Complete install of services on DigitalOcean.
Stalls during GPG key refresh
https://github.com/StreisandEffect/streisand/blob/fcfb0d560cd4c8fa20e55c5a49ac111bf80b175b/playbooks/roles/gpg/tasks/main.yml#L78
Manually running GPG refresh on target host shows following error of signatures being too large for keyring.
# gpg2 --no-default-keyring --keyring /root/.gnupg/streisand/pubring.gpg --keyserver-options timeout=120 --refresh
gpg: refreshing 10 keys from hkps://hkps.pool.sks-keyservers.net
gpg: key 4D4D5458: "Corban Raun <[email protected]>" not changed
gpg: key F67DA905: "Jay Carlson <[email protected]>" not changed
gpg: key A7A356D6: "Joshua Lund <[email protected]>" not changed
gpg: key BF0F6049: "Daniel McCarney <[email protected]>" not changed
gpg: key DD3AAAA3: "Michał Trojnara <[email protected]>" not changed
gpg: key B43434E4: "PuTTY Releases <[email protected]>" not changed
gpg: error writing keyring '/root/.gnupg/streisand/pubring.gpg': Provided object is too large
gpg: key 93298290: "Tor Browser Developers (signing key) <[email protected]>" 100103 new signatures
gpg: key 93298290: "Tor Browser Developers (signing key) <[email protected]>" 1 new subkey
gpg: key 96865171: "Nikos Mavrogiannopoulos <[email protected]>" 22 new signatures
gpg: key 7F343FA7: "Nikos Mavrogiannopoulos <[email protected]>" not changed
gpg: key 2F2B01E7: "OpenVPN - Security Mailing List <[email protected]>" 39 new signatures
gpg: key 2F2B01E7: "OpenVPN - Security Mailing List <[email protected]>" 2 new subkeys
gpg: Total number processed: 10
gpg: unchanged: 7
gpg: new subkeys: 3
gpg: new signatures: 100164
gpg: not imported: 1
also seeing this on a non-DO host, trying several different keyservers
The 100,000 signatures on the TOR key may be related to the SKS Keyserver attack reported elsewhere: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
This is pretty annoying (at least on the Vagrant VMs) to troubleshoot.
In @plattrap's link, the recommended alternative key server is keys.openpgp.org, however if you replace the streisand_gpg_keyserver_address variable in the gpg role default, you'll get another error:
2019-07-07 04:02:08 dirmngr[24101.1] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
2019-07-07 04:02:08 dirmngr[24101.1] TLS verification of peer failed: status=0x0042
2019-07-07 04:02:08 dirmngr[24101.1] TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown.
2019-07-07 04:02:08 dirmngr[24101.1] DBG: expected hostname: keys.openpgp.org
2019-07-07 04:02:08 dirmngr[24101.1] DBG: BEGIN Certificate 'server[0]':
2019-07-07 04:02:08 dirmngr[24101.1] DBG: serial: 03D804FE5B5614E157F04E714A7BEBC64E91
2019-07-07 04:02:08 dirmngr[24101.1] DBG: notBefore: 2019-06-07 13:24:06
2019-07-07 04:02:08 dirmngr[24101.1] DBG: notAfter: 2019-09-05 13:24:06
2019-07-07 04:02:08 dirmngr[24101.1] DBG: issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
2019-07-07 04:02:08 dirmngr[24101.1] DBG: subject: CN=keys.openpgp.org
2019-07-07 04:02:08 dirmngr[24101.1] DBG: hash algo: 1.2.840.113549.1.1.11
2019-07-07 04:02:08 dirmngr[24101.1] DBG: SHA1 fingerprint: 163C12F44D3D2597904C2A86C091B9A7464E8BC4
2019-07-07 04:02:08 dirmngr[24101.1] DBG: END Certificate
2019-07-07 04:02:08 dirmngr[24101.1] DBG: BEGIN Certificate 'server[1]':
2019-07-07 04:02:08 dirmngr[24101.1] DBG: serial: 0A0141420000015385736A0B85ECA708
2019-07-07 04:02:08 dirmngr[24101.1] DBG: notBefore: 2016-03-17 16:40:46
2019-07-07 04:02:08 dirmngr[24101.1] DBG: notAfter: 2021-03-17 16:40:46
2019-07-07 04:02:08 dirmngr[24101.1] DBG: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2019-07-07 04:02:08 dirmngr[24101.1] DBG: subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
2019-07-07 04:02:08 dirmngr[24101.1] DBG: hash algo: 1.2.840.113549.1.1.11
2019-07-07 04:02:08 dirmngr[24101.1] DBG: SHA1 fingerprint: E6A3B45B062D509B3382282D196EFE97D5956CCB
2019-07-07 04:02:08 dirmngr[24101.1] DBG: END Certificate
2019-07-07 04:02:08 dirmngr[24101.1] TLS connection authentication failed: General error
2019-07-07 04:02:08 dirmngr[24101.1] error connecting to 'https://keys.openpgp.org:443': General error
2019-07-07 04:02:08 dirmngr[24101.1] TLS verification of peer failed: status=0x0042
2019-07-07 04:02:08 dirmngr[24101.1] TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown.
The LetsEncrypt CA isn't loaded by GnuPG's dirmngr service by default. So, you'd need to download the certificates from LetsEncrypt's certificates page and specify them in the dirmngr.conf file, like so:
hkp-cacert /path/to/isrgrootx1.pem
keyserver hkps://keys.openpgp.org
However, there's two problems with this approach. One, there's hidden binary data within the file, so you'd need to strip that beforehand. Second, there's a long running bug in the OpenSSL parser (https://github.com/openssl/openssl/issues/1381) that prevents certificates from being read correctly. It's supposedly resolved, but that brings us to another issue…
So, I had the thought of simply mitigating the need to use the alternative keys.openpgp.org at all. What would be a better alternative than keyserver.ubuntu.com? Well, the administrators misconfigured a server behind it, cassava.canonical.com's SSL certificate targets don't match.
root@streisand-host:/etc/ssl/certs# curl https://cassava.canonical.com
curl: (51) SSL: certificate subject name (keyserver.ubuntu.com) does not match target host name 'cassava.canonical.com'
Them fixing this wouldn't necessary solve the issue either because of another issue. In short, dirmngr doesn't read system certificates in the current published version of GnuPG 2. The feature was added in 2.2.x: https://dev.gnupg.org/rG7c1613d41566f7d8db116790087de323621205fe
While we have…
root@streisand-host:/etc/ssl/certs# gpg2 --version
gpg (GnuPG) 2.1.11
It's almost 2 am, so I'm gonna stop digging for the night. I hope these notes help anyone else curious about this.
Same problem. Are there any temp solutions?
i changed playbooks/roles/gpg/vars/main.yml to the following:
streisand_gpg_keyserver_address: "hkp://pgp.surfnet.nl"
which seemed to work OK. of course, you should do due diligence if your thread model involves compromised key servers.
Looks like the problem is not with the key server but the ssh keys.
The Key 96865171 <[email protected]> has been recently revoked.
Also seems like some of the other ones are too big (4096R and 3072R vs 2048R ) and the gpg2 has problems with it ( or that's what I've read ).
I've fixed it by commenting out all those keys from the vars file (playbooks/roles/gpg/vars/main.yml)
# Which keys from files/ do we add to the keyring in first setup? These keys are
# trusted ultimately to verify software signatures during Streisand provisioning.
streisand_bootstrap_gpg_keys:
# OpenVPN release signing key
# - [email protected]
# Openconnect
# - [email protected]
# - [email protected]
# Tor browser release signing key
# - [email protected]
# PuTTY release signing key
- [email protected]
# Stunnel release signing key
- [email protected]
# Streisand maintainer - Github @cpu
- [email protected]
# Streisand maintainer - Github @jlund
- [email protected]
# Streisand maintainer - Github @nopdotcom
- [email protected]
# Streisand maintainer - Github @CorbanR
- [email protected]
# Streisand maintainer - Github @alimakki (Commented out for now because it
# breaks CI)
#- [email protected]
In my case I'm only configuring WireGuard so it works just fine. I guess they will have to figure out which are the correct keys to add so it knows how to refresh them from the server.
What worked for me is changing streisand_gpg_keyserver_address to hkp://pgp.mit.edu:80
I don't use streisand but, related to @jpmontez 's troubleshooting above, I ran across similar hkps: connectivity issues trying to connect to the new keyserver hkps://keys.openpgp.org in the (older) GnuPG 2.0.14, which does not have the dirmngr component.
In my case, the secret sauce was to manually specify the ca-cert-file key server option in my ~/.gnupg/gpg.conf file. This option sets the CAfile setting for the NSS SSL/TLS library, which is used by curl to connect to the secure key server.
keyserver hkps://keys.openpgp.org
keyserver-options ca-cert-file=/etc/pki/tls/certs/ca-bundle.crt
On another server with slightly newer GnuPG 2.0.22 (but still no dirmngr), that gpg was able to connect to hkps://keys.openpgp.org without any ca-cert-file option explicitly set. However while debugging, I noticed that NSS' CAfile was already correctly set to the system-wide certificate authority bundle file.
The correct ca-cert-file path will differ depending on the underlying operating system.
The alternative hkp: based key servers that @maxthomas and @lucasff mentioned above also bypass these SSL/TLS connectivity issues, by avoiding key server encryption/security entirely. The hkp: method is like plain-text HTTP vs. hkps: is more equivalent to encrypted HTTPS.
Here's what worked for me (git patch file included below). I tested this by enabling all Streisand features/services (including Tor). I put the changes into a git patch file which you can grab from the gist URL below, and apply with git am < 0001-Move-to-Mozilla-GPG-Keyserver-fix-a-few-GPG-verifica.patch:
https://gist.github.com/nickgnazzo/e7204e35c281e30c8fbdde08f72af1c4#file-0001-move-to-mozilla-gpg-keyserver-fix-a-few-gpg-verifica-patch
The tl;dr steps:
cd /path/to/Streisand/repocurl -O https://gist.githubusercontent.com/nickgnazzo/e7204e35c281e30c8fbdde08f72af1c4/raw/b9e4066c85e315774134d8721d916022d15e718e/0001-Move-to-Mozilla-GPG-Keyserver-fix-a-few-GPG-verifica.patchgit am < 0001-Move-to-Mozilla-GPG-Keyserver-fix-a-few-GPG-verifica.patchSummary of changes made:
keys.openpgp.org (which has some mitigations against the SKS Keyserver attack) won't work _yet_. There's an issue causing gpg2 to fail to refresh keys when no "user ID" information is available. The problem here's two-fold, keys.openpgp.org requires email verification in order to allow publishing keys with their email address attached, and gpg2 refuses to process keys that have no user ID when refreshing. So by default, if you don't opt-in/verify your email address with OpenPGP, they won't publish the email associated with a public key (so when you run gpg2 refresh, you get the public keys without any user ID info), and then gpg2 refuses to process/import the keys. Meaning in order for this to work, you either have to wait for every key owner in Streisand's keyring to verfiy their email/identity with OpenPGP, or wait for GnuPG to fix the issue with the gpg2 client (or some other workaround I haven't thought of). The people running the OpenPGP keyserver are "working with" the GnuPG maintainers to address the problem (they mention it here).gpg2 refresh: gpg: key XXXXXXXXXXXXXXXX: no user IDC3C07136 (which seems to be Georg Koppen's pubkey), but they have switched to using the pubkey with user ID "The Tor Browser Developers" (D9FF06E2). Both of these key IDs are on Tor's signing keys page. AF131CAE to 5ACFEAC6 within Streisand's variables and that made the verification pass for me. 5ACFEAC6 in a few keyservers).playbooks/roles/gpg/files/ and are imported using the variable streisand_bootstrap_gpg_keys (referenced by another task).B43434E4 to 4AE8DA82 within Streisand variables.Here's what worked for me:
# - name: "Refresh the Streisand GPG keyring with keyserver information"
# command: "gpg2 {{ streisand_default_gpg_flags }} {{ streisand_default_key_import_flags }} --refresh"
# register: gpg2_refresh_result
# until: "gpg2_refresh_result is success"
# retries: 10
# delay: 5
# # NOTE(@cpu): We skip the keyring refresh in CI so that when the static keys
# # in the repo become too stale to be used without successsful refresh the
# # maintainers will notice failed builds and fix them by refreshing their own
# # keyrings and updating the static repo keys until the build passes again.
# when: not streisand_ci
same issue here.
Fixed in #1604; reopen if it's still an issue.
Most helpful comment
Here's what worked for me (git patch file included below). I tested this by enabling all Streisand features/services (including Tor). I put the changes into a git patch file which you can grab from the gist URL below, and apply with
git am < 0001-Move-to-Mozilla-GPG-Keyserver-fix-a-few-GPG-verifica.patch:https://gist.github.com/nickgnazzo/e7204e35c281e30c8fbdde08f72af1c4#file-0001-move-to-mozilla-gpg-keyserver-fix-a-few-gpg-verifica-patch
The tl;dr steps:
cd /path/to/Streisand/repocurl -O https://gist.githubusercontent.com/nickgnazzo/e7204e35c281e30c8fbdde08f72af1c4/raw/b9e4066c85e315774134d8721d916022d15e718e/0001-Move-to-Mozilla-GPG-Keyserver-fix-a-few-GPG-verifica.patchgit am < 0001-Move-to-Mozilla-GPG-Keyserver-fix-a-few-GPG-verifica.patchSummary of changes made:
keys.openpgp.org(which has some mitigations against the SKS Keyserver attack) won't work _yet_. There's an issue causing gpg2 to fail to refresh keys when no "user ID" information is available. The problem here's two-fold, keys.openpgp.org requires email verification in order to allow publishing keys with their email address attached, and gpg2 refuses to process keys that have no user ID when refreshing. So by default, if you don't opt-in/verify your email address with OpenPGP, they won't publish the email associated with a public key (so when you rungpg2 refresh, you get the public keys without any user ID info), and then gpg2 refuses to process/import the keys. Meaning in order for this to work, you either have to wait for every key owner in Streisand's keyring to verfiy their email/identity with OpenPGP, or wait for GnuPG to fix the issue with the gpg2 client (or some other workaround I haven't thought of). The people running the OpenPGP keyserver are "working with" the GnuPG maintainers to address the problem (they mention it here).gpg2 refresh:gpg: key XXXXXXXXXXXXXXXX: no user IDC3C07136(which seems to be Georg Koppen's pubkey), but they have switched to using the pubkey with user ID "The Tor Browser Developers" (D9FF06E2). Both of these key IDs are on Tor's signing keys page.AF131CAEto5ACFEAC6within Streisand's variables and that made the verification pass for me.5ACFEAC6in a few keyservers).playbooks/roles/gpg/files/and are imported using the variablestreisand_bootstrap_gpg_keys(referenced by another task).B43434E4to4AE8DA82within Streisand variables.