Bug #15415

Unreliable key server operations

Added by sajolida 2018-03-14 16:49:54. Updated 2018-03-16 16:55:17.

I’ve been experiencing this for a while without being sure it was a bug. Today I’m convinced it is one:

I tried to fetch a public key and it failed:

amnesia@amnesia:~$ gpg --search-keys floriana@accessnow.org
gpg: WARNING: Tor is not properly configured
gpg: error searching keyserver: Permission denied
gpg: keyserver search failed: Permission denied

Then unplugged my Ethernet cable and plugged it back.

Then tried to fetch the same key again and it worked:

amnesia@amnesia:~$ gpg --search-keys floriana@accessnow.org
gpg: data source: http://jirk5u4osbsr34t5.onion:11371
(1)     Floriana Pagano <floriana@accessnow.org>
          4096 bit RSA key 0xB4B65273C21574E0, created: 2017-04-21, expires: 2022-04-20
Keys 1-1 of 1 for "floriana@accessnow.org".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 0xB4B65273C21574E0: public key "Floriana Pagano <floriana@accessnow.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:  20  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  20  signed:  36  trust: 20-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2018-04-11
gpg: Total number processed: 1
gpg:               imported: 1

It seems like some keyservers don’t like Tor. Maybe we could configure one that always works?


Related issues

Related to Tails - Bug #14770: "Fetching OpenPGP keys" scenarios are fragile: communication failure with keyserver Resolved 2017-10-04


#1 Updated by sajolida 2018-03-14 16:50:10

  • related to Bug #14770: "Fetching OpenPGP keys" scenarios are fragile: communication failure with keyserver added

#2 Updated by sajolida 2018-03-14 16:50:11

Maybe that’s related to Bug #14770

#3 Updated by intrigeri 2018-03-16 08:01:54

  • Assignee set to sajolida
  • QA Check set to Info Needed

Could you please share the content of your ~/.gnupg/dirmngr.conf?

The default one is:

keyserver hkp://jirk5u4osbsr34t5.onion

… which uses an Onion Service so “some keyservers don’t like Tor” does not apply.

#4 Updated by sajolida 2018-03-16 16:55:17

  • Status changed from Confirmed to Resolved
  • Assignee deleted (sajolida)

Before reporting my bug I checked the diff between my gpg.conf and /etc/skel/.gnupg/gpg.conf and the only difference is ‘default-key’.

But indeed, I didn’t have /etc/skel/.gnupg/dirmngr.conf in my ~/.gnupg, probably because I created my persistence before it was added (3c68e5ff4c - 2017-01-31).

So I copied this dirmngr.conf to my ~/.gnupg and can probably close this ticket now.

It might still be useful for other people :)
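
The check that resolved this ticket, written out as an added example (not part of the original ticket and not Tails code): it lists `*.conf` files present in /etc/skel/.gnupg but absent from ~/.gnupg, and verifies that every keyserver in dirmngr.conf is an onion service. The function names are hypothetical; the default paths are the ones named in the ticket and can be overridden by passing a skeleton directory and a GnuPG home as arguments.

```shell
#!/bin/sh
# Added example: compare a GnuPG home with the skeleton defaults from the ticket.
# Print names of *.conf files present in the skeleton but absent from the home.
missing_skel_files() {
    skel=${1:-/etc/skel/.gnupg}
    home=${2:-$HOME/.gnupg}
    for f in "$skel"/*.conf; do
        [ -f "$f" ] || continue            # also covers an unmatched glob
        name=$(basename "$f")
        [ -e "$home/$name" ] || printf '%s\n' "$name"
    done
}

# Print each keyserver URI set in a dirmngr.conf; commented lines are skipped.
configured_keyservers() {
    [ -f "$1" ] || return 0
    awk '$1 == "keyserver" && NF >= 2 { print $2 }' "$1"
}

# Succeed only if at least one keyserver is set and all are onion services.
keyservers_all_onion() {
    servers=$(configured_keyservers "$1")
    [ -n "$servers" ] || return 1
    for s in $servers; do
        host=${s#*://}                     # drop the scheme (hkp://, hkps://, ...)
        host=${host%%[:/]*}                # drop port and path
        case $host in *.onion) ;; *) return 1 ;; esac
    done
}

# Report findings for a skeleton/home pair; non-zero status if anything is off.
check_gnupg_home() {
    skel=${1:-/etc/skel/.gnupg}
    home=${2:-$HOME/.gnupg}
    rc=0
    for name in $(missing_skel_files "$skel" "$home"); do
        echo "missing: $home/$name (default exists in $skel)"
        rc=1
    done
    if ! keyservers_all_onion "$home/dirmngr.conf"; then
        echo "no onion-only keyserver in $home/dirmngr.conf"
        rc=1
    fi
    return $rc
}

# Check the live paths (or the two directories given as arguments).
check_gnupg_home "$@" || echo "GnuPG home differs from skeleton defaults" >&2
```

A persistent ~/.gnupg created before a skeleton file was introduced never receives that file, which is the situation this check surfaces.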