cannot query protonmail keyserver hkps://api.protonmail.ch
Protonmail offers a public key server @ hkps://api.protonmail.ch as described here: https://protonmail.com/blog/address-verification-pgp-support/
I am able to successfully query it via GNUPG2 under Linux (including a self-compiled version of the latest 2.2.27 which matches the version shipped with the latest GPG Suite version 2021.1) but searches always fail when using GNUPG2 from GPG Tools with a "General error" message.
Search command syntax:
gpg2 --keyserver hkps://api.protonmail.ch --search [email blocked]
Good response from a working installation (including GPG Suite version 2020.1):
gpg: searching for "[email blocked]" from hkps server api.protonmail.ch
gpg: key "[email blocked]" not found on keyserver
Failed response from GPG Suite version 2021.1:
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error
The above examples use a bogus email address, but changing that to a valid email address or GPG Key ID should also result in a successful query as seen below.
Good response for an existing email/key from a working installation (including GPG Suite version 2020.1):
gpg: data source: https://api.protonmail.ch:443
(1) [email blocked] <[email blocked]>
    EDDSA key 1234567890ABCDEF, created: YYYY-MM-DD
Support Staff 1 Posted by Luke Le on 26 May, 2021 10:43 PM
This is in fact quite curious. I wonder if GnuPG 2.2.27 or the updated version of GnuTLS is stricter when it comes to peer validation.
I'm seeing the following error in dirmngr.log:
2021-05-27 00:40:20 dirmngr[64881.5] TLS verification of peer failed: The certificate is NOT trusted. The received OCSP status response is invalid.
2 Posted by gpg_dude on 26 May, 2021 11:05 PM
I'm not sure it's strictly GNUPG 2.2.7 since the version I self-compiled does not seem to show the same issue. I may be using a slightly older version of GNUTLS (yours shows 3.6.15 and I believe mine is 3.6.13). However, your dirmngr output notes an invalid OCSP status response received which seems to be what is causing the failure. Could you provide me with the syntax of what debug and/or tls-debug levels you have set and I can try to run the same in my environments to see what I get?
Support Staff 3 Posted by Luke Le on 26 May, 2021 11:14 PM
Sure thing. This is my dirmngr.conf
4 Posted by gpg_dude on 27 May, 2021 02:15 AM
I'm not seeing that on my end:
5 Posted by gpg_dude on 27 May, 2021 08:21 PM
I bumped up the logging levels and tried to normalize between a broken Catalina system & a working Linux system to see where they diverge. Hopefully this helps in tracking down and fixing the issue.
Support Staff 6 Posted by Luke Le on 27 May, 2021 08:25 PM
Based on debug output it appears that different certificates are received on Catalina and Linux which makes me wonder if different hosts answer.
DNS for api.protonmail.ch however reports only a single IP. I'm currently not sure where to start.
Support Staff 7 Posted by Luke Le on 27 May, 2021 08:29 PM
Is the gnutls version of the Linux build the same as the one in macOS's gnupg build?
8 Posted by gpg_dude on 27 May, 2021 08:50 PM
I'm not seeing different server certificates being received, but I think there is a different serial number listed in the OCSP check which I'm not super familiar with.
Both systems had GNUPG compiled against GNUTLS 3.6.15
Support Staff 9 Posted by Luke Le on 27 May, 2021 09:07 PM
Yes, I didn't use the correct term. The OCSP signer seems to be different.
Based on the source code it appears that a call to find_signercert doesn't return the same result on Linux and on macOS. I'm not seeing any macOS or Linux specific code however, that would lead to that.
Support Staff 10 Posted by Luke Le on 27 May, 2021 09:23 PM
When you run configure for gnutls, could you please tell me what the following line says:
checking whether to disable OCSP support... no
I believe that your Linux version has OCSP support partially disabled.
11 Posted by gpg_dude on 27 May, 2021 09:52 PM
Support Staff 12 Posted by Luke Le on 27 May, 2021 09:55 PM
For some reason it appears that on macOS _gnutls_x509_der_encode in gnutls_ocsp_resp_get_certs fails, whereas on Linux it works as expected. Could you insert a log statement to dump the data passed into _gnutls_x509_der_encode?
It's in gnutls-xxx/lib/x509/common.c line 852: src_name and the result of _gnutls_asn2err(result) would be the values of interest.
13 Posted by gpg_dude on 27 May, 2021 10:22 PM
Can you provide me with a diff? I'm not fluent in C.
But FYI I also have this working with a version of gnupg-2.2.7 I compiled on Catalina, so I'm not sure if it's specifically a Linux vs. macOS thing.
Support Staff 14 Posted by Luke Le on 27 May, 2021 10:37 PM
Could you send me the same debug output from the working Catalina version in the meantime? That would be great!
Support Staff 15 Posted by Luke Le on 27 May, 2021 11:09 PM
Ok, I found one other thing: could you check for a line
checking whether to use the included minitasn1
I wonder if your version does not use minitasn1
Support Staff 16 Posted by Luke Le on 27 May, 2021 11:59 PM
So yep, the asn1 library included in gnutls seems to be faulty.
Your build is probably using libtasn1.
Once a nightly with gnutls using libtasn1 is available, I'll update this discussion.
Thank you for bringing this issue to our attention and for the very helpful debug info!
17 Posted by gpg_dude on 28 May, 2021 01:21 AM
That sounds plausible as I am not using the built-in:
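The thread above converges on two checks: whether dirmngr's log shows GnuTLS rejecting the peer over an invalid OCSP status response, and whether the GnuTLS that dirmngr uses was configured with the bundled minitasn1 rather than a separate libtasn1. The following script is an added example that automates those checks; it is not code from GPG Tools, GnuPG or GnuTLS and was not posted in this discussion. The function names are hypothetical, and the log and configure excerpts it feeds itself are constructed samples (the first log line is the one quoted earlier in the thread). It assumes a dirmngr.log and a saved transcript of GnuTLS's configure run as inputs.

```shell
#!/usr/bin/env bash
# Added diagnostic helper for the failure discussed in this thread (a keyserver
# search that dies with "General error" because GnuTLS inside dirmngr rejects
# the peer's OCSP status response). Hypothetical script, not part of GPG Suite,
# GnuPG or GnuTLS; the log and configure excerpts below are constructed samples.
set -u

# Classify a dirmngr.log file. Prints one of:
#   ocsp-invalid  TLS peer verification failed on an invalid OCSP status response
#   tls-failed    TLS peer verification failed for some other reason
#   ok            no TLS peer-verification failure logged
classify_dirmngr_log() {
  local log="$1"
  if grep -q 'TLS verification of peer failed' "$log"; then
    if grep -q 'OCSP status response is invalid' "$log"; then
      echo ocsp-invalid
    else
      echo tls-failed
    fi
  else
    echo ok
  fi
}

# Pull the answer ("yes"/"no") that GnuTLS's configure printed for one
# "checking ..." question out of a saved transcript. Empty if the line is absent.
configure_answer() {
  local transcript="$1" question="$2"
  grep -i "$question" "$transcript" | head -n1 | sed 's/.*\.\.\. *//'
}

# Which ASN.1 DER library the GnuTLS build uses. Prints:
#   minitasn1  the copy bundled with GnuTLS (the build that failed in this thread)
#   libtasn1   the separately installed libtasn1 (the build that worked)
#   unknown    configure line not found in the transcript
asn1_backend() {
  case "$(configure_answer "$1" 'whether to use the included minitasn1')" in
    yes) echo minitasn1 ;;
    no)  echo libtasn1 ;;
    *)   echo unknown ;;
  esac
}

# Whether OCSP support was compiled into GnuTLS (prints yes/no/unknown).
ocsp_support() {
  case "$(configure_answer "$1" 'whether to disable OCSP support')" in
    no)  echo yes ;;
    yes) echo no ;;
    *)   echo unknown ;;
  esac
}

# Combine both findings into a one-line verdict for the operator.
diagnose() {
  local log="$1" transcript="$2" status backend
  status=$(classify_dirmngr_log "$log")
  backend=$(asn1_backend "$transcript")
  if [ "$status" = ocsp-invalid ] && [ "$backend" = minitasn1 ]; then
    echo "match: OCSP response rejected by a GnuTLS built with bundled minitasn1; rebuild GnuTLS against libtasn1"
  elif [ "$status" = ocsp-invalid ]; then
    echo "ocsp-invalid with asn1 backend '$backend': inspect the OCSP responder and certificate chain"
  else
    echo "no OCSP verification failure in log (status=$status, asn1=$backend)"
  fi
}

# --- constructed sample inputs; the first log line is the one quoted in this thread ---
BROKEN_LOG=$(mktemp); LINUX_LOG=$(mktemp); MAC_CFG=$(mktemp); LINUX_CFG=$(mktemp)
trap 'rm -f "$BROKEN_LOG" "$LINUX_LOG" "$MAC_CFG" "$LINUX_CFG"' EXIT
cat >"$BROKEN_LOG" <<'EOF'
2021-05-27 00:40:20 dirmngr[64881.5] TLS verification of peer failed: The certificate is NOT trusted. The received OCSP status response is invalid.
EOF
cat >"$LINUX_LOG" <<'EOF'
2021-05-27 00:40:20 dirmngr[1234.5] listening on socket '/tmp/dirmngr-example/S.dirmngr'
EOF
cat >"$MAC_CFG" <<'EOF'
checking whether to disable OCSP support... no
checking whether to use the included minitasn1... yes
EOF
cat >"$LINUX_CFG" <<'EOF'
checking whether to disable OCSP support... no
checking whether to use the included minitasn1... no
EOF

diagnose "$BROKEN_LOG" "$MAC_CFG"   # the macOS build from this thread
diagnose "$LINUX_LOG" "$LINUX_CFG"  # the working Linux build
```

On a real system, point `diagnose` at the dirmngr log you get by setting `log-file` and `debug-level guru` in dirmngr.conf (then `gpgconf --kill dirmngr` so it restarts with the new options) and at a transcript captured with `./configure ... 2>&1 | tee configure.log` from the GnuTLS source tree. The `ocsp_support` check is kept separate because a build with OCSP compiled out never reaches the failing path at all, which is the other possibility raised in the thread before minitasn1 was identified.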
Support Staff 18 Posted by Luke Le on 28 May, 2021 11:21 PM
So, I think we have good news.
The newest MacGPG2 is built with gnutls linked against libtasn1.
Could you please download our latest hotfix GPG Suite and let us know if things are working now for you?
19 Posted by gpg_dude on 01 Jun, 2021 02:35 PM
I am able to query api.protonmail.ch using the latest build, thanks.
FYI - I had to bypass macOS security features to install that build:
Support Staff 20 Posted by Steve on 01 Jun, 2021 05:17 PM
Thanks for verifying that adding the libtasn1 library resolves the protonmail api problem.
For the new installer problem we have filed another ticket and connected it with this discussion.
Support Staff 21 Posted by Steve on 07 Jun, 2021 03:57 PM
Can you retry the latest nightly build, which should open without complaining about being unable to check for malicious software:
22 Posted by gpg_dude on 07 Jun, 2021 04:08 PM
That one looks good, thanks.
Steve closed this discussion on 15 Jun, 2021 04:41 PM.