Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > linux.debian.security > #6479 > unrolled thread

Keyserver for gpg.conf ?

Started byFrancesco Poli <invernomuto@paranoici.org>
First post2025-11-15 10:40 +0100
Last post2025-11-18 01:50 +0100
Articles 14 — 6 participants

Back to article view | Back to linux.debian.security


Contents

  Keyserver for gpg.conf ? Francesco Poli <invernomuto@paranoici.org> - 2025-11-15 10:40 +0100
    Re: Keyserver for gpg.conf ? Gunnar Wolf <gwolf@debian.org> - 2025-11-15 19:10 +0100
      Re: Keyserver for gpg.conf ? Holger Levsen <holger@layer-acht.org> - 2025-11-15 21:50 +0100
        Re: Keyserver for gpg.conf ? debianmailinglists.hz5zm@simplelogin.com - 2025-11-16 04:10 +0100
          Re: Keyserver for gpg.conf ? Gunnar Wolf <gwolf@debian.org> - 2025-11-16 17:10 +0100
          Re: Keyserver for gpg.conf ? Jeremy Stanley <fungi@yuggoth.org> - 2025-11-17 16:30 +0100
            Re: Keyserver for gpg.conf ? Jeffrey Walton <noloader@gmail.com> - 2025-11-17 16:40 +0100
        Re: Keyserver for gpg.conf ? Gunnar Wolf <gwolf@debian.org> - 2025-11-16 17:10 +0100
      Re: Keyserver for gpg.conf ? Francesco Poli <invernomuto@paranoici.org> - 2025-11-16 13:40 +0100
        Re: Keyserver for gpg.conf ? Gunnar Wolf <gwolf@debian.org> - 2025-11-16 17:10 +0100
    Re: Keyserver for gpg.conf ? Jeffrey Walton <noloader@gmail.com> - 2025-11-17 17:00 +0100
      Re: Keyserver for gpg.conf ? Francesco Poli <invernomuto@paranoici.org> - 2025-11-17 18:40 +0100
        Re: Keyserver for gpg.conf ? Jeremy Stanley <fungi@yuggoth.org> - 2025-11-17 18:50 +0100
        Re: Keyserver for gpg.conf ? debianmailinglists.hz5zm@simplelogin.com - 2025-11-18 01:50 +0100

#6479 — Keyserver for gpg.conf ?

FromFrancesco Poli <invernomuto@paranoici.org>
Date2025-11-15 10:40 +0100
SubjectKeyserver for gpg.conf ?
Message-ID<LRkVb-d7Jl-5@gated-at.bofh.it>

[Multipart message — attachments visible in raw view] — view raw

Hello everyone!

I had

  keyserver hkps://pgp.surf.nl

in my ~/.gnupg/gpg.conf , but I have been experiencing issues with it
for the last few days, see the following excerpt from /var/log/syslog :

  dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
  dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable)
  dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
  dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable)
  dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
  dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable)
  dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
  dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable)
  dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
  dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable)
  dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
  dirmngr[3569]: command 'KS_GET' failed: No data


I tried to change keyserver.
The Debian wiki key signing [page] suggests the following ones (beyond
the Debian keyring one):

 * https://keyserver.ubuntu.com (recommended)
 * https://keys.openpgp.org/ (used by Thunderbird)
 * https://pgp.surf.nl/
 * https://pgp.mit.edu

[page]: <https://wiki.debian.org/Keysigning>

Among these, I only managed to make the following one work:

  keyserver hkps://pgp.mit.edu

But it seems to work unreliably, it worked for a couple of key
refreshes, but now it's giving me:

  dirmngr[4391]: host 'pgp.mit.edu' marked as dead
  dirmngr[4391]: host 'pgp.mit.edu' marked as dead
  dirmngr[4391]: host 'pgp.mit.edu' marked as dead
  dirmngr[4391]: host 'pgp.mit.edu' marked as dead
  dirmngr[4391]: host 'pgp.mit.edu' marked as dead
  dirmngr[4391]: host 'pgp.mit.edu' marked as dead
  dirmngr[4391]: host 'pgp.mit.edu' marked as dead
  dirmngr[4391]: host 'pgp.mit.edu' marked as dead
  dirmngr[4391]: command 'KS_GET' failed: No keyserver available
  dirmngr[4391]: host 'pgp.mit.edu' marked as dead
  dirmngr[4391]: command 'KS_GET' failed: No keyserver available


Which keyserver do you currently use/recommend ?

Thanks for any help you may provide!


P.S.: please Cc me on replies, I am not subscribed to the list.

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

[toc] | [next] | [standalone]


#6481

FromGunnar Wolf <gwolf@debian.org>
Date2025-11-15 19:10 +0100
Message-ID<LRsSK-ddir-17@gated-at.bofh.it>
In reply to#6479

[Multipart message — attachments visible in raw view] — view raw

Francesco Poli dijo [Sat, Nov 15, 2025 at 10:34:27AM +0100]:
>Hello everyone!

<choir>Hello Francesco!</choir> 😉

>I had
>
>  keyserver hkps://pgp.surf.nl
>
>in my ~/.gnupg/gpg.conf , but I have been experiencing issues with it
>for the last few days, see the following excerpt from /var/log/syslog :
>(...)
>I tried to change keyserver.
>The Debian wiki key signing [page] suggests the following ones (beyond
>the Debian keyring one):
>
> * https://keyserver.ubuntu.com (recommended)
> * https://keys.openpgp.org/ (used by Thunderbird)
> * https://pgp.surf.nl/
> * https://pgp.mit.edu
>
>[page]: <https://wiki.debian.org/Keysigning>
>
>Among these, I only managed to make the following one work:
>
>  keyserver hkps://pgp.mit.edu
>
>But it seems to work unreliably, it worked for a couple of key
>refreshes, but now it's giving me:
>(...)
>Which keyserver do you currently use/recommend ?

My usual suggestion is to use:

     hkps://pgpkeys.eu/

You can see the status of the different working nodes by refering to:

     https://spider.pgpkeys.eu/graphs/

Greetings!

[toc] | [prev] | [next] | [standalone]


#6482

FromHolger Levsen <holger@layer-acht.org>
Date2025-11-15 21:50 +0100
Message-ID<LRvnA-deMI-9@gated-at.bofh.it>
In reply to#6481

[Multipart message — attachments visible in raw view] — view raw

On Sat, Nov 15, 2025 at 12:04:34PM -0600, Gunnar Wolf wrote:
> My usual suggestion is to use:
>     hkps://pgpkeys.eu/

I also like keyring.debian.org! ;)


-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"We'll just terraform Mars," they insist, unable to terraform Earth, a planet
that is already perfect except it's like 2° too warm.

[toc] | [prev] | [next] | [standalone]


#6483

Fromdebianmailinglists.hz5zm@simplelogin.com
Date2025-11-16 04:10 +0100
Message-ID<LRBjj-diRy-1@gated-at.bofh.it>
In reply to#6482

[Multipart message — attachments visible in raw view] — view raw

Do these other keyring servers leave the key intact? I stopped using the key servers for my small personal projects and just have my public key posted on my personal website because one of them ( keys.openpgp.org I think ) lists my public key, but it seems to have stripped all the identifying information from it so it can't be searched for by email address and even if you download the copy they have apps like Kleopatra fail to import it, and when comparing it to my copy of the public key I manually exported the contents are MUCH shorter on their copy.

--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Marcus Dean Adams

Signal: [gerowen.81](https://signal.me/#eu/qTai8gc2fArQDCaX07fIccbmOMvJWfC6FpTWXzT0aY0mKgITRIZPZJs7Vq0FfYv0)

Mastodon: [gerowen@mastodon.social](https://mastodon.social/@gerowen)

Website: https://marcusadams.me

"Civilization is the limitless multiplication
of unnecessary necessities."
-- Mark Twain

On Sat, 2025-11-15 at 20:39 +0000, Holger Levsen - holger at layer-acht.org wrote:

> On Sat, Nov 15, 2025 at 12:04:34PM -0600, Gunnar Wolf wrote:
>
>> My usual suggestion is to use:
>> hkps://pgpkeys.eu/
>
> I also like keyring.debian.org! ;)

[toc] | [prev] | [next] | [standalone]


#6487

FromGunnar Wolf <gwolf@debian.org>
Date2025-11-16 17:10 +0100
Message-ID<LRNua-dqPs-23@gated-at.bofh.it>
In reply to#6483
debianmailinglists.hz5zm@simplelogin.com dijo [Sun, Nov 16, 2025 at 02:57:02AM +0000]:
>Do these other keyring servers leave the key intact? I stopped using the
>key servers for my small personal projects and just have my public key
>posted on my personal website because one of them ( keys.openpgp.org I
>think ) lists my public key, but it seems to have stripped all the
>identifying information from it so it can't be searched for by email
>address and even if you download the copy they have apps like Kleopatra
>fail to import it, and when comparing it to my copy of the public key I
>manually exported the contents are MUCH shorter on their copy.

keys.openpgp.org is a very opinionated keyserver run by the Sequoia
project (with their "Hagrid" keyserver software). Its operational logic is
differente from most keyservers as they are a _validating_ keyserver, so
they will "comb through" your key, and only accept the bits from it they
deem as adequate. Particularly, if you haven't verified you control the
mail addresses for your subkeys, they won't have anything but a record that
it exists (and thus, any subkeys without an email-bearing UID won't be
useful).

Of course, https://keys.openpgp.org/about/ has better, more authorized
information on their operation 🙂

[toc] | [prev] | [next] | [standalone]


#6488

FromJeremy Stanley <fungi@yuggoth.org>
Date2025-11-17 16:30 +0100
Message-ID<LS9l0-dF3N-7@gated-at.bofh.it>
In reply to#6483

[Multipart message — attachments visible in raw view] — view raw

On 2025-11-16 02:57:02 +0000 (+0000), debianmailinglists.hz5zm@simplelogin.com wrote:
> Do these other keyring servers leave the key intact? I stopped 
> using the key servers for my small personal projects and just have 
> my public key posted on my personal website because one of them ( 
> keys.openpgp.org I think ) lists my public key, but it seems to 
> have stripped all the identifying information from it so it can't 
> be searched for by email address and even if you download the copy 
> they have apps like Kleopatra fail to import it, and when 
> comparing it to my copy of the public key I manually exported the 
> contents are MUCH shorter on their copy.
[...]

The main reason for this, as I understand it, is to avoid the 
vulnerabilities which led to the fall of the SKS keyserver network. 
In short, the traditional keyserver model of allowing anyone to 
upload third-party signatures for keys they didn't control led 
eventually to vandals and other malicious persons uploading unwanted 
signatures with objectionable content or in volumes which overflowed 
the ability of clients and servers to deal with them (denial of 
service on the network and also on specific keys making them 
irretrievable). They did this in the most severe way possible, 
essentially filtering out all third-party signatures and even 
self-signatures and UIDs if the uploader can't prove control of the 
E-mail addresses associated with them (which implicitly means 
discarding non-E-mail identities too such as photo images).

Discussions I followed some time ago indicated they were willing to 
accept updates that enabled a caff-style approval process for 
third-party signatures at least, but it sounded like the existing 
team didn't have the resources to develop such a feature and that it 
would require additional volunteers working on that.
-- 
Jeremy Stanley

[toc] | [prev] | [next] | [standalone]


#6489

FromJeffrey Walton <noloader@gmail.com>
Date2025-11-17 16:40 +0100
Message-ID<LS9uI-dF8I-81@gated-at.bofh.it>
In reply to#6488
On Mon, Nov 17, 2025 at 10:27 AM Jeremy Stanley <fungi@yuggoth.org> wrote:
>
> On 2025-11-16 02:57:02 +0000 (+0000), debianmailinglists.hz5zm@simplelogin.com wrote:
> > Do these other keyring servers leave the key intact? I stopped
> > using the key servers for my small personal projects and just have
> > my public key posted on my personal website because one of them (
> > keys.openpgp.org I think ) lists my public key, but it seems to
> > have stripped all the identifying information from it so it can't
> > be searched for by email address and even if you download the copy
> > they have apps like Kleopatra fail to import it, and when
> > comparing it to my copy of the public key I manually exported the
> > contents are MUCH shorter on their copy.
> [...]
>
> The main reason for this, as I understand it, is to avoid the
> vulnerabilities which led to the fall of the SKS keyserver network.
> In short, the traditional keyserver model of allowing anyone to
> upload third-party signatures for keys they didn't control led
> eventually to vandals and other malicious persons uploading unwanted
> signatures with objectionable content or in volumes which overflowed
> the ability of clients and servers to deal with them (denial of
> service on the network and also on specific keys making them
> irretrievable). They did this in the most severe way possible,
> essentially filtering out all third-party signatures and even
> self-signatures and UIDs if the uploader can't prove control of the
> E-mail addresses associated with them (which implicitly means
> discarding non-E-mail identities too such as photo images).
>
> Discussions I followed some time ago indicated they were willing to
> accept updates that enabled a caff-style approval process for
> third-party signatures at least, but it sounded like the existing
> team didn't have the resources to develop such a feature and that it
> would require additional volunteers working on that.

And to add some reading material, see
<https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html>.
Daniel Kahn Gillmor (dkg) was one of the folks who was targeted in the
attack.

Jeff

[toc] | [prev] | [next] | [standalone]


#6486

FromGunnar Wolf <gwolf@debian.org>
Date2025-11-16 17:10 +0100
Message-ID<LRNua-dqPs-17@gated-at.bofh.it>
In reply to#6482

[Multipart message — attachments visible in raw view] — view raw

Holger Levsen dijo [Sat, Nov 15, 2025 at 08:39:42PM +0000]:
>On Sat, Nov 15, 2025 at 12:04:34PM -0600, Gunnar Wolf wrote:
>> My usual suggestion is to use:
>>     hkps://pgpkeys.eu/
>
>I also like keyring.debian.org! ;)

I also love it and take care of it, but it does not accept keys not in our
set, so probably it's not what Francesco wants.

[toc] | [prev] | [next] | [standalone]


#6484

FromFrancesco Poli <invernomuto@paranoici.org>
Date2025-11-16 13:40 +0100
Message-ID<LRKcV-doB2-1@gated-at.bofh.it>
In reply to#6481

[Multipart message — attachments visible in raw view] — view raw

On Sat, 15 Nov 2025 12:04:34 -0600 Gunnar Wolf wrote:

[...]
> My usual suggestion is to use:
> 
>      hkps://pgpkeys.eu/

Hello Gunnar,
thanks for your reply.

However, it seems to me that this keyserver (or keyserver network)
works unreliably.

I tried to refresh 50 keys and gpg found 17 of them on the keyserver
and exited with zero exit status.

Then I tried again to refresh *the same* 50 keys and gpg found only 3 of
them (+ 1 that it hadn't found in the previous run) and exited with
non-zero exit status, spitting out the following error message:

  gpg: keyserver refresh failed: No data


I had never had so many issues with a keyserver before last week...


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

[toc] | [prev] | [next] | [standalone]


#6485

FromGunnar Wolf <gwolf@debian.org>
Date2025-11-16 17:10 +0100
Message-ID<LRNu9-dqPs-9@gated-at.bofh.it>
In reply to#6484

[Multipart message — attachments visible in raw view] — view raw

Francesco Poli dijo [Sun, Nov 16, 2025 at 01:34:43PM +0100]:
>Hello Gunnar,
>thanks for your reply.
>
>However, it seems to me that this keyserver (or keyserver network)
>works unreliably.
>
>I tried to refresh 50 keys and gpg found 17 of them on the keyserver
>and exited with zero exit status.
>
>Then I tried again to refresh *the same* 50 keys and gpg found only 3 of
>them (+ 1 that it hadn't found in the previous run) and exited with
>non-zero exit status, spitting out the following error message:
>
>  gpg: keyserver refresh failed: No data
>
>I had never had so many issues with a keyserver before last week...

That is very weird, and does not match my experience — but I see you share
my surprise :-] I hope it was a transient issue.

I will share this thread with some of the people responsible for servers in
that network. In any case, you can also use Noodles' keyserver, based on a
completely different codebase (Onak), at https://the.earth.li/ — I trust
him to be among the most capable operators, only that this keyserver does
not peer with any others TTBOMK.

Greetings,

[toc] | [prev] | [next] | [standalone]


#6490

FromJeffrey Walton <noloader@gmail.com>
Date2025-11-17 17:00 +0100
Message-ID<LS9O2-dFgx-9@gated-at.bofh.it>
In reply to#6479
On Sat, Nov 15, 2025 at 8:10 AM Francesco Poli
<invernomuto@paranoici.org> wrote:
>
> Hello everyone!
>
> I had
>
>   keyserver hkps://pgp.surf.nl
>
> in my ~/.gnupg/gpg.conf , but I have been experiencing issues with it
> for the last few days, see the following excerpt from /var/log/syslog :
>
>   dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
>   dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable)
>   dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
>   dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable)
>   dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
>   dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable)
>   dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
>   dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable)
>   dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
>   dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable)
>   dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503
>   dirmngr[3569]: command 'KS_GET' failed: No data
>
>
> I tried to change keyserver.
> The Debian wiki key signing [page] suggests the following ones (beyond
> the Debian keyring one):
>
>  * https://keyserver.ubuntu.com (recommended)
>  * https://keys.openpgp.org/ (used by Thunderbird)
>  * https://pgp.surf.nl/
>  * https://pgp.mit.edu
>
> [page]: <https://wiki.debian.org/Keysigning>
>
> Among these, I only managed to make the following one work:
>
>   keyserver hkps://pgp.mit.edu

Daniel Kahn Gillmor (dkg) recommends using a constrained keyserver
like keys.openpgp.org if you want to check for certificate updates,
revocation, expiration, or subkey rollover.  If there's a problem with
OpenPGS's keyserver, then it might be a good idea to contact them.

Also note that newer OpenPGP servers can give older GnuPG clients
problems.  See <https://www.google.com/search?q=openpgp+gnupg+key+server+interoperability+issues>.

> But it seems to work unreliably, it worked for a couple of key
> refreshes, but now it's giving me:
>
>   dirmngr[4391]: host 'pgp.mit.edu' marked as dead
>   dirmngr[4391]: host 'pgp.mit.edu' marked as dead
>   dirmngr[4391]: host 'pgp.mit.edu' marked as dead
>   dirmngr[4391]: host 'pgp.mit.edu' marked as dead
>   dirmngr[4391]: host 'pgp.mit.edu' marked as dead
>   dirmngr[4391]: host 'pgp.mit.edu' marked as dead
>   dirmngr[4391]: host 'pgp.mit.edu' marked as dead
>   dirmngr[4391]: host 'pgp.mit.edu' marked as dead
>   dirmngr[4391]: command 'KS_GET' failed: No keyserver available
>   dirmngr[4391]: host 'pgp.mit.edu' marked as dead
>   dirmngr[4391]: command 'KS_GET' failed: No keyserver available
>
> Which keyserver do you currently use/recommend ?
>
> Thanks for any help you may provide!
>
> P.S.: please Cc me on replies, I am not subscribed to the list.

Jeff

[toc] | [prev] | [next] | [standalone]


#6491

FromFrancesco Poli <invernomuto@paranoici.org>
Date2025-11-17 18:40 +0100
Message-ID<LSbmN-dGn2-5@gated-at.bofh.it>
In reply to#6490

[Multipart message — attachments visible in raw view] — view raw

On Mon, 17 Nov 2025 10:49:00 -0500 Jeffrey Walton wrote:

[...]
> Daniel Kahn Gillmor (dkg) recommends using a constrained keyserver
> like keys.openpgp.org if you want to check for certificate updates,
> revocation, expiration, or subkey rollover.

Dear Jeffrey, thanks for following up.

I've just tried to refresh 50 keys with:

  keyserver hkps://keys.openpgp.org

in my ~/.gnupg/gpg.conf


It only found 2 of them and exited with non-zero status, spitting out
out the following error message:

  gpg: keyserver refresh failed: No data


Am I the only one who's experiencing issues in refreshing OpenPGP keys
with gnupg/2.4.8-4 on an up-to-date Debian testing box?

Am I the only one left who still uses gnupg in Debian? Have you all
switched to sequoia-chameleon-gnupg, perhaps?

I am really puzzled...   :-(

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

[toc] | [prev] | [next] | [standalone]


#6492

FromJeremy Stanley <fungi@yuggoth.org>
Date2025-11-17 18:50 +0100
Message-ID<LSbwt-dGqA-3@gated-at.bofh.it>
In reply to#6491

[Multipart message — attachments visible in raw view] — view raw

On 2025-11-17 18:32:05 +0100 (+0100), Francesco Poli wrote:
[...]
>I've just tried to refresh 50 keys with:
>
>  keyserver hkps://keys.openpgp.org
>
>in my ~/.gnupg/gpg.conf
>
>It only found 2 of them and exited with non-zero status, spitting out 
>out the following error message:
>
>  gpg: keyserver refresh failed: No data
>
>Am I the only one who's experiencing issues in refreshing OpenPGP keys 
>with gnupg/2.4.8-4 on an up-to-date Debian testing box?
>
>Am I the only one left who still uses gnupg in Debian? Have you all 
>switched to sequoia-chameleon-gnupg, perhaps?
[...]

This is what I get with gnupg 2.4.8-4 on sid:

>> $ gpg --refresh-keys
>> gpg: refreshing 148 keys from hkps://keys.openpgp.org
>> [...]
>> gpg: Total number processed: 28
>> gpg:              unchanged: 25
>> gpg:         new signatures: 26
>> [...]
>> $ echo $?
>> 0

PDO says the version in forky is the same as what I'm using.
-- 
Jeremy Stanley

[toc] | [prev] | [next] | [standalone]


#6493

Fromdebianmailinglists.hz5zm@simplelogin.com
Date2025-11-18 01:50 +0100
Message-ID<LSi4V-dL4J-9@gated-at.bofh.it>
In reply to#6491

[Multipart message — attachments visible in raw view] — view raw

Preface, I'm not a Debian developer.

You're not the only one, but after some tinkering I've discovered that there's a whole slew of "Hockeypuck" GPG/PGP servers that seem to work fine for me.

hkp://pgpkeys.eu
hkps://pgp.id

They all seem to intercommunicate reliably. I was able to issue a revocation for an old key to pgpkeys.eu and it populated across to pgp.id within minutes.

I posted on Mastodon about this and somebody sent me this link with a list of various compatible servers. I haven't tried them all, just thought I'd share.

https://spider.pgpkeys.eu/sks-peers

--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Marcus Dean Adams

Signal: [gerowen.81](https://signal.me/#eu/qTai8gc2fArQDCaX07fIccbmOMvJWfC6FpTWXzT0aY0mKgITRIZPZJs7Vq0FfYv0)

Mastodon: [gerowen@mastodon.social](https://mastodon.social/@gerowen)

Website: https://marcusadams.me

"Civilization is the limitless multiplication
of unnecessary necessities."
-- Mark Twain

On Mon, 2025-11-17 at 18:32 +0100, Francesco Poli - invernomuto at paranoici.org wrote:

> On Mon, 17 Nov 2025 10:49:00 -0500 Jeffrey Walton wrote:
>
> [...]
>
>> Daniel Kahn Gillmor (dkg) recommends using a constrained keyserver
>> like keys.openpgp.org if you want to check for certificate updates,
>> revocation, expiration, or subkey rollover.
>
> Dear Jeffrey, thanks for following up.
>
> I've just tried to refresh 50 keys with:
>
> keyserver hkps://keys.openpgp.org
>
> in my ~/.gnupg/gpg.conf
>
> It only found 2 of them and exited with non-zero status, spitting out
> out the following error message:
>
> gpg: keyserver refresh failed: No data
>
> Am I the only one who's experiencing issues in refreshing OpenPGP keys
> with gnupg/2.4.8-4 on an up-to-date Debian testing box?
>
> Am I the only one left who still uses gnupg in Debian? Have you all
> switched to sequoia-chameleon-gnupg, perhaps?
>
> I am really puzzled... :-(

[toc] | [prev] | [standalone]


Back to top | Article view | linux.debian.security


csiph-web