Jeffrey Ollie | 28 Nov 2011 23:04

GnuPG v1 Bug in CentOS

Hello,

I've been trying to get MonkeySphere set up on my hosts and I appear to
have run across a bug in GnuPG v1 that affects MonkeySphere.  Before I
figured out the problem, none of my CentOS 5 hosts would publish their
host key to the keyservers.  I even set up a private keyserver just so
that I could do some testing.  What is happening is that GnuPG v1 on
CentOS 5 hosts (and likely RHEL 5 hosts) won't publish a key to a
keyserver if you specify the key using the full 40 byte fingerprint.
So the following command to publish the key fails:

[root@web04 ~]# gpg --home /var/lib/monkeysphere/host --keyserver
web10.dmacc.net --send-key 0xB8511DF00DA989B4BABE2DD91D59F99C42F35B7F
gpg: sending key 42F35B7F to hkp server web10.dmacc.net
[root@web04 ~]# echo $?
0

While this command works:

[root@web04 ~]# gpg --home /var/lib/monkeysphere/host --keyserver
web10.dmacc.net --send-key 0x42F35B7F
gpg: sending key 42F35B7F to hkp server web10.dmacc.net
[root@web04 ~]# echo $?
0

GnuPG v2 on CentOS 5 and all versions of GnuPG on Fedora 14+ work just fine.

For now I'm going to work around the problem by editing
/usr/share/monkeysphere/mh/publish_key to use GnuPG 2.


Daniel Kahn Gillmor | 28 Nov 2011 23:19

Re: GnuPG v1 Bug in CentOS

Hi Jeffrey--

On 11/28/2011 05:04 PM, Jeffrey Ollie wrote:
> I've been trying to get MonkeySphere set up on my hosts and I appear to
> have run across a bug in GnuPG v1 that affects MonkeySphere.  Before I
> figured out the problem, none of my CentOS 5 hosts would publish their
> host key to the keyservers.  I even set up a private keyserver just so
> that I could do some testing.  What is happening is that GnuPG v1 on
> CentOS 5 hosts (and likely RHEL 5 hosts) won't publish a key to a
> keyserver if you specify the key using the full 40 byte fingerprint.
> So the following command to publish the key fails:
> 
> [root@web04 ~]# gpg --home /var/lib/monkeysphere/host --keyserver
> web10.dmacc.net --send-key 0xB8511DF00DA989B4BABE2DD91D59F99C42F35B7F
> gpg: sending key 42F35B7F to hkp server web10.dmacc.net
> [root@web04 ~]# echo $?
> 0

what makes you say this is failing?  what do you see if you add
--keyserver-options debug here?

what is the output of "gpg --version" ?

what about "ls -l /usr/lib/gnupg/" ?

If this is a bug in gnupg, I can help you report it to that project.  If
it's a bug in monkeysphere, we can try to fix it ourselves.

	--dkg


Jeffrey Ollie | 28 Nov 2011 23:36

Re: GnuPG v1 Bug in CentOS

On Mon, Nov 28, 2011 at 4:19 PM, Daniel Kahn Gillmor
<dkg <at> fifthhorseman.net> wrote:
>
> On 11/28/2011 05:04 PM, Jeffrey Ollie wrote:
>> So the following command to publish the key fails:
>>
>> [root@web04 ~]# gpg --home /var/lib/monkeysphere/host --keyserver
>> web10.dmacc.net --send-key 0xB8511DF00DA989B4BABE2DD91D59F99C42F35B7F
>> gpg: sending key 42F35B7F to hkp server web10.dmacc.net
>> [root@web04 ~]# echo $?
>> 0
>
> what makes you say this is failing?

I watch the server and the key is never sent.

>  what do you see if you add
> --keyserver-options debug here?

[root@web04 ~]# gpg --home /var/lib/monkeysphere/host
--keyserver-options debug --keyserver web10.dmacc.net --send-key
0xB8511DF00DA989B4BABE2DD91D59F99C42F35B7F
gpg: sending key 42F35B7F to hkp server web10.dmacc.net
gpgkeys: curl version = libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
[root@web04 ~]# gpg --home /var/lib/monkeysphere/host
--keyserver-options debug --keyserver web10.dmacc.net --send-key
0x42F35B7F
gpg: sending key 42F35B7F to hkp server web10.dmacc.net
gpgkeys: curl version = libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
* About to connect() to web10.dmacc.net port 11371
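
The thread's central observation is that gpg returned exit status 0 in both runs even though, with the 40-xdigit fingerprint, nothing reached the keyserver. The script below is an added example, not code from the thread or from the Monkeysphere project: it classifies a key identifier (short id, long id, or full fingerprint), derives the 8-xdigit short id that gpg prints in its "sending key ..." line, and verifies publication by asking the keyserver's HKP lookup endpoint for the key rather than trusting gpg's exit status. The keyserver host, the HKP port 11371 and the fingerprint come from the thread; the function names and the use of curl against `/pks/lookup` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a key was really
# published instead of trusting "gpg --send-key" exiting 0.

# normalize_id ID -> ID without a leading 0x, upper-cased hex
normalize_id() {
    printf '%s' "$1" | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# keyid_kind ID -> prints short|long|fpr and returns 0,
# or prints invalid and returns 1 for anything that is not 8/16/40 hex digits
keyid_kind() {
    id=$(normalize_id "$1")
    case "$id" in
        *[!0-9A-F]*|'') echo invalid; return 1 ;;
    esac
    case ${#id} in
        8)  echo short ;;
        16) echo long ;;
        40) echo fpr ;;
        *)  echo invalid; return 1 ;;
    esac
}

# short_keyid ID -> the last 8 hex digits, which is what gpg prints in
# "gpg: sending key 42F35B7F to hkp server ..." (empty if ID is shorter than 8)
short_keyid() {
    id=$(normalize_id "$1")
    printf '%s\n' "${id#"${id%????????}"}"
}

# hkp_has_key HOST ID -> 0 if the keyserver returns an armored key for ID.
# Assumption: plain HKP on port 11371 (the port seen in the thread's curl
# trace) and the standard /pks/lookup?op=get endpoint. Requires network.
hkp_has_key() {
    host=$1
    id=$(normalize_id "$2")
    curl -sf "http://$host:11371/pks/lookup?op=get&options=mr&search=0x$id" \
        | grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

# Usage (assumed invocation, network required):
#   sh checkpub.sh web10.dmacc.net 0xB8511DF00DA989B4BABE2DD91D59F99C42F35B7F
if [ $# -eq 2 ]; then
    kind=$(keyid_kind "$2") || { echo "bad key id: $2" >&2; exit 2; }
    echo "identifier form: $kind (short id $(short_keyid "$2"))"
    if hkp_has_key "$1" "$(short_keyid "$2")"; then
        echo "key found on $1"
    else
        echo "key NOT found on $1 (a zero exit from gpg --send-key proves nothing)"
    fi
fi
```

The lookup is done with the short id on purpose: it is the form both gpg invocations in the thread agreed on, so a miss here means the key is genuinely absent from the server rather than the server rejecting a longer search string.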

Daniel Kahn Gillmor | 28 Nov 2011 23:46

Re: GnuPG v1 Bug in CentOS

On 11/28/2011 05:36 PM, Jeffrey Ollie wrote:
> [root@web04 ~]# gpg --home /var/lib/monkeysphere/host
> --keyserver-options debug --keyserver web10.dmacc.net --send-key
> 0xB8511DF00DA989B4BABE2DD91D59F99C42F35B7F
> gpg: sending key 42F35B7F to hkp server web10.dmacc.net
> gpgkeys: curl version = libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> [root@web04 ~]# gpg --home /var/lib/monkeysphere/host
> --keyserver-options debug --keyserver web10.dmacc.net --send-key
> 0x42F35B7F
> gpg: sending key 42F35B7F to hkp server web10.dmacc.net
> gpgkeys: curl version = libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> * About to connect() to web10.dmacc.net port 11371
> *   Trying 2610:130:2301:3:250:56ff:fe95:15bf... * Connection refused
> *   Trying 161.210.221.23... * connected
> * Connected to web10.dmacc.net (161.210.221.23) port 11371
>> POST /pks/add HTTP/1.1
> Host: web10.dmacc.net:11371
> Accept: */*
> Content-Length: 1106
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
> < HTTP/1.0 200 OK
> < Server: sks_www/1.1.1
> < Content-type: text/html; charset=UTF-8
> * Closing connection #0

Can you compare the output of this command with the same invocation with
an 8-xdigit keyid?  (btw, i didn't intend for you to run all this as
root, i'd be fine with it coming from a non-privileged user account).
