[Gpg4win-users-en] gpg4win 3.1.16 with updated GnuPG 2.2.32: No public key found despite having refreshed the keys

Andrew Gallagher andrewg at andrewg.com
Wed Dec 22 19:11:53 CET 2021

On 22/12/2021 13:25, Bernhard Reiter wrote:
> Am Mittwoch 22 Dezember 2021 12:17:45 schrieb Stella Ashburne:
>> May I conclude that gpg4win is unable to cope with the scenario that you
>> described? In any case, Debian 11 is able to refresh Tor's sub-keys without
>> having to use WKD.
> That is only half of the story.
> Debian decided to use a central pubkey server by default,
> in this case it is an advantage, but it has other drawbacks,
> which is why Gpg4win has decided against this default.
> Most people think that WKD is a preferred solution to get public keys,
> as it carries a bit of trust, which pubkeyservers do not.
> Debian may also have done something else, I'm not sure why it worked for you
> there.

I checked on keys.openpgp.org and the torproject key in question is 
served in RFC-compliant fashion, and without any poison sigs. This would 
explain why Debian's gnupg (which uses keys.openpgp.org by default) 
works out of the box.

>> It's not just keys.openpgp.org. I have tried at least six public keyservers
>> without success.

keyserver.ubuntu.com is serving the poisoned key, however due to the 
anti-poison mechanisms of the modern synchronising network, this had not 
propagated (in any form) to other keyservers.

I have submitted a clean version of the torproject key (as taken from 
keys.openpgp.org) to the keyserver network, so it should be available 
(if not now, then shortly) from the other working keyservers. The side 
effect is that this has removed any genuine third-party sigs, but I 
think this is preferable to not serving the key at all.

> After the breakdown of the old SKS keyserver network, a new one is just
> building up and does not yet have the old functionality.
> (The main reason is that new software has to be developed.)

The only tested method for synchronising keyservers to protect against 
poison keys is to block those keys entirely. This is a blunt instrument 
but it ensures that the keyservers remain available to serve other keys. 
More sophisticated protections are a work in progress, however it is not 
correct to say that modern synchronising keyservers lack functionality. 
All that is missing is a shared DNS entry to replace 
pool.sks-keyservers.net, but this just means that you have to pick a 
specific keyserver (GnuPG upstream has chosen keyserver.ubuntu.com as 
the default).

Andrew Gallagher
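The "clean version of the key" Andrew submitted, and the anti-poison behaviour he describes, both come down to one filter: keep the key's own packets and self-signatures, drop every certification made by some other key. The following is an added example (not code from this thread, from GnuPG or from any keyserver) that implements that filter over raw OpenPGP packet framing (RFC 4880): it walks the packet stream, computes the primary key's v4 key ID, reads each signature's issuer subpacket, and discards third-party certifications while counting how many were dropped, which is also the number a keyserver would look at before deciding to block a flooded key. The key material is constructed (random filler MPIs, no valid signatures), just enough for the framing and key-ID arithmetic to be real; all function names are my own.

```python
"""Self-sigs-only clean-up of a poisoned OpenPGP key (added example, constructed data)."""
import hashlib
import os
import struct

TAG_SIGNATURE, TAG_PUBKEY, TAG_USERID, TAG_PUBSUBKEY = 2, 6, 13, 14
SUBPKT_CREATED, SUBPKT_ISSUER, SUBPKT_ISSUER_FPR = 2, 16, 33
EPOCH = 1640000000  # fixed creation time for the constructed packets


def read_packets(data: bytes):
    """Yield (tag, body) for each packet; handles new- and old-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = 1 << ltype
            length = int.from_bytes(data[i + 1:i + 1 + nbytes], "big")
            i += 1 + nbytes
        yield tag, data[i:i + length]
        i += length


def write_packet(tag: int, body: bytes) -> bytes:
    """Serialise a packet with a new-format header (1-, 2- or 5-octet length)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        n -= 192
        return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF]) + body
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", n) + body


def v4_keyid(key_body: bytes) -> bytes:
    """Key ID = low 64 bits of the v4 fingerprint SHA-1(0x99 || len || key packet body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:]


def subpackets(area: bytes):
    """Yield (type, body) for each signature subpacket; the length octets cover the type octet."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i], area[i + 1:i + length]
        i += length


def sig_issuer(sig_body: bytes):
    """Issuer key ID of a v4 signature: hashed area first, then the unhashed area."""
    if sig_body[0] != 4:
        return None
    hlen = struct.unpack(">H", sig_body[4:6])[0]
    hashed = sig_body[6:6 + hlen]
    ulen = struct.unpack(">H", sig_body[6 + hlen:8 + hlen])[0]
    unhashed = sig_body[8 + hlen:8 + hlen + ulen]
    for area in (hashed, unhashed):
        for typ, body in subpackets(area):
            if typ == SUBPKT_ISSUER_FPR and body[0] == 4:
                return body[1:21][-8:]                   # key ID is the tail of the fingerprint
            if typ == SUBPKT_ISSUER:
                return body
    return None


def self_sigs_only(data: bytes):
    """Drop every signature not issued by the primary key; return (clean stream, dropped count)."""
    packets = list(read_packets(data))
    if not packets or packets[0][0] != TAG_PUBKEY:
        raise ValueError("stream does not start with a primary public key")
    primary, out, dropped = v4_keyid(packets[0][1]), [], 0
    for tag, body in packets:
        if tag == TAG_SIGNATURE and sig_issuer(body) != primary:
            dropped += 1
            continue
        out.append(write_packet(tag, body))
    return b"".join(out), dropped


def mpi(x: int) -> bytes:
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def make_key_packet(seed: bytes) -> bytes:
    """Constructed v4 RSA public-key packet body; the modulus is deterministic filler, not a real key."""
    n = int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | (1 << 2047) | 1
    return b"\x04" + struct.pack(">I", EPOCH) + b"\x01" + mpi(n) + mpi(65537)


def make_sig_packet(issuer_keyid: bytes, sigtype: int) -> bytes:
    """Constructed v4 signature body carrying an issuer subpacket; the MPI is random filler."""
    hashed = bytes([5, SUBPKT_CREATED]) + struct.pack(">I", EPOCH)
    unhashed = bytes([9, SUBPKT_ISSUER]) + issuer_keyid
    return (b"\x04" + bytes([sigtype, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00"
            + mpi(int.from_bytes(os.urandom(32), "big") | 1))


def poisoned_sample(n_third_party: int) -> bytes:
    """Constructed key: primary, user ID, self-cert, n_third_party stranger certs, subkey + binding sig."""
    primary = make_key_packet(b"victim")
    me = v4_keyid(primary)
    stream = [write_packet(TAG_PUBKEY, primary),
              write_packet(TAG_USERID, b"Victim <victim@example.org>"),
              write_packet(TAG_SIGNATURE, make_sig_packet(me, 0x13))]
    for k in range(n_third_party):
        stranger = v4_keyid(make_key_packet(b"stranger-%d" % k))
        stream.append(write_packet(TAG_SIGNATURE, make_sig_packet(stranger, 0x10)))
    stream += [write_packet(TAG_PUBSUBKEY, make_key_packet(b"victim-sub")),
               write_packet(TAG_SIGNATURE, make_sig_packet(me, 0x18))]
    return b"".join(stream)


if __name__ == "__main__":
    clean, dropped = self_sigs_only(poisoned_sample(50))
    print("dropped third-party certifications:", dropped, "| clean stream bytes:", len(clean))
```

The same filter is what GnuPG applies when you import with `--import-options self-sigs-only` (and `import-clean` removes certifications from keys it cannot check), so a recipient can clean a poisoned key locally even when the keyserver hands over the flooded version; the cost, as the post notes, is that genuine third-party certifications go with the junk.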
