HKPS keyserver support
Right now GPGTools uses a plaintext HKP connection to the keyserver (and that combined with auto-key-retrieve poses a serious privacy risk). Also this lowers the bar a lot for key forging if the user is not checking signatures: now the attacker needs just to control the network to swap a key on the fly, instead of the keyserver.
The issue with HKPS is that the system curl on OS X < 10.10 is outdated and fails to verify the certificate chain ("gpgkeys: HTTP search error 60: SSL certificate problem: Invalid certificate chain"), so you need to brew curl and add depends_on to the gpg2 Formula.
Then, you'll want the following lines in conf:
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/Users/filippo/.gnupg/sks-keyservers.netCA.pem
keyserver-options include-revoked
keyserver-options no-honor-keyserver-url
keyserver-options no-try-dns-srv
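As an added example (not code from the original post, from Homebrew or from GPGTools), here is a small Python audit that applies the points above to a gpg.conf: it flags a plaintext hkp:// keyserver, auto-key-retrieve combined with plaintext transport, an hkps:// keyserver with no ca-cert-file, and the missing no-honor-keyserver-url / no-try-dns-srv options. Both sample configurations are constructed for the example; the hardened one mirrors the lines in the post.

```python
"""Audit a gpg.conf for the keyserver-transport issues raised in the thread."""
import shlex
from urllib.parse import urlparse

# Constructed sample: the risky default (plaintext HKP plus auto-key-retrieve).
INSECURE_CONF = """\
# keyserver settings
keyserver hkp://pool.sks-keyservers.net
keyserver-options auto-key-retrieve
"""

# Constructed sample mirroring the hardened lines from the post.
HARDENED_CONF = """\
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/Users/filippo/.gnupg/sks-keyservers.netCA.pem
keyserver-options include-revoked
keyserver-options no-honor-keyserver-url
keyserver-options no-try-dns-srv
"""


def parse_gpg_conf(text):
    """Return (keyserver_url, keyserver_options, other_option_names).

    gpg.conf holds one directive per line and '#' starts a comment.
    'keyserver-options' may appear several times and may carry several
    space- or comma-separated options on one line, so they are accumulated.
    """
    keyserver = None
    ks_opts = set()
    other = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        name, args = parts[0], parts[1:]
        if name == "keyserver" and args:
            keyserver = args[0]          # last 'keyserver' line wins, as in gpg
        elif name == "keyserver-options":
            for arg in args:
                ks_opts.update(o for o in arg.split(",") if o)
        else:
            other.add(name)
    return keyserver, ks_opts, other


def audit_gpg_conf(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    keyserver, ks_opts, other = parse_gpg_conf(text)
    scheme = urlparse(keyserver).scheme if keyserver else None
    findings = []
    if scheme != "hkps":
        findings.append("keyserver is not hkps://: lookups and fetched keys travel in plaintext")
    # auto-key-retrieve is a keyserver-option in gpg 2.0 and a top-level option in 2.1+.
    if ("auto-key-retrieve" in ks_opts or "auto-key-retrieve" in other) and scheme != "hkps":
        findings.append("auto-key-retrieve over plaintext HKP reveals which keys you verify")
    if scheme == "hkps" and not any(o.startswith("ca-cert-file=") for o in ks_opts):
        findings.append("hkps without ca-cert-file: the pool CA may not be trusted by the system curl")
    if "no-honor-keyserver-url" not in ks_opts:
        findings.append("no-honor-keyserver-url not set: a key's preferred-keyserver URL can redirect lookups")
    if "no-try-dns-srv" not in ks_opts:
        findings.append("no-try-dns-srv not set: unauthenticated DNS SRV records can redirect the connection")
    return findings


if __name__ == "__main__":
    for label, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_gpg_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Point `audit_gpg_conf` at the contents of `~/.gnupg/gpg.conf` to check a real setup; the hardened sample produces no findings, the insecure one produces four.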
Support Staff 1 Posted by Steve on 22 Oct, 2014 02:19 PM
Hey Filippo,
this is much more efficient than Twitter :)
Thanks for taking the time to gather this info. I hope that we can indeed solve this. We got our head stuck around 10.10 at the moment so no promises. But as Luke already said: this has been on the To-Do for a while now and it would be great to get it fixed.
Regards,
steve
2 Posted by Lars on 29 Oct, 2014 09:01 AM
Thanks for that, very helpful! Used it to follow through with the OpenPGP Best Practices from riseup (https://help.riseup.net/en/security/message-security/openpgp/best-p...).
3 Posted by Nicolas on 30 Oct, 2014 12:52 PM
Managed to get through to brewing curl (removing the original Mac OS X version, and linking the Homebrew version instead, correct?) and modifying the conf file. But how do you "add depends_on to the gpg2 Formula"? It would have been great if Filippo had provided just a bit more detail so that common users could follow and secure their setup.
Thanks for any guidelines someone might provide.
4 Posted by bip on 30 Oct, 2014 01:13 PM
@Nicolas I upstreamed the fix to Homebrew if you are building your own gnupg, so in that case you only need brew update && brew upgrade. If instead you are using GPGTools I'm afraid I can't help you since I don't know how to recompile the packaged binaries. This is something that needs to be addressed by an update (or instructions) from the team.
5 Posted by Nicolas on 30 Oct, 2014 01:19 PM
Thanks for the quick response.
Got it. I thought that the described fix could be usable with the standard package.
I have not gotten into building my own binaries yet, so I guess that's that.
Will have to wait until it is updated.
Thanks !
Support Staff 6 Posted by Steve on 19 Nov, 2014 09:44 PM
We've a ticket for this problem:
https://gpgtools.lighthouseapp.com/projects/66001-macgpg2/tickets/119
If this discussion gets closed, it will be re-opened as soon as the ticket is closed so you'll receive a notification. Feel free to open a new discussion should you run into further problems or need assistance.
Support Staff 7 Posted by Steve on 21 Dec, 2014 01:06 PM
Hi all,
the hkps sks cluster is our new default key server and should be working.
If you want to test this and provide feedback, grab the latest GPG Suite nightly from https://releases.gpgtools.org/nightlies/ .
All the best,
steve
Steve closed this discussion on 24 Dec, 2014 08:45 AM.