cannot query protonmail keyserver hkps://api.protonmail.ch

gpg_dude

26 May, 2021 04:46 PM

Protonmail offers a public key server @ hkps://api.protonmail.ch as described here: https://protonmail.com/blog/address-verification-pgp-support/

I am able to successfully query it via GNUPG2 under Linux (including a self-compiled version of the latest 2.2.27 which matches the version shipped with the latest GPG Suite version 2021.1) but searches always fail when using GNUPG2 from GPG Tools with a "General error" message.

Search command syntax: gpg2 --keyserver hkps://api.protonmail.ch --search [email blocked]

Good response from a working installation (including GPG Suite version 2020.1):

gpg: searching for "[email blocked]" from hkps server api.protonmail.ch
gpg: key "[email blocked]" not found on keyserver

Failed response from GPG Suite version 2021.1:

gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

The above examples use a bogus email address, but changing that to a valid email address or GPG Key ID should also result in a successful query as seen below.

Good response for an existing email/key from a working installation (including GPG Suite version 2020.1):

gpg: data source: https://api.protonmail.ch:443
(1) [email blocked] <[email blocked]>
      EDDSA key 1234567890ABCDEF, created: YYYY-MM-DD

  1. Support Staff 1 Posted by Luke Le on 26 May, 2021 10:43 PM

    Hi gpg_dude,

    this is in fact quite curious. I wonder if GnuPG 2.2.27 or the updated version of GnuTLS is stricter when it comes to peer validation.
    I'm seeing the following error in dirmngr.log:

    2021-05-27 00:40:20 dirmngr[64881.5] TLS verification of peer failed: The certificate is NOT trusted. The received OCSP status response is invalid.

    2021-05-27 00:40:19 dirmngr[64881.5] DBG: Using TLS library: GNUTLS 3.6.15
    2021-05-27 00:40:19 dirmngr[64881.5] DBG: http.c:connect_server: trying name='api.protonmail.ch' port=443
    2021-05-27 00:40:20 dirmngr[64881.5] DBG: dns: resolve_dns_name(api.protonmail.ch): Erfolg
    2021-05-27 00:40:20 dirmngr[64881.5] DBG: http.c:1905:socket_new: object 0x00007f843a3f0880 for fd 6 created
    2021-05-27 00:40:20 dirmngr[64881.5] TLS verification of peer failed: status=0x100002
    2021-05-27 00:40:20 dirmngr[64881.5] TLS verification of peer failed: The certificate is NOT trusted. The received OCSP status response is invalid. 
    2021-05-27 00:40:20 dirmngr[64881.5] DBG: expected hostname: api.protonmail.ch
    2021-05-27 00:40:20 dirmngr[64881.5] DBG: BEGIN Certificate 'server[0]':
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:      serial: 4495756BFF642E5CA87129F50497065F19252FA9
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:   notBefore: 2019-08-09 18:14:06
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:    notAfter: 2021-08-09 18:14:06
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:      issuer: CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:     subject: CN=protonmail.com,O=Proton Technologies AG,L=Plan-les-Ouates,ST=GE,C=CH
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:         aka: (8:dns-name14:protonmail.com)
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:         aka: (8:dns-name16:*.protonmail.com)
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:         aka: (8:dns-name15:*.protonmail.ch)
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:         aka: (8:dns-name7:*.pm.me)
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:         aka: (8:dns-name15:*.protonvpn.com)
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:         aka: (8:dns-name14:*.protonvpn.ch)
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:   hash algo: 1.2.840.113549.1.1.11
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:   SHA1 fingerprint: 96A1D276108D03A3A57AE9F08D401FFB21AD6BDC
    2021-05-27 00:40:20 dirmngr[64881.5] DBG: END Certificate
    2021-05-27 00:40:20 dirmngr[64881.5] DBG: BEGIN Certificate 'server[1]':
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:      serial: 00FA1DAAEAC9B3A5FA57980B9974DA31
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:   notBefore: 2014-09-19 14:09:12
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:    notAfter: 2029-09-15 14:09:12
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:      issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:     subject: CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:   hash algo: 1.2.840.113549.1.1.11
    2021-05-27 00:40:20 dirmngr[64881.5] DBG:   SHA1 fingerprint: ADF2897316718B4525CE370082D9F123D4938F98
    2021-05-27 00:40:20 dirmngr[64881.5] DBG: END Certificate
    2021-05-27 00:40:20 dirmngr[64881.5] TLS connection authentication failed: Allgemeiner Fehler
    2021-05-27 00:40:20 dirmngr[64881.5] Fehler beim Verbinden mit 'https://api.protonmail.ch:443': Allgemeiner Fehler
    2021-05-27 00:40:20 dirmngr[64881.5] command 'KS_SEARCH' failed: Allgemeiner Fehler <Quelle nicht angegeben>
    202
    
  2. 2 Posted by gpg_dude on 26 May, 2021 11:05 PM

    Hi Luke,
    I'm not sure it's strictly GNUPG 2.2.7 since the version I self-compiled does not seem to show the same issue. I may be using a slightly older version of GNUTLS (yours shows 3.6.15 and I believe mine is 3.6.13). However, your dirmngr output notes an invalid OCSP status response received which seems to be what is causing the failure. Could you provide me with the syntax of what debug and/or tls-debug levels you have set and I can try to run the same in my environments to see what I get?

  3. Support Staff 3 Posted by Luke Le on 26 May, 2021 11:14 PM

    Sure thing. This is my dirmngr.conf

    debug-level guru
    debug-all
    gnutls-debug 1
    tls-debug 1
    log-file /tmp/dirmngr.log
    keyserver hkps://api.protonmail.ch
    
  4. 4 Posted by gpg_dude on 27 May, 2021 02:15 AM

    I'm not seeing that on my end:

    2021-05-26 22:10:56 dirmngr[94525.6] DBG: Using TLS library: GNUTLS 3.6.15
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:connect_server: trying name='api.protonmail.ch' port=443
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: dns: resolve_dns_name(api.protonmail.ch): Success
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:1905:socket_new: object 0x00007f0be02db8e0 for fd 7 created
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:request:
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: >> GET /pks/lookup?op=index&options=mr&search=[email blocked] HTTP/1.0\r\n
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: >> Host: api.protonmail.ch\r\n
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:request-header:
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: >> \r\n
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:response:
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: >> HTTP/1.0 200 OK\r\n
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'date: Thu, 27 May 2021 02:10:56 GMT'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'cache-control: max-age=0, must-revalidate, no-cache, no-store, private'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'expires: -1'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'access: application/vnd.protonmail.api+json;apiversion=3'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'pragma: no-cache'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'vary: Accept-Encoding'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'set-cookie: Session-Id=YK7-sH767iu1k23EIUsqLQAAAMg; Domain=protonmail.ch; Path=/; HttpOnly; Secure; Max-Age=7776000'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'set-cookie: Version=default; Path=/; Secure; Max-Age=7776000'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'content-length: 129'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'content-type: text/plain; charset=UTF-8'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YK7/sH767iu1k23EIUsqLQAAAMg'; style-src 'self' 'nonce-YK7/sH767iu1k23EIUsqLQAAAMg'; report-uri https://reports.protonmail.ch/reports/csp;'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'strict-transport-security: max-age=31536000; includeSubDomains; preload'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'expect-ct: max-age=2592000, enforce, report-uri="https://reports.protonmail.ch/reports/tls"'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'public-key-pins-report-only: pin-sha256="8joiNBdqaYiQpKskgtkJsqRxF7zN0C0aqfi8DacknnI="; pin-sha256="drtmcR2kFkM8qJClsuWgUzxgBkePfRCkRpqUesyDmeE="; report-uri="https://reports.protonmail.ch/reports/tls"'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'x-content-type-options: nosniff'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'x-xss-protection: 1; mode=block; report=https://reports.protonmail.ch/reports/csp'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'referrer-policy: strict-origin-when-cross-origin'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'x-permitted-cross-domain-policies: none'
    2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: ''
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: chan_6 -> S SOURCE https://api.protonmail.ch:443
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: chan_6 -> D info:1:1%0D%0A
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: chan_6 -> D pub:*****REDACTED*****:22::1573931150::%0D%0A
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: chan_6 -> D uid:[email blocked] <[email blocked]>:1573931150::%0D%0A
    2021-05-26 22:10:56 dirmngr[94525.6] DBG: chan_6 -> OK
    2021-05-26 22:10:58 dirmngr[94525.6] DBG: chan_6 <- [eof]
    2021-05-26 22:10:58 dirmngr[94525.6] handler for fd 6 terminated
    
  5. 5 Posted by gpg_dude on 27 May, 2021 08:21 PM

    I bumped up the logging levels and tried to normalize between a broken catalina system & a working linux system to see where they diverge. Hopefully this helps in tracking down and fixing the issue.

    CatalinaVM:

    dirmngr[] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_get_certs]:1897
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[find_signercert]:1973
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2329
    dirmngr[] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_get_certs]:1897
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[find_signercert]:1973
    dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
    dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
    dirmngr[] DBG: gnutls:L3: ocsp signer: subject `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', issuer `CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH', serial 0x00fa1daaeac9b3a5fa57980b9974da31, RSA key 2048 bits, signed using RSA-SHA256, activated `2014-09-19 14:09:12 UTC', expires `2029-09-15 14:09:12 UTC', pin-sha256="skyozdmp140ljrHvjRijq3v2/yQ1nyfFyBiA9uOKuw8="
    dirmngr[] DBG: gnutls:L3: ASSERT: pk.c[_wrap_nettle_pk_verify]:1479
    dirmngr[] DBG: gnutls:L3: ASSERT: pubkey.c[pubkey_verify_data]:2392
    dirmngr[] DBG: gnutls:L3: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1942
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[_ocsp_resp_verify_direct]:2122
    dirmngr[] DBG: gnutls:L2: OCSP rejection reason: The OCSP response's signature cannot be validated.
    dirmngr[] DBG: gnutls:L3: ASSERT: cert-session.c[check_ocsp_response]:313
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp-api.c[gnutls_ocsp_status_request_get2]:99
    dirmngr[] DBG: gnutls:L3: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
    dirmngr[] DBG: gnutls:L3: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
    dirmngr[] TLS verification of peer failed: status=0x100002
    dirmngr[] TLS verification of peer failed: The certificate is NOT trusted. The received OCSP status response is invalid.
    

    LinuxVM:

    dirmngr[] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
    dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
    dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
    dirmngr[] DBG: gnutls:L3: checking whether signed against: subject `CN=OCSP Responder Server Gold CA 2014 - G22,O=SwissSign AG,L=Glattbrugg,ST=ZH,C=CH', issuer `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', serial 0x755623389015240d417aadee6d6ab830a7f1cf23, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-08-15 13:43:43 UTC', expires `2021-08-15 13:43:43 UTC', pin-sha256="jAqpmRgUB+CjPIxZaQ8QOlcsSXIVSDqyxYgzDTzbWoI="
    dirmngr[] DBG: gnutls:L2: checking issuer DN
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2348
    dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[verify_crt]:679
    dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[verify_crt]:831
    dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[_gnutls_verify_crt_status]:1023
    dirmngr[] DBG: gnutls:L2: issuer in verification was not found or insecure; trying against trust list
    dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[verify_crt]:679
    dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[verify_crt]:831
    dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[_gnutls_verify_crt_status]:1023
    dirmngr[] DBG: gnutls:L3: ASSERT: verify-high.c[gnutls_x509_trust_list_verify_crt2]:1368
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2361
    dirmngr[] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
    dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
    dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
    dirmngr[] DBG: gnutls:L3: checking whether signed against: subject `CN=OCSP Responder Server Gold CA 2014 - G22,O=SwissSign AG,L=Glattbrugg,ST=ZH,C=CH', issuer `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', serial 0x755623389015240d417aadee6d6ab830a7f1cf23, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-08-15 13:43:43 UTC', expires `2021-08-15 13:43:43 UTC', pin-sha256="jAqpmRgUB+CjPIxZaQ8QOlcsSXIVSDqyxYgzDTzbWoI="
    dirmngr[] DBG: gnutls:L2: checking issuer DN
    dirmngr[] DBG: gnutls:L3: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
    dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
    dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
    dirmngr[] DBG: gnutls:L3: ocsp signer: subject `CN=OCSP Responder Server Gold CA 2014 - G22,O=SwissSign AG,L=Glattbrugg,ST=ZH,C=CH', issuer `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', serial 0x755623389015240d417aadee6d6ab830a7f1cf23, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-08-15 13:43:43 UTC', expires `2021-08-15 13:43:43 UTC', pin-sha256="jAqpmRgUB+CjPIxZaQ8QOlcsSXIVSDqyxYgzDTzbWoI="
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_get_single]:1623
    dirmngr[] DBG: gnutls:L3: ASSERT: ocsp-api.c[gnutls_ocsp_status_request_get2]:98
    dirmngr[] DBG: gnutls:L3: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
    dirmngr[] DBG: gnutls:L3: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
    dirmngr[] DBG: http.c:request:
    dirmngr[] DBG: >> GET /pks/lookup?op=index&options=mr&search=[email blocked] HTTP/1.0\r\n
    
  6. Support Staff 6 Posted by Luke Le on 27 May, 2021 08:25 PM

    Thanks!
    Based on debug output it appears that different certificates are received on Catalina and Linux which makes me wonder if different hosts answer.

    DNS for api.protonmail.ch however reports only a single IP. I'm currently not sure where to start.

  7. Support Staff 7 Posted by Luke Le on 27 May, 2021 08:29 PM

    The gnutls version of the linux version is the same as the one on macOS's gnupg version?

  8. 8 Posted by gpg_dude on 27 May, 2021 08:50 PM

    I'm not seeing different server certificates being received, but I think there is a different serial number listed in the OCSP check which I'm not super familiar with.

    Both systems had GNUPG compiled against GNUTLS 3.6.15

  9. Support Staff 9 Posted by Luke Le on 27 May, 2021 09:07 PM

    Yes, I didn't use the correct term. The OCSP signer seems to be different.
    Based on the source code it appears that a call to find_signercert doesn't return the same result on linux and on macOS. I'm not seeing any macOS or Linux specific code however, that would lead to that.

  10. Support Staff 10 Posted by Luke Le on 27 May, 2021 09:23 PM

    When you run configure for gnutls, could you please tell me what the following line says:

    checking whether to disable OCSP support... no

    I believe that your linux version has OCSP support partially disabled.

  11. 11 Posted by gpg_dude on 27 May, 2021 09:52 PM

    checking whether to disable OCSP support... no
    
  12. Support Staff 12 Posted by Luke Le on 27 May, 2021 09:55 PM

    For some reason it appears that on macOS _gnutls_x509_der_encode in gnutls_ocsp_resp_get_certs fails, whereas on linux it works as expected. Could you insert a log statement to dump the data passed into _gnutls_x509_der_encode?

    It's in gnutls-xxx/lib/x509/common.c line 852:

    result = asn1_der_coding(src, src_name, NULL, &size, NULL);
    /* this check explicitly covers the case where size == 0 && result == 0 */
    if (result != ASN1_MEM_ERROR) {
        gnutls_assert();
        return _gnutls_asn2err(result);
    }
    

    src, src_name and the result of _gnutls_asn2err(result) would be the values of interest.

  13. 13 Posted by gpg_dude on 27 May, 2021 10:22 PM

    Can you provide me with a diff? I'm not fluent in C.

    But FYI I also have this working with a version of gnupg-2.2.7 I compiled on Catalina, so I'm not sure if it's specifically a Linux vs. macOS thing.

  14. Support Staff 14 Posted by Luke Le on 27 May, 2021 10:37 PM

    Could you send me the same debug output from the working catalina version in the meantime? That would be great!

  15. Support Staff 15 Posted by Luke Le on 27 May, 2021 11:09 PM

    Ok, I found one other thing: could you check for a line
    checking whether to use the included minitasn1

    I wonder if your version does not use minitasn1

  16. Support Staff 16 Posted by Luke Le on 27 May, 2021 11:59 PM

    So yep, the asn1 library included in gnutls seems to be faulty.
    Your build is probably using libtasn1.
    Once a nightly with gnutls using libtasn1 is available, I'll update this discussion.
    Thank you for bringing this issue to our attention and for the very helpful debug info!

  17. 17 Posted by gpg_dude on 28 May, 2021 01:21 AM

    That sounds plausible as I am not using the built-in:

    checking whether to use the included minitasn1... no
    
  18. Support Staff 18 Posted by Luke Le on 28 May, 2021 11:21 PM

    So, I think we have good news.

    The newest MacGPG2 is built with gnutls linked against libtasn1.
    Could you please download our latest hotfix GPG Suite and let us know if things are working now for you?
    https://releases.gpgtools.org/nightlies/

    Thanks!

  19. 19 Posted by gpg_dude on 01 Jun, 2021 02:35 PM

    I am able to query api.protonmail.ch using the latest build, thanks.

    FYI - I had to bypass macOS security features to install that build:

    “Install” can’t be opened because Apple cannot check it for malicious software.
    
    This software needs to be updated. Contact the developer for more information.
    
    This item is on the disk image “GPG_Suite-3031n.dmg”. Safari downloaded this disk image today at 07:24.
    
  20. Support Staff 20 Posted by Steve on 01 Jun, 2021 05:17 PM

    Thanks for verifying that adding the libtasn1 library resolves the protonmail api problem.

    For the new installer problem we have filed another ticket and connected it with this discussion.

  21. Support Staff 21 Posted by Steve on 07 Jun, 2021 03:57 PM

    Hi gpg_dude,

    can you retry the latest nightly build which should open without complaining about being unable to check for malicious software:
    https://releases.gpgtools.org/nightlies/

    Best,
    Steve

  22. 22 Posted by gpg_dude on 07 Jun, 2021 04:08 PM

    That one looks good, thanks.

  23. Steve closed this discussion on 15 Jun, 2021 04:41 PM.
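
The side-by-side log comparison from comment 5 can be automated when triaging this kind of dirmngr failure. The Python script below is an added example, not part of the original discussion or of GnuPG/GPGTools; its sample lines are abridged from the two logs in the thread, and the names `triage`, `diverge` and `signer_role` are hypothetical.

```python
import re

# Constructed sample input: lines abridged from the two dirmngr logs in the thread.
BROKEN_LOG = """\
dirmngr[] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_get_certs]:1897
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[find_signercert]:1973
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2329
dirmngr[] DBG: gnutls:L3: ocsp signer: subject `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', issuer `CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH', serial 0x00fa1daaeac9b3a5fa57980b9974da31
dirmngr[] DBG: gnutls:L2: OCSP rejection reason: The OCSP response's signature cannot be validated.
dirmngr[] TLS verification of peer failed: status=0x100002
"""
WORKING_LOG = """\
dirmngr[] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2348
dirmngr[] DBG: gnutls:L3: ocsp signer: subject `CN=OCSP Responder Server Gold CA 2014 - G22,O=SwissSign AG,L=Glattbrugg,ST=ZH,C=CH', issuer `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', serial 0x755623389015240d417aadee6d6ab830a7f1cf23
dirmngr[] DBG: http.c:request:
"""
# Issuer of the server certificate, taken from the 'server[0]' dump in the thread.
LEAF_ISSUER = "CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH"

ASSERT_RE = re.compile(r"gnutls:L\d+: ASSERT: ([\w.-]+)\[(\w+)\]:\d+")
# Tolerates the HTML-escaped quote (&#39;) and lost backticks of logs pasted into web forms.
SIGNER_RE = re.compile(
    r"ocsp signer: subject\s*`?(.+?)(?:'|&#39;), issuer\s*`?(.+?)', serial (0x[0-9a-f]+)")
REJECT_RE = re.compile(r"OCSP rejection reason: (.+)")
STATUS_RE = re.compile(r"TLS verification of peer failed: status=(0x[0-9a-fA-F]+)")

def signer_role(subject, issuer, leaf_issuer):
    """Classify the OCSP signer relative to the CA that issued the server certificate."""
    if subject == leaf_issuer:
        return "issuing-ca"
    return "delegated-responder" if issuer == leaf_issuer else "unknown"

def triage(log_text, leaf_issuer=LEAF_ISSUER):
    """Collect the OCSP-related events from one dirmngr debug log."""
    report = {"ocsp_asserts": [], "signers": [], "rejections": [],
              "tls_status": [], "request_sent": False}
    for line in log_text.splitlines():
        if m := ASSERT_RE.search(line):
            if m[1] == "ocsp.c":
                report["ocsp_asserts"].append(m[2])
        elif m := SIGNER_RE.search(line):
            role = signer_role(m[1], m[2], leaf_issuer)
            report["signers"].append({"subject": m[1], "serial": m[3], "role": role})
        elif m := REJECT_RE.search(line):
            report["rejections"].append(m[1])
        elif m := STATUS_RE.search(line):
            report["tls_status"].append(m[1])
        elif "http.c:request:" in line:
            report["request_sent"] = True  # handshake passed, HKPS query went out
    return report

def diverge(broken, working):
    """Return what the failing log shows that the working log does not."""
    b, w = triage(broken), triage(working)
    return {
        "asserts_only_in_broken": sorted(set(b["ocsp_asserts"]) - set(w["ocsp_asserts"])),
        "signer_roles": ([s["role"] for s in b["signers"]], [s["role"] for s in w["signers"]]),
        "rejections": b["rejections"],
    }

if __name__ == "__main__":
    print(diverge(BROKEN_LOG, WORKING_LOG))
```

On the sample lines this reports `find_signercert` and `gnutls_ocsp_resp_get_certs` asserting only in the failing log, with the failing build checking the OCSP response against the issuing CA while the working build used the delegated responder certificate.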
