gpg: keyserver send failed: No data

John Rivera

10 Jan, 2018 12:28 AM

Hello,

I'm debugging a script that allows for unattended GPG key and revoke cert generation, upload to our private keyserver and then commit to git. This was originally developed a few versions ago so some things are no longer working. Luke helped a lot in getting the revocation certificate generation working and I very much appreciate it. Now, I'm getting an error when attempting to send to our private keyserver. Here's the function and error:

    key_send() {
      echo "Start: key_send"
      echo
      echo "Send Key"
      SHORT_KEY="$(gpg -K | grep "sec " | cut -c15-22)"
      gpg --keyserver hkps://keyserverURL --send-key $SHORT_KEY
      echo "Done: key_send"
      echo
    }

The error I get is:

    gpg: sending key KeyID to hkps://keyserverURL
    gpg: keyserver send failed: No data
    gpg: keyserver send failed: No data

I tried the command on my existing key and I received the same message. Any help would be appreciated!

Thanks,
John

  1. 1 Posted by John Rivera on 10 Jan, 2018 05:50 PM

    I tried sending my own key to our private server using GPG Keychain and received the same error:

    Send keys failed! (No data)
    Code = 58
    Error text:
    gpg: sending key KeyID to hkps://keyserverURL
    gpg: keyserver send failed: No data
    gpg: keyserver send failed: No data

    I went ahead and submitted a report to include my version numbers.

  2. 2 Posted by John Rivera on 10 Jan, 2018 05:53 PM

  3. Support Staff 3 Posted by Luke Le on 10 Jan, 2018 07:00 PM

    Hi John,

    the problem is that the output of GnuPG has changed. The fingerprint is now on the next line. What you are currently getting is part of the creation date.

    I'm having a look at what the quickest way to get this working might be.

  4. Support Staff 4 Posted by Luke Le on 10 Jan, 2018 07:08 PM

    If you switch your command with the following command to fetch short key id it should work again:

    SHORT_KEY="$(gpg -K --with-fingerprint --with-colons | grep "^sec:" | cut -f5 -d ':' | cut -c 9-16)"

    As an alternative you can also fetch the long key or fingerprint with the following two commands:

    LONG_KEY="$(gpg -K --with-fingerprint --with-colons | grep "^sec:" | cut -f5 -d ':')"
    FINGERPRINT="$(gpg -K --with-fingerprint --with-colons | grep "^fpr:" | cut -f10 -d ':')"

    This version should also be future proof, since it uses the output which is especially formatted for machine processing.
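An added example, not part of the original replies: selecting records by their first colon-delimited field, so that only the primary key's `fpr` record is taken (subkeys emit their own `fpr` line) and an unattended script stops if the keyring holds anything other than one secret key. The sample listing is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `gpg -K --with-fingerprint --with-colons` output.
# All key IDs and fingerprints are made up; the uid deliberately contains "sec".
sample_colons() {
cat <<'EOF'
sec:u:4096:1:1122334455667788:1515542400:::u:::scESC:::+:::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1515542400::0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F::IT Keys <sec@example.org>::::::::::0:
ssb:u:4096:1:99AABBCCDDEEFF00:1515542400::::::e:::+:::23:
fpr:::::::::11112222333344445555666699AABBCCDDEEFF00:
grp:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
EOF
}

# Print the fingerprint of each primary secret key: the first fpr record
# after a sec record. Fingerprints that follow an ssb (subkey) are skipped.
primary_fingerprints() {
  awk -F: '
    $1 == "sec" { want = 1; next }
    $1 == "ssb" { want = 0; next }
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# For v4 keys the long key ID is the last 16 hex digits of the fingerprint.
long_key_id() {
  primary_fingerprints | awk '{ print substr($0, length($0) - 15) }'
}

# Succeed only when exactly one secret key is listed; print its fingerprint.
single_fingerprint() {
  fprs="$(primary_fingerprints)"
  # Fingerprints contain no whitespace, so word splitting counts them.
  set -- $fprs
  if [ "$#" -ne 1 ]; then
    echo "expected exactly one secret key, found $#" >&2
    return 1
  fi
  printf '%s\n' "$1"
}

# Demo on the constructed listing; against a real keyring use:
#   gpg -K --with-fingerprint --with-colons | single_fingerprint
sample_colons | single_fingerprint
```

Passing the full fingerprint to `--send-key` avoids the ambiguity of 8-digit short key IDs.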

  5. 5 Posted by John Rivera on 10 Jan, 2018 07:47 PM

    Hi Luke,

    Thanks again for the help here!

    I tried all three options you've provided but I'm still getting the same message. What concerns me is that I also get the same error when uploading using the GPG Keychain GUI.

    Here's the link to the report I submitted earlier with the error from GPG Keychain: https://gpgtools.tenderapp.com/discussions/problems/66803

    Does Error 58 mean anything to you?

    Thanks again!
    John

  6. Support Staff 6 Posted by Luke Le on 10 Jan, 2018 08:55 PM

    Ah hmm... if you are around, I could have a look at it in our live support:
    https://www.hipchat.com/gEAi9viX4

  7. 7 Posted by John Rivera on 10 Jan, 2018 09:09 PM

    Thanks, Luke. I am around. However, it seems that our keyserver just went down. I'm finding out from my admin if he did this on purpose.

  8. 8 Posted by John Rivera on 10 Jan, 2018 11:09 PM

    Hi Luke,

    We disabled authentication on the private keyserver and the key uploaded right away. Now we just need to figure out why it won't work anymore with authentication. If you have any references, please let me know.

    Thanks again!
    John

  9. Support Staff 9 Posted by Luke Le on 10 Jan, 2018 11:10 PM

    I'm currently having a look into the gnupg source code. In theory basic auth should be supported.

  10. 10 Posted by John Rivera on 11 Jan, 2018 12:26 AM

    Hi Luke,

    Sorry to deviate from the topic but I was wondering if you can tell me the command to remove key(s) from our private key server. During troubleshooting, I ended up creating 3 different keys that I now need to remove.

    Thanks,
    John

  11. Support Staff 11 Posted by Luke Le on 11 Jan, 2018 12:28 AM

    Hi John,

    unfortunately there's no such thing as removing keys from a keyserver; you can only revoke them if you still have the revocation certificates. For each secret key you create, a revocation certificate is created in ~/.gnupg/openpgp-revocs.d.
    By importing the revocation certificate and sending the key to the server afterwards, you'll be able to revoke them and prevent others from importing them.

  12. 12 Posted by John Rivera on 11 Jan, 2018 12:30 AM

    That's what I thought. Thanks for the quick reply and clarification!

  13. Support Staff 13 Posted by Luke Le on 11 Jan, 2018 12:32 AM

    I'm currently filing a bug with the GnuPG team for HTTP Basic Auth, since from the source code I could now confirm that this feature no longer works. Not sure since when, but it must be quite some time already. I still believe however, that a change of your internal key server system triggered the error you were seeing.

    Let's hope they re-add Basic Auth in the future.

  14. Support Staff 14 Posted by Luke Le on 11 Jan, 2018 12:16 PM

    Quick Update: I've submitted a patch to the folks of GnuPG and they will have a look. Werner (the lead developer of GnuPG) however also questioned the security advantage of using HTTP Basic Auth.

  15. 15 Posted by John Rivera on 12 Jan, 2018 07:44 PM

    Hi Luke,

    Thank you for this. As we discussed, we wanted to prevent our own users from uploading keys to our keyserver. We want our IT department to have complete control of key management. We also frequently have contractors working with us and this is a security measure we had to take.

    As an update to removing keys from the keyserver, we found a way in case someone else is interested. The command is:
    sks drop <hash>

  16. Support Staff 16 Posted by Luke Le on 15 Jan, 2018 11:20 AM

    Hi John,

    you are absolutely right. If you are the administrator of an sks keyserver, you can of course remove an uploaded key. Sorry for the misunderstanding.

  17. 17 Posted by John Rivera on 01 Mar, 2018 08:51 PM

    Hi Luke,

    Any updates on the patch you submitted regarding http basic auth?

    Thanks,
    John

  18. Support Staff 18 Posted by Luke Le on 02 Mar, 2018 09:45 AM

    Hi John,

    unfortunately we haven't heard back from the gnupg developers and unfortunately I don't believe it is a priority for them. We might consider including the patch in our version of gnupg, but it would feel better to receive approval from the gnupg developers.

  19. 19 Posted by John Rivera on 06 Mar, 2018 06:14 PM

    Hi Luke,

    Thanks. We can certainly test it for you if you were to include it in your version. If not, are there any other ways to secure the keyserver that you can recommend?

    Thanks,
    John

  20. 20 Posted by John Rivera on 23 Apr, 2018 03:54 PM

    Hi Luke,

    Do you have any updates? As I said, we'd be willing to test this out if you include this in your next patch.

    Thanks,
    John

  21. Support Staff 21 Posted by Steve on 24 Apr, 2018 09:23 AM

    Hi John,

    we submitted a patch to gnupg in 2018 Jan. Pinged them in March and April but did not hear back :/

    You may want to ask about the state on their gnupg users mailing list.

    The patch is here: https://dev.gnupg.org/T3730

    All the best,
    steve

  22. Support Staff 22 Posted by Luke Le on 24 Apr, 2018 10:55 PM

    Hi John,

    we have now added support for HTTP auth to our version of GnuPG and the fix is included in the latest hotfix of GPG Suite.

    Please let us know if that works for you,

    Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.

  23. 23 Posted by John Rivera on 24 Apr, 2018 11:14 PM

    This is excellent news, Luke. Thank you.

    Do we have to do anything on the server side to get this to work?

    Thanks,
    John

  24. Support Staff 24 Posted by Luke Le on 25 Apr, 2018 11:53 AM

    Hi John,

    no, in theory no changes on the server side should be necessary.
    Simply change the keyserver URL to include the authentication data in the URL, so basically:

        hkp://user:[email blocked]

    Please let us know if it works.
    Thanks!
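An added example, not part of the original reply: a check for `keyserver` lines that embed credentials in the URL. HTTP Basic Auth is only base64-encoded, so over plain `hkp://` the user name and password cross the network readable, while `hkps://` wraps them in TLS. The config lines, host names and credentials below are constructed, and the function names and status labels are hypothetical.

```shell
#!/bin/sh
# Constructed dirmngr.conf / gpg.conf lines; hosts and credentials are made up.
sample_conf() {
cat <<'EOF'
# keyserver settings
keyserver hkp://ituser:s3cret@keys.example.org
keyserver hkps://ituser:s3cret@keys.example.org
keyserver hkps://keys.example.org
#keyserver hkp://old:pw@legacy.example.org
EOF
}

# Read config lines on stdin and classify every active keyserver URL:
#   OK               no credentials embedded in the URL
#   CREDS-OVER-TLS   credentials embedded, transport is hkps/https
#   CLEARTEXT-CREDS  credentials embedded, transport is not TLS
# Passwords are replaced with *** so the report is safe to log.
audit_keyserver_urls() {
  awk '
    $1 == "keyserver" && $2 ~ /^[a-z]+:\/\// {
      url = $2
      scheme = url;     sub(/:\/\/.*/, "", scheme)
      rest = url;       sub(/^[a-z]+:\/\//, "", rest)
      authority = rest; sub(/\/.*/, "", authority)
      if (authority !~ /@/) { print "OK " url; next }
      # userinfo is everything before the last "@" in the authority
      host = authority; sub(/.*@/, "", host)
      user = authority; sub(/@[^@]*$/, "", user); sub(/:.*/, "", user)
      tls = (scheme == "hkps" || scheme == "https")
      status = tls ? "CREDS-OVER-TLS" : "CLEARTEXT-CREDS"
      print status " " scheme "://" user ":***@" host
    }'
}

# Demo on the constructed lines; for a real setup use:
#   audit_keyserver_urls < ~/.gnupg/dirmngr.conf
sample_conf | audit_keyserver_urls
```

Even with `hkps://`, the password sits in the configuration file and in any script that passes the URL to `--keyserver`, so file permissions on both still matter.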

  25. Support Staff 25 Posted by Steve on 01 May, 2018 01:07 PM

    Hi John,

    were you able to give this a spin? Make sure to use the latest hotfix build as we fixed a regression in regards to the hkp patch.

    Best,
    steve

  26. 26 Posted by John Rivera on 09 May, 2018 08:11 PM

    Hi Steve,

    I installed 2151n and I was able to upload to our private key server with authentication turned on. Are there any other enhancements on this build? Should we expect this fix to make it to the release version?

    Thanks for letting us test it!

    John

  27. Support Staff 27 Posted by Steve on 09 May, 2018 08:48 PM

    That sounds good. Yeah, the fix will be included in the upcoming release.

    I'm closing this discussion. Should you need further assistance or have questions you can re-open this discussion here or open a new one any time.

    Best,
    steve

  28. Steve closed this discussion on 09 May, 2018 08:48 PM.

  29. Steve closed this discussion on 09 May, 2018 08:50 PM.
