Feature #17298

Document how to upgrade gnupg's config to the new key server

Added by sajolida 4 months ago. Updated 4 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
Due date:
% Done:

0%

Feature Branch:
doc/17298-migrate-keyserver
Type of work:
End-user documentation
Blueprint:
Starter:
Affected tool:

Description

In 4.1 we switched to keys.openpgp.org as the default key server.

From having a brief look at the code, it seems like we don't update people's configuration automatically.

It might be worth documenting how to check the keyserver in your configuration and change it manually if needed since this change has to do with the SKS pool becoming nasty, possibly leading to unusable keyrings in Tails, laptops overheating and crashing, etc. (it happened to me!)

Shall I do that?

What should we tell people to update?

I see in 88f9d972e1 and 3c68e5ff4c that this configuration is now in ~/.gnupg/dirmngr.conf. Might it also still be in ~/.gnupg/gpg.conf?

I see that Enigmail uses its own keyserver configuration. Does it also need to be updated manually? (I could test this myself when I do the upgrade.)


Related issues

Related to Tails - Bug #12689: gpg --recv-key often hangs due to unreliable keyserver Resolved 06/13/2017

History

#1 Updated by sajolida 4 months ago

@intrigeri: Since you wrote dbfbfa7b11, what do you think?

#2 Updated by intrigeri 4 months ago

  • Related to Bug #12689: gpg --recv-key often hangs due to unreliable keyserver added

#3 Updated by intrigeri 4 months ago

  • Status changed from New to Confirmed
  • Assignee set to sajolida

From having a brief look at the code, it seems like we don't update people's configuration automatically.

Correct.

It might be worth documenting how to check the keyserver in your configuration and change it manually if needed since this change has to do with the SKS pool becoming nasty, possibly leading to unusable keyrings in Tails, laptops overheating and crashing, etc. (it happened to me!)

Shall I do that?

Yes, please. I realize that for you to do the "Document manual steps that persistence users may need to go through" step of the release notes checklist, you need input from developers. I'll try to not forget to do this proactively next time!

What should we tell people to update?
I see in 88f9d972e1 and 3c68e5ff4c that this configuration is now in ~/.gnupg/dirmngr.conf. Might it also still be in ~/.gnupg/gpg.conf?

Here's what should be updated:

  • In ~/.gnupg/dirmngr.conf, replace any pre-existing keyserver stanza with keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion.
  • In ~/.gnupg/gpg.conf, remove any keyserver stanza.

I see that Enigmail uses its own keyserver configuration. Does it also need to be updated manually? (I could test this myself when I do the upgrade.)

The default set of keyservers used by Enigmail in a fresh 4.1 is vks://keys.openpgp.org, hkps://hkps.pool.sks-keyservers.net, hkps://pgp.mit.edu.

But I don't know if this automatically overrides prefs set by Torbirdy in a persistent ~/.thunderbird/ in an older Tails, so yeah, better test it yourself.
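The two dirmngr.conf/gpg.conf edits listed above, as a POSIX sh script (an added example; it is not from this ticket or the Tails code base). It assumes a plain ~/.gnupg layout and the onion address quoted in the comment; the function names, the helper `keyserver_is_migrated`, and the temporary-file handling are mine. Enigmail's own keyserver list is not touched, for the reason given above.

```shell
#!/bin/sh
# Added example, not code from the Tails ticket or the Tails code base.
# Applies the two edits from comment #3 to a GnuPG home directory:
#   1. dirmngr.conf: replace any "keyserver" stanza with the Tails onion keyserver
#   2. gpg.conf:     drop any "keyserver" stanza (dirmngr owns it in GnuPG 2.1+)
# Assumptions: a plain ~/.gnupg layout, the onion address quoted in the ticket,
# and nothing else rewriting these files while the script runs.

KEYSERVER_ONION='hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion'
KEYSERVER_RE='^[[:space:]]*keyserver[[:space:]]'   # "keyserver X" only, not "keyserver-options"

umask 077   # rewritten config files stay private to the user, like the rest of ~/.gnupg

# Print the keyserver stanza(s) of a file; prints nothing if file or stanza is absent.
show_keyserver() {
    [ -f "$1" ] || return 0
    grep -E "$KEYSERVER_RE" "$1" || true
}

# Copy $1 to $2 minus any keyserver stanza (an empty result is not an error).
strip_keyserver() {
    if [ -f "$1" ]; then
        grep -vE "$KEYSERVER_RE" "$1" > "$2" || true
    else
        : > "$2"
    fi
}

# dirmngr.conf: remove old stanzas, then append exactly one pointing at the onion service.
migrate_dirmngr() {
    conf="$1/dirmngr.conf"
    tmp="$conf.tmp.$$"
    strip_keyserver "$conf" "$tmp"
    printf 'keyserver %s\n' "$KEYSERVER_ONION" >> "$tmp"
    mv "$tmp" "$conf"
}

# gpg.conf: remove any keyserver stanza, leave every other option untouched.
migrate_gpg_conf() {
    conf="$1/gpg.conf"
    [ -f "$conf" ] || return 0          # nothing to clean up
    tmp="$conf.tmp.$$"
    strip_keyserver "$conf" "$tmp"
    mv "$tmp" "$conf"
}

# Entry point: show the current setting, apply both edits, show the result.
migrate_keyserver() {
    dir="${1:-$HOME/.gnupg}"
    [ -d "$dir" ] || { echo "no such GnuPG directory: $dir" >&2; return 1; }
    echo "before: dirmngr.conf -> $(show_keyserver "$dir/dirmngr.conf")"
    echo "before: gpg.conf     -> $(show_keyserver "$dir/gpg.conf")"
    migrate_dirmngr "$dir"
    migrate_gpg_conf "$dir"
    echo "after:  dirmngr.conf -> $(show_keyserver "$dir/dirmngr.conf")"
    echo "after:  gpg.conf     -> $(show_keyserver "$dir/gpg.conf")"
}

# Check helper: succeed only if dirmngr.conf points at the onion keyserver
# and gpg.conf carries no keyserver stanza at all.
keyserver_is_migrated() {
    dir="${1:-$HOME/.gnupg}"
    [ "$(show_keyserver "$dir/dirmngr.conf")" = "keyserver $KEYSERVER_ONION" ] &&
        [ -z "$(show_keyserver "$dir/gpg.conf")" ]
}

# Stand-alone use: ./migrate-keyserver.sh ~/.gnupg
if [ $# -gt 0 ]; then
    migrate_keyserver "$1"
fi
```

The script is idempotent, so running it twice leaves a single keyserver line. A running dirmngr keeps its old configuration until restarted, so follow the edit with `gpgconf --kill dirmngr`; the next key lookup then starts a fresh daemon that reads the new file. The .onion address is only reachable through Tor, which is the normal state of affairs in Tails but not elsewhere.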

#4 Updated by sajolida 4 months ago

  • Status changed from Confirmed to Needs Validation
  • Assignee changed from sajolida to cbrownstein
  • Feature Branch set to doc/17298-migrate-keyserver

Thanks for the technical details!

Here is a branch, @cbrownstein please have a look.

I moved it to a dedicated page because it was quite long and made it easier to reference from other pages.

We should keep it around for some time and remove it for 5.0 or earlier.

@intrigeri: I wondered why we are using different keyservers in Enigmail than dirmngr.conf.

Currently, Enigmail offers hkps://hkps.pool.sks-keyservers.net and hkps://pgp.mit.edu as second choice options when searching for keys. An uninformed user might try to search for a flooded key on SKS if they can't find it in keys.openpgp.org and break their keyring in the attempt. I've heard dkg recommend against pgp.mit.edu also, but I don't remember why.

I tried to use the same "hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion" in Enigmail and it works.

#5 Updated by intrigeri 4 months ago

intrigeri: I wondered why we are using different keyservers in Enigmail than dirmngr.conf.

We used the default Enigmail settings because they work and it's one less thing to maintain.
But I did not take this into account:

Currently, Enigmail offers hkps://hkps.pool.sks-keyservers.net and hkps://pgp.mit.edu as second choice options when searching for keys. An uninformed user might try to search for a flooded key on SKS if they can't find it in keys.openpgp.org and break their keyring in the attempt. I've heard dkg recommend against pgp.mit.edu also, but I don't remember why.

OK, this might be a sufficient reason to bother maintaining a custom Enigmail pref. Please file a ticket if you think the FT should put time into this :)

#6 Updated by cbrownstein 4 months ago

  • Assignee changed from cbrownstein to sajolida

Here's a branch with my changes:

https://0xacab.org/cbrownstein/tails/commits/doc/17298-migrate-keyserver

Other than those changes, everything looks good!

#7 Updated by sajolida 4 months ago

  • Status changed from Needs Validation to Resolved
  • Assignee deleted (sajolida)
  • Target version set to Tails_4.2

Thanks for the prompt review. I merged it now.
