GPGTools Discussion: HKPS keyserver support (discussions/problems/28674-hkps; last updated 2014-12-30T18:32:08Z)

Comment, 2014-10-22T12:57:24Z:
<div><p>Right now GPGTools uses a plaintext HKP connection to the
keyserver (and that, combined with auto-key-retrieve, poses a serious
privacy risk). Also this lowers the bar a lot for key forging if
the user is not checking signatures: now the attacker just needs to
control the network to swap a key on the fly, instead of the
keyserver.</p>
<p>The issue with HKPS is that the system curl on OS X < 10.10
is outdated and fails to verify the certificate chain
(<code>gpgkeys: HTTP search error 60: SSL certificate problem:
Invalid certificate chain</code>), so you need to brew curl and add
<code>depends_on</code> to the gpg2 Formula.</p>
<p>Then, you'll want the following lines in conf:</p>
<pre>
<code>keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/Users/filippo/.gnupg/sks-keyservers.netCA.pem
keyserver-options include-revoked
keyserver-options no-honor-keyserver-url
keyserver-options no-try-dns-srv</code>
</pre>
<p>Ref: <a href=
"https://github.com/Homebrew/homebrew/pull/33460">https://github.com/Homebrew/homebrew/pull/33460</a></p></div>
Filippo Valsorda

Comment, 2014-10-22T14:19:05Z:
<div><p>Hey Filippo,</p>
<p>this is much more efficient than Twitter :)</p>
<p>Thanks for taking the time to gather this info. I hope that we
can indeed solve this. We got our head stuck around 10.10 at the
moment so no promises. But as Luke already said: this has been on
the To-Do for a while now and it would be great to get it
fixed.</p>
<p>Regards,<br>
steve</p></div>
Steve

Comment, 2014-10-29T09:01:04Z:
<div><p>Thanks for that, very helpful! Used it to follow through with
the OpenPGP Best Practices from riseup (<a href=
"https://help.riseup.net/en/security/message-security/openpgp/best-practices">https://help.riseup.net/en/security/message-security/openpgp/best-p...</a>).</p></div>
Lars

Comment, 2014-10-30T12:52:29Z:
<div><p>Managed to get through to brewing curl (removing the original
Mac OS X version, and linking the Homebrew version instead, correct?)
and modifying the conf file. But how do you "add
<code>depends_on</code> to the gpg2 Formula"?</p>
<p>It would have been great if Filippo had provided just a bit more
detail so that common users could follow and secure their
setup.</p>
<p>Thanks for any guidelines someone might provide.</p></div>
Nicolas

Comment, 2014-10-30T13:13:45Z:
<div><p>@Nicolas I upstreamed the fix to Homebrew if you are building
your own gnupg, so in that case you only need <code>brew update
&& brew upgrade</code>.</p>
<p>If instead you are using GPGTools I'm afraid I can't help you
since I don't know how to recompile the packaged binaries. This is
something that needs to be addressed by an update (or instructions)
from the team.</p></div>
bip

Comment, 2014-10-30T13:19:54Z:
<div><p>Thanks for the quick response.<br>
Got it. I thought that the described fix could be usable with the
standard package.<br>
I have not gotten into building my own binaries yet, so I guess
that's that.<br>
Will have to wait until it is updated.</p>
<p>Thanks!</p></div>
Nicolas

Comment, 2014-11-19T21:44:52Z:
<div><p>We've a ticket for this problem:</p>
<p><a href=
"https://gpgtools.lighthouseapp.com/projects/66001-macgpg2/tickets/119">
https://gpgtools.lighthouseapp.com/projects/66001-macgpg2/tickets/119</a></p>
<p>If this discussion gets closed, it will be re-opened as soon as
the ticket is closed so you'll receive a notification. Feel free to
open a new discussion should you run into further problems or need
assistance.</p></div>
Steve

Comment, 2014-12-21T13:06:11Z:
<div><p>Hi all,</p>
<p>the hkps sks cluster is our new default key server and should be
working.</p>
<p>If you want to test this and provide feedback, grab the latest
GPG Suite nightly from <a href=
"https://releases.gpgtools.org/nightlies/">https://releases.gpgtools.org/nightlies/</a>.</p>
<p>All the best,<br>
steve</p></div>
Steve
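A small audit script, added here and not part of this thread or of GPGTools, that checks a gpg.conf for the setup Filippo described in the first post: it flags a plaintext hkp:// keyserver (worse when combined with auto-key-retrieve), an hkps keyserver without the pool CA file, and a ca-cert-file path that does not exist. The two sample configs and the /Users/example path are constructed for the example, and the file_exists parameter is an assumption added so the check can run without touching the filesystem.

```python
"""Audit a gpg.conf (GnuPG 2.0-era syntax) for the hkps keyserver setup from the thread; sample configs are constructed."""
import os
from urllib.parse import urlsplit

# Options from the hkps configuration quoted in the thread; their absence is reported as a note.
RECOMMENDED_OPTIONS = {"no-honor-keyserver-url", "no-try-dns-srv"}

# Constructed sample: plaintext HKP plus auto-key-retrieve, the combination the first post warns about.
PLAINTEXT_CONF = "keyserver hkp://pool.sks-keyservers.net\nkeyserver-options auto-key-retrieve\n"
# Constructed sample: the hkps setup from the thread, with the home directory replaced by a placeholder.
HKPS_CONF = """keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/Users/example/.gnupg/sks-keyservers.netCA.pem
keyserver-options include-revoked no-honor-keyserver-url no-try-dns-srv
"""

def parse_gpg_conf(text):
    """Return (keyserver URL or None, set of keyserver-options, set of bare option names)."""
    keyserver, options, flags = None, set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "keyserver":
            keyserver = value                         # a later keyserver line overrides earlier ones
        elif key == "keyserver-options":
            options.update(value.replace(",", " ").split())   # space- or comma-separated list
        else:
            flags.add(key)
    return keyserver, options, flags

def audit_gpg_conf(text, file_exists=os.path.isfile):
    """Return findings as (severity, message) tuples; an empty list means the hkps setup is in place."""
    keyserver, options, flags = parse_gpg_conf(text)
    if keyserver is None:
        return [("warn", "no keyserver configured; gpg falls back to its compiled-in default")]
    findings = []
    scheme = urlsplit(keyserver).scheme.lower()
    if scheme != "hkps":
        findings.append(("high", f"keyserver {keyserver} is not hkps: lookups travel in the clear and replies are unauthenticated"))
        if "auto-key-retrieve" in options or "auto-key-retrieve" in flags:
            findings.append(("high", "auto-key-retrieve over plaintext HKP reveals which keys you verify to anyone on the path"))
    else:
        ca_files = [o.partition("=")[2] for o in options if o.startswith("ca-cert-file=")]
        if not ca_files:
            findings.append(("high", "hkps without ca-cert-file: the sks-keyservers.net pool uses its own CA, which the system trust store does not contain"))
        findings.extend(("high", f"ca-cert-file {p} does not exist; hkps lookups will fail") for p in ca_files if not file_exists(p))
    findings.extend(("note", f"keyserver-options {o} not set") for o in sorted(RECOMMENDED_OPTIONS - options))
    return findings
```

Run `audit_gpg_conf(open(os.path.expanduser("~/.gnupg/gpg.conf")).read())` to check a real config; an empty list means the thread's hkps configuration is in place.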