gnupg2 not honoring http-proxy argument
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gnupg2 (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
I discovered this while running the following apt-key command:
sudo apt-key adv --keyserver hkp://keyserver
I was hoping apt-key would pick up the http_proxy environment variable, however it did not. So I had to pass it into gpg manually:
sudo apt-key adv --keyserver hkp://keyserver
However, that still didn't work. So I messed around with running gnupg manually and found that the dirmngr has a bug in the implementation of its HTTP client. Essentially, dirmngr does not handle the http_proxy quite right, as it is still trying to resolve the hostname of the keyserver instead of just proxying the request through the HTTP proxy defined with the http-proxy argument.
I configured dirmngr to show all debugging output:
$ cat ~/.gnupg/
log-file /home/wlaw/
verbose
debug all
Output of running gpg manually:
$ gpg --debug-level guru --keyserver hkp://keyserver
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/wlaw/.gnupg
gpg: DBG: chan_3 <- # Config: /home/wlaw/
gpg: DBG: chan_3 <- OK Dirmngr 2.2.4 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.4
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION http-proxy=http://
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear hkp://keyserver
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0x2EE0EA64E40A8
gpg: DBG: chan_3 <- ERR 167772346 No keyserver available <Dirmngr>
gpg: keyserver receive failed: No keyserver available
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
gpg: rndjent stat: collector=
gpg: secmem usage: 0/65536 bytes in 0 blocks
Output of dirmngr.log:
$ cat ~/.gnupg/
2018-08-21 10:18:41 dirmngr[22513.0] permanently loaded certificates: 139
2018-08-21 10:18:41 dirmngr[22513.0] runtime cached certificates: 0
2018-08-21 10:18:41 dirmngr[22513.0] trusted certificates: 139 (138,0,0,1)
2018-08-21 10:18:41 dirmngr[22513.6] handler for fd 6 started
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 -> # Home: /home/wlaw/.gnupg
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 -> # Config: /home/wlaw/
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 -> OK Dirmngr 2.2.4 at your service
2018-08-21 10:18:41 dirmngr[22513.6] connection from process 22512 (1000:1000)
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 <- GETINFO version
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 -> D 2.2.4
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 -> OK
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 <- OPTION http-proxy=http://
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 -> OK
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 <- KEYSERVER --clear hkp://keyserver
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 -> OK
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 <- KS_GET -- 0x2EE0EA64E40A8
2018-08-21 10:18:41 dirmngr[22513.6] DBG: dns: libdns initialized
2018-08-21 10:18:41 dirmngr[22513.6] DBG: dns: resolve_
2018-08-21 10:18:41 dirmngr[22513.6] resolving 'keyserver.
2018-08-21 10:18:41 dirmngr[22513.6] number of system provided CAs: 138
2018-08-21 10:18:41 dirmngr[22513.6] DBG: http.c:
2018-08-21 10:18:41 dirmngr[22513.6] DBG: dns: resolve_
2018-08-21 10:18:41 dirmngr[22513.6] can't connect to 'localhost': no IP address for host
2018-08-21 10:18:41 dirmngr[22513.6] error connecting to 'http://
2018-08-21 10:18:41 dirmngr[22513.6] marking host 'keyserver.
2018-08-21 10:18:41 dirmngr[22513.6] DBG: dns: resolve_
2018-08-21 10:18:41 dirmngr[22513.6] resolving 'keyserver.
2018-08-21 10:18:41 dirmngr[22513.6] host 'keyserver.
2018-08-21 10:18:41 dirmngr[22513.6] command 'KS_GET' failed: No keyserver available
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 -> ERR 167772346 No keyserver available <Dirmngr>
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 <- BYE
2018-08-21 10:18:41 dirmngr[22513.6] DBG: chan_6 -> OK closing connection
2018-08-21 10:18:41 dirmngr[22513.6] handler for fd 6 terminated
This is only a problem when you're on a network that does not resolve DNS of internet hostnames (i.e. some sort of split-horizon setup). However, that shouldn't matter, because dirmngr should not be trying to resolve the address on its own if a proxy server has been defined and provided as an argument.
I can curl the hostname just fine using the HTTP proxy:
$ curl keyserver.
* Rebuilt URL to: keyserver.
% Total % Received % Xferd Average Speed Time Time Time Current
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3128 (#0)
> GET http://
> Host: keyserver.
> User-Agent: curl/7.58.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Tue, 21 Aug 2018 12:15:44 GMT
< Server: sks_www/1.1.6
< Content-Length: 5004
< Content-Type: text/html; charset=UTF-8
< Access-
< Vary: Accept-Encoding
< Warning: 110 squid/3.5.12 "Response is stale"
< X-Cache: HIT from cassava.
< X-Cache-Lookup: HIT from cassava.
< Via: 1.1 cassava.
< Proxy-Connection: Keep-Alive
< Connection: Keep-Alive
< Age: 7534
<
{ [3595 bytes data]
100 5004 100 5004 0 0 56224 0 --:--:-- --:--:-- --:--:-- 56224
* Connection #0 to host localhost left intact
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnupg2 2.2.4-1ubuntu1.1
ProcVersionSign
Uname: Linux 4.15.0-30-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.9-0ubuntu7.2
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Aug 21 10:04:02 2018
InstallationDate: Installed on 2018-04-06 (136 days ago)
InstallationMedia: Ubuntu 16.04.4 LTS "Xenial Xerus" - Release amd64 (20180228)
PackageArchitec
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: gnupg2
UpgradeStatus: Upgraded to bionic on 2018-05-11 (101 days ago)
Okay, it looks like issues have been created upstream (https:/ /dev.gnupg. org/T3065# 111023). But it appears that the gpg devs don't really get how to implement a standards compliant HTTP client:
> Note that an HTTP proxy is independent of the DNS resolver because it works at the HTTP layer.