Migrating from GnuPG 1 to 2

Postby theltalpha » 2017-07-28 10:05

Hallo!

With the upgrade from Debian Jessie to Stretch, GnuPG 1 was also upgraded to GnuPG 2. There are some issues now which I don't know how to solve. I used to follow Riseup's OpenPGP best practices (https://riseup.net/ru/security/message-security/openpgp/best-practices) until now for use with GPG1, but some things seem to work differently now on GPG2.

When trying to search for a key, gpg gives me the following warning message:
Code:
gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf

OK, so I replaced ca-cert-file by hkp-cacert (in the gpg.conf, not in the dirmngr.conf, by the way, which contains, besides some comment lines, only the option 'use-tor'), but then GPG complains about not knowing the keyserver option 'hkp-cert'. So I removed it completely.

Problem is, if I search for keys I receive the following error messages:
Code:
gpg: error searching keyserver: Kein Name (meaning 'No name')
gpg: keyserver search failed: Kein Name

And maybe there are some other traps too which I have yet to find. So what can I do to make GPG2 work as GPG1 did in Jessie?
theltalpha
 
Posts: 18
Joined: 2014-03-31 05:23
Location: Vienna, Austria

Re: Migrating from GnuPG 1 to 2

Postby julm » 2017-08-17 20:47

theltalpha wrote:Hallo!

With the upgrade from Debian Jessie to Stretch, GnuPG 1 was also upgraded to GnuPG 2. There are some issues now which I don't know how to solve. I used to follow Riseup's OpenPGP best practices (https://riseup.net/ru/security/message-security/openpgp/best-practices) until now for use with GPG1, but some things seem to work differently now on GPG2.

When trying to search for a key, gpg gives me the following warning message:
Code:
gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf

OK, so I replaced ca-cert-file by hkp-cacert (in the gpg.conf, not in the dirmngr.conf, by the way, which contains, besides some comment lines, only the option 'use-tor'), but then GPG complains about not knowing the keyserver option 'hkp-cert'. So I removed it completely.

Beware that the option is "hkp-cacert", not "hkp-cert".

So, you could remove your "keyserver" and "keyserver-options ca-cert-file=…" lines from ~/.gnupg/gpg.conf.
Then create/edit ~/.gnupg/dirmngr.conf and put something like this in it:
Code:
hkp-cacert ~/.gnupg/mfpl.pem
keyserver hkps://keys.mayfirst.org

where in this example ~/.gnupg/mfpl.pem contains the May First/People Link X.509 Certificate Authority, which you can get/refresh with:
Code:
curl >~/.gnupg/mfpl.pem https://support.mayfirst.org/raw-attachment/wiki/faq/security/mfpl-certificate-authority/mfpl.crt

Beware the ".pem" extension: keeping ".crt" will fail with "gpg: error searching keyserver: Server indicated a failure".

Then force a restart of dirmngr:
Code:
gpgconf --kill dirmngr


theltalpha wrote:Problem is, if I search for keys I receive the following error messages:
Code:
gpg: error searching keyserver: Kein Name (meaning 'No name')
gpg: keyserver search failed: Kein Name

And maybe there are some other traps too which I have yet to find. So what can I do to make GPG2 work as GPG1 did in Jessie?

Maybe it is because your ~/.gnupg/gpg.conf contains something like this (here to use privoxy):
Code:
keyserver-options http-proxy=http://localhost:8118/

and you are using gpg 2.1.18, which has this bug: https://dev.gnupg.org/T2977 "dirmngr 2.1.18 fails if keyserver's IP is defined in /etc/hosts"

More info about the migration here: https://gnupg.org/faq/whats-new-in-2.1.html

Hope this helps.
julm
 
Posts: 2
Joined: 2016-06-26 17:43
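As an added shell example (not from the thread or from GnuPG itself) of the migration julm describes: drop the gpg 1 "keyserver" and "keyserver-options ca-cert-file=" lines from gpg.conf, append hkp-cacert and keyserver to dirmngr.conf while keeping whatever it already holds (such as use-tor), refuse a CA file that does not carry the ".pem" extension, and tell dirmngr to restart. The GnuPG home, CA file path and keyserver URL are arguments; it assumes the CA file has already been downloaded.

```shell
#!/bin/sh
# Added example: move GnuPG 1 keyserver settings into dirmngr.conf.
# Usage: migrate <gnupg-home> <ca-file.pem> <keyserver-url>

# Print gpg.conf without the lines gpg 2 no longer wants there:
# 'keyserver ...' and 'keyserver-options ca-cert-file=...'.
strip_gpg1_keyserver_opts() {
    grep -Ev '^[[:space:]]*(keyserver([[:space:]]|$)|keyserver-options[[:space:]]+ca-cert-file=)' "$1"
}

# Emit the two dirmngr.conf lines; insist on the .pem extension, since
# dirmngr rejects the CA file when it is named .crt.
make_dirmngr_conf() {
    ca_file=$1
    ks_url=$2
    case "$ca_file" in
        *.pem) ;;
        *) echo "error: CA file must end in .pem (got: $ca_file)" >&2; return 1 ;;
    esac
    printf 'hkp-cacert %s\nkeyserver %s\n' "$ca_file" "$ks_url"
}

migrate() {
    gnupg_home=$1
    ca_file=$2
    ks_url=$3
    gpg_conf="$gnupg_home/gpg.conf"
    dirmngr_conf="$gnupg_home/dirmngr.conf"

    # Validate the CA file name before touching any configuration.
    make_dirmngr_conf "$ca_file" "$ks_url" > "$dirmngr_conf.add" || return 1

    # Rewrite gpg.conf (grep exits 1 when nothing is left; that is fine).
    strip_gpg1_keyserver_opts "$gpg_conf" > "$gpg_conf.new" || :
    mv "$gpg_conf.new" "$gpg_conf"

    # Append to dirmngr.conf so existing lines (e.g. use-tor) survive.
    cat "$dirmngr_conf.add" >> "$dirmngr_conf"
    rm -f "$dirmngr_conf.add"

    # Restart dirmngr so it reads the new file (skipped if gpgconf is absent).
    command -v gpgconf >/dev/null 2>&1 && GNUPGHOME="$gnupg_home" gpgconf --kill dirmngr
    return 0
}
```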

