Ben’s mumbling

You can prove anything with facts.

GPG, Curl, Homebrew and Why We Don’t Have Nice Things

Regular listeners may have heard about some things involving overreaching mass surveillance, no? Well, no matter. GPG is fashionable, but I was using it before it was cool, back when it was PGP and I was using it on an Amiga 1200.

There’s been a lot of guides on doing the right thing with GPG, and few finer than the fine folk at RiseUp. Their guide on their wiki has lots of really good points, so go do them, but I spent today smacking my head against a wall with one of them.

Key Servers

The chunk on Consider making your default keyserver use a keyserver that provides HKPS transport is the subject of this haunting tale. Adding the lines:

1
2
3
4
# from https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/Users/ben/.gnupg/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url

Then, as a HomeBrew user, with openssl-osx-ca installed. Downloaded their certificate.

1
2
3
wget -O $HOME/.gnupg/sks-keyservers.netCA.pem -nv \
    --ca-certificate=/usr/local/etc/openssl/cert.pem \
    https://sks-keyservers.net/sks-keyservers.netCA.pem

So we’re good to go? Right…

1
2
3
4
5
6
$ gpg --search hkps.pool.sks-keyservers.net
gpg: searching for "hkps.pool.sks-keyservers.net" from hkps server
hkps.pool.sks-keyservers.net gpgkeys: HTTP search error 60: SSL certificate problem: Invalid certificate chain
CAfile: /Users/ben/.gnupg/sks-keyservers.netCA.pem
CRLfile: none gpg: key "hkps.pool.sks-keyservers.net" not found on
keyserver gpg: keyserver internal error gpg: keyserver search failed: keyserver error

Wait what? Invalid cert chain? But that cert is taken straight from that site…

1
2
3
4
5
6
7
8
9
10
$ openssl s_client -CAfile ~/.gnupg/sks-keyservers.netCA.pem -verify 6 \
        -connect sks-keyservers.net:443
verify depth is 6
CONNECTED(00000003)
depth=0 C = NO, O = KF Webs, CN = www.kfwebs.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = NO, O = KF Webs, CN = www.kfwebs.net
verify return:1
[snip...]

So what’s the tofu, Holmes? I had no idea. The TLS is good, but GPG is harshing one’s buzz. Who knows. So I did what any honourable person would do, and complained on IRC, at which point the ever wonderful and wise @jtimberman suggested it might be a curl problem.

1
2
3
4
$ gpg2 --verbose --keyserver-options=debug,verbose \
    --search hkps.pool.sks-keyservers.net
gpg: searching for "0x66CE4FE96F6BD3D7" from hkps server hkps.pool.sks-keyservers.net
gpgkeys: curl version = libcurl/7.30.0 SecureTransport zlib/1.2.5

Wait, libcurl 7.30.0… But homebrew says I’ve got:

1
2
$ brew info curl                                                                                                                                    1
curl: stable 7.34.0

So how does one fix this… Because that’s all you care about, really:

1
2
brew update && brew upgrade curl && brew link curl && brew uninstall gpg2 \
    && brew install gpg2 && brew unlink curl

Yup! YOLO all round. Update homebrew, upgrade curl, link curl so things will use its libraries, uninstall gpg2, reinstall gpg2, unlink curl.

and now I get:

1
2
3
4
5
6
7
8
9
10
11
12
13
$ gpg2 --verbose  --search hkps.pool.sks-keyservers.net
gpg: searching for "hkps.pool.sks-keyservers.net" from hkps server hkps.pool.sks-keyservers.net
(1) https://keys2.kfwebs.net
    https://hkps.pool.sks-keyservers.net
      4096 bit RSA key 0xC415B141, created: 2012-10-06
(2) hkps://keys.kfwebs.net
    hkpms://keys.kfwebs.net
    https://keys.kfwebs.net
    hkps://hkps.pool.sks-keyservers.net
    hkpms://hkps.pool.sks-keyservers.net
    https://hkps.pool.sks-keyservers.net
      4096 bit RSA key 0x40F3D015, created: 2012-10-06
Keys 1-2 of 2 for "hkps.pool.sks-keyservers.net".  Enter number(s), N)ext, or Q)uit >

Wunderbar!

Comments