
Error when trying to locate key via WKD
Hello,

I tried to get a key via WKD (using the command --locate-keys), but it
didn't work as expected. The error message I got was:

gpg: using pgp trust model
gpg: error retrieving 'christoph-klassen@mail.de' via Local: No public key
gpg: Note: WKD uses a cached result
gpg: error retrieving 'christoph-klassen@mail.de' via WKD: No data
gpg: error reading key: No data

But when I use the following link (direct method), it is possible to
download the key:

https://mail.de/.well-known/openpgpkey/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6

I used GnuPG 2.2.19.


Regards,

Christoph



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Error when trying to locate key via WKD
On Wednesday, 27 October 2021 18:16:14 CEST, Christoph Klassen via Gnupg-users wrote:
> Hello,
>
> I tried to get a key via WKD (using the command --locate-keys), but it
> didn't work as expected. The error message I got was:
>
> gpg: using pgp trust model
> gpg: error retrieving 'christoph-klassen@mail.de' via Local: No public key
> gpg: Note: WKD uses a cached result
> gpg: error retrieving 'christoph-klassen@mail.de' via WKD: No data
> gpg: error reading key: No data
>
> But when I use the following link (direct method), it is possible to
> download the key:
>
> https://mail.de/.well-known/openpgpkey/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6

I added
```
log-file <some-absolute-path>/dirmngr.log
debug-level guru
debug-all
```
in dirmngr.conf, ran the command and got the below log.

The important part is
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
i.e. in the URL that dirmngr requests there is an additional "mail.de"
between "/openpgp/" and "/hu/" that is missing in your URL.

```
[...]
2021-10-27 20:44:04 dirmngr[26980.6] DBG: chan_6 <- WKD_GET -- christoph-klassen@mail.de
2021-10-27 20:44:04 dirmngr[26980.6] DBG: dns: libdns initialized
2021-10-27 20:44:04 dirmngr[26980.6] DBG: dns: resolve_dns_name(openpgpkey.mail.de): Success
2021-10-27 20:44:04 dirmngr[26980.6] DBG: chan_6 -> S SOURCE https://openpgpkey.mail.de
2021-10-27 20:44:04 dirmngr[26980.6] number of system provided CAs: 520
2021-10-27 20:44:04 dirmngr[26980.6] DBG: Using TLS library: GNUTLS 3.7.2
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:connect_server: trying name='openpgpkey.mail.de' port=443
2021-10-27 20:44:04 dirmngr[26980.6] DBG: dns: resolve_dns_name(openpgpkey.mail.de): Success
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:1917:socket_new: object 0x00007efc7404ced0 for fd 7 created
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:request:
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> Host: openpgpkey.mail.de\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:request-header:
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> \r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:response:
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> HTTP/1.1 301 Moved Permanently\r\n
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Server: nginx'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Date: Wed, 27 Oct 2021 18:44:04 GMT'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Content-Type: text/html'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Content-Length: 162'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Connection: close'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Location: https://mail.de/.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: ''
2021-10-27 20:44:04 dirmngr[26980.6] URL 'https://openpgpkey.mail.de/.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen' redirected to 'https://mail.de/.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen' (301)
2021-10-27 20:44:04 dirmngr[26980.6] DBG: Using TLS library: GNUTLS 3.7.2
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:connect_server: trying name='mail.de' port=443
2021-10-27 20:44:04 dirmngr[26980.6] DBG: dns: resolve_dns_name(mail.de): Success
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:1917:socket_new: object 0x00007efc740157f0 for fd 7 created
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:request:
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> Host: mail.de\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:request-header:
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> \r\n
2021-10-27 20:44:05 dirmngr[26980.6] DBG: http.c:response:
2021-10-27 20:44:05 dirmngr[26980.6] DBG: >> HTTP/1.1 404 Not Found\r\n
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: 'Server: nginx'
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: 'Date: Wed, 27 Oct 2021 18:44:05 GMT'
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: 'Content-Type: text/html; charset=UTF-8'
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: 'Content-Length: 13'
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: 'Connection: close'
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: ''
2021-10-27 20:44:05 dirmngr[26980.6] error accessing 'https://mail.de/.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen': http status 404
2021-10-27 20:44:05 dirmngr[26980.6] command 'WKD_GET' failed: No data
2021-10-27 20:44:05 dirmngr[26980.6] DBG: chan_6 -> ERR 167772218 No data <Dirmngr>
2021-10-27 20:44:05 dirmngr[26980.6] DBG: chan_6 <- BYE
2021-10-27 20:44:05 dirmngr[26980.6] DBG: chan_6 -> OK closing connection
[...]
```

Regards,
Ingo
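The same reading of the dirmngr log can be automated. The following is an added example, not code from this thread or from GnuPG: it scans `debug-level guru` log lines as dirmngr writes them (the CRLF shows up as the two literal characters `\r\n`) and reports, per HTTP exchange, the requested URL, the status and any redirect target, so the path dirmngr actually asked for can be compared with the one that works by hand. The sample log is a constructed excerpt copied from the message above; the regular expressions and the `Exchange` record are assumptions of this example.

```python
"""Summarise a dirmngr debug log (debug-level guru) of a WKD lookup.

Added example, not code from this thread or from GnuPG.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an excerpt of the log from the message above, copied
# verbatim. dirmngr prints the CRLF as the two characters \r\n, hence the raw string.
SAMPLE_LOG = r"""
2021-10-27 20:44:04 dirmngr[26980.6] DBG: chan_6 <- WKD_GET -- christoph-klassen@mail.de
2021-10-27 20:44:04 dirmngr[26980.6] DBG: dns: resolve_dns_name(openpgpkey.mail.de): Success
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> Host: openpgpkey.mail.de\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> HTTP/1.1 301 Moved Permanently\r\n
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Location: https://mail.de/.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen'
2021-10-27 20:44:04 dirmngr[26980.6] DBG: dns: resolve_dns_name(mail.de): Success
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> Host: mail.de\r\n
2021-10-27 20:44:05 dirmngr[26980.6] DBG: >> HTTP/1.1 404 Not Found\r\n
2021-10-27 20:44:05 dirmngr[26980.6] command 'WKD_GET' failed: No data
"""


@dataclass
class Exchange:
    """One HTTP request/response pair seen in the log (assumed structure)."""
    path: str
    host: str = ""
    status: Optional[int] = None
    location: Optional[str] = None

    @property
    def method(self) -> str:
        # Advanced-method paths carry the mail domain between /openpgpkey/ and
        # /hu/; direct-method paths go straight from /openpgpkey/ to /hu/.
        parts = self.path.split("/")
        return "direct" if len(parts) > 3 and parts[3] == "hu" else "advanced"

    @property
    def url(self) -> str:
        return f"https://{self.host}{self.path}"


_RE_ADDRESS = re.compile(r"WKD_GET -- (\S+)")
_RE_DNS = re.compile(r"resolve_dns_name\(([^)]+)\): (\w+)")
_RE_GET = re.compile(r">> GET (\S+) HTTP/")
_RE_HOST = re.compile(r">> Host: ([^\s\\]+)")          # stop before the literal \r\n
_RE_STATUS = re.compile(r">> HTTP/\d\.\d (\d{3})")
_RE_LOCATION = re.compile(r"RESP: 'Location: ([^']+)'")
_RE_FAILED = re.compile(r"command 'WKD_GET' failed: (.+)$")


def summarise(log_text: str) -> dict:
    """Walk the log once; collect the address, DNS answers, HTTP exchanges
    and the final WKD_GET result."""
    address: Optional[str] = None
    dns: List[tuple] = []
    exchanges: List[Exchange] = []
    outcome: Optional[str] = None
    for line in log_text.splitlines():
        if m := _RE_ADDRESS.search(line):
            address = m.group(1)
        elif m := _RE_DNS.search(line):
            dns.append((m.group(1), m.group(2)))
        elif m := _RE_GET.search(line):
            exchanges.append(Exchange(path=m.group(1)))
        elif (m := _RE_HOST.search(line)) and exchanges:
            exchanges[-1].host = m.group(1)
        elif (m := _RE_STATUS.search(line)) and exchanges:
            exchanges[-1].status = int(m.group(1))
        elif (m := _RE_LOCATION.search(line)) and exchanges:
            exchanges[-1].location = m.group(1)
        elif m := _RE_FAILED.search(line):
            outcome = m.group(1)
    return {"address": address, "dns": dns, "exchanges": exchanges, "outcome": outcome}


def report(summary: dict) -> str:
    """Render the summary as a few lines a reader can compare with a manual fetch."""
    lines = [f"WKD lookup for {summary['address']}: {summary['outcome'] or 'ok'}"]
    for name, result in summary["dns"]:
        lines.append(f"  dns {name}: {result}")
    for ex in summary["exchanges"]:
        line = f"  {ex.method:8} {ex.url} -> {ex.status}"
        if ex.location:
            line += f" (redirect to {ex.location})"
        lines.append(line)
    methods = {ex.method for ex in summary["exchanges"]}
    if summary["outcome"] and methods == {"advanced"}:
        lines.append("  note: only advanced-method URLs were tried; the openpgpkey "
                     "sub-domain resolved, so there was no direct-method fallback")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG)))
```

Run against a real `dirmngr.log`, the report makes the two facts that matter stand out: the sub-domain resolved, and every request used the advanced-method path layout.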
Re: Error when trying to locate key via WKD
[Putting this back on the mailing list. Please keep replies on the list.]

On Wednesday, 27 October 2021 21:20:03 CEST, Christoph Klassen wrote:
> On 27.10.21 20:54, Ingo Klöcker wrote:
> > The important part is
> > 2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET
> > /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=chr
> > istoph-klassen HTTP/1.0\r\n i.e. in the URL that dirmngr requests there is
> > an additional "mail.de" between "/openpgp/" and "/hu/" that is missing in
> > your URL.
>
> That would be the advanced method of WKD (Here's the draft:
> https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/),
> which indeed doesn't work with my mail provider. But when I try the
> direct method (Example from the draft:
> https://example.org/.well-known/openpgpkey/
> hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe) I can get the key from my
> provider's WKD server. I admit I forgot the parameter in the URL I posted.
>
> But that wasn't the point. My problem is that GnuPG couldn't get the key
> via WKD and I don't understand why because it seems like it should work.

The problem is that the domain openpgpkey.mail.de exists (or seems to exist)
although mail.de doesn't support the advanced method. The draft you mentioned
says:

There are two variants on how to form the request URI: The advanced
and the direct method. Implementations MUST first try the advanced
method. Only if the required sub-domain does not exist, they SHOULD
fall back to the direct method.

The advanced method requires that a sub-domain with the fixed name
"openpgpkey" is created and queried.

Because the sub-domain openpgpkey.mail.de exists (or rather, seems to exist),
gpg first tries the advanced method. This fails. gpg doesn't fall back to the
direct method as per the spec: "Only if the required sub-domain does not
exist, they SHOULD fall back to the direct method."

The problem is that mail.de redirects any sub-domain to mail.de, e.g.
`curl https://foobar.mail.de` is also redirected to `https://mail.de`. The
problem with wildcard sub-domains and WKD has been discussed here or on
gnupg-devel recently.

Regards,
Ingo
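The rule Ingo quotes from the draft, together with the URI construction behind the two methods, as an added example that is not code from this thread or from GnuPG. It builds both request URIs and models the selection rule with an injected stand-in for the DNS lookup dirmngr performs; the `wildcard_dns` and `strict_dns` resolvers are constructed for the example and do not query real DNS. The hashed local parts it checks are the two that appear in the thread: the draft's own `Joe.Doe` example and `christoph-klassen` as computed by dirmngr in the log. The z-base-32 alphabet and the SHA-1-of-lowercased-local-part mapping are those of the draft; all function names are assumptions of this example.

```python
"""WKD request-URI construction and the advanced/direct selection rule.

Added example, not code from this thread or from GnuPG.
"""
import base64
import hashlib
from typing import Callable, Set, Tuple

# z-base-32 alphabet used for the hashed user-id directory name ("hu").
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_STD32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_TO_ZB32 = str.maketrans(_STD32, _ZB32)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (32 characters).

    A SHA-1 digest is 160 bits, a multiple of 40, so RFC 4648 base32 yields
    no padding and only the alphabet has to be swapped for z-base-32.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZB32)


def advanced_url(local_part: str, domain: str) -> str:
    # Advanced method: fixed "openpgpkey" sub-domain, mail domain repeated in the path.
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/"
            f"{wkd_hash(local_part)}?l={local_part}")


def direct_url(local_part: str, domain: str) -> str:
    # Direct method: served by the mail domain itself, no domain segment in the path.
    return f"https://{domain}/.well-known/openpgpkey/hu/{wkd_hash(local_part)}?l={local_part}"


def select_request_url(address: str,
                       subdomain_exists: Callable[[str], bool]) -> Tuple[str, str]:
    """Apply the draft's rule: try the advanced method first and use the
    direct method only if the openpgpkey sub-domain does not exist.
    `subdomain_exists` stands in for the DNS lookup (resolve_dns_name in the
    log) and is injected so the behaviour can be shown offline."""
    local_part, domain = address.rsplit("@", 1)
    if subdomain_exists(f"openpgpkey.{domain}"):
        return "advanced", advanced_url(local_part, domain)
    return "direct", direct_url(local_part, domain)


def wildcard_dns(domain: str) -> Callable[[str], bool]:
    """Constructed stand-in for a provider whose DNS answers for every name
    under `domain`, which is what the thread describes for mail.de."""
    return lambda name: name == domain or name.endswith("." + domain)


def strict_dns(names: Set[str]) -> Callable[[str], bool]:
    """Constructed stand-in for a zone that only answers for the listed names."""
    return lambda name: name in names


if __name__ == "__main__":
    addr = "christoph-klassen@mail.de"
    for label, resolver in (("wildcard DNS", wildcard_dns("mail.de")),
                            ("no openpgpkey sub-domain", strict_dns({"mail.de"}))):
        method, url = select_request_url(addr, resolver)
        print(f"{label}: {method} -> {url}")
```

The two runs in `__main__` show the situation in the thread from both sides: with a wildcard zone the advanced URL is the only one a conforming client will ever request, so a provider that publishes keys under the direct-method path must either make sure `openpgpkey.<domain>` does not resolve or serve the advanced-method layout on that host.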
Re: Error when trying to locate key via WKD
On 27.10.21 22:54, Ingo Klöcker wrote:
> [Putting this back on the mailing list. Please keep replies on the list.]
>
> On Wednesday, 27 October 2021 21:20:03 CEST, Christoph Klassen wrote:
>> On 27.10.21 20:54, Ingo Klöcker wrote:
>>> The important part is
>>> 2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET
>>> /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=chr
>>> istoph-klassen HTTP/1.0\r\n i.e. in the URL that dirmngr requests there is
>>> an additional "mail.de" between "/openpgp/" and "/hu/" that is missing in
>>> your URL.
>> That would be the advanced method of WKD (Here's the draft:
>> https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/),
>> which indeed doesn't work with my mail provider. But when I try the
>> direct method (Example from the draft:
>> https://example.org/.well-known/openpgpkey/
>> hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe) I can get the key from my
>> provider's WKD server. I admit I forgot the parameter in the URL I posted.
>>
>> But that wasn't the point. My problem is that GnuPG couldn't get the key
>> via WKD and I don't understand why because it seems like it should work.
> The problem is that the domain openpgpkey.mail.de exists (or seems to exist)
> although mail.de doesn't support the advanced method. The draft you mentioned
> says:
>
> There are two variants on how to form the request URI: The advanced
> and the direct method. Implementations MUST first try the advanced
> method. Only if the required sub-domain does not exist, they SHOULD
> fall back to the direct method.
>
> The advanced method requires that a sub-domain with the fixed name
> "openpgpkey" is created and queried.
>
> Because the sub-domain openpgpkey.mail.de exists (or rather, seems to exist),
> gpg first tries the advanced method. This fails. gpg doesn't fall back to the
> direct method as per the spec: "Only if the required sub-domain does not
> exist, they SHOULD fall back to the direct method."
>
> The problem is that mail.de redirects any sub-domain to mail.de, e.g.
> `curl https://foobar.mail.de` is also redirected to `https://mail.de`. The
> problem with wildcard sub-domains and WKD has been discussed here or on
> gnupg-devel recently.

Thank you for your explanation, Ingo! Now I understand what you meant.
It's a pity that GPG doesn't fall back to the direct method.


Regards,

Christoph



Re: Error when trying to locate key via WKD
On Thursday, 28 October 2021 09:32:55, Christoph Klassen via Gnupg-users wrote:
> that GPG doesn't fall back to the direct method.

AFAIU it cannot fall back, because openpgpkey.mail.de seems to exist.


On Wednesday, 27 October 2021 22:54:48, Ingo Klöcker wrote:
> The problem with wildcard sub-domains and WKD has been discussed here or on
> gnupg-devel recently.

Ingo,
can you provide me a pointer to the gnupg-devel thread?
(Did a few minutes of searching, I probably missed something.)

Best Regards,
Bernhard

--
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: Error when trying to locate key via WKD
On 28/10/2021 10:44, Bernhard Reiter wrote:
> On Wednesday, 27 October 2021 22:54:48, Ingo Klöcker wrote:
>> The problem with wildcard sub-domains and WKD has been discussed here or on
>> gnupg-devel recently.
>
> Ingo,
> can you provide me a pointer to the gnupg-devel thread?
> (Did a few minutes of searching, I probably missed something.)
>

The megathread from hell starts here :-)

https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html

But the most concise summary is probably this:

https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064575.html

--
Andrew Gallagher