
Error importing fetching key from wkd
Hello.

I tried to fetch a key from WKD, in this case the key of Werner Koch.
Every time I try this I get the following error:

---
$ LANG=C gpg -v --locate-key wk@gnupg.org
gpg: pub ed25519/63113AE866587D0A 2018-09-28 wk@gnupg.org
gpg: error writing keyring '/home/dgottschalk/.gnupg/pubring.kbx':
Unknown elliptic curve
gpg: error reading '[stream]': Unknown elliptic curve
gpg: Total number processed: 0
gpg: error retrieving 'wk@gnupg.org' via WKD: Unknown elliptic curve
gpg: error retrieving 'wk@gnupg.org' via DANE: No name
gpg: error retrieving 'wk@gnupg.org' via ?: No name
gpg: Total number processed: 0
gpg: auto-key-locate found fingerprint
A4D94E92B0986AB5EE9DCD755DE249965B0358A2
gpg: error retrieving 'wk@gnupg.org' via DNS CERT: No public key
gpg: data source: https://keys.openpgp.org:443
gpg: error retrieving 'wk@gnupg.org' via keyserver: No data
gpg: error reading key: No data
---

Any hints what happens there?

This also happens when I use an empty Keybox with this command:
$ gpg -v --no-default-keyring --keyring=test/keyring.kbx --locate-key wk@gnupg.org

My GnuPG-Version knows ed25519 as you can see below:
---
$ gpg --with-colons --list-config curve
cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;secp256k1
---

My GPG-Version:
---
$ gpg --version --no-greeting
gpg (GnuPG) 2.3.6
libgcrypt 1.10.1-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/dgottschalk/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
---

Thank you in advance.

Kind Regards,
Dirk

--
Dirk Gottschalk

GPG key Fingerprint: 7C5B 9D53 EED5 C7B3 A291 D5AA 086B 3660 27E3 5D06
Keyoxide: https://keyoxide.org/7C5B9D53EED5C7B3A291D5AA086B366027E35D06


GitHub: https://github.com/Dirk1980ac
Re: Error importing fetching key from wkd
On Wed, 25 May 2022 22:58, Dirk Gottschalk said:

> $ gpg --with-colons --list-config curve
> cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;secp256k1

This should read

cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1

Note the Brainpool curves. Seems that Redhat still patches them out of
libgcrypt.


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
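A way to check this ahead of an import, added here as an example rather than code from the thread or from GnuPG: the script below parses the cfg:curve record that `gpg --with-colons --list-config curve` prints, walks the key and subkey packets of a binary OpenPGP key block (the format `gpg --export` writes), maps each ECC packet's curve OID to its name, and reports the curves the local libgcrypt build does not list. The key block it runs on is constructed inline and is not Werner's actual key; giving it a Brainpool signing subkey is an assumption that mirrors the diagnosis above. The two cfg:curve records are the ones quoted in this thread.

```python
# Added example, not code from the thread or from GnuPG: list the curves an
# OpenPGP key block uses and compare them with what the local libgcrypt reports.
import struct

# Curve OIDs as carried in ECDH/ECDSA/EdDSA key packets (RFC 6637 encoding).
CURVE_OIDS = {
    bytes.fromhex("2b06010401da470f01"): "ed25519",
    bytes.fromhex("2b060104019755010501"): "cv25519",
    bytes.fromhex("2b6571"): "ed448",
    bytes.fromhex("2b656f"): "cv448",
    bytes.fromhex("2a8648ce3d030107"): "nistp256",
    bytes.fromhex("2b81040022"): "nistp384",
    bytes.fromhex("2b81040023"): "nistp521",
    bytes.fromhex("2b2403030208010107"): "brainpoolP256r1",
    bytes.fromhex("2b240303020801010b"): "brainpoolP384r1",
    bytes.fromhex("2b240303020801010d"): "brainpoolP512r1",
    bytes.fromhex("2b8104000a"): "secp256k1",
}
OID_BY_NAME = {name: oid for oid, name in CURVE_OIDS.items()}
ECC_ALGOS = {18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
KEY_TAGS = {6: "pub", 14: "sub"}

def supported_curves(list_config_output):
    """Curve names from the cfg:curve record of `gpg --with-colons --list-config curve`."""
    for line in list_config_output.splitlines():
        f = line.strip().split(":")
        if len(f) >= 3 and f[0] == "cfg" and f[1] == "curve":
            return {c for c in f[2].split(";") if c}
    raise ValueError("no cfg:curve record in input")

def iter_packets(data):
    """Yield (tag, body) per OpenPGP packet. Handles both header styles of
    RFC 4880 4.2: gpg --export writes old-format headers (0x99 primary key,
    0xb9 subkey); new-format headers are 0xc0|tag with their own length coding."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not (hdr & 0x80):
            raise ValueError("no packet header at offset %d" % pos)
        if hdr & 0x40:                                   # new format
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[pos + 1:pos + 1 + (1 << ltype)], "big")
            pos += 1 + (1 << ltype)
        yield tag, data[pos:pos + length]
        pos += length

def key_curves(keyblock):
    """[(role, algorithm, curve)] for each ECC key/subkey packet; an OID the
    table does not know is reported as 'oid:<hex>' rather than a name."""
    found = []
    for tag, body in iter_packets(keyblock):
        if tag not in KEY_TAGS:
            continue
        version, algo = body[0], body[5]
        if version not in (4, 5) or algo not in ECC_ALGOS:
            continue                                     # RSA/DSA/ELG: no curve
        off = 10 if version == 5 else 6                  # v5 adds a 4-octet length
        oid = bytes(body[off + 1:off + 1 + body[off]])
        found.append((KEY_TAGS[tag], ECC_ALGOS[algo], CURVE_OIDS.get(oid, "oid:" + oid.hex())))
    return found

def unknown_curves(keyblock, list_config_output):
    """Curves the key needs that this gpg/libgcrypt build does not list."""
    known = supported_curves(list_config_output)
    return sorted({c for _, _, c in key_curves(keyblock) if c not in known})

# ---- constructed sample data: not a real key; the Brainpool subkey is an assumption ----
def _ecc_key(tag, algo, curve, old_format):
    oid = OID_BY_NAME[curve]
    point = b"\x40" + b"\x11" * 32 if curve in ("ed25519", "cv25519") else b"\x04" + b"\x22" * 64
    body = b"\x04" + struct.pack(">I", 1538092800) + bytes([algo, len(oid)]) + oid
    body += struct.pack(">H", int.from_bytes(point, "big").bit_length()) + point  # MPI
    if algo == 18:
        body += b"\x03\x01\x08\x07"                       # ECDH KDF params: SHA-256, AES-128
    if old_format:                                       # 0x99 / 0xb9 with 2-octet length
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
    return bytes([0xC0 | tag, len(body)]) + body         # new format, 1-octet length

SAMPLE_KEY = (_ecc_key(6, 22, "ed25519", True) + _ecc_key(14, 18, "cv25519", True)
              + _ecc_key(14, 19, "brainpoolP256r1", False))
# cfg:curve records as quoted in this thread: the Red Hat build and upstream's list.
RHEL_CURVES = "cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;secp256k1\n"
UPSTREAM_CURVES = ("cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;"
                   "brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1\n")
```

To use it on a real key, save the binary key (for instance the file a WKD URL or keyserver returns, or `gpg --export <fingerprint>` from a machine that can import it) and pass its bytes to `key_curves()` or `unknown_curves()` together with the output of `gpg --with-colons --list-config curve` from the target host; the parser expects binary packets, so ASCII-armored input must be dearmored first. A non-empty result from `unknown_curves()` against the Red Hat record is the situation the diagnosis above describes.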
Re: Error importing fetching key from wkd
Hi,

Werner Koch via Gnupg-users wrote:
> On Wed, 25 May 2022 22:58, Dirk Gottschalk said:
>
>> $ gpg --with-colons --list-config curve
>> cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;secp256k1
>
> This should read
>
> cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1
>
> Note the Brainpool curves. Seems that Redhat still patches them out of
> libgcrypt.

The question of whether these curves can be kept in Fedora
was brought up on the fedora-legal list some time ago. The
most recent status update¹ from Fedora Project Leader
Matthew Miller on January 28, 2022 says:

Sooooo, these things move slowly, but this _is_ being
worked on. I'll let you know when I can.

That sounds mildly hopeful. With luck, the curves will be
cleared for inclusion (at least eventually, even if not
terribly soon).

¹ https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/3ESF4KDVMLQPZX4H2S4L7BP5BHJPMPMB/

--
Todd
Re: Error importing fetching key from wkd
On 2022-05-28 20:29, Werner Koch via Gnupg-users wrote:

> Note the Brainpool curves. Seems that Redhat still patches them out of
> libgcrypt.

Why do they do that? BTW, when I search for brainpool I only find
definitions and RFCs, I seem unable to find why they are needed (or why
they would be preferred) over other curves.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Error importing fetching key from wkd
Hello Werner.

On Saturday, 28.05.2022 at 20:29 +0200, Werner Koch wrote:
> On Wed, 25 May 2022 22:58, Dirk Gottschalk said:
>
> > $ gpg --with-colons --list-config curve
> > cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;secp256k1
>
> This should read
>
> cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1
>
> Note the Brainpool curves.  Seems that Redhat still patches them out
> of libgcrypt.

Yes, they really do '--disable-brainpool' in the .spec file. Thank you
very much for this hint.

I did a custom rebuild of the package after modifying the .spec and now
everything works as expected.


Kind regards,
Dirk

--
Dirk Gottschalk

GPG key Fingerprint: 7C5B 9D53 EED5 C7B3 A291 D5AA 086B 3660 27E3 5D06
Keyoxide: https://keyoxide.org/7C5B9D53EED5C7B3A291D5AA086B366027E35D06


GitHub: https://github.com/Dirk1980ac
Re: Error importing fetching key from wkd
Hello Todd.

On Saturday, 28.05.2022 at 16:14 -0400, Todd Zullinger via
Gnupg-users wrote:
> Hi,
>
> Werner Koch via Gnupg-users wrote:
> > On Wed, 25 May 2022 22:58, Dirk Gottschalk said:

[...]
>

> > Note the Brainpool curves.  Seems that Redhat still patches them
> > out of libgcrypt.
>
> The question of whether these curves can be kept in Fedora
> was brought up on the fedora-legal list some time ago.  The
> most recent status update¹ from Fedora Project Leader
> Matthew Miller on January 28, 2022 says:
>
>     Sooooo, these things move slowly, but this _is_ being
>     worked on. I'll let you know when I can.
>
> That sounds mildly hopeful.  With luck, the curves will be
> cleared for inclusion (at least eventually, even if not
> terribly soon).

A workaround for this is to download the SRPM, remove the line
'--disable-brainpool' and rebuild the package.

Regards,
Dirk

--
Dirk Gottschalk

GPG key Fingerprint: 7C5B 9D53 EED5 C7B3 A291 D5AA 086B 3660 27E3 5D06
Keyoxide: https://keyoxide.org/7C5B9D53EED5C7B3A291D5AA086B366027E35D06


GitHub: https://github.com/Dirk1980ac
Re: Error importing fetching key from wkd
Hi,

Dirk Gottschalk via Gnupg-users wrote:
> A workaround for this is to download the SRPM, remove the
> line '--disable-brainpool' and rebuild the package.

Ahh, excellent. That's a relatively recent change. It's
available in the Fedora (and RHEL) libgcrypt-1.10 packages
which I believe are only in the freshly released Fedora 36
and RHEL 9.

Previous releases contained a 'hobbled' libgcrypt tarball
where the brainpool curves were removed entirely. (That's
the usual practice for items which cannot be included for
legal reasons.)

It's good to see things are moving in the right direction,
at least.

--
Todd
Re: Error importing fetching key from wkd
On Sun, 29 May 2022 13:07, Johan Wevers said:

> Why do they do that? BTW, when I search for brainpool I only find
> definitions and RFC's, I seem unable to find why they are needed (or why
> they would be peferred) over other curves.

That is mostly a political issue: In Europe the use of NIST curves is
not allowed due to security concerns. In the US the Brainpool curves
are not yet part of the FIPS standard and thus may not be used by the
government. However, Curve25519 is also not allowed by FIPS but still
included in RedHat's Libgcrypt build.

I am not aware of any patent issues with standard Weierstrass curves
like NIST-P and Brainpool-P curves. All relevant patents expired a few
years ago.


Salam-Shalom,

Werner


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: Error importing fetching key from wkd
Hello again,

I wrote:
> Dirk Gottschalk via Gnupg-users wrote:
>> A workaround for this is to download the SRPM, remove the
>> line '--disable-brainpool' and rebuild the package.
>
> Ahh, excellent. That's a relatively recent change. It's
> available in the Fedora (and RHEL) libgcrypt-1.10 packages
> which I believe are only in the freshly released Fedora 36
> and RHEL 9.

For the future, you can now rebuild the libgcrypt rpm from
Fedora 36 with brainpool support without having to edit the
spec file manually¹. You can pass `--with brainpool` to the
rpmbuild command, e.g.:

rpmbuild -rb --with brainpool /path/to/libgcrypt.src.rpm

Hopefully that makes life just a little easier for folks
using Fedora who want or need brainpool support.

¹ https://src.fedoraproject.org/rpms/libgcrypt/c/6571417ff

--
Todd
Re: Error importing fetching key from wkd
On Tue, May 31, 2022 at 12:17:05PM -0400, Todd Zullinger via Gnupg-users wrote:
> Hello again,
>
> I wrote:
> > Dirk Gottschalk via Gnupg-users wrote:
> >> A workaround for this is to download the SRPM, remove the
> >> line '--disable-brainpool' and rebuild the package.
> >
> > Ahh, excellent. That's a relatively recent change. It's
> > available in the Fedora (and RHEL) libgcrypt-1.10 packages
> > which I believe are only in the freshly released Fedora 36
> > and RHEL 9.
>
> For the future, you can now rebuild the libgcrypt rpm from
> Fedora 36 with brainpool support without having to edit the
> spec file manually¹. You can pass `--with brainpool` to the
> rpmbuild command, e.g.:
>
> rpmbuild -rb --with brainpool /path/to/libgcrypt.src.rpm
>
> Hopefully that makes life just a little easier for folks
> using Fedora who want or need brainpool support.

FYI, I also provide gnupg22-static and gnupg23-static packages that can be
rebuilt and installed on RHEL 7+ (though I haven't tried on RHEL9):

https://copr.fedorainfracloud.org/coprs/icon/lfit/packages/

They install into /opt and can be used directly as /opt/gnupg22/bin/gpg (and
others).

-Konstantin

Re: Error importing fetching key from wkd
Konstantin Ryabitsev via Gnupg-users wrote:
> FYI, I also provide gnupg22-static and gnupg23-static packages that can be
> rebuilt and installed on RHEL 7+ (though I haven't tried on RHEL9):
>
> https://copr.fedorainfracloud.org/coprs/icon/lfit/packages/
>
> They install into /opt and can be used directly as /opt/gnupg22/bin/gpg (and
> others).

Thanks Konstantin!

On EL8/9, I needed to disable the debugsource packages for a
successful build:

%define _debugsource_template %{nil}

I only tested builds of gnupg23-static on EL8/9, but the
gnupg22-static package looks like it would need the same
treatment.

Of course, the difference in algorithm support between
upstream and EL8/9 is much smaller than it was on EL7.
(Here's to seeing the differences disappear entirely.)

--
Todd