gpg: WARNING: Tor is not properly configured

Posted on February 5, 2017

Whilst working on another problem, I suddenly discovered that I could no longer interrogate the OpenPGP keyserver network from my Debian stretch workstation:

gnoutchd@monsey:~$ gpg2 --search-keys gnoutchd@softwarefreedom.org
gpg: WARNING: Tor is not properly configured
gpg: error searching keyserver: Permission denied
gpg: keyserver search failed: Permission denied
gnoutchd@monsey:~$

I was rather annoyed to see this, as this was with the default tor configuration that shipped with Debian. (And I know that Tor can be an unforgiving beast, so I really didn’t want to mess with my torrc.)

Fortunately, the problem went away once I cleaned up my GnuPG configuration. Apparently, the problem only happens if I:

  1. Connect to an IPv6 network,
  2. put “use-tor” in my ~/.gnupg/dirmngr.conf, and
  3. put “keyserver hkp://pool.sks-keyservers.net” in my ~/.gnupg/gpg.conf.

With GnuPG 2.1, you’re supposed to put keyserver lines into dirmngr.conf [1], but for backwards compatibility (I presume) with pre-dirmngr GnuPG versions, gpg will still process keyserver lines in gpg.conf. But apparently this feature is buggy, at least when dirmngr is using Tor. Once I moved the keyserver line from gpg.conf to dirmngr.conf, my problem went away. [2]
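As an added example (not from the original post), here is a small POSIX shell check for the combination described above: use-tor active in dirmngr.conf while a keyserver line is still in gpg.conf. The file paths are taken as arguments, and the demonstration at the bottom runs it against constructed sample files rather than a real ~/.gnupg.

```shell
#!/bin/sh
# Added example: detect a keyserver line left in gpg.conf while dirmngr is
# configured with use-tor (the misconfiguration described in the post).

# has_option FILE OPTION: succeed if FILE contains an active (non-comment)
# line starting with OPTION as a whole word, e.g. "use-tor" or "keyserver ...".
has_option() {
    grep -Eq '^[[:space:]]*'"$2"'([[:space:]]|$)' "$1" 2>/dev/null
}

# check_keyserver_config GPG_CONF DIRMNGR_CONF
# Returns 0 when the layout is consistent, 2 when keyserver is still set in
# gpg.conf even though dirmngr.conf has use-tor.
check_keyserver_config() {
    gpg_conf=$1
    dirmngr_conf=$2
    if has_option "$dirmngr_conf" use-tor && has_option "$gpg_conf" keyserver; then
        echo "WARNING: 'keyserver' is set in $gpg_conf while use-tor is set in $dirmngr_conf;"
        echo "         move the keyserver line into $dirmngr_conf so dirmngr handles it over Tor."
        return 2
    fi
    echo "OK: keyserver configuration is consistent with dirmngr's Tor setting"
    return 0
}

# Constructed sample files reproducing the post's setup (not real user config).
tmpdir=$(mktemp -d)
printf 'use-tor\n' > "$tmpdir/dirmngr.conf"
printf 'keyserver hkp://pool.sks-keyservers.net\n' > "$tmpdir/gpg.conf"
check_keyserver_config "$tmpdir/gpg.conf" "$tmpdir/dirmngr.conf" || echo "exit status $?"
rm -rf "$tmpdir"
```

Pointing it at the real files (~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf) reports whether the same combination is present on your workstation.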

Why does this happen? I haven’t checked, but I’d guess it’s a side-effect of a DNS leak. When gpg processes the keyserver option, it probably does a standard DNS lookup and passes the resolved IP address to dirmngr, which is responsible for keyserver lookups in GnuPG 2.1. In turn, dirmngr passes the IP to Tor, which works as long as it’s an IPv4 address. When I’m on an IPv6 network, the DNS resolver gives me an IPv6 address, and Tor barfs.

Really, though, you always want to do DNS lookups through Tor if you’re going to contact a host through Tor. dirmngr apparently does the right thing when it gets the keyserver list directly from dirmngr.conf.

I’m not sure how I ended up with this configuration. Where did this dirmngr.conf come from? It may have been some GnuPG 1.4-to-2.1 migration procedure gone wrong, which would be a meaningful bug. I’ll likely file a bug report if I see this happen again.

Still, nice to see that GnuPG has proper Tor integration now.

The relevant log messages, for Google’s sake:

/var/log/tor/log:

Feb 05 21:44:51.000 [warn] Refusing to connect to IPv6 address [scrubbed] because Port has NoIPv6Traffic set.

systemd journal:

Feb 05 21:44:51 monsey dirmngr[2883]: can't connect to 'keyserver.pch.net': Permission denied
Feb 05 21:44:51 monsey dirmngr[2883]: error connecting to 'http://keyserver.pch.net:11371': Permission denied
Feb 05 21:44:51 monsey dirmngr[2883]: (Tor configuration problem)
Feb 05 21:44:51 monsey dirmngr[2883]: command 'KS_SEARCH' failed: Permission denied

  [1] See man gpg’s section on --keyserver.

  [2] Ultimately, I took dirmngr back to a default configuration by replacing my ~/.gnupg/dirmngr.conf with a copy of /usr/share/gnupg/dirmngr-conf.skel, the template that GnuPG 2.1 uses when creating a fresh ~/.gnupg.