I have a need at work to import gpg keys automatically from keyservers. To make sure I trust the keys, I fully intended to use hkps keyservers. To that end I found these:
- hkps://hkps.pool.sks-keyservers.net (custom CA cert)
- hkps://zimmermann.mayfirst.org (custom CA cert)
So far so good. I installed the two CA certs and I can use curl to hit
in order to make sure they work. For those who do not know, hkps is "HTTP Keyserver Protocol" as defined in this proposal
. Thus, I can just hit the URLs directly, thankfully, because it soon became quite necessary.
Time to get the GPG command working. Here's what works on all of the systems I tried EXCEPT CentOS 6. Debugging options (
--verbose --keyserver-options debug) were added to get additional diagnostic information.
gpg --verbose --status-fd 1 --keyserver hkps://keyserver.ubuntu.com --keyserver-options debug --recv-key 8F3B8C432F4393BD
Typically works like a charm. CentOS 6 has this error, regardless of which server I use.
gpg: requesting key 2F4393BD from hkps server keyserver.ubuntu.com
gpgkeys: curl version = libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
* About to connect() to keyserver.ubuntu.com port 443 (#0)
* Trying 184.108.40.206... * connected
* Connected to keyserver.ubuntu.com (220.127.116.11) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: none
* Certificate is signed by an untrusted issuer: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
gpgkeys: HTTP fetch error 60: Peer certificate cannot be authenticated with known CA certificates
gpg: no valid OpenPGP data found.
[GNUPG:] NODATA 1
gpg: Total number processed: 0
[GNUPG:] IMPORT_RES 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Wait a sec, that looks like a CA cert problem. I can curl to the URL directly from CentOS 6 and I also used openssl to manually make an HTTP request. Works every time, except from gpg. I did not dig deep enough to see why gpg does not work because I was much more interested in having this fixed and CentOS 6 is already quite ancient. So, here's what I did as a workaround.
curl https://keyserver.ubuntu.com/pks/lookup?search=0x8F3B8C432F4393BD\&op=get | gpg --import --status-fd 1
And you can see here that it works perfectly fine:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3230 100 3230 0 0 18737 0 --:--:-- --:--:-- --:--:-- 175k
gpg: /home/centos/.gnupg/trustdb.gpg: trustdb created
gpg: key 2F4393BD: public key "Tyler Akins <firstname.lastname@example.org>" imported
[GNUPG:] IMPORTED 8F3B8C432F4393BD Tyler Akins <email@example.com>
[GNUPG:] IMPORT_OK 1 164090D5B9551478BE7F25588F3B8C432F4393BD
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[GNUPG:] IMPORT_RES 1 0 1 1 0 0 0 0 0 0 0 0 0 0