gnupg2 appears to ignore http_proxy, fails to retrieve keys
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| GnuPG2 | Fix Released | Unknown | | |
| gnupg2 (Ubuntu) | Fix Released | Critical | Dimitri John Ledkov | |
| Yakkety | Won't Fix | Undecided | Dimitri John Ledkov | |
Bug Description
As seen in the LXC autopkgtest results: http://
The source of those failures is that pool.sks-
Under gpgv1, this was causing gpg to grab keys through the specified proxy as required in the autopkgtest environment and in a lot of corporate environments where internet access is only available through proxy.
In gpgv2, it looks like dirmngr just entirely ignores any proxy variable and just attempts to fetch the key directly rather than through the proxy, leading to a failure.
### Xenial
```
iptables -I OUTPUT -p tcp --dport 80 -j REJECT
ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT
root@xenial:~# gpg --keyserver hkp://p80.
gpg: requesting key 22F6E216 from hkp server p80.pool.
?: p80.pool.
gpgkeys: HTTP fetch error 7: couldn't connect: Connection refused
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: keyserver unreachable
gpg: keyserver communications error: public key not found
gpg: keyserver receive failed: public key not found
root@xenial:~# http_proxy=http://
gpg: requesting key 22F6E216 from hkp server p80.pool.
gpg: key 22F6E216: "LXC pre-built images <email address hidden>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
```
### Yakkety
```
root@yakkety:~# iptables -I OUTPUT -p tcp --dport 80 -j REJECT
root@yakkety:~# ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT
root@yakkety:~# gpg --keyserver hkp://p80.
gpg: keyserver receive failed: Connection refused
root@yakkety:~# http_proxy=http://
gpg: keyserver receive failed: Connection refused
```
- Changed in gnupg2 (Ubuntu): assignee: nobody → Dimitri John Ledkov (xnox)
- Changed in gnupg2: status: Unknown → Fix Released
- Changed in gnupg2 (Ubuntu Yakkety): assignee: nobody → Dimitri John Ledkov (xnox)
- Changed in gnupg2 (Ubuntu Yakkety): status: New → Won't Fix
- Changed in gnupg2 (Ubuntu): status: Triaged → In Progress
Upstream decides to ignore http_proxy by default, unless a config option is set.
I shall update the dirmngr.conf skeleton to include "honor-http-proxy" by default.
Existing users will be stuck being confused =(
Automatically, this can be adjusted with:
```
echo "honor-http-proxy:0:1" | gpgconf --change-options dirmngr
```
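For provisioning hosts that only reach the internet through a proxy, the same change can be applied idempotently to the config file itself. This is an added example, not code from the bug thread or from GnuPG; it assumes a `dirmngr.conf` path is passed in (the real one lives under `~/.gnupg/`) and a constructed sample config for the demo.

```shell
#!/bin/sh
# Added example: make dirmngr (gpg 2.1+) honour $http_proxy by ensuring
# the "honor-http-proxy" option is present in a dirmngr.conf.
# Assumption: the caller passes the config path (e.g. ~/.gnupg/dirmngr.conf).

# Return 0 if the config already enables honor-http-proxy, 1 otherwise.
# Comment lines and trailing whitespace are ignored by the match.
honors_http_proxy() {
    conf="$1"
    [ -f "$conf" ] || return 1
    grep -Eq '^[[:space:]]*honor-http-proxy[[:space:]]*$' "$conf"
}

# Append honor-http-proxy only if it is not already set (idempotent).
# Prints "added" or "already set".
ensure_honor_http_proxy() {
    conf="$1"
    if honors_http_proxy "$conf"; then
        echo "already set"
        return 0
    fi
    mkdir -p "$(dirname "$conf")"
    printf '%s\n' 'honor-http-proxy' >> "$conf"
    echo "added"
}

# Report whether a key fetch via dirmngr would actually go through the proxy.
# Both conditions must hold: http_proxy exported AND the option in the config;
# the bug above is exactly the "proxy-ignored" case.
proxy_status() {
    conf="$1"
    if [ -z "${http_proxy:-}" ]; then
        echo "no-proxy-env"
    elif honors_http_proxy "$conf"; then
        echo "proxied"
    else
        echo "proxy-ignored"
    fi
}

# Demo on a constructed sample config (not a real user's file).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '# constructed sample\nkeyserver hkp://keys.example.invalid\n' > "$tmp/dirmngr.conf"
    http_proxy=http://proxy.example.invalid:3128; export http_proxy
    proxy_status "$tmp/dirmngr.conf"          # proxy-ignored
    ensure_honor_http_proxy "$tmp/dirmngr.conf" # added
    proxy_status "$tmp/dirmngr.conf"          # proxied
    rm -rf "$tmp"
fi
```

A dirmngr that is already running reads the file at start, so follow the edit with `gpgconf --reload dirmngr` for it to take effect in the current session.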
This is a real pity for users on http_proxy networks; I used to suffer on such a network, and it was not nice.