Tails

#2 Updated by intrigeri 2019-12-12 07:39:46

• related to Bug #12689: gpg --recv-key often hangs due to unreliable keyserver added

#3 Updated by intrigeri 2019-12-12 07:51:21

• Status changed from New to Confirmed
• Assignee set to sajolida

> From having a brief look at the code, it seems like we don’t update people’s configuration automatically.

Correct.

> It might be worth documenting how to check the keyserver in your configuration and change it manually if needed since this change has to do with the SKS pool becoming nasty, possibly leading to unusable keyrings in Tails, laptops overheating and crashing, etc. (it happened to me!)

> Shall I do that?

Yes, please. I realize that for you to do the “Document manual steps that persistence users may need to go through” step of the release notes checklist, you need input from developers. I’ll try to not forget to do this proactively next time!

> What should we tell people to update?
> I see in 88f9d972e1 and 3c68e5ff4c that this configuration is now in _{/.gnupg/dirmngr.conf. Might it also still be in}/.gnupg/gpg.conf?

Here’s what should be updated:

• In ~/.gnupg/dirmngr.conf, replace any pre-existing keyserver stanza with keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion.
• In ~/.gnupg/gpg.conf, remove any keyserver stanza.

> I see that Enigmail uses its own keyserver configuration. Does it also need to be updated manually? (I could test this myself when I do the upgrade.)

The default set of keyservers used by Enigmail in a fresh 4.1 is vks://keys.openpgp.org, hkps://hkps.pool.sks-keyservers.net, hkps://pgp.mit.edu.

But I don’t know if this automatically overrides prefs set by Torbirdy in a persistent ~/.thunderbird/ in an older Tails, so yeah, better test it yourself.

#4 Updated by sajolida 2019-12-12 17:02:58

• Status changed from Confirmed to Needs Validation
• Assignee changed from sajolida to cbrownstein
• Feature Branch set to doc/17298-migrate-keyserver

Thanks for the technical details!

Here is a branch, @cbrownstein please have a look.

I moved it to a dedicated page because it was quite long and made it easier to reference from other pages.

We should keep it around for some time and remove it for 5.0 or earlier.

@intrigeri: I wondered why we are using different keyservers in Enigmail than dirmngr.conf.

Currently, Enigmail offers hkps://hkps.pool.sks-keyservers.net and hkps://pgp.mit.edu as second choice options when search for keys. An uninformed user might try to search for a flooded key on SKS if they can’t find it in keys.opengpg.org and break their keyring in the attempt. I’ve heard dkg recommend against pgp.mit.edu also, but I don’t remember why.

I tried to use the same “hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion” in Enigmail and it works.

#6 Updated by cbrownstein 2019-12-13 17:06:21

• Assignee changed from cbrownstein to sajolida

Here’s a branch with my changes:

https://0xacab.org/cbrownstein/tails/commits/doc/17298-migrate-keyserver

Other than those changes, everything looks good!

#7 Updated by sajolida 2019-12-16 15:51:09

• Status changed from Needs Validation to Resolved
• Assignee deleted (sajolida)
• Target version set to Tails_4.2

Thanks for the prompt review. I merged it now.