Probably not keyserver problem / not network issue / not user error.
Works for me on Debian. Keyservers
pgp.mit.edu don’t work for me on Debian.
gpg: keyserver receive failed: Server indicated a failure
August 11, 2018, 2:15am
gpg: keyserver receive failed: Server indicated a failure
Had the same error in a Qubes-R3.2 Debian-9 AppVM.
https://packages.debian.org/stretch/dirmngr and was able to download key.
gpg --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
Works for me.
Qubes builder gpg key fetching during build was recently disabled due to never ending gpg keyserver issues.
please upload your gpg key somewhere · Issue #82 · GrapheneOS/hardened_malloc · GitHub
No luck, can try like 10 times and wait ages. If you “google” for just the fingerprint in quotes (to specific results) you find multiple people having this issue. Qubes just removed keyserver fetching for Qubes builds due to unreliability. I guess keyservers are dead and won’t come back (due to GDPR).
June 25, 2019, 3:07am
A bug in sks(?) is preventing gpg keys from downloading. This can prevent users from downloading the Tor Project key in Tor Versioning. It looks like the gpg aspect of this was fixed?
Maybe find an alternate method of downloading the Tor Project key if sks fails in the wiki instructions.
sudo apt-key adv --keyserver jirk5u4osbsr34t5.onion --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
Executing: /tmp/apt-key-gpghome.DvzZefKIG4/gpg.1.sh --keyserver jirk5u4osbsr34t5.onion --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: packet(13) too large
gpg: read_block: read error: Invalid packet
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
First 3 links relate to the issue. Micah Lee brought up something interesting (3rd link).
Other reports of Tor Project key download fails. No good solutions here.
I think we have to give up on gpg keyservers entirely.
I’ve recently created a wiki template Template:Git clone verify - Whonix but it does not cover Qubes TemplateVMs yet, which are even more complicated due to lack of networking.
Installing Newer Tor Versions has instructions for Qubes, but it’s not a wiki template.
I wonder if we can have a generic wiki template (or one for git / one of archives) for gpg verification. Help welcome.
High-risk users should stop using the keyserver network immediately.
# SKS Keyserver Network Under Attack
_This work is released under a [Creative Commons Attribution-NoDerivatives 4.0 International License](http://creativecommons.org/licenses/by-nd/4.0/)._
## Terminological Note
"OpenPGP" refers to the OpenPGP protocol, in much the same way that HTML refers to the protocol that specifies how to write a web page. "GnuPG", "SequoiaPGP", "OpenPGP.js", and others are implementations of the OpenPGP protocol in the same way that Mozilla Firefox, Google Chromium, and Microsoft Edge refer to software packages that process HTML data.
## Who am I?
Also on same subject:
see update → new, fixed keyserver - keys.openpgp.org
July 6, 2019, 9:56am
The first thing that needs to be resolved for the wiki is downloading TPO keys. Their keys are not available for download by git clone(?) so maybe scurl should be used?
Ticket created just now.
stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org
September 27, 2019, 10:39am
Wiki template created.
gpg key import
APT signing key import:
For those pages not updated yet (either because simply not done or since upstream does not provide gpg key download from web rather than keyserver):
Provide a `qubes-receive-key` command for GPG key import. · Issue #6730 · QubesOS/qubes-issues · GitHub
The problem you’re addressing (if any)
Importing a GPG key using gpg --recv-keys will fail (due to a bug in GPG) in an offline qube, such as a template qube, even if an HTTP proxy is used. Furthermore, GPG has substantial attack surface of its own, and exploitable bugs in its parsing of keys have occurred in the past.
Describe the solution you’d like
Provide a qubes-receive-key command that uses a disposable qube and/or the updates proxy to retrieve the key by fingerprint, and then sanitizes the key and ensures it actually has that fingerprint.
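The sanitize-and-check step the issue asks for, as an added example (not Qubes or Whonix code): a minimal OpenPGP packet reader that refuses oversized or truncated packets, recomputes the v4 fingerprint of a public key packet and compares it with the fingerprint that was requested. The 64 KiB packet cap and the constructed demo key are assumptions for offline use.

```python
import hashlib
import struct
MAX_KEY_PACKET = 64 * 1024  # hypothetical sanity cap applied before parsing any further

def read_packet(data):
    """Parse one OpenPGP packet header (RFC 4880 4.2); return (tag, body)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:                     # new-format header
        tag, l = data[0] & 0x3F, data[1]
        if l >= 224:                       # 5-byte and partial lengths: refuse
            raise ValueError("unsupported new-format length for a key packet")
        length, off = (l, 2) if l < 192 else (((l - 192) << 8) + data[2] + 192, 3)
    else:                                  # old-format header (gpg emits 0x99 here)
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not accepted")
        n = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    if length > MAX_KEY_PACKET or off + length > len(data):
        raise ValueError(f"packet({tag}) too large or truncated")
    return tag, data[off:off + length]

def parse_public_key(data):
    """Return the fields of a v4 public key packet (tag 6) plus its fingerprint."""
    tag, body = read_packet(data)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public key packet")
    created, algo = struct.unpack(">IB", body[1:6])
    mpis, pos = [], 6                      # each MPI: 2-byte bit count, then the bytes
    while pos < len(body):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        n = (bits + 7) // 8
        mpis.append(int.from_bytes(body[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    # v4 fingerprint = SHA-1 over 0x99, the 2-byte body length and the body itself
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    return {"created": created, "algo": algo, "mpis": mpis, "fingerprint": fp.upper()}

def key_has_fingerprint(data, expected):
    """True only if the key material really hashes to the fingerprint we asked for."""
    return parse_public_key(data)["fingerprint"] == expected.replace(" ", "").upper()

def build_demo_key():
    # constructed RSA-shaped v4 packet with tiny, unusable MPIs, only for offline testing
    body = b"\x04" + struct.pack(">IB", 1565000000, 1)
    for value, bits in ((0xC0FFEE, 24), (65537, 17)):
        body += struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")
    return bytes([0xC0 | 6, len(body)]) + body
```

A real key file starts with this packet, so `key_has_fingerprint(open(path, "rb").read(), fpr)` is the check to run before `gpg --import`.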
https://keys.openpgp.org/ is not part of the sks network and is supposedly functional, I gather we no longer have to worry about the retrieval of keys issue?
This test unfortunately doesn’t work though:
keys.openpgp.org --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: keyserver receive failed: No keyserver available
But the onion does!
zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: keybox ‘/home/user/.gnupg/pubring.kbx’ created
gpg: key 0xEE8CBC9E886DDD89: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
We should reference the onion then in relevant wiki instructions?
Good idea, if that works!
Key might not be uploaded to keys.openpgp.org. It’s not automatic. Only owner of the e-mail address can upload the key. Depending on the context of the instructions (inside Whonix vs on the host, untorified) that might not work?
Preferably keyserver-less instructions would be better.
--keyserver now is already minimal as per Search results for "keyserver" - Whonix or something that I am missing?
I might just reference that onion in those relevant locations for users that have problems with the clearnet version (10 or so pages).
Before adding a set of default keyservers I tested gpg key imports and it seems to be able to pull it from somewhere despite not having one defined in the settings. Any idea how it does this?
September 28, 2021, 10:34am
Not sure. gpg has a lot of stuff built-in…
Locate a key using DNS CERT, as specified in RFC-4398.
Locate a key using DNS PKA.
Locate a key using DANE, as specified in draft-ietf-dane-openpgpkey-05.txt.
Locate a key using the Web Key Directory protocol.
Using DNS Service Discovery, check the domain in question for any LDAP keyservers to use. If this fails, attempt to locate the key using the PGP Universal method of checking ‘ldap://keys.(thedomain)’.
Locate the key using the Active Directory (Windows only).
Locate a key using a keyserver.
How can I verify Tor Browser's signature? | Tor Project | Support uses:
--auto-key-locate nodefault,wkd --locate-keys email@example.com
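How the WKD lookup behind `--auto-key-locate nodefault,wkd` finds a key with no keyserver involved, as an added example (not gpg’s own code): it derives the URLs gpg requests from the address, using the z-base-32 hash of the local part described in the WKD draft. The order (advanced method first, direct method as fallback) follows that draft.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by the Web Key Directory draft (draft-koch-openpgp-webkey-service)
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data):
    """Encode bytes as z-base-32: 5 bits per character, MSB first, zero-padded at the end."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))

def wkd_hash(local_part):
    """The 'hu' path component: z-base-32 of SHA-1 over the lowercased local part."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())

def wkd_urls(email):
    """URLs a WKD client requests for an address, advanced method first, then direct."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hu, l = wkd_hash(local), quote(local, safe="")   # l= carries the original local part
    base = ".well-known/openpgpkey"
    return [
        f"https://openpgpkey.{domain}/{base}/{domain}/hu/{hu}?l={l}",   # advanced
        f"https://{domain}/{base}/hu/{hu}?l={l}",                       # direct
    ]
```

The response at either URL is a binary (not ASCII-armored) key, which is why this path is tied to the e-mail address rather than to a fingerprint, and why the fingerprint check still has to happen after download.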
September 28, 2021, 10:50am
Default GPG keyservers
You can have two out of three of decentralisation, universality, and abuse-resistance. WKD is decentralised and abuse-resistant but is not universal. keys.openpgp.org is universal and abuse-resistant but highly centralised (and functionally limited). Synchronising keyservers (SKS and Hockeypuck) are decentralised and universal but abuse-prone.
So we have various options.
Picking the best technical solution if it had no traction (no actual users) (didn’t check) would also not be helpful for users.