gpg: keyserver send failed: No data
Hello,
I'm debugging a script that allows for unattended GPG key and revoke cert generation, upload to our private keyserver and then commit to git. This was originally developed a few versions ago so some things are no longer working. Luke helped a lot in getting the revocation certificate generation working and I very much appreciate it. Now, I'm getting an error when attempting to send to our private keyserver. Here's the function and error:
key_send() {
    echo "Start: key_send"
    echo
    echo "Send Key"
    SHORT_KEY="$(gpg -K | grep "sec " | cut -c15-22)"
    gpg --keyserver hkps://keyserverURL --send-key $SHORT_KEY
    echo "Done: key_send"
    echo
}
The error I get is:
gpg: sending key KeyID to hkps://keyserverURL
gpg: keyserver send failed: No data
gpg: keyserver send failed: No data
I tried the command on my existing key and I received the same message. Any help would be appreciated!
Thanks,
John
1 Posted by John Rivera on 10 Jan, 2018 05:50 PM
I tried sending my own key to our private server using GPG Keychain and received the same error:
Send keys failed! (No data)
Code = 58
Error text:
gpg: sending key KeyID to hkps://keyserverURL
gpg: keyserver send failed: No data
gpg: keyserver send failed: No data
I went ahead and submitted a report to include my version numbers.
2 Posted by John Rivera on 10 Jan, 2018 05:53 PM
Report submitted via GPG Keychain: https://gpgtools.tenderapp.com/discussions/problems/66803
Support Staff 3 Posted by Luke Le on 10 Jan, 2018 07:00 PM
Hi John,
the problem is that the output of GnuPG has changed. The fingerprint is now on the next line. What you are currently getting is part of the creation date.
I'm having a look at what the quickest way to get this working might be.
Support Staff 4 Posted by Luke Le on 10 Jan, 2018 07:08 PM
If you switch your command with the following command to fetch short key id it should work again:
As an alternative you can also fetch the long key or fingerprint with the following two commands:
This version should also be future proof, since it uses the output which is especially formatted for machine processing.
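The commands from this reply are not preserved on the page. As an added example (not Luke's commands and not part of the original thread), here is one way to take the key to send from GnuPG's machine-readable `--with-colons` listing instead of cutting columns from the human-readable one. The sample listing is constructed, the function names are hypothetical, and the script refuses to send when the keyring holds more than one secret key.

```shell
#!/bin/sh
# Added example: choose the key to upload from gpg's colon-delimited listing.

KEYSERVER="hkps://keyserverURL"   # placeholder URL as written in the thread

# Constructed sample of `gpg --list-secret-keys --with-colons` output.
SAMPLE_LISTING='sec:u:4096:1:89ABCDEF01234567:1515600000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1515600000::0000000000000000000000000000000000000000::Test Key <test@example.invalid>::::::::::0:
ssb:u:4096:1:76543210FEDCBA98:1515600000::::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Read a colon listing on stdin; print the fingerprint of each secret primary key.
# An "fpr" record belongs to the key record right before it and carries the
# fingerprint in field 10, so subkey ("ssb") fingerprints are skipped.
secret_fingerprints() {
    awk -F: '
        $1 == "sec"            { primary = 1; next }
        $1 == "ssb"            { primary = 0; next }
        $1 == "fpr" && primary { print $10; primary = 0 }
    '
}

# Short key ID = last 8 hex digits of the fingerprint.
short_key_id() {
    awk -v f="$1" 'BEGIN { print substr(f, length(f) - 7) }'
}

# Print the fingerprint only when exactly one secret key exists; fail otherwise,
# so leftover test keys are not uploaded by accident.
single_secret_fingerprint() {
    fprs="$(secret_fingerprints)"
    count="$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')"
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 secret key, found $count" >&2
        return 1
    fi
    printf '%s\n' "$fprs"
}

key_send() {
    fpr="$(gpg --batch --list-secret-keys --with-colons | single_secret_fingerprint)" || return 1
    gpg --keyserver "$KEYSERVER" --send-keys "$fpr"
}
```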
5 Posted by John Rivera on 10 Jan, 2018 07:47 PM
Hi Luke,
Thanks again for the help here!
I tried all three options you've provided but I'm still getting the same message. What concerns me is that I also get the same error when uploading using the GPG Keychain GUI.
Here's the link to the report I submitted earlier with the error from GPG Keychain: https://gpgtools.tenderapp.com/discussions/problems/66803
Does Error 58 mean anything to you?
Thanks again!
John
Support Staff 6 Posted by Luke Le on 10 Jan, 2018 08:55 PM
Ah hmm... if you are around, I could have a look at it in our live support:
https://www.hipchat.com/gEAi9viX4
7 Posted by John Rivera on 10 Jan, 2018 09:09 PM
Thanks, Luke. I am around. However, it seems that our keyserver just went down. I'm finding out from my admin if he did this on purpose.
8 Posted by John Rivera on 10 Jan, 2018 11:09 PM
Hi Luke,
We disabled authentication on the private keyserver and the key uploaded right away. Now we just need to figure out why it won't work anymore with authentication. If you have any references, please let me know.
Thanks again!
John
Support Staff 9 Posted by Luke Le on 10 Jan, 2018 11:10 PM
I'm currently having a look into the gnupg source code. In theory basic auth should be supported.
10 Posted by John Rivera on 11 Jan, 2018 12:26 AM
Hi Luke,
Sorry to deviate from the topic but I was wondering if you can tell me the command to remove key(s) from our private key server. During troubleshooting, I ended up creating 3 different keys that I now need to remove.
Thanks,
John
Support Staff 11 Posted by Luke Le on 11 Jan, 2018 12:28 AM
Hi John,
unfortunately there's no such thing as removing keys from a keyserver, you can only revoke them if you still have the revocation certificates. For each secret key you create, a revocation certificate is created in ~/.gnupg/openpgp-revocs.d
By importing the revocation certificate and sending the key to the server afterwards, you'll be able to revoke them and prevent others from importing them.
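The import-then-send procedure described above, as an added example that is not part of the original reply. It handles one practical detail: the certificates GnuPG writes to `openpgp-revocs.d` carry a guard colon in front of the armor header that has to be removed before `gpg --import` accepts them. The sample certificate text is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: publish a revocation from ~/.gnupg/openpgp-revocs.d.

KEYSERVER="hkps://keyserverURL"   # placeholder URL as written in the thread

# Constructed stand-in for a <FINGERPRINT>.rev file (body is a placeholder,
# not a real certificate).
SAMPLE_REV='This is a revocation certificate for the OpenPGP key:

To avoid an accidental use of this file, a colon has been inserted
before the 5 dashes below.

:-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: This is a revocation certificate

CONSTRUCTEDPLACEHOLDERBODY
-----END PGP PUBLIC KEY BLOCK-----'

# Copy stdin to stdout with the guard colon removed from the armor header.
# Input that has no guard colon passes through unchanged.
armed_revocation() {
    sed 's/^:\(-----BEGIN PGP PUBLIC KEY BLOCK-----\)$/\1/'
}

# Import the revocation for the given fingerprint, then upload the now-revoked
# key so the keyserver copy is marked revoked as well.
revoke_and_publish() {
    fpr="$1"
    rev="$HOME/.gnupg/openpgp-revocs.d/$fpr.rev"
    if [ ! -r "$rev" ]; then
        echo "no revocation certificate at $rev" >&2
        return 1
    fi
    armed_revocation < "$rev" | gpg --batch --import || return 1
    gpg --keyserver "$KEYSERVER" --send-keys "$fpr"
}
```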
12 Posted by John Rivera on 11 Jan, 2018 12:30 AM
That's what I thought. Thanks for the quick reply and clarification!
Support Staff 13 Posted by Luke Le on 11 Jan, 2018 12:32 AM
I'm currently filing a bug with the GnuPG team for HTTP Basic Auth, since from the source code I could now confirm that this feature no longer works. Not sure since when, but it must be quite some time already. I still believe however, that a change of your internal key server system triggered the error you were seeing.
Let's hope they re-add Basic Auth in the future.
Support Staff 14 Posted by Luke Le on 11 Jan, 2018 12:16 PM
Quick Update: I've submitted a patch to the folks of GnuPG and they will have a look. Werner (the lead developer of GnuPG) however also questioned the security advantage of using HTTP Basic Auth.
15 Posted by John Rivera on 12 Jan, 2018 07:44 PM
Hi Luke,
Thank you for this. As we discussed, we wanted to prevent our own users from uploading keys to our keyserver. We want our IT department to have complete control of key management. We also frequently have contractors working with us and this is a security measure we had to take.
As an update to removing keys from the keyserver, we found a way in case someone else is interested. The command is:
sks drop <hash>
Support Staff 16 Posted by Luke Le on 15 Jan, 2018 11:20 AM
Hi John,
you are absolutely right. If you are the administrator of an sks keyserver, you can of course remove an uploaded key. Sorry for the misunderstanding.
17 Posted by John Rivera on 01 Mar, 2018 08:51 PM
Hi Luke,
Any updates on the patch you submitted regarding http basic auth?
Thanks,
John
Support Staff 18 Posted by Luke Le on 02 Mar, 2018 09:45 AM
Hi John,
unfortunately we haven't heard back from the gnupg developers and unfortunately I don't believe it is a priority for them. We might consider including the patch in our version of gnupg, but it would feel better to receive approval from the gnupg developers.
19 Posted by John Rivera on 06 Mar, 2018 06:14 PM
Hi Luke,
Thanks. We can certainly test it for you if you were to include it in your version. If not, are there any other ways to secure the keyserver that you can recommend?
Thanks,
John
20 Posted by John Rivera on 23 Apr, 2018 03:54 PM
Hi Luke,
Do you have any updates? As I said, we'd be willing to test this out if you include this in your next patch.
Thanks,
John
Support Staff 21 Posted by Steve on 24 Apr, 2018 09:23 AM
Hi John,
we submitted a patch to gnupg in Jan 2018. Pinged them in March and April but did not hear back :/
You may want to ask about the state on their gnupg users mailing list.
The patch is here: https://dev.gnupg.org/T3730
All the best,
steve
Support Staff 22 Posted by Luke Le on 24 Apr, 2018 10:55 PM
Hi John,
we have now added support for HTTP auth to our version of GnuPG and the fix is included in the latest hotfix of GPG Suite.
Please let us know if that works for you,
Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.
23 Posted by John Rivera on 24 Apr, 2018 11:14 PM
This is excellent news, Luke. Thank you.
Do we have to do anything on the server side to get this to work?
Thanks,
John
Support Staff 24 Posted by Luke Le on 25 Apr, 2018 11:53 AM
Hi John,
no, in theory no changes on the server side should be necessary.
Simply change the keyserver URL to include the authentication data in the URL, so basically:
hkp://user:[email blocked]
Please let us know if it works.
Thanks!
Support Staff 25 Posted by Steve on 01 May, 2018 01:07 PM
Hi John,
were you able to give this a spin? Make sure to use the latest hotfix build as we fixed a regression in regards to the hkp patch.
Best,
steve
26 Posted by John Rivera on 09 May, 2018 08:11 PM
Hi Steve,
I installed 2151n and I was able to upload to our private key server with authentication turned on. Are there any other enhancements on this build? Should we expect this fix to make it to the release version?
Thanks for letting us test it!
John
Support Staff 27 Posted by Steve on 09 May, 2018 08:48 PM
That sounds good. Yeah, the fix will be included in the upcoming release.
I'm closing this discussion. Should you need further assistance or have questions you can re-open this discussion here or open a new one any time.
Best,
steve
Steve closed this discussion on 09 May, 2018 08:48 PM.
Steve closed this discussion on 09 May, 2018 08:50 PM.