[Bug 1625848] Re: gnupg2 appears to ignore http_proxy, fails to retrieve keys
Dimitri John Ledkov
launchpad at surgut.co.uk
Wed Sep 21 01:20:57 UTC 2016
Upstream decides to ignore http_proxy by default, unless a config option
is set.
I shall update the dirmngr.conf skeleton to include "honor-http-proxy"
by default.
Existing users will be stuck being confused =(
Automatically, this can be adjusted with:
echo honor-http-proxy:0:1 | gpgconf --change-options dirmngr honor-http-proxy
This is a real pity for users on http_proxy networks. I used to suffer
on such a network, and it was not nice.
** Bug watch added: bugs.gnupg.org/gnupg/ #1285
http://bugs.gnupg.org/gnupg/issue1285
** Also affects: gnupg2 via
http://bugs.gnupg.org/gnupg/issue1285
Importance: Unknown
Status: Unknown
** Changed in: gnupg2 (Ubuntu)
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg2 in Ubuntu.
https://bugs.launchpad.net/bugs/1625848
Title:
gnupg2 appears to ignore http_proxy, fails to retrieve keys
Status in GnuPG2:
Unknown
Status in gnupg2 package in Ubuntu:
In Progress
Bug description:
As seen in the LXC autopkgtest results:
http://autopkgtest.ubuntu.com/packages/lxc
The source of those failures is that pool.sks-keyservers.net isn't
allowed from within the autopkgtest environment. For that reason, LXC
will switch to the http transport on port 80 when http_proxy is set in
the environment.
Under gpgv1, this was causing gpg to grab keys through the specified
proxy as required in the autopkgtest environment and in a lot of
corporate environments where internet access is only available through
proxy.
In gpgv2, it looks like dirmngr just entirely ignores any proxy variable and just attempts to fetch the key directly rather than through the proxy, leading to a failure.
### Xenial
iptables -I OUTPUT -p tcp --dport 80 -j REJECT
ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT
root@xenial:~# gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0xBAEFF88C22F6E216
gpg: requesting key 22F6E216 from hkp server p80.pool.sks-keyservers.net
?: p80.pool.sks-keyservers.net: Connection refused
gpgkeys: HTTP fetch error 7: couldn't connect: Connection refused
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: keyserver unreachable
gpg: keyserver communications error: public key not found
gpg: keyserver receive failed: public key not found
root@xenial:~# http_proxy=http://sateda.srv.mtl.stgraber.net:3128 gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0xBAEFF88C22F6E216
gpg: requesting key 22F6E216 from hkp server p80.pool.sks-keyservers.net
gpg: key 22F6E216: "LXC pre-built images <lxc-devel at lists.linuxcontainers.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
### Yakkety
root@yakkety:~# iptables -I OUTPUT -p tcp --dport 80 -j REJECT
root@yakkety:~# ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT
root@yakkety:~# gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0xBAEFF88C22F6E216
gpg: keyserver receive failed: Connection refused
root@yakkety:~# http_proxy=http://sateda.srv.mtl.stgraber.net:3128 gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0xBAEFF88C22F6E216
gpg: keyserver receive failed: Connection refused
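Added example, not part of the bug report or of GnuPG: a small shell check that classifies whether dirmngr will route key fetches through a proxy, based on the honor-http-proxy and http-proxy options discussed above. The function name, the status words and the proxy.example host are made up for illustration; the config file is assumed to be the per-user ~/.gnupg/dirmngr.conf.

```shell
#!/bin/sh
# Added example (hypothetical helper, not GnuPG code).
# Usage: dirmngr_proxy_status <path to dirmngr.conf> <value of http_proxy>
# Prints one of:
#   explicit  - conf sets "http-proxy host[:port]", which overrides the environment
#   honored   - http_proxy is set and conf contains "honor-http-proxy"
#   ignored   - http_proxy is set but conf lacks "honor-http-proxy" (this bug)
#   no-proxy  - no proxy configured anywhere, dirmngr connects directly
dirmngr_proxy_status() {
    conf=$1
    env_proxy=$2
    opts=""
    if [ -r "$conf" ]; then
        # The first word of every non-blank, non-comment line is an option name.
        opts=$(awk '!/^[ \t]*(#|$)/ { print $1 }' "$conf")
    fi
    if printf '%s\n' "$opts" | grep -qx 'http-proxy'; then
        echo explicit
    elif [ -z "$env_proxy" ]; then
        echo no-proxy
    elif printf '%s\n' "$opts" | grep -qx 'honor-http-proxy'; then
        echo honored
    else
        echo ignored
    fi
}

# Constructed sample: a skeleton config without the option, then with it.
sample=$(mktemp)
printf '# dirmngr.conf (constructed sample)\n' > "$sample"
dirmngr_proxy_status "$sample" "http://proxy.example:3128"   # ignored
printf 'honor-http-proxy\n' >> "$sample"
dirmngr_proxy_status "$sample" "http://proxy.example:3128"   # honored
rm -f "$sample"
```

dirmngr reads http_proxy from its own process environment, so an already running daemon has to be restarted after the variable or the config changes.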