2 of 2 for "".  Enter number(s), N)ext, or Q)uit >
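Since the whole afternoon came down to gpgkeys reporting one libcurl while `brew info curl` reported another, here is a small POSIX sh check I have added (it is not from the RiseUp guide, gpg or Homebrew) that parses those two lines and tells you whether gpg2 is actually using the brewed curl. The two sample lines are constructed copies of the output above, not captured on a live machine; on a real box you would feed it the output of `gpg2 --verbose --keyserver-options=debug,verbose --search <keyid> 2>&1` and `brew info curl`.

```shell
#!/bin/sh
# Constructed samples mirroring the post's output (not live captures).
GPGKEYS_LINE='gpgkeys: curl version = libcurl/7.30.0 SecureTransport zlib/1.2.5'
BREW_LINE='curl: stable 7.34.0'

# "libcurl/7.30.0 ..." -> "7.30.0"
gpgkeys_libcurl_version() {
    printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# The TLS backend token after the version, e.g. "SecureTransport" or "OpenSSL/1.0.1e".
gpgkeys_tls_backend() {
    printf '%s\n' "$1" | sed -n 's|.*libcurl/[0-9][0-9.]* \([^ ]*\).*|\1|p'
}

# "curl: stable 7.34.0" -> "7.34.0"
brew_curl_version() {
    printf '%s\n' "$1" | sed -n 's|^curl: stable \([0-9][0-9.]*\).*|\1|p'
}

# Prints a one-line verdict. Exit 0 = gpgkeys uses the brewed curl,
# 1 = it loaded some other libcurl (rebuild gpg2 with curl linked), 2 = unparseable.
gpgkeys_curl_report() {
    gk_ver=$(gpgkeys_libcurl_version "$1")
    gk_tls=$(gpgkeys_tls_backend "$1")
    brew_ver=$(brew_curl_version "$2")
    if [ -z "$gk_ver" ] || [ -z "$brew_ver" ]; then
        printf 'unknown: could not parse versions\n'
        return 2
    fi
    if [ "$gk_ver" = "$brew_ver" ]; then
        printf 'ok: gpgkeys uses libcurl/%s (%s), matching brewed curl\n' "$gk_ver" "$gk_tls"
        return 0
    fi
    printf 'mismatch: gpgkeys loaded libcurl/%s (%s) but brew has curl %s; rebuild gpg2 with brewed curl linked\n' \
        "$gk_ver" "$gk_tls" "$brew_ver"
    return 1
}

# Run against the constructed samples; this reproduces the post's mismatch.
gpgkeys_curl_report "$GPGKEYS_LINE" "$BREW_LINE" || echo "exit status $?"
```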