gpg: WARNING: Tor is not properly configured
Whilst working on another problem, I suddenly discovered that I could no longer interrogate the OpenPGP keyserver network from my Debian stretch workstation:
gnoutchd@monsey:~$ gpg2 --search-keys email@example.com
gpg: WARNING: Tor is not properly configured
gpg: error searching keyserver: Permission denied
gpg: keyserver search failed: Permission denied
gnoutchd@monsey:~$
I was rather annoyed to see this, as this was with the default tor configuration that shipped with Debian. (And I know that Tor can be an unforgiving beast, so I really didn’t want to mess with my
Fortunately, the problem went away once I cleaned up my GnuPG configuration. Apparently, the problem only happens if I:
- Connect to an IPv6 network,
- put “use-tor” in my
- put “keyserver hkp://pool.sks-keyservers.net” in my
With GnuPG 2.1, you’re supposed to put keyserver lines into dirmngr.conf [1], but for backwards compatibility (I presume) with pre-dirmngr GnuPG versions, gpg will still process keyserver lines in gpg.conf. But apparently this feature is buggy, at least when dirmngr is using Tor. Once I moved the keyserver line from dirmngr.conf, my problem went away. [2]
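The configuration described above can be checked mechanically. The script below is an added example, not part of the original post: the function names are made up here, and it assumes that use-tor is set in dirmngr.conf under the GnuPG home directory. The sample files in demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): detect the GnuPG 2.1 layout
# described above, where dirmngr uses Tor but the keyserver is in gpg.conf.

# has_option FILE NAME: succeed if FILE sets option NAME.
# Config lines are "name [value]"; '#' comment lines never match, and
# "keyserver" must not match "keyserver-options".
has_option() {
    [ -f "$1" ] || return 1
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# check_gnupg_tor_keyserver [HOMEDIR]
# Returns 0 if the layout is fine, 1 if it matches the problem case.
# Assumption: use-tor is set in dirmngr.conf.
check_gnupg_tor_keyserver() {
    gnupg_home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    has_option "$gnupg_home/dirmngr.conf" use-tor || return 0  # Tor not in use
    if has_option "$gnupg_home/gpg.conf" keyserver; then
        echo "$gnupg_home/gpg.conf: keyserver set here while dirmngr" \
             "uses Tor; move the line to dirmngr.conf" >&2
        return 1
    fi
    return 0
}

# demo: run the check against a constructed home directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'use-tor\n' > "$d/dirmngr.conf"
    printf 'keyserver hkp://pool.sks-keyservers.net\n' > "$d/gpg.conf"
    if check_gnupg_tor_keyserver "$d"; then echo "ok"; else echo "flagged"; fi
    # Keyserver line placed in dirmngr.conf instead of gpg.conf.
    cat "$d/gpg.conf" >> "$d/dirmngr.conf"; : > "$d/gpg.conf"
    if check_gnupg_tor_keyserver "$d"; then echo "ok"; else echo "flagged"; fi
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with --demo to see the constructed case flagged and then cleared, or source the file and call check_gnupg_tor_keyserver with no argument to check $GNUPGHOME (default ~/.gnupg).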
Why does this happen? I haven’t checked, but I’d guess it’s a side-effect of a DNS leak. When gpg processes the keyserver option, it probably does a standard DNS lookup and passes the resolved IP address to dirmngr, which is responsible for keyserver lookups in GnuPG 2.1. In turn, dirmngr passes the IP to Tor, which works as long as it’s an IPv4 address. When I’m on an IPv6 network, the DNS resolver gives me an IPv6 address, and Tor barfs.
Really, though, you always want to do DNS lookups through Tor if you’re going to contact a host through Tor. dirmngr apparently does the right thing when it gets the keyserver list directly from
I’m not sure how I ended up with this configuration. Where did this dirmngr.conf come from? It may have been some GnuPG 1.4-to-2.1 migration procedure gone wrong, which would be a meaningful bug. I’ll likely file a bug report if I see this happen again.
Still, nice to see that GnuPG has proper Tor integration now.
The relevant log messages, for Google’s sake:
Feb 05 21:44:51.000 [warn] Refusing to connect to IPv6 address [scrubbed] because Port has NoIPv6Traffic set.
Feb 05 21:44:51 monsey dirmngr: can't connect to 'keyserver.pch.net': Permission denied
Feb 05 21:44:51 monsey dirmngr: error connecting to 'http://keyserver.pch.net:11371': Permission denied
Feb 05 21:44:51 monsey dirmngr: (Tor configuration problem)
Feb 05 21:44:51 monsey dirmngr: command 'KS_SEARCH' failed: Permission denied