Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > linux.debian.security > #6479 > unrolled thread
| Started by | Francesco Poli <invernomuto@paranoici.org> |
|---|---|
| First post | 2025-11-15 10:40 +0100 |
| Last post | 2025-11-18 01:50 +0100 |
| Articles | 14 — 6 participants |
Back to article view | Back to linux.debian.security
Keyserver for gpg.conf ? Francesco Poli <invernomuto@paranoici.org> - 2025-11-15 10:40 +0100
Re: Keyserver for gpg.conf ? Gunnar Wolf <gwolf@debian.org> - 2025-11-15 19:10 +0100
Re: Keyserver for gpg.conf ? Holger Levsen <holger@layer-acht.org> - 2025-11-15 21:50 +0100
Re: Keyserver for gpg.conf ? debianmailinglists.hz5zm@simplelogin.com - 2025-11-16 04:10 +0100
Re: Keyserver for gpg.conf ? Gunnar Wolf <gwolf@debian.org> - 2025-11-16 17:10 +0100
Re: Keyserver for gpg.conf ? Jeremy Stanley <fungi@yuggoth.org> - 2025-11-17 16:30 +0100
Re: Keyserver for gpg.conf ? Jeffrey Walton <noloader@gmail.com> - 2025-11-17 16:40 +0100
Re: Keyserver for gpg.conf ? Gunnar Wolf <gwolf@debian.org> - 2025-11-16 17:10 +0100
Re: Keyserver for gpg.conf ? Francesco Poli <invernomuto@paranoici.org> - 2025-11-16 13:40 +0100
Re: Keyserver for gpg.conf ? Gunnar Wolf <gwolf@debian.org> - 2025-11-16 17:10 +0100
Re: Keyserver for gpg.conf ? Jeffrey Walton <noloader@gmail.com> - 2025-11-17 17:00 +0100
Re: Keyserver for gpg.conf ? Francesco Poli <invernomuto@paranoici.org> - 2025-11-17 18:40 +0100
Re: Keyserver for gpg.conf ? Jeremy Stanley <fungi@yuggoth.org> - 2025-11-17 18:50 +0100
Re: Keyserver for gpg.conf ? debianmailinglists.hz5zm@simplelogin.com - 2025-11-18 01:50 +0100
| From | Francesco Poli <invernomuto@paranoici.org> |
|---|---|
| Date | 2025-11-15 10:40 +0100 |
| Subject | Keyserver for gpg.conf ? |
| Message-ID | <LRkVb-d7Jl-5@gated-at.bofh.it> |
[Multipart message — attachments visible in raw view] — view raw
Hello everyone! I had keyserver hkps://pgp.surf.nl in my ~/.gnupg/gpg.conf , but I have been experiencing issues with it for the last few days, see the following excerpt from /var/log/syslog : dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable) dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable) dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable) dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable) dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable) dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 dirmngr[3569]: command 'KS_GET' failed: No data I tried to change keyserver. The Debian wiki key signing [page] suggests the following ones (beyond the Debian keyring one): * https://keyserver.ubuntu.com (recommended) * https://keys.openpgp.org/ (used by Thunderbird) * https://pgp.surf.nl/ * https://pgp.mit.edu [page]: <https://wiki.debian.org/Keysigning> Among these, I only managed to make the following one work: keyserver hkps://pgp.mit.edu But it seems to work unreliably, it worked for a couple of key refreshes, but now it's giving me: dirmngr[4391]: host 'pgp.mit.edu' marked as dead dirmngr[4391]: host 'pgp.mit.edu' marked as dead dirmngr[4391]: host 'pgp.mit.edu' marked as dead dirmngr[4391]: host 'pgp.mit.edu' marked as dead dirmngr[4391]: host 'pgp.mit.edu' marked as dead dirmngr[4391]: host 'pgp.mit.edu' marked as dead dirmngr[4391]: host 'pgp.mit.edu' marked as dead dirmngr[4391]: host 'pgp.mit.edu' marked as dead dirmngr[4391]: command 'KS_GET' failed: No keyserver available dirmngr[4391]: host 'pgp.mit.edu' marked as dead dirmngr[4391]: command 'KS_GET' failed: No keyserver available Which keyserver do you currently use/recommend ? Thanks for any help you may provide! P.S.: please Cc me on replies, I am not subscribed to the list. -- http://www.inventati.org/frx/ There's not a second to spare! To the laboratory! ..................................................... Francesco Poli . GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
[toc] | [next] | [standalone]
| From | Gunnar Wolf <gwolf@debian.org> |
|---|---|
| Date | 2025-11-15 19:10 +0100 |
| Message-ID | <LRsSK-ddir-17@gated-at.bofh.it> |
| In reply to | #6479 |
[Multipart message — attachments visible in raw view] — view raw
Francesco Poli dijo [Sat, Nov 15, 2025 at 10:34:27AM +0100]:
>Hello everyone!
<choir>Hello Francesco!</choir> 😉
>I had
>
> keyserver hkps://pgp.surf.nl
>
>in my ~/.gnupg/gpg.conf , but I have been experiencing issues with it
>for the last few days, see the following excerpt from /var/log/syslog :
>(...)
>I tried to change keyserver.
>The Debian wiki key signing [page] suggests the following ones (beyond
>the Debian keyring one):
>
> * https://keyserver.ubuntu.com (recommended)
> * https://keys.openpgp.org/ (used by Thunderbird)
> * https://pgp.surf.nl/
> * https://pgp.mit.edu
>
>[page]: <https://wiki.debian.org/Keysigning>
>
>Among these, I only managed to make the following one work:
>
> keyserver hkps://pgp.mit.edu
>
>But it seems to work unreliably, it worked for a couple of key
>refreshes, but now it's giving me:
>(...)
>Which keyserver do you currently use/recommend ?
My usual suggestion is to use:
hkps://pgpkeys.eu/
You can see the status of the different working nodes by refering to:
https://spider.pgpkeys.eu/graphs/
Greetings!
[toc] | [prev] | [next] | [standalone]
| From | Holger Levsen <holger@layer-acht.org> |
|---|---|
| Date | 2025-11-15 21:50 +0100 |
| Message-ID | <LRvnA-deMI-9@gated-at.bofh.it> |
| In reply to | #6481 |
[Multipart message — attachments visible in raw view] — view raw
On Sat, Nov 15, 2025 at 12:04:34PM -0600, Gunnar Wolf wrote: > My usual suggestion is to use: > hkps://pgpkeys.eu/ I also like keyring.debian.org! ;) -- cheers, Holger ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C ⠈⠳⣄ "We'll just terraform Mars," they insist, unable to terraform Earth, a planet that is already perfect except it's like 2° too warm.
[toc] | [prev] | [next] | [standalone]
| From | debianmailinglists.hz5zm@simplelogin.com |
|---|---|
| Date | 2025-11-16 04:10 +0100 |
| Message-ID | <LRBjj-diRy-1@gated-at.bofh.it> |
| In reply to | #6482 |
[Multipart message — attachments visible in raw view] — view raw
Do these other keyring servers leave the key intact? I stopped using the key servers for my small personal projects and just have my public key posted on my personal website because one of them ( keys.openpgp.org I think ) lists my public key, but it seems to have stripped all the identifying information from it so it can't be searched for by email address and even if you download the copy they have apps like Kleopatra fail to import it, and when comparing it to my copy of the public key I manually exported the contents are MUCH shorter on their copy. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Marcus Dean Adams Signal: [gerowen.81](https://signal.me/#eu/qTai8gc2fArQDCaX07fIccbmOMvJWfC6FpTWXzT0aY0mKgITRIZPZJs7Vq0FfYv0) Mastodon: [gerowen@mastodon.social](https://mastodon.social/@gerowen) Website: https://marcusadams.me "Civilization is the limitless multiplication of unnecessary necessities." -- Mark Twain On Sat, 2025-11-15 at 20:39 +0000, Holger Levsen - holger at layer-acht.org wrote: > On Sat, Nov 15, 2025 at 12:04:34PM -0600, Gunnar Wolf wrote: > >> My usual suggestion is to use: >> hkps://pgpkeys.eu/ > > I also like keyring.debian.org! ;)
[toc] | [prev] | [next] | [standalone]
| From | Gunnar Wolf <gwolf@debian.org> |
|---|---|
| Date | 2025-11-16 17:10 +0100 |
| Message-ID | <LRNua-dqPs-23@gated-at.bofh.it> |
| In reply to | #6483 |
debianmailinglists.hz5zm@simplelogin.com dijo [Sun, Nov 16, 2025 at 02:57:02AM +0000]: >Do these other keyring servers leave the key intact? I stopped using the >key servers for my small personal projects and just have my public key >posted on my personal website because one of them ( keys.openpgp.org I >think ) lists my public key, but it seems to have stripped all the >identifying information from it so it can't be searched for by email >address and even if you download the copy they have apps like Kleopatra >fail to import it, and when comparing it to my copy of the public key I >manually exported the contents are MUCH shorter on their copy. keys.openpgp.org is a very opinionated keyserver run by the Sequoia project (with their "Hagrid" keyserver software). Its operational logic is differente from most keyservers as they are a _validating_ keyserver, so they will "comb through" your key, and only accept the bits from it they deem as adequate. Particularly, if you haven't verified you control the mail addresses for your subkeys, they won't have anything but a record that it exists (and thus, any subkeys without an email-bearing UID won't be useful). Of course, https://keys.openpgp.org/about/ has better, more authorized information on their operation 🙂
[toc] | [prev] | [next] | [standalone]
| From | Jeremy Stanley <fungi@yuggoth.org> |
|---|---|
| Date | 2025-11-17 16:30 +0100 |
| Message-ID | <LS9l0-dF3N-7@gated-at.bofh.it> |
| In reply to | #6483 |
[Multipart message — attachments visible in raw view] — view raw
On 2025-11-16 02:57:02 +0000 (+0000), debianmailinglists.hz5zm@simplelogin.com wrote: > Do these other keyring servers leave the key intact? I stopped > using the key servers for my small personal projects and just have > my public key posted on my personal website because one of them ( > keys.openpgp.org I think ) lists my public key, but it seems to > have stripped all the identifying information from it so it can't > be searched for by email address and even if you download the copy > they have apps like Kleopatra fail to import it, and when > comparing it to my copy of the public key I manually exported the > contents are MUCH shorter on their copy. [...] The main reason for this, as I understand it, is to avoid the vulnerabilities which led to the fall of the SKS keyserver network. In short, the traditional keyserver model of allowing anyone to upload third-party signatures for keys they didn't control led eventually to vandals and other malicious persons uploading unwanted signatures with objectionable content or in volumes which overflowed the ability of clients and servers to deal with them (denial of service on the network and also on specific keys making them irretrievable). They did this in the most severe way possible, essentially filtering out all third-party signatures and even self-signatures and UIDs if the uploader can't prove control of the E-mail addresses associated with them (which implicitly means discarding non-E-mail identities too such as photo images). Discussions I followed some time ago indicated they were willing to accept updates that enabled a caff-style approval process for third-party signatures at least, but it sounded like the existing team didn't have the resources to develop such a feature and that it would require additional volunteers working on that. -- Jeremy Stanley
[toc] | [prev] | [next] | [standalone]
| From | Jeffrey Walton <noloader@gmail.com> |
|---|---|
| Date | 2025-11-17 16:40 +0100 |
| Message-ID | <LS9uI-dF8I-81@gated-at.bofh.it> |
| In reply to | #6488 |
On Mon, Nov 17, 2025 at 10:27 AM Jeremy Stanley <fungi@yuggoth.org> wrote: > > On 2025-11-16 02:57:02 +0000 (+0000), debianmailinglists.hz5zm@simplelogin.com wrote: > > Do these other keyring servers leave the key intact? I stopped > > using the key servers for my small personal projects and just have > > my public key posted on my personal website because one of them ( > > keys.openpgp.org I think ) lists my public key, but it seems to > > have stripped all the identifying information from it so it can't > > be searched for by email address and even if you download the copy > > they have apps like Kleopatra fail to import it, and when > > comparing it to my copy of the public key I manually exported the > > contents are MUCH shorter on their copy. > [...] > > The main reason for this, as I understand it, is to avoid the > vulnerabilities which led to the fall of the SKS keyserver network. > In short, the traditional keyserver model of allowing anyone to > upload third-party signatures for keys they didn't control led > eventually to vandals and other malicious persons uploading unwanted > signatures with objectionable content or in volumes which overflowed > the ability of clients and servers to deal with them (denial of > service on the network and also on specific keys making them > irretrievable). They did this in the most severe way possible, > essentially filtering out all third-party signatures and even > self-signatures and UIDs if the uploader can't prove control of the > E-mail addresses associated with them (which implicitly means > discarding non-E-mail identities too such as photo images). > > Discussions I followed some time ago indicated they were willing to > accept updates that enabled a caff-style approval process for > third-party signatures at least, but it sounded like the existing > team didn't have the resources to develop such a feature and that it > would require additional volunteers working on that. And to add some reading material, see <https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html>. Daniel Kahn Gillmor (dkg) was one of the folks who was targeted in the attack. Jeff
[toc] | [prev] | [next] | [standalone]
| From | Gunnar Wolf <gwolf@debian.org> |
|---|---|
| Date | 2025-11-16 17:10 +0100 |
| Message-ID | <LRNua-dqPs-17@gated-at.bofh.it> |
| In reply to | #6482 |
[Multipart message — attachments visible in raw view] — view raw
Holger Levsen dijo [Sat, Nov 15, 2025 at 08:39:42PM +0000]: >On Sat, Nov 15, 2025 at 12:04:34PM -0600, Gunnar Wolf wrote: >> My usual suggestion is to use: >> hkps://pgpkeys.eu/ > >I also like keyring.debian.org! ;) I also love it and take care of it, but it does not accept keys not in our set, so probably it's not what Francesco wants.
[toc] | [prev] | [next] | [standalone]
| From | Francesco Poli <invernomuto@paranoici.org> |
|---|---|
| Date | 2025-11-16 13:40 +0100 |
| Message-ID | <LRKcV-doB2-1@gated-at.bofh.it> |
| In reply to | #6481 |
[Multipart message — attachments visible in raw view] — view raw
On Sat, 15 Nov 2025 12:04:34 -0600 Gunnar Wolf wrote: [...] > My usual suggestion is to use: > > hkps://pgpkeys.eu/ Hello Gunnar, thanks for your reply. However, it seems to me that this keyserver (or keyserver network) works unreliably. I tried to refresh 50 keys and gpg found 17 of them on the keyserver and exited with zero exit status. Then I tried again to refresh *the same* 50 keys and gpg found only 3 of them (+ 1 that it hadn't found in the previous run) and exited with non-zero exit status, spitting out the following error message: gpg: keyserver refresh failed: No data I had never had so many issues with a keyserver before last week... -- http://www.inventati.org/frx/ There's not a second to spare! To the laboratory! ..................................................... Francesco Poli . GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
[toc] | [prev] | [next] | [standalone]
| From | Gunnar Wolf <gwolf@debian.org> |
|---|---|
| Date | 2025-11-16 17:10 +0100 |
| Message-ID | <LRNu9-dqPs-9@gated-at.bofh.it> |
| In reply to | #6484 |
[Multipart message — attachments visible in raw view] — view raw
Francesco Poli dijo [Sun, Nov 16, 2025 at 01:34:43PM +0100]: >Hello Gunnar, >thanks for your reply. > >However, it seems to me that this keyserver (or keyserver network) >works unreliably. > >I tried to refresh 50 keys and gpg found 17 of them on the keyserver >and exited with zero exit status. > >Then I tried again to refresh *the same* 50 keys and gpg found only 3 of >them (+ 1 that it hadn't found in the previous run) and exited with >non-zero exit status, spitting out the following error message: > > gpg: keyserver refresh failed: No data > >I had never had so many issues with a keyserver before last week... That is very weird, and does not match my experience — but I see you share my surprise :-] I hope it was a transient issue. I will share this thread with some of the people responsible for servers in that network. In any case, you can also use Noodles' keyserver, based on a completely different codebase (Onak), at https://the.earth.li/ — I trust him to be among the most capable operators, only that this keyserver does not peer with any others TTBOMK. Greetings,
[toc] | [prev] | [next] | [standalone]
| From | Jeffrey Walton <noloader@gmail.com> |
|---|---|
| Date | 2025-11-17 17:00 +0100 |
| Message-ID | <LS9O2-dFgx-9@gated-at.bofh.it> |
| In reply to | #6479 |
On Sat, Nov 15, 2025 at 8:10 AM Francesco Poli <invernomuto@paranoici.org> wrote: > > Hello everyone! > > I had > > keyserver hkps://pgp.surf.nl > > in my ~/.gnupg/gpg.conf , but I have been experiencing issues with it > for the last few days, see the following excerpt from /var/log/syslog : > > dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 > dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable) > dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 > dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable) > dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 > dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable) > dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 > dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable) > dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 > dirmngr[3569]: selecting a different host due to a 503 (Service Unavailable) > dirmngr[3569]: error accessing 'https://pgp.surf.nl:443/pks/lookup?op=get&options=mr&search=0x............': http status 503 > dirmngr[3569]: command 'KS_GET' failed: No data > > > I tried to change keyserver. > The Debian wiki key signing [page] suggests the following ones (beyond > the Debian keyring one): > > * https://keyserver.ubuntu.com (recommended) > * https://keys.openpgp.org/ (used by Thunderbird) > * https://pgp.surf.nl/ > * https://pgp.mit.edu > > [page]: <https://wiki.debian.org/Keysigning> > > Among these, I only managed to make the following one work: > > keyserver hkps://pgp.mit.edu Daniel Kahn Gillmor (dkg) recommends using a constrained keyserver like keys.openpgp.org if you want to check for certificate updates, revocation, expiration, or subkey rollover. If there's a problem with OpenPGS's keyserver, then it might be a good idea to contact them. Also note that newer OpenPGP servers can give older GnuPG clients problems. See <https://www.google.com/search?q=openpgp+gnupg+key+server+interoperability+issues>. > But it seems to work unreliably, it worked for a couple of key > refreshes, but now it's giving me: > > dirmngr[4391]: host 'pgp.mit.edu' marked as dead > dirmngr[4391]: host 'pgp.mit.edu' marked as dead > dirmngr[4391]: host 'pgp.mit.edu' marked as dead > dirmngr[4391]: host 'pgp.mit.edu' marked as dead > dirmngr[4391]: host 'pgp.mit.edu' marked as dead > dirmngr[4391]: host 'pgp.mit.edu' marked as dead > dirmngr[4391]: host 'pgp.mit.edu' marked as dead > dirmngr[4391]: host 'pgp.mit.edu' marked as dead > dirmngr[4391]: command 'KS_GET' failed: No keyserver available > dirmngr[4391]: host 'pgp.mit.edu' marked as dead > dirmngr[4391]: command 'KS_GET' failed: No keyserver available > > Which keyserver do you currently use/recommend ? > > Thanks for any help you may provide! > > P.S.: please Cc me on replies, I am not subscribed to the list. Jeff
[toc] | [prev] | [next] | [standalone]
| From | Francesco Poli <invernomuto@paranoici.org> |
|---|---|
| Date | 2025-11-17 18:40 +0100 |
| Message-ID | <LSbmN-dGn2-5@gated-at.bofh.it> |
| In reply to | #6490 |
[Multipart message — attachments visible in raw view] — view raw
On Mon, 17 Nov 2025 10:49:00 -0500 Jeffrey Walton wrote: [...] > Daniel Kahn Gillmor (dkg) recommends using a constrained keyserver > like keys.openpgp.org if you want to check for certificate updates, > revocation, expiration, or subkey rollover. Dear Jeffrey, thanks for following up. I've just tried to refresh 50 keys with: keyserver hkps://keys.openpgp.org in my ~/.gnupg/gpg.conf It only found 2 of them and exited with non-zero status, spitting out out the following error message: gpg: keyserver refresh failed: No data Am I the only one who's experiencing issues in refreshing OpenPGP keys with gnupg/2.4.8-4 on an up-to-date Debian testing box? Am I the only one left who still uses gnupg in Debian? Have you all switched to sequoia-chameleon-gnupg, perhaps? I am really puzzled... :-( -- http://www.inventati.org/frx/ There's not a second to spare! To the laboratory! ..................................................... Francesco Poli . GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
[toc] | [prev] | [next] | [standalone]
| From | Jeremy Stanley <fungi@yuggoth.org> |
|---|---|
| Date | 2025-11-17 18:50 +0100 |
| Message-ID | <LSbwt-dGqA-3@gated-at.bofh.it> |
| In reply to | #6491 |
[Multipart message — attachments visible in raw view] — view raw
On 2025-11-17 18:32:05 +0100 (+0100), Francesco Poli wrote: [...] >I've just tried to refresh 50 keys with: > > keyserver hkps://keys.openpgp.org > >in my ~/.gnupg/gpg.conf > >It only found 2 of them and exited with non-zero status, spitting out >out the following error message: > > gpg: keyserver refresh failed: No data > >Am I the only one who's experiencing issues in refreshing OpenPGP keys >with gnupg/2.4.8-4 on an up-to-date Debian testing box? > >Am I the only one left who still uses gnupg in Debian? Have you all >switched to sequoia-chameleon-gnupg, perhaps? [...] This is what I get with gnupg 2.4.8-4 on sid: >> $ gpg --refresh-keys >> gpg: refreshing 148 keys from hkps://keys.openpgp.org >> [...] >> gpg: Total number processed: 28 >> gpg: unchanged: 25 >> gpg: new signatures: 26 >> [...] >> $ echo $? >> 0 PDO says the version in forky is the same as what I'm using. -- Jeremy Stanley
[toc] | [prev] | [next] | [standalone]
| From | debianmailinglists.hz5zm@simplelogin.com |
|---|---|
| Date | 2025-11-18 01:50 +0100 |
| Message-ID | <LSi4V-dL4J-9@gated-at.bofh.it> |
| In reply to | #6491 |
[Multipart message — attachments visible in raw view] — view raw
Preface, I'm not a Debian developer. You're not the only one, but after some tinkering I've discovered that there's a whole slew of "Hockeypuck" GPG/PGP servers that seem to work fine for me. hkp://pgpkeys.eu hkps://pgp.id They all seem to intercommunicate reliably. I was able to issue a revocation for an old key to pgpkeys.eu and it populated across to pgp.id within minutes. I posted on Mastodon about this and somebody sent me this link with a list of various compatible servers. I haven't tried them all, just thought I'd share. https://spider.pgpkeys.eu/sks-peers -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Marcus Dean Adams Signal: [gerowen.81](https://signal.me/#eu/qTai8gc2fArQDCaX07fIccbmOMvJWfC6FpTWXzT0aY0mKgITRIZPZJs7Vq0FfYv0) Mastodon: [gerowen@mastodon.social](https://mastodon.social/@gerowen) Website: https://marcusadams.me "Civilization is the limitless multiplication of unnecessary necessities." -- Mark Twain On Mon, 2025-11-17 at 18:32 +0100, Francesco Poli - invernomuto at paranoici.org wrote: > On Mon, 17 Nov 2025 10:49:00 -0500 Jeffrey Walton wrote: > > [...] > >> Daniel Kahn Gillmor (dkg) recommends using a constrained keyserver >> like keys.openpgp.org if you want to check for certificate updates, >> revocation, expiration, or subkey rollover. > > Dear Jeffrey, thanks for following up. > > I've just tried to refresh 50 keys with: > > keyserver hkps://keys.openpgp.org > > in my ~/.gnupg/gpg.conf > > It only found 2 of them and exited with non-zero status, spitting out > out the following error message: > > gpg: keyserver refresh failed: No data > > Am I the only one who's experiencing issues in refreshing OpenPGP keys > with gnupg/2.4.8-4 on an up-to-date Debian testing box? > > Am I the only one left who still uses gnupg in Debian? Have you all > switched to sequoia-chameleon-gnupg, perhaps? > > I am really puzzled... :-(
[toc] | [prev] | [standalone]
Back to top | Article view | linux.debian.security
csiph-web