gpg --recv-keys not working with CentOS 6 and hkps

posted Feb 26, 2016, 7:32 AM by Tyler Akins
I have a need at work to import gpg keys automatically from keyservers.  To make sure I trust the keys, I fully intended to use hkps keyservers.  To that end I found these:
  • hkps://keyserver.ubuntu.com
  • hkps://hkps.pool.sks-keyservers.net (custom CA cert)
  • hkps://zimmermann.mayfirst.org (custom CA cert)
So far so good.  I installed the two CA certs and I can use curl to hit https://SERVER/pks/lookup?search=0x8F3B8C432F4393BD in order to make sure they work.  For those who do not know, hkps is the HTTP Keyserver Protocol (HKP, specified in David Shaw's Internet-Draft) carried over TLS: a lookup is an ordinary HTTPS GET against /pks/lookup, with the key id given as 0x-prefixed hex in the search parameter.  Thus, I can just hit the URLs directly, thankfully, because it soon became quite necessary.

Time to get the GPG command working.  Here's what works on all of the systems I tried EXCEPT CentOS 6.  Debugging options (--verbose --keyserver-options debug) were added to get additional diagnostic information, and --status-fd 1 makes gpg print its machine-readable [GNUPG:] status lines on stdout.

gpg --verbose --status-fd 1 --keyserver hkps://keyserver.ubuntu.com --keyserver-options debug --recv-key 8F3B8C432F4393BD

Typically it works like a charm.  CentOS 6 gives this error, regardless of which server I use.

gpg: requesting key 2F4393BD from hkps server keyserver.ubuntu.com
gpgkeys: curl version = libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
* About to connect() to keyserver.ubuntu.com port 443 (#0)
*   Trying 91.189.90.55... * connected
* Connected to keyserver.ubuntu.com (91.189.90.55) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: none
  CApath: none
* Certificate is signed by an untrusted issuer: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
gpgkeys: HTTP fetch error 60: Peer certificate cannot be authenticated with known CA certificates
gpg: no valid OpenPGP data found.
[GNUPG:] NODATA 1
gpg: Total number processed: 0
[GNUPG:] IMPORT_RES 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Wait a sec, that looks like a CA cert problem.  I can curl to the URL directly from CentOS 6 and I also used openssl to manually make an HTTP request.  Works every time, except from gpg.  I did not dig deep enough to see why gpg does not work because I was much more interested in having this fixed and CentOS 6 is already quite ancient.  So, here's what I did as a workaround.

curl https://keyserver.ubuntu.com/pks/lookup?search=0x8F3B8C432F4393BD\&op=get | gpg --import --status-fd 1

And you can see here that it works perfectly fine:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3230  100  3230    0     0  18737      0 --:--:-- --:--:-- --:--:--  175k
gpg: /home/centos/.gnupg/trustdb.gpg: trustdb created
gpg: key 2F4393BD: public key "Tyler Akins <fidian@rumkin.com>" imported
[GNUPG:] IMPORTED 8F3B8C432F4393BD Tyler Akins <fidian@rumkin.com>
[GNUPG:] IMPORT_OK 1 164090D5B9551478BE7F25588F3B8C432F4393BD
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[GNUPG:] IMPORT_RES 1 0 1 1 0 0 0 0 0 0 0 0 0 0

Problem solved.
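The workaround above, extended into the script an unattended import would actually want (an added example, not the post's own code): TLS on the keyserver connection authenticates the server, not the key, so the script also checks the fingerprint of whatever gpg imported against the one it expected. Assumed values are the server and key id from the post and, as the expected fingerprint, the one gpg printed in the IMPORT_OK line above; the sample status lines embedded for offline checking are constructed from the post's output. The debug output earlier also hints at why gpg's own fetch fails: gpgkeys starts NSS with only sql:/etc/pki/nssdb and no CAfile or CApath, while the curl command line on CentOS 6 reads /etc/pki/tls/certs/ca-bundle.crt by default.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Fetch an OpenPGP key over HKPS with curl (the post's workaround), import it,
# and only report success if the key gpg imported carries the expected full
# fingerprint. TLS authenticates the keyserver, not the key, so the
# fingerprint check is what makes an unattended import safe.
set -u

# Assumed values: server and key id from the post, expected fingerprint from
# the IMPORT_OK line gpg printed in the post. Override via the environment.
KEYSERVER="${KEYSERVER:-https://keyserver.ubuntu.com}"
KEY_ID="${KEY_ID:-8F3B8C432F4393BD}"
EXPECTED_FPR="${EXPECTED_FPR:-164090D5B9551478BE7F25588F3B8C432F4393BD}"

# Constructed sample of gpg --status-fd output, copied from the post's
# successful import, for checking the parser without touching the network.
SAMPLE_STATUS='[GNUPG:] IMPORTED 8F3B8C432F4393BD Tyler Akins <fidian@rumkin.com>
[GNUPG:] IMPORT_OK 1 164090D5B9551478BE7F25588F3B8C432F4393BD
[GNUPG:] IMPORT_RES 1 0 1 1 0 0 0 0 0 0 0 0 0 0'

# hkp_get_url BASE KEYID: the HKP lookup URL that returns the armored key.
# HKP wants the hex id prefixed with 0x; accept it with or without.
hkp_get_url() {
    id=${2#0x}
    printf '%s/pks/lookup?op=get&search=0x%s\n' "$1" "$id"
}

# verify_import_status FPR: read gpg --status-fd lines on stdin and return 0
# only if an "IMPORT_OK <reason> <fingerprint>" line names FPR (case-insensitive).
# IMPORT_OK is also emitted for keys already present, which is what we want:
# the question is whether that key is in the keyring, not whether it was new.
verify_import_status() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    matched=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] IMPORT_OK "*)
                rest=${line#"[GNUPG:] IMPORT_OK "}   # "<reason> <fingerprint>"
                fpr=${rest#* }                        # drop the reason code
                fpr=$(printf '%s' "${fpr%% *}" | tr 'a-f' 'A-F')
                [ "$fpr" = "$expected" ] && matched=0
                ;;
        esac
    done
    return $matched
}

# fetch_and_import: the post's curl | gpg pipeline with the fingerprint check
# bolted on. curl uses its own CA bundle (/etc/pki/tls/certs/ca-bundle.crt on
# CentOS 6), which is why it succeeds where gpgkeys, started with no CAfile, fails.
fetch_and_import() {
    url=$(hkp_get_url "$KEYSERVER" "$KEY_ID")
    status=$(curl --silent --show-error --fail "$url" \
             | gpg --batch --import --status-fd 1 2>/dev/null) || return 1
    printf '%s\n' "$status" | verify_import_status "$EXPECTED_FPR"
}

# Only touch the network when asked; running without --fetch just defines
# the functions above.
if [ "${1:-}" = "--fetch" ]; then
    if fetch_and_import; then
        echo "imported key with fingerprint $EXPECTED_FPR"
    else
        echo "import failed or fingerprint mismatch for $KEY_ID" >&2
        exit 1
    fi
fi
```

Run it with --fetch to perform the network steps. GnuPG 1.4 and 2.0 also accept --keyserver-options ca-cert-file=/etc/pki/tls/certs/ca-bundle.crt, which supplies the CA file the debug output shows as "none"; the post does not try it, so treat that as something to test rather than a confirmed fix.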