gpg key retrieval gives bogus, confusing error message

Bug #1044156 reported by Paul Abrahams
This bug affects 1 person
Affects: gnupg (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I attempted to install a key using gpg as follows:

pwa@pwa-K60IJ:~/Documents$ gpg --keyserver hkp://subkeys.pgp.net --recv-keys A8AA1FAA3F055C03
gpg: requesting key 3F055C03 from hkp server subkeys.pgp.net
?: subkeys.pgp.net: Host not found
gpgkeys: HTTP fetch error 7: couldn't connect: Success
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

I don't know why I got this error (I'm not behind a proxy server), but that's not the point of my filing this bug report. Whatever the problem is, it's not a case of "host not found". The host is there and I can link to it. The error message is clearly bogus, and very misleading. It needs to reflect what the problem really is.

I'm running Kubuntu 12.04 and gpg 1.4.11. The command cited above seems to work for most people, but it doesn't work for me.

PS - I attempted to file this report under package gpg, but got a message that gpg does not exist in ubuntu. Yet gpg shows up under the package name search in the bug reporter.

Tags: bot-comment
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1044156/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Paul Abrahams (abrahams)
affects: ubuntu → gnupg (Ubuntu)
Paul Abrahams (abrahams) wrote :

I just discovered that if I replace the hostname by its IP address, the retrieval works. I'm reporting that as a separate bug.

Daniel Leidert (dleidert-deactivatedaccount) wrote :

Please install gnupg-curl and try again. We build gnupg in two different ways: one time with the built-in cURL implementation and one time against the cURL library. The first has some limitations and maybe you hit one. If that doesn't solve the issue for you, please enable debugging and verbose output for server communication (--keyserver-options verbose,debug) and post the output.

Paul Abrahams (abrahams) wrote :

I installed gnupg-curl, tried the command again with the options you suggested, and got this:

pwa@pwa-K60IJ:~/Documents$ sudo gpg --keyserver hkp://subkeys.pgp.net --keyserver-options verbose,debug --recv-keys A8AA1FAA3F055C03
gpg: requesting key 3F055C03 from hkp server subkeys.pgp.net
gpgkeys: curl version = libcurl/7.22.0 GnuTLS/2.12.14 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
* getaddrinfo(3) failed for subkeys.pgp.net:11371
* Couldn't resolve host 'subkeys.pgp.net'
* Closing connection #0
gpgkeys: HTTP fetch error 6: Couldn't resolve host 'subkeys.pgp.net'
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

But port 11371 is open:

pwa@pwa-K60IJ:~/Documents$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
11371                      ALLOW       Anywhere
11371                      ALLOW       Anywhere (v6)

Daniel Leidert (dleidert-deactivatedaccount) wrote :

It cannot resolve the hostname 'subkeys.pgp.net' to an IP address. Sounds like you have a problem with your DNS resolver, which might be caused by your configuration of iptables/ufw usage. Please check the relevant logs and contact a user or support forum for iptables to get help to find and fix the error. This is very probably not a bug in gnupg. I'm therefore tagging it 'Incomplete' for the moment. Please report back if you can verify that this is not related to your iptables config/ufw usage.

Changed in gnupg (Ubuntu):
status: New → Incomplete
Paul Abrahams (abrahams) wrote :

I don't have a problem in resolving that hostname in any other context. For instance:

pwa@pwa-K60IJ:~/Documents$ ping subkeys.pgp.net
PING subkeys.pgp.net (116.240.198.71) 56(84) bytes of data.
64 bytes from web-196-keysigning.ivt.com.au (116.240.198.71): icmp_req=1 ttl=46 time=255 ms
64 bytes from web-196-keysigning.ivt.com.au (116.240.198.71): icmp_req=2 ttl=46 time=254 ms

And I can bring up a page with the URL also.

So if there's an iptables/ufw problem, it's very particular to this context. Others have also reported this problem, though most of them have resolved it. It seemed to be related to the use of a proxy server, but I'm not using one, as System Settings verifies.

What log should I look at for further information? It will be quite difficult for anyone from the iptables world to track this down if it only occurs in this one context.

Daniel Leidert (dleidert-deactivatedaccount) wrote :

IMO iptables leaves log messages in the syslog. You can also grep for iptables or relevant phrases through /var/log.

Paul Abrahams (abrahams) wrote :

I just tried again, with interesting, different, and puzzling results:

pwa@pwa-K60IJ:~$ gpg --keyserver hkp://subkeys.pgp.net --recv-keys A8AA1FAA3F055C03
gpg: failed to create temporary file `/home/pwa/.gnupg/.#lk0x1021490.pwa-K60IJ.947': Permission denied
gpg: keyblock resource `/home/pwa/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/pwa/.gnupg/.#lk0x10238e0.pwa-K60IJ.947': Permission denied
gpg: keyblock resource `/home/pwa/.gnupg/pubring.gpg': general error
gpg: requesting key 3F055C03 from hkp server subkeys.pgp.net
gpgkeys: HTTP fetch error 6: Couldn't resolve host 'subkeys.pgp.net'
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
pwa@pwa-K60IJ:~$ sudo gpg --keyserver hkp://subkeys.pgp.net --recv-keys A8AA1FAA3F055C03
gpg: requesting key 3F055C03 from hkp server subkeys.pgp.net
gpgkeys: HTTP fetch error 6: Couldn't resolve host 'subkeys.pgp.net'
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
pwa@pwa-K60IJ:~$ ll -d .gnupg
drwx------ 2 root root 4096 Sep 1 19:02 .gnupg/

There's nothing interesting about iptables anywhere in /var/log. The only entries there have to do with dpkg or dist-upgrade, and they're old.

Paul Abrahams (abrahams) wrote :

I don't think that ufw/iptables has anything to do with the problem. Look at this:

root@Lenovo-Z580:~# host pgpkeys.mit.edu
pgpkeys.mit.edu is an alias for CRYPTONOMICON.mit.edu.
CRYPTONOMICON.mit.edu has address 18.9.60.141
root@Lenovo-Z580:~# gpg --keyserver hkp://pgpkeys.mit.edu --recv-keys A8AA1FAA3F055C03
gpg: requesting key 3F055C03 from hkp server pgpkeys.mit.edu
?: pgpkeys.mit.edu: Host not found
gpgkeys: HTTP fetch error 7: couldn't connect: Success
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
root@Lenovo-Z580:~# gpg --keyserver hkp://18.9.60.141 --recv-keys A8AA1FAA3F055C03
gpg: requesting key 3F055C03 from hkp server 18.9.60.141
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 3F055C03: public key "Launchpad PPA for Daniel Richter" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

If you use the Web address of the keyserver, the key retrieval fails. If you use its IP address, the key retrieval succeeds. If there was any kind of firewall problem involved, either both of these should succeed or both of these should fail (or it's a pitiful firewall indeed). The problem seems to lie in the way that gpg resolves URLs, or perhaps in how it finds a nameserver to resolve them.
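
An added example, not part of the original report and not gnupg code: a small triage helper that reads a `gpg --recv-keys` transcript like the ones above and reports which stage actually failed, flagging the case where the error code ("7: couldn't connect") disagrees with the resolver message ("Host not found"). The function names `triage` and `resolve` are hypothetical; the mapping of codes 6 and 7 follows libcurl's "couldn't resolve host" and "couldn't connect" results, and the sample transcripts are copied from the comments above.

```python
import re
import socket

# libcurl result codes that appear in the transcripts on this page.
CURL_STAGE = {6: "dns", 7: "connect"}
REQUEST = re.compile(r"^gpg: requesting key (\S+) from hkp server (\S+)$", re.M)
FETCH_ERR = re.compile(r"^gpgkeys: HTTP fetch error (\d+):", re.M)
IMPORTED = re.compile(r"^gpg: key \S+: public key .* imported$", re.M)
# Phrases that show the name lookup itself failed, whatever the error code says.
DNS_HINT = re.compile(r"Host not found|getaddrinfo\(3\) failed|Couldn't resolve host")


def triage(output):
    """Classify one gpg --recv-keys transcript by the stage that failed."""
    req = REQUEST.search(output)
    err = FETCH_ERR.search(output)
    code = int(err.group(1)) if err else None
    reported = CURL_STAGE.get(code, "unknown") if err else None
    if IMPORTED.search(output) and not err:
        stage = "ok"
    elif DNS_HINT.search(output):
        stage = "dns"  # trust the resolver message over the numeric code
    else:
        stage = reported or "unknown"
    return {
        "server": req.group(2) if req else None,
        "code": code,
        "stage": stage,
        "mislabelled": reported is not None and reported != stage,
    }


def resolve(host, port=11371):
    """Resolve host:port through getaddrinfo, the call named in the debug output."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Transcripts copied from the comments above (built-in cURL shim, then gnupg-curl).
BUILTIN = """gpg: requesting key 3F055C03 from hkp server subkeys.pgp.net
?: subkeys.pgp.net: Host not found
gpgkeys: HTTP fetch error 7: couldn't connect: Success
gpg: no valid OpenPGP data found."""
LIBCURL = """gpg: requesting key 3F055C03 from hkp server subkeys.pgp.net
* getaddrinfo(3) failed for subkeys.pgp.net:11371
gpgkeys: HTTP fetch error 6: Couldn't resolve host 'subkeys.pgp.net'"""
```

Calling `resolve()` on the keyserver name from the affected account, and again on its IP literal, separates a resolver problem from a blocked port: an IP literal never reaches the DNS resolver.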

Paul Abrahams (abrahams) wrote :

I should also mention that ufw says that the firewall is inactive.

Launchpad Janitor (janitor) wrote :

[Expired for gnupg (Ubuntu) because there has been no activity for 60 days.]

Changed in gnupg (Ubuntu):
status: Incomplete → Expired