Migrating from GnuPG 1 to 2

theltalpha
Posts: 23
Joined: 2014-03-31 05:23
Location: Vienna, Austria

Migrating from GnuPG 1 to 2

#1 Post by theltalpha »

Hello!

With the upgrade from Debian Jessie to Stretch, GnuPG 1 was also upgraded to GnuPG 2. There are some issues now which I don't know how to solve. I used to follow Riseup's OpenPGP best practices (https://riseup.net/ru/security/message- ... -practices) until now for use with GPG1, but some things seem to work differently now on GPG2.

When trying to search for a key, gpg gives me the following warning message:

Code:

gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf

O. K., so I replaced ca-cert-file by hkp-cacert (in the gpg.conf, not in the dirmngr.conf, by the way, which contains, besides some comment lines, only the option 'use-tor'), but then GPG complains about not knowing the keyserver option 'hkp-cert'. So I removed it completely.

Problem is, if I search for keys I receive the following error messages:

Code:

gpg: error searching keyserver: Kein Name (meaning 'No name')
gpg: keyserver search failed: Kein Name

And maybe there are some other traps too which I have yet to find. So what can I do to make GPG2 work as GPG1 did in Jessie?

julm
Posts: 2
Joined: 2016-06-26 17:43

Re: Migrating from GnuPG 1 to 2

#2 Post by julm »

theltalpha wrote: Hello!

With the upgrade from Debian Jessie to Stretch, GnuPG 1 was also upgraded to GnuPG 2. There are some issues now which I don't know how to solve. I used to follow Riseup's OpenPGP best practices (https://riseup.net/ru/security/message- ... -practices) until now for use with GPG1, but some things seem to work differently now on GPG2.

When trying to search for a key, gpg gives me the following warning message:

Code:

gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf

O. K., so I replaced ca-cert-file by hkp-cacert (in the gpg.conf, not in the dirmngr.conf, by the way, which contains, besides some comment lines, only the option 'use-tor'), but then GPG complains about not knowing the keyserver option 'hkp-cert'. So I removed it completely.

Beware that the option is "hkp-cacert", not "hkp-cert".

So, you could remove your "keyserver" and "keyserver-options ca-cert-file=…" lines from ~/.gnupg/gpg.conf.
Then create/edit ~/.gnupg/dirmngr.conf and put something like this in it:

Code:

hkp-cacert ~/.gnupg/mfpl.pem
keyserver hkps://keys.mayfirst.org

where in this example ~/.gnupg/mfpl.pem contains the May First/People Link X.509 Certificate Authority.
Which you can get/refresh with:

Code:

curl >~/.gnupg/mfpl.pem https://support.mayfirst.org/raw-attachment/wiki/faq/security/mfpl-certificate-authority/mfpl.crt

Beware the ".pem" extension, keeping ".crt" will fail with "gpg: error searching keyserver: Server indicated a failure".

Then force a restart of dirmngr:

Code:

gpgconf --kill dirmngr

theltalpha wrote: Problem is, if I search for keys I receive the following error messages:

Code:

gpg: error searching keyserver: Kein Name (meaning 'No name')
gpg: keyserver search failed: Kein Name

And maybe there are some other traps too which I have yet to find. So what can I do to make GPG2 work as GPG1 did in Jessie?

Maybe it is because your ~/.gnupg/gpg.conf contains something like that (here to use privoxy):

Code:

keyserver-options http-proxy=http://localhost:8118/

and you are using gpg 2.1.18, which has this bug: https://dev.gnupg.org/T2977 "dirmngr 2.1.18 fails if keyserver's IP is defined in /etc/hosts"

More info about the migration here: https://gnupg.org/faq/whats-new-in-2.1.html

Hope this helps.
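
The migration described in the reply above, as an added example that is not code from the thread or from GnuPG: it reads a GnuPG 1 style gpg.conf and prints which lines would go to dirmngr.conf and which would stay, without modifying any file. The function names and the sample gpg.conf are constructed for illustration, and it assumes option values contain no spaces or commas.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the split between gpg.conf and
# dirmngr.conf that the reply above performs by hand; no file is modified.
# Assumption: option values contain no spaces or commas.

# dirmngr_lines FILE: lines to put in ~/.gnupg/dirmngr.conf
dirmngr_lines() {
    awk '
    $1 == "keyserver" { print "keyserver " $2; next }
    $1 == "keyserver-options" {
        gsub(/,/, " ")                      # options may be comma separated
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^ca-cert-file=/) {
                path = substr($i, 14)       # text after "ca-cert-file="
                print "hkp-cacert " path
                if (path !~ /\.pem$/)
                    print "# rename: reply reports failure unless file ends in .pem"
            } else if ($i ~ /^http-proxy=/)
                print "# review: " $i " (reply links this to T2977 on gpg 2.1.18)"
        }
    }' "$1"
}

# gpg_conf_lines FILE: what remains in ~/.gnupg/gpg.conf
gpg_conf_lines() {
    awk '
    $1 == "keyserver" { next }
    $1 == "keyserver-options" {
        gsub(/,/, " "); rest = ""
        for (i = 2; i <= NF; i++)
            if ($i !~ /^ca-cert-file=/) rest = rest " " $i
        if (rest != "") print "keyserver-options" rest
        next
    }
    { print }' "$1"
}

# Constructed sample gpg.conf (not a real configuration)
sample=$(mktemp)
cat >"$sample" <<'EOF'
no-emit-version
keyserver hkps://keys.mayfirst.org
keyserver-options ca-cert-file=~/.gnupg/mfpl.crt,no-honor-keyserver-url
keyserver-options http-proxy=http://localhost:8118/
EOF
echo "== dirmngr.conf =="; dirmngr_lines "$sample"
echo "== gpg.conf ==";     gpg_conf_lines "$sample"
rm -f "$sample"
```

After applying the result by hand, restart dirmngr with the `gpgconf --kill dirmngr` command from the reply so the new dirmngr.conf is read.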