I have a need at work to import GPG keys automatically from keyservers. To make sure I trust the keys, I fully intended to use hkps keyservers. To that end I found these:

    https://SERVER/pks/lookup?search=0x8F3B8C432F4393BD

I hit that URL on each server in order to make sure they work. For those who do not know, hkps is the HTTPS form of HKP, the "HTTP Keyserver Protocol" as defined in this proposal. Thus, I can just hit the URLs directly, which, thankfully, soon became quite necessary.

Time to get the GPG command working. Here's what works on all of the systems I tried EXCEPT CentOS 6. Debugging options (--verbose --keyserver-options debug) were added to get additional diagnostic information.

    gpg --verbose --status-fd 1 --keyserver hkps://keyserver.ubuntu.com --keyserver-options debug --recv-key 8F3B8C432F4393BD

Typically this works like a charm. CentOS 6 gives this error, regardless of which server I use:

    gpg: requesting key 2F4393BD from hkps server keyserver.ubuntu.com
    gpgkeys: curl version = libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    * About to connect() to keyserver.ubuntu.com port 443 (#0)
    *   Trying 91.189.90.55... * connected
    * Connected to keyserver.ubuntu.com (91.189.90.55) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: none
      CApath: none
    * Certificate is signed by an untrusted issuer: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US'
    * NSS error -8172
    * Closing connection #0
    * Peer certificate cannot be authenticated with known CA certificates
    gpgkeys: HTTP fetch error 60: Peer certificate cannot be authenticated with known CA certificates
    gpg: no valid OpenPGP data found.
    [GNUPG:] NODATA 1
    gpg: Total number processed: 0
    [GNUPG:] IMPORT_RES 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Wait a sec, that looks like a CA cert problem. I can curl the URL directly from CentOS 6, and I also used openssl to manually make an HTTP request. Works every time, except from gpg. I did not dig deep enough to see why gpg does not work because I was much more interested in having this fixed, and CentOS 6 is already quite ancient. So, here's what I did as a workaround:

    curl 'https://keyserver.ubuntu.com/pks/lookup?search=0x8F3B8C432F4393BD&op=get' | gpg --import --status-fd 1

And you can see here that it works perfectly fine:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  3230  100  3230    0     0  18737      0 --:--:-- --:--:-- --:--:--  175k
    gpg: /home/centos/.gnupg/trustdb.gpg: trustdb created
    gpg: key 2F4393BD: public key "Tyler Akins <fidian@rumkin.com>" imported
    [GNUPG:] IMPORTED 8F3B8C432F4393BD Tyler Akins <fidian@rumkin.com>
    [GNUPG:] IMPORT_OK 1 164090D5B9551478BE7F25588F3B8C432F4393BD
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    [GNUPG:] IMPORT_RES 1 0 1 1 0 0 0 0 0 0 0 0 0 0

Problem solved.
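One thing worth making explicit for an automated import: hkps (or curl's TLS check in the workaround) only authenticates the connection to the keyserver, not the key itself. Anyone can upload a key carrying any user ID, and a short or long key ID is not unique, so the thing that actually establishes trust is the full 40-hex fingerprint, which gpg hands you on the `[GNUPG:] IMPORT_OK` status line shown above. The script below is an added example, not the author's own script: it parses the `--status-fd 1` output exactly as printed on this page, and wraps the curl-into-gpg workaround so that the fetched key is first imported into a throwaway keyring, checked against a fingerprint you pinned out of band, and only then imported for real. It assumes curl and gpg on PATH for the live path; the parsing functions run offline on the constructed sample status lines copied from the page's output.

```python
import os
import subprocess
import tempfile

# Status lines as printed by the page's successful import, embedded here as a
# constructed sample so the parsing logic can be exercised without a network.
SAMPLE_STATUS = """\
[GNUPG:] IMPORTED 8F3B8C432F4393BD Tyler Akins <fidian@rumkin.com>
[GNUPG:] IMPORT_OK 1 164090D5B9551478BE7F25588F3B8C432F4393BD
[GNUPG:] IMPORT_RES 1 0 1 1 0 0 0 0 0 0 0 0 0 0
"""

# The fingerprint you expect, obtained out of band (here: the one the page's
# own output printed). Pin the full fingerprint, never the 8- or 16-hex key ID.
EXPECTED_FPR = "164090D5B9551478BE7F25588F3B8C432F4393BD"


def imported_fingerprints(status_output):
    """Collect the full fingerprints from IMPORT_OK status lines.

    Line format: "[GNUPG:] IMPORT_OK <reason> <fingerprint>". Reason 0 means
    the key was already in the keyring, 1 means entirely new, and bits 2/4/8
    mean new user IDs, signatures or subkeys. Any of them means the key with
    that fingerprint now sits in the keyring, which is what we care about.
    """
    fprs = []
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "[GNUPG:]" and parts[1] == "IMPORT_OK":
            fprs.append(parts[3].upper())
    return fprs


def import_counts(status_output):
    """Return (processed, imported) from the IMPORT_RES summary, or (0, 0).

    IMPORT_RES fields start with: count, no_user_id, imported, imported_rsa...
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "[GNUPG:]" and parts[1] == "IMPORT_RES":
            return int(parts[2]), int(parts[4])
    return 0, 0


def verify_import(status_output, expected_fpr):
    """True only when exactly the pinned key was imported.

    A NODATA run like the CentOS 6 failure on the page has no IMPORT_OK line
    and fails here; so does a response carrying a different key (or several
    keys) for the same key ID.
    """
    return imported_fingerprints(status_output) == [expected_fpr.upper()]


def fetch_and_import(key_id, expected_fpr, keyserver="keyserver.ubuntu.com"):
    """The page's curl | gpg workaround with a fingerprint gate in front.

    Needs curl, gpg and network access; not exercised offline. curl keeps
    validating the server certificate, and the fingerprint check catches a
    wrong key no matter what the keyserver served.
    """
    url = f"https://{keyserver}/pks/lookup?op=get&search=0x{key_id}"
    fetched = subprocess.run(
        ["curl", "--fail", "--silent", "--show-error", url],
        check=True, capture_output=True,
    )
    # Stage the key in a private scratch keyring (mkdtemp creates it mode 0700)
    # so nothing reaches the real keyring before the fingerprint is checked.
    with tempfile.TemporaryDirectory() as scratch:
        staged = subprocess.run(
            ["gpg", "--batch", "--homedir", scratch, "--import", "--status-fd", "1"],
            input=fetched.stdout, capture_output=True,
        )
        status = staged.stdout.decode("utf-8", "replace")
        if not verify_import(status, expected_fpr):
            raise RuntimeError(
                f"fingerprint check failed for 0x{key_id} from {keyserver}; "
                f"got {imported_fingerprints(status) or 'nothing'}\n{status}"
            )
    # Verified: now import the same bytes into the real keyring.
    subprocess.run(
        ["gpg", "--batch", "--import", "--status-fd", "1"],
        input=fetched.stdout, check=True, capture_output=True,
    )
    return expected_fpr.upper()


if __name__ == "__main__":
    # Live run, equivalent to the page's one-liner plus the check:
    print(fetch_and_import("8F3B8C432F4393BD", EXPECTED_FPR))
```

The same gate works with `gpg --recv-key` on the systems where hkps does work: run it with `--status-fd 1`, feed the output to `verify_import`, and treat anything other than a single matching IMPORT_OK line as a failed import rather than trusting whatever the keyserver returned.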