gpg: WARNING: Tor is not properly configured
Whilst working on another problem, I suddenly discovered that I could no longer interrogate the OpenPGP keyserver network from my Debian stretch workstation:
gnoutchd@monsey:~$ gpg2 --search-keys [email protected]
gpg: WARNING: Tor is not properly configured
gpg: error searching keyserver: Permission denied
gpg: keyserver search failed: Permission denied
gnoutchd@monsey:~$
I was rather annoyed to see this, as this was with the default tor configuration that shipped with Debian. (And I know that Tor can be an unforgiving beast, so I really didn’t want to mess with my torrc.)
Fortunately, the problem went away once I cleaned up my GnuPG configuration. Apparently, the problem only happens if I:
- connect to an IPv6 network,
- put “use-tor” in my ~/.gnupg/dirmngr.conf, and
- put “keyserver hkp://pool.sks-keyservers.net” in my ~/.gnupg/gpg.conf.
With GnuPG 2.1, you’re supposed to put keyserver lines into dirmngr.conf¹, but for backwards compatibility (I presume) with pre-dirmngr GnuPG versions, gpg will still process keyserver lines in gpg.conf. But apparently this feature is buggy, at least when dirmngr is using Tor. Once I moved the keyserver line from gpg.conf to dirmngr.conf, my problem went away.²
Why does this happen? I haven’t checked, but I’d guess it’s a side-effect of a DNS leak. When gpg processes the keyserver option, it probably does a standard DNS lookup and passes the resolved IP address to dirmngr, which is responsible for keyserver lookups in GnuPG 2.1. In turn, dirmngr passes the IP to Tor, which works as long as it’s an IPv4 address. On an IPv6 network the resolver hands back an IPv6 address, and Tor refuses it: by default Tor’s SocksPort only accepts IPv4 destinations, which is exactly what the “NoIPv6Traffic” warning in the Tor log below says. (The dirmngr log names a specific pool member, keyserver.pch.net, rather than pool.sks-keyservers.net, so the pool name was resolved somewhere before the connection ever reached Tor. The SocksPort line in torrc accepts an IPv6Traffic flag that lifts the restriction, but that would only paper over the leak.)
Really, though, you always want to do DNS lookups through Tor if you’re going to contact a host through Tor; otherwise your local resolver, and anyone watching its traffic, learns which keyserver you are about to talk to, which defeats the point of using Tor in the first place. dirmngr apparently does the right thing when it gets the keyserver list directly from dirmngr.conf.
I’m not sure how I ended up with this configuration. Where did this dirmngr.conf come from? It may have been some GnuPG 1.4-to-2.1 migration procedure gone wrong, which would be a meaningful bug. I’ll likely file a bug report if I see this happen again.
Still, nice to see that GnuPG has proper Tor integration now.
The relevant log messages, for Google’s sake:
/var/log/tor/log:
Feb 05 21:44:51.000 [warn] Refusing to connect to IPv6 address [scrubbed] because Port has NoIPv6Traffic set.
systemd journal:
Feb 05 21:44:51 monsey dirmngr[2883]: can't connect to 'keyserver.pch.net': Permission denied
Feb 05 21:44:51 monsey dirmngr[2883]: error connecting to 'http://keyserver.pch.net:11371': Permission denied
Feb 05 21:44:51 monsey dirmngr[2883]: (Tor configuration problem)
Feb 05 21:44:51 monsey dirmngr[2883]: command 'KS_SEARCH' failed: Permission denied