gpg: keyserver send failed: No data

John Rivera

10 Jan, 2018 12:28 AM

Hello,

I'm debugging a script that allows for unattended GPG key and revoke cert generation, upload to our private keyserver and then commit to git. This was originally developed a few versions ago so some things are no longer working. Luke helped a lot in getting the revocation certificate generation working and I very much appreciate it. Now, I'm getting an error when attempting to send to our private keyserver. Here's the function and error:

key_send() {
  echo "Start: key_send"
  echo
  echo "Send Key"
  SHORT_KEY="$(gpg -K | grep "sec " | cut -c15-22)"
  gpg --keyserver hkps://keyserverURL --send-key $SHORT_KEY
  echo "Done: key_send"
  echo
}

The error I get is:

gpg: sending key KeyID to hkps://keyserverURL
gpg: keyserver send failed: No data
gpg: keyserver send failed: No data

I tried the command on my existing key and I received the same message. Any help would be appreciated!

Thanks,
John

  1. 1 Posted by John Rivera on 10 Jan, 2018 05:50 PM

    I tried sending my own key to our private server using GPG Keychain and received the same error:

    Send keys failed! (No data)
    Code = 58
    Error text:
    gpg: sending key KeyID to hkps://keyserverURL
    gpg: keyserver send failed: No data
    gpg: keyserver send failed: No data

    I went ahead and submitted a report to include my version numbers.

  2. 2 Posted by John Rivera on 10 Jan, 2018 05:53 PM

  3. Support Staff 3 Posted by Luke Le on 10 Jan, 2018 07:00 PM

    Hi John,

    the problem is that the output of GnuPG has changed. The fingerprint is now on the next line. What you are currently getting is part of the creation date.

    I'm having a look at what the quickest way to get this working might be.

  4. Support Staff 4 Posted by Luke Le on 10 Jan, 2018 07:08 PM

    If you switch your command with the following command to fetch short key id it should work again:

    SHORT_KEY="$(gpg -K --with-fingerprint --with-colons | grep "^sec:" | cut -f5 -d ':' | cut -c 9-16)"

    As an alternative you can also fetch the long key or fingerprint with the following two commands:

    LONG_KEY="$(gpg -K --with-fingerprint --with-colons | grep "^sec:" | cut -f5 -d ':')"
    FINGERPRINT="$(gpg -K --with-fingerprint --with-colons | grep "^fpr:" | cut -f10 -d ':')"

    This version should also be future proof, since it uses the output which is especially formatted for machine processing.
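Added example, not part of the thread and not GPGTools or GnuPG code: a record-aware parser for the `--with-colons` listing discussed above. It goes beyond the one-key case by handling several secret keys and skipping subkey fingerprints; `SAMPLE` is a constructed listing and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. SAMPLE is a constructed listing in the shape of
# `gpg -K --with-colons` output; every key ID and fingerprint is made up.
SAMPLE='sec:u:4096:1:DDDD4444EEEE5555:1515542400:::u:::scESC:::+:::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:u::::1515542400::0123456789ABCDEF0123456789ABCDEF01234567::Build Bot <sec-ops@example.org>::::::::::0:
ssb:u:4096:1:6666777788889999:1515542400::::::e:::+:::23:
fpr:::::::::0000111122223333444455556666777788889999:
sec:u:4096:1:CCCC3333BBBB4444:1515628800:::u:::scESC:::+:::23::0:
fpr:::::::::FFFF0000EEEE1111DDDD2222CCCC3333BBBB4444:
uid:u::::1515628800::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Second Key <second@example.org>::::::::::0:'

# Print one primary-key fingerprint per secret key, reading the colon listing
# on stdin. Matching is on the record type in field 1, so uid text that
# happens to contain "sec" or "fpr" is ignored, and only the first fpr record
# after each sec record is taken, which skips subkey fingerprints.
primary_fingerprints() {
  awk -F: '
    $1 == "sec" { want = 1; next }
    $1 == "ssb" { want = 0; next }
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# The long key ID is the last 16 hex digits of a v4 fingerprint.
long_key_id() {
  printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 15) }'
}

# For unattended scripts: fail instead of guessing when the keyring on stdin
# does not hold exactly one secret key.
single_fingerprint() {
  fprs=$(primary_fingerprints)
  count=$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')
  if [ "$count" -ne 1 ]; then
    echo "expected 1 secret key, found $count" >&2
    return 1
  fi
  printf '%s\n' "$fprs"
}

printf '%s\n' "$SAMPLE" | primary_fingerprints
```

In a real script the listing would come from `gpg -K --with-colons` piped into `single_fingerprint`, and the full fingerprint would be passed to `--send-key` instead of a short key ID.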

  5. 5 Posted by John Rivera on 10 Jan, 2018 07:47 PM

    Hi Luke,

    Thanks again for the help here!

    I tried all three options you've provided but I'm still getting the same message. What concerns me is that I also get the same error when uploading using the GPG Keychain GUI.

    Here's the link to the report I submitted earlier with the error from GPG Keychain: https://gpgtools.tenderapp.com/discussions/problems/66803

    Does Error 58 mean anything to you?

    Thanks again!
    John

  6. Support Staff 6 Posted by Luke Le on 10 Jan, 2018 08:55 PM

    Ah hmm... if you are around, I could have a look at it in our live support:
    https://www.hipchat.com/gEAi9viX4

  7. 7 Posted by John Rivera on 10 Jan, 2018 09:09 PM

    Thanks, Luke. I am around. However, it seems that our keyserver just went down. I'm finding out from my admin if he did this on purpose.

  8. 8 Posted by John Rivera on 10 Jan, 2018 11:09 PM

    Hi Luke,

    We disabled authentication on the private keyserver and the key uploaded right away. Now we just need to figure out why it won't work anymore with authentication. If you have any references, please let me know.

    Thanks again!
    John

  9. Support Staff 9 Posted by Luke Le on 10 Jan, 2018 11:10 PM

    I'm currently having a look into the gnupg source code. In theory basic auth should be supported.

  10. 10 Posted by John Rivera on 11 Jan, 2018 12:26 AM

    Hi Luke,

    Sorry to deviate from the topic but I was wondering if you can tell me the command to remove key(s) from our private key server. During troubleshooting, I ended up creating 3 different keys that I now need to remove.

    Thanks,
    John


  11. Support Staff 11 Posted by Luke Le on 11 Jan, 2018 12:28 AM

    Hi John,

    unfortunately there's no such thing as removing keys from a keyserver, you can only revoke them if you still have the revocation certificates. For each secret key you create, a revocation certificate is created in ~/.gnupg/openpgp-revocs.d
    By importing the revocation certificate and sending the key to the server afterwards, you'll be able to revoke them and prevent others from importing them.

  12. 12 Posted by John Rivera on 11 Jan, 2018 12:30 AM

    That's what I thought. Thanks for the quick reply and clarification!

  13. Support Staff 13 Posted by Luke Le on 11 Jan, 2018 12:32 AM

    I'm currently filing a bug with the GnuPG team for HTTP Basic Auth, since from the source code I could now confirm that this feature no longer works. Not sure since when, but it must be quite some time already. I still believe however, that a change of your internal key server system triggered the error you were seeing.

    Let's hope they re-add Basic Auth in the future.

  14. Support Staff 14 Posted by Luke Le on 11 Jan, 2018 12:16 PM

    Quick Update: I've submitted a patch to the folks of GnuPG and they will have a look. Werner (the lead developer of GnuPG) however also questioned the security advantage of using HTTP Basic Auth.

  15. 15 Posted by John Rivera on 12 Jan, 2018 07:44 PM

    Hi Luke,

    Thank you for this. As we discussed, we wanted to prevent our own users from uploading keys to our keyserver. We want our IT department to have complete control of key management. We also frequently have contractors working with us and this is a security measure we had to take.

    As an update to removing keys from the keyserver, we found a way in case someone else is interested. The command is:
    sks drop <hash>

  16. Support Staff 16 Posted by Luke Le on 15 Jan, 2018 11:20 AM

    Hi John,

    you are absolutely right. If you are the administrator of an sks keyserver, you can of course remove an uploaded key. Sorry for the misunderstanding.
