tag:gpgtools.tenderapp.com,2011-11-04:/discussions/problems/111369-cannot-query-protonmail-keyserver-hkpsapiprotonmailch
GPGTools: Discussion 2022-03-30T00:06:54Z
tag:gpgtools.tenderapp.com,2011-11-04:Comment/49216859
cannot query protonmail keyserver hkps://api.protonmail.ch
2021-05-26T22:43:11Z <div><p>Hi gpg_dude,</p>
<p>this is in fact quite curious. I wonder if GnuPG 2.2.27 or the updated version of GnuTLS is stricter when it comes to peer validation.<br>
I'm seeing the following error in dirmngr.log:</p>
<p><code>2021-05-27 00:40:20 dirmngr[64881.5] TLS verification of peer failed: The certificate is NOT trusted. The received OCSP status response is invalid.</code></p>
<pre>
<code>2021-05-27 00:40:19 dirmngr[64881.5] DBG: Using TLS library: GNUTLS 3.6.15
2021-05-27 00:40:19 dirmngr[64881.5] DBG: http.c:connect_server: trying name='api.protonmail.ch' port=443
2021-05-27 00:40:20 dirmngr[64881.5] DBG: dns: resolve_dns_name(api.protonmail.ch): Erfolg
2021-05-27 00:40:20 dirmngr[64881.5] DBG: http.c:1905:socket_new: object 0x00007f843a3f0880 for fd 6 created
2021-05-27 00:40:20 dirmngr[64881.5] TLS verification of peer failed: status=0x100002
2021-05-27 00:40:20 dirmngr[64881.5] TLS verification of peer failed: The certificate is NOT trusted. The received OCSP status response is invalid.
2021-05-27 00:40:20 dirmngr[64881.5] DBG: expected hostname: api.protonmail.ch
2021-05-27 00:40:20 dirmngr[64881.5] DBG: BEGIN Certificate 'server[0]':
2021-05-27 00:40:20 dirmngr[64881.5] DBG: serial: 4495756BFF642E5CA87129F50497065F19252FA9
2021-05-27 00:40:20 dirmngr[64881.5] DBG: notBefore: 2019-08-09 18:14:06
2021-05-27 00:40:20 dirmngr[64881.5] DBG: notAfter: 2021-08-09 18:14:06
2021-05-27 00:40:20 dirmngr[64881.5] DBG: issuer: CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH
2021-05-27 00:40:20 dirmngr[64881.5] DBG: subject: CN=protonmail.com,O=Proton Technologies AG,L=Plan-les-Ouates,ST=GE,C=CH
2021-05-27 00:40:20 dirmngr[64881.5] DBG: aka: (8:dns-name14:protonmail.com)
2021-05-27 00:40:20 dirmngr[64881.5] DBG: aka: (8:dns-name16:*.protonmail.com)
2021-05-27 00:40:20 dirmngr[64881.5] DBG: aka: (8:dns-name15:*.protonmail.ch)
2021-05-27 00:40:20 dirmngr[64881.5] DBG: aka: (8:dns-name7:*.pm.me)
2021-05-27 00:40:20 dirmngr[64881.5] DBG: aka: (8:dns-name15:*.protonvpn.com)
2021-05-27 00:40:20 dirmngr[64881.5] DBG: aka: (8:dns-name14:*.protonvpn.ch)
2021-05-27 00:40:20 dirmngr[64881.5] DBG: hash algo: 1.2.840.113549.1.1.11
2021-05-27 00:40:20 dirmngr[64881.5] DBG: SHA1 fingerprint: 96A1D276108D03A3A57AE9F08D401FFB21AD6BDC
2021-05-27 00:40:20 dirmngr[64881.5] DBG: END Certificate
2021-05-27 00:40:20 dirmngr[64881.5] DBG: BEGIN Certificate 'server[1]':
2021-05-27 00:40:20 dirmngr[64881.5] DBG: serial: 00FA1DAAEAC9B3A5FA57980B9974DA31
2021-05-27 00:40:20 dirmngr[64881.5] DBG: notBefore: 2014-09-19 14:09:12
2021-05-27 00:40:20 dirmngr[64881.5] DBG: notAfter: 2029-09-15 14:09:12
2021-05-27 00:40:20 dirmngr[64881.5] DBG: issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
2021-05-27 00:40:20 dirmngr[64881.5] DBG: subject: CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH
2021-05-27 00:40:20 dirmngr[64881.5] DBG: hash algo: 1.2.840.113549.1.1.11
2021-05-27 00:40:20 dirmngr[64881.5] DBG: SHA1 fingerprint: ADF2897316718B4525CE370082D9F123D4938F98
2021-05-27 00:40:20 dirmngr[64881.5] DBG: END Certificate
2021-05-27 00:40:20 dirmngr[64881.5] TLS connection authentication failed: Allgemeiner Fehler
2021-05-27 00:40:20 dirmngr[64881.5] Fehler beim Verbinden mit 'https://api.protonmail.ch:443': Allgemeiner Fehler
2021-05-27 00:40:20 dirmngr[64881.5] command 'KS_SEARCH' failed: Allgemeiner Fehler <Quelle nicht angegeben>
202</code>
</pre></div>Luke Le
2021-05-26T23:05:49Z <div><p>Hi Luke,<br>
I'm not sure it's strictly GNUPG 2.2.7 since the version I self-compiled does not seem to show the same issue. I may be using a slightly older version of GNUTLS (yours shows 3.6.15 and I believe mine is 3.6.13). However, your dirmngr output notes an invalid OCSP status response received which seems to be what is causing the failure. Could you provide me with the syntax of what debug and/or tls-debug levels you have set and I can try to run the same in my environments to see what I get?</p></div>gpg_dude
2021-05-26T23:14:20Z <div><p>Sure thing. This is my dirmngr.conf</p>
<pre>
<code>debug-level guru
debug-all
gnutls-debug 1
tls-debug 1
log-file /tmp/dirmngr.log
keyserver hkps://api.protonmail.ch</code>
</pre></div>Luke Le
2021-05-27T02:15:27Z 2021-05-27T02:48:10Z <div><p>I'm not seeing that on my end:<br></p>
<pre>
<code>2021-05-26 22:10:56 dirmngr[94525.6] DBG: Using TLS library: GNUTLS 3.6.15
2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:connect_server: trying name='api.protonmail.ch' port=443
2021-05-26 22:10:56 dirmngr[94525.6] DBG: dns: resolve_dns_name(api.protonmail.ch): Success
2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:1905:socket_new: object 0x00007f0be02db8e0 for fd 7 created
2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:request:
2021-05-26 22:10:56 dirmngr[94525.6] DBG: >> GET /pks/lookup?op=index&options=mr&search=redacted@domain.com HTTP/1.0\r\n
2021-05-26 22:10:56 dirmngr[94525.6] DBG: >> Host: api.protonmail.ch\r\n
2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:request-header:
2021-05-26 22:10:56 dirmngr[94525.6] DBG: >> \r\n
2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:response:
2021-05-26 22:10:56 dirmngr[94525.6] DBG: >> HTTP/1.0 200 OK\r\n
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'date: Thu, 27 May 2021 02:10:56 GMT'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'cache-control: max-age=0, must-revalidate, no-cache, no-store, private'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'expires: -1'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'access: application/vnd.protonmail.api+json;apiversion=3'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'pragma: no-cache'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'vary: Accept-Encoding'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'set-cookie: Session-Id=YK7-sH767iu1k23EIUsqLQAAAMg; Domain=protonmail.ch; Path=/; HttpOnly; Secure; Max-Age=7776000'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'set-cookie: Version=default; Path=/; Secure; Max-Age=7776000'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'content-length: 129'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'content-type: text/plain; charset=UTF-8'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YK7/sH767iu1k23EIUsqLQAAAMg'; style-src 'self' 'nonce-YK7/sH767iu1k23EIUsqLQAAAMg'; report-uri https://reports.protonmail.ch/reports/csp;'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'strict-transport-security: max-age=31536000; includeSubDomains; preload'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'expect-ct: max-age=2592000, enforce, report-uri="https://reports.protonmail.ch/reports/tls"'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'public-key-pins-report-only: pin-sha256="8joiNBdqaYiQpKskgtkJsqRxF7zN0C0aqfi8DacknnI="; pin-sha256="drtmcR2kFkM8qJClsuWgUzxgBkePfRCkRpqUesyDmeE="; report-uri="https://reports.protonmail.ch/reports/tls"'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'x-content-type-options: nosniff'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'x-xss-protection: 1; mode=block; report=https://reports.protonmail.ch/reports/csp'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'referrer-policy: strict-origin-when-cross-origin'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: 'x-permitted-cross-domain-policies: none'
2021-05-26 22:10:56 dirmngr[94525.6] http.c:RESP: ''
2021-05-26 22:10:56 dirmngr[94525.6] DBG: chan_6 -> S SOURCE https://api.protonmail.ch:443
2021-05-26 22:10:56 dirmngr[94525.6] DBG: chan_6 -> D info:1:1%0D%0A
2021-05-26 22:10:56 dirmngr[94525.6] DBG: chan_6 -> D pub:********REDACTED********:22::1573931150::%0D%0A
2021-05-26 22:10:56 dirmngr[94525.6] DBG: chan_6 -> D uid:redacted@domain.com <redacted@domain.com>:1573931150::%0D%0A
2021-05-26 22:10:56 dirmngr[94525.6] DBG: chan_6 -> OK
2021-05-26 22:10:58 dirmngr[94525.6] DBG: chan_6 <- [eof]
2021-05-26 22:10:58 dirmngr[94525.6] handler for fd 6 terminated</code>
</pre></div>gpg_dude
2021-05-27T20:21:16Z <div><p>I bumped up the logging levels and tried to normalize between a broken catalina system & a working linux system to see where they diverge. Hopefully this helps in tracking down and fixing the issue.</p>
<p>CatalinaVM:<br></p>
<pre>
<code>dirmngr[] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_get_certs]:1897
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[find_signercert]:1973
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2329
dirmngr[] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_get_certs]:1897
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[find_signercert]:1973
dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
dirmngr[] DBG: gnutls:L3: ocsp signer: subject `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', issuer `CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH', serial 0x00fa1daaeac9b3a5fa57980b9974da31, RSA key 2048 bits, signed using RSA-SHA256, activated `2014-09-19 14:09:12 UTC', expires `2029-09-15 14:09:12 UTC', pin-sha256="skyozdmp140ljrHvjRijq3v2/yQ1nyfFyBiA9uOKuw8="
dirmngr[] DBG: gnutls:L3: ASSERT: pk.c[_wrap_nettle_pk_verify]:1479
dirmngr[] DBG: gnutls:L3: ASSERT: pubkey.c[pubkey_verify_data]:2392
dirmngr[] DBG: gnutls:L3: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1942
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[_ocsp_resp_verify_direct]:2122
dirmngr[] DBG: gnutls:L2: OCSP rejection reason: The OCSP response's signature cannot be validated.
dirmngr[] DBG: gnutls:L3: ASSERT: cert-session.c[check_ocsp_response]:313
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp-api.c[gnutls_ocsp_status_request_get2]:99
dirmngr[] DBG: gnutls:L3: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
dirmngr[] DBG: gnutls:L3: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
dirmngr[] TLS verification of peer failed: status=0x100002
dirmngr[] TLS verification of peer failed: The certificate is NOT trusted. The received OCSP status response is invalid.</code>
</pre>
<p>LinuxVM:<br></p>
<pre>
<code>dirmngr[] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
dirmngr[] DBG: gnutls:L3: checking whether signed against: subject `CN=OCSP Responder Server Gold CA 2014 - G22,O=SwissSign AG,L=Glattbrugg,ST=ZH,C=CH', issuer `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', serial 0x755623389015240d417aadee6d6ab830a7f1cf23, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-08-15 13:43:43 UTC', expires `2021-08-15 13:43:43 UTC', pin-sha256="jAqpmRgUB+CjPIxZaQ8QOlcsSXIVSDqyxYgzDTzbWoI="
dirmngr[] DBG: gnutls:L2: checking issuer DN
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2348
dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[verify_crt]:679
dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[verify_crt]:831
dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[_gnutls_verify_crt_status]:1023
dirmngr[] DBG: gnutls:L2: issuer in verification was not found or insecure; trying against trust list
dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[verify_crt]:679
dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[verify_crt]:831
dirmngr[] DBG: gnutls:L3: ASSERT: verify.c[_gnutls_verify_crt_status]:1023
dirmngr[] DBG: gnutls:L3: ASSERT: verify-high.c[gnutls_x509_trust_list_verify_crt2]:1368
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2361
dirmngr[] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
dirmngr[] DBG: gnutls:L3: checking whether signed against: subject `CN=OCSP Responder Server Gold CA 2014 - G22,O=SwissSign AG,L=Glattbrugg,ST=ZH,C=CH', issuer `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', serial 0x755623389015240d417aadee6d6ab830a7f1cf23, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-08-15 13:43:43 UTC', expires `2021-08-15 13:43:43 UTC', pin-sha256="jAqpmRgUB+CjPIxZaQ8QOlcsSXIVSDqyxYgzDTzbWoI="
dirmngr[] DBG: gnutls:L2: checking issuer DN
dirmngr[] DBG: gnutls:L3: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
dirmngr[] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
dirmngr[] DBG: gnutls:L3: ocsp signer: subject `CN=OCSP Responder Server Gold CA 2014 - G22,O=SwissSign AG,L=Glattbrugg,ST=ZH,C=CH', issuer `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', serial 0x755623389015240d417aadee6d6ab830a7f1cf23, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-08-15 13:43:43 UTC', expires `2021-08-15 13:43:43 UTC', pin-sha256="jAqpmRgUB+CjPIxZaQ8QOlcsSXIVSDqyxYgzDTzbWoI="
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_get_single]:1623
dirmngr[] DBG: gnutls:L3: ASSERT: ocsp-api.c[gnutls_ocsp_status_request_get2]:98
dirmngr[] DBG: gnutls:L3: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
dirmngr[] DBG: gnutls:L3: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
dirmngr[] DBG: http.c:request:
dirmngr[] DBG: >> GET /pks/lookup?op=index&options=mr&search=redacted@domain.com HTTP/1.0\r\n</code>
</pre></div>gpg_dude
2021-05-27T20:25:59Z <div><p>Thanks!<br>
Based on debug output it appears that different certificates are received on Catalina and Linux which makes me wonder if different hosts answer.</p>
<p>DNS for api.protonmail.ch however reports only a single IP. I'm currently not sure where to start.</p></div>Luke Le
2021-05-27T20:29:06Z <div><p>The gnutls version of the linux version is the same as the one on macOS's gnupg version?</p></div>Luke Le
2021-05-27T20:50:16Z <div><p>I'm not seeing different server certificates being received, but I think there is a different serial number listed in the OCSP check which I'm not super familiar with.</p>
<p>Both systems had GNUPG compiled against GNUTLS 3.6.15</p></div>gpg_dude
2021-05-27T21:07:25Z <div><p>Yes, I didn't use the correct term. The OCSP signer seems to be different.<br>
Based on the source code it appears that a call to find_signercert doesn't return the same result on linux and on macOS. I'm not seeing any macOS or Linux specific code however, that would lead to that.</p></div>Luke Le
2021-05-27T21:23:27Z <div><p>When you run configure for gnutls, could you please tell me what the following line says:</p>
<p>checking whether to disable OCSP support... no</p>
<p>I believe that your linux version has OCSP support partially disabled.</p></div>Luke Le
2021-05-27T21:52:27Z <div><pre>
<code>checking whether to disable OCSP support... no</code>
</pre></div>gpg_dude
2021-05-27T21:55:58Z <div><p>For some reason it appears that on macOS _gnutls_x509_der_encode in gnutls_ocsp_resp_get_certs fails, whereas on linux it works as expected. Could you insert a log statement to dump the data passed into _gnutls_x509_der_encode?</p>
<p>It's in gnutls-xxx/lib/x509/common.c line 852:</p>
<pre>
<code>    result = asn1_der_coding(src, src_name, NULL, &size, NULL);
    /* this check explicitly covers the case where size == 0 && result == 0 */
    if (result != ASN1_MEM_ERROR) {
        gnutls_assert();
        return _gnutls_asn2err(result);
    }</code>
</pre>
<p><code>src</code>, <code>src_name</code> and the result of <code>_gnutls_asn2err(result)</code> would be the values of interest.</p></div>Luke Le
2021-05-27T22:22:10Z <div><p>Can you provide me with a diff? I'm not fluent in C.</p>
<p>But FYI I also have this working with a version of gnupg-2.2.7 I compiled on Catalina, so I'm not sure if it's specifically a Linux vs. macOS thing.</p></div>gpg_dude
2021-05-27T22:37:24Z <div><p>Could you send me the same debug output from the working catalina version in the meantime? That would be great!</p></div>Luke Le
2021-05-27T23:09:18Z <div><p>Ok, I found one other thing: could you check for a line<br>
<code>checking whether to use the included minitasn1</code></p>
<p>I wonder if your version does not use minitasn1</p></div>Luke Le
2021-05-27T23:59:23Z <div><p>So yep, the asn1 library included in gnutls seems to be faulty.<br>
Your build is probably using libtasn1.<br>
Once a nightly with gnutls using libtasn1 is available, I'll update this discussion.<br>
Thank you for bringing this issue to our attention and for the very helpful debug info!</p></div>Luke Le
2021-05-28T01:21:35Z <div><p>That sounds plausible as I am not using the built-in:<br></p>
<pre>
<code>checking whether to use the included minitasn1... no</code>
</pre></div>gpg_dude
2021-05-28T23:21:22Z <div><p>So, I think we have good news.</p>
<p>The newest MacGPG2 is built with gnutls linked against libtasn1.<br>
Could you please download our latest hotfix GPG Suite and let us know if things are working now for you?<br>
<a href="https://releases.gpgtools.org/nightlies/">https://releases.gpgtools.org/nightlies/</a></p>
<p>Thanks!</p></div>Luke Le
2021-06-01T14:35:41Z <div><p>I am able to query api.protonmail.ch using the latest build, thanks.</p>
<p>FYI - I had to bypass macOS security features to install that build:</p>
<pre>
<code>“Install” can’t be opened because Apple cannot check it for malicious software.
This software needs to be updated. Contact the developer for more information.
This item is on the disk image “GPG_Suite-3031n.dmg”. Safari downloaded this disk image today at 07:24.</code>
</pre></div>gpg_dude
2021-06-01T17:17:15Z <div><p>Thanks for verifying that adding the libtasn1 library resolves the protonmail api problem.</p>
<p>For the new installer problem we have filed another ticket and connected it with this discussion.</p></div>Steve
2021-06-07T15:57:27Z <div><p>Hi gpg_dude,</p>
<p>can you retry the latest nightly build which should open without complaining about being unable to check for malicious software:<br>
<a href="https://releases.gpgtools.org/nightlies/">https://releases.gpgtools.org/nightlies/</a></p>
<p>Best,<br>
Steve</p></div>Steve
2021-06-07T16:08:41Z <div><p>That one looks good, thanks.</p></div>gpg_dude
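<p>Added example, not part of the original thread and not GnuPG or GnuTLS code: the by-hand comparison of a failing and a working dirmngr log from this discussion, done as a script that strips timestamps and pids, lists the gnutls ASSERT sites, extracts the OCSP signer and rejection reason, and decodes the <code>status=</code> word. The two sample logs are constructed, shortened excerpts of lines posted above; the flag names are a subset of GnuTLS's <code>gnutls_certificate_status_t</code>, and all function names in the script are made up for this example.</p>

```python
import re

# Subset of GnuTLS gnutls_certificate_status_t bits, enough for this thread.
STATUS_BITS = {
    1 << 1: "GNUTLS_CERT_INVALID",
    1 << 19: "GNUTLS_CERT_MISSING_OCSP_STATUS",
    1 << 20: "GNUTLS_CERT_INVALID_OCSP_STATUS",
}
PREFIX = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d dirmngr\[[^\]]*\]")
ASSERT = re.compile(r"gnutls:L\d+: ASSERT: (\S+?)\[(\w+)\]:\d+")
SIGNER = re.compile(r"ocsp signer: subject `([^']*)', issuer `([^']*)'")
REASON = re.compile(r"OCSP rejection reason: (.*)")
STATUS = re.compile(r"TLS verification of peer failed: status=(0x[0-9a-fA-F]+)")

# Constructed sample input: shortened excerpts modelled on the logs in the thread.
BROKEN = """\
2021-05-27 00:40:20 dirmngr[64881.5] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
2021-05-27 00:40:20 dirmngr[64881.5] DBG: gnutls:L3: ASSERT: ocsp.c[gnutls_ocsp_resp_get_certs]:1897
2021-05-27 00:40:20 dirmngr[64881.5] DBG: gnutls:L3: ASSERT: ocsp.c[find_signercert]:1973
2021-05-27 00:40:20 dirmngr[64881.5] DBG: gnutls:L3: ocsp signer: subject `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH', issuer `CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH'
2021-05-27 00:40:20 dirmngr[64881.5] DBG: gnutls:L2: OCSP rejection reason: The OCSP response's signature cannot be validated.
2021-05-27 00:40:20 dirmngr[64881.5] TLS verification of peer failed: status=0x100002
"""
WORKING = """\
2021-05-26 22:10:56 dirmngr[94525.6] DBG: gnutls:L3: ASSERT: common.c[_gnutls_x509_der_encode]:855
2021-05-26 22:10:56 dirmngr[94525.6] DBG: gnutls:L3: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
2021-05-26 22:10:56 dirmngr[94525.6] DBG: gnutls:L3: ocsp signer: subject `CN=OCSP Responder Server Gold CA 2014 - G22,O=SwissSign AG,L=Glattbrugg,ST=ZH,C=CH', issuer `CN=SwissSign Server Gold CA 2014 - G22,O=SwissSign AG,C=CH'
2021-05-26 22:10:56 dirmngr[94525.6] DBG: http.c:request:
"""


def normalize(line):
    """Drop timestamp and pid so logs from two hosts line up."""
    return PREFIX.sub("dirmngr[]", line.rstrip())


def summarize(log):
    """Collect the OCSP-related facts from a dirmngr log (gnutls-debug enabled)."""
    out = {"asserts": [], "signer": None, "issuer": None, "reason": None, "status": []}
    for line in map(normalize, log.splitlines()):
        if m := ASSERT.search(line):
            out["asserts"].append(f"{m.group(1)}:{m.group(2)}")
        elif m := SIGNER.search(line):
            out["signer"], out["issuer"] = m.groups()
        elif m := REASON.search(line):
            out["reason"] = m.group(1)
        elif m := STATUS.search(line):
            word = int(m.group(1), 16)
            out["status"] = [n for bit, n in sorted(STATUS_BITS.items()) if word & bit]
    return out


def first_divergence(a, b):
    """First differing ASSERT site, compared as file:function (line numbers vary by build)."""
    for i, (x, y) in enumerate(zip(a["asserts"], b["asserts"])):
        if x != y:
            return i, x, y
    return None


if __name__ == "__main__":
    bad, good = summarize(BROKEN), summarize(WORKING)
    print("broken :", bad["signer"], "|", bad["reason"], "|", bad["status"])
    print("first differing ASSERT site:", first_divergence(bad, good))
```

<p>On the sample input the first differing site is <code>gnutls_ocsp_resp_get_certs</code>, the function singled out in the discussion, and the two runs report different OCSP signer subjects.</p>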