HKPS keyserver support

Filippo Valsorda

22 Oct, 2014 12:57 PM

Right now GPGTools uses a plaintext HKP connection to the keyserver (and that combined with auto-key-retrieve poses a serious privacy risk). Also this lowers the bar a lot for key forging if the user is not checking signatures: now the attacker needs just to control the network to swap a key on the fly, instead of the keyserver.

The issue with HKPS is that the system curl on OS X < 10.10 is outdated and fails to verify the certificate chain (gpgkeys: HTTP search error 60: SSL certificate problem: Invalid certificate chain), so you need to brew curl and add depends_on to the gpg2 Formula.

Then, you'll want the following lines in conf:

keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/Users/filippo/.gnupg/sks-keyservers.netCA.pem
keyserver-options include-revoked
keyserver-options no-honor-keyserver-url
keyserver-options no-try-dns-srv

Ref: https://github.com/Homebrew/homebrew/pull/33460
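Added example (not from Filippo's post, GPGTools or Homebrew): a small Python audit of a gpg.conf that flags the plaintext-HKP setup the post warns about and checks the hkps settings listed above. The two sample configs are constructed here; `WEAK_CONF` is the risky combination described in the first paragraph, `HARDENED_CONF` is the block from the post. `ca-cert-file` and `auto-key-retrieve` are the GnuPG 2.0 keyserver options the post and the manual use.

```python
from urllib.parse import urlsplit

# Constructed sample: the weak setup the post describes (plaintext HKP plus
# automatic key retrieval).
WEAK_CONF = """\
keyserver hkp://pool.sks-keyservers.net
keyserver-options auto-key-retrieve
"""

# The hardened settings from the post (ca-cert-file path as given there).
HARDENED_CONF = """\
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/Users/filippo/.gnupg/sks-keyservers.netCA.pem
keyserver-options include-revoked
keyserver-options no-honor-keyserver-url
keyserver-options no-try-dns-srv
"""


def parse_gpg_conf(text):
    """Return (keyserver URLs, keyserver options) from gpg.conf text.

    Options map name -> value; bare flags map to True. A top-level
    `auto-key-retrieve` line (gpg 2.1+ spelling) is folded into the options.
    """
    keyservers = []
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "keyserver" and value:
            keyservers.append(value)
        elif key == "keyserver-options":
            for opt in value.split():
                name, _, val = opt.partition("=")
                options[name] = val or True
        elif key == "auto-key-retrieve":
            options[key] = True
    return keyservers, options


def audit_gpg_conf(text):
    """Return a list of findings; an empty list means the setup matches the post."""
    keyservers, options = parse_gpg_conf(text)
    findings = []
    if not keyservers:
        findings.append("no keyserver line configured")
    for url in keyservers:
        scheme = urlsplit(url).scheme.lower()  # a bare hostname (no scheme) means hkp
        if scheme != "hkps":
            findings.append(f"plaintext keyserver {url}: keys can be swapped in transit")
            if options.get("auto-key-retrieve"):
                findings.append("auto-key-retrieve over plaintext HKP: every unknown "
                                "signature triggers a lookup visible to the network")
        elif not options.get("ca-cert-file"):
            findings.append(f"hkps keyserver {url} without ca-cert-file: an outdated "
                            "system curl cannot validate the pool certificate chain")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_gpg_conf(conf) or ["ok"])
```

Run it against your own ~/.gnupg/gpg.conf by reading the file into `audit_gpg_conf`; it only reads the text and never contacts a keyserver.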

  1. Support Staff 1 Posted by Steve on 22 Oct, 2014 02:19 PM

    Hey Filippo,

    this is much more efficient than Twitter :)

    Thanks for taking the time to gather this info. I hope that we can indeed solve this. We got our head stuck around 10.10 at the moment so no promises. But as Luke already said: this has been on the To-Do for a while now and it would be great to get it fixed.

    Regards,
    steve

  2. 2 Posted by Lars on 29 Oct, 2014 09:01 AM

    Thanks for that, very helpful! Used it to follow through with the OpenPGP Best Practices from riseup (https://help.riseup.net/en/security/message-security/openpgp/best-p...).

  3. 3 Posted by Nicolas on 30 Oct, 2014 12:52 PM

    Managed to get through to brewing curl (removing the original Mac OS X version, and linking the Homebrew version instead, correct?) and modifying the conf file. But how do you "add depends_on to the gpg2 Formula"?

    It would have been great if Filippo had provided just a bit more detail so that common users could follow and secure their setup.

    Thanks for any guidelines someone might provide.

  4. 4 Posted by bip on 30 Oct, 2014 01:13 PM

    @Nicolas I upstreamed the fix to Homebrew if you are building your own gnupg, so in that case you only need brew update && brew upgrade.

    If instead you are using GPGTools I'm afraid I can't help you since I don't know how to recompile the packaged binaries. This is something that needs to be addressed by an update (or instructions) from the team.

  5. 5 Posted by Nicolas on 30 Oct, 2014 01:19 PM

    Thanks for the quick response.
    Got it. I thought that the described fix could be usable with the standard package.
    I have not gotten into building my own binaries yet, so I guess that's that.
    Will have to wait until it is updated.

    Thanks!

  6. Support Staff 6 Posted by Steve on 19 Nov, 2014 09:44 PM

    We've a ticket for this problem:

    https://gpgtools.lighthouseapp.com/projects/66001-macgpg2/tickets/119

    If this discussion gets closed, it will be re-opened as soon as the ticket is closed so you'll receive a notification. Feel free to open a new discussion should you run into further problems or need assistance.

  7. Support Staff 7 Posted by Steve on 21 Dec, 2014 01:06 PM

    Hi all,

    the hkps sks cluster is our new default key server and should be working.

    If you want to test this and provide feedback, grab the latest GPG Suite nightly from https://releases.gpgtools.org/nightlies/ .

    All the best,
    steve

  8. Steve closed this discussion on 24 Dec, 2014 08:45 AM.
