On Wed, 2019-02-27 at 08:03 +0100, deloptes wrote:
> by all the time I mean each time Evolution opens a signed mail. I use
> Trinity Desktop and there - I only see that signature could not be
> verified.

Ah, I see. For me (Stretch/Cinnamon) dirmngr is started when Evolution encounters the first sig, and dirmngr remains running until system shutdown.

> BTW if you are advanced Linux user as it seems to be ... you may try
> Trinity - saves a lot of troubles - but depends what you expect from it.

Thanks, I'll certainly look into that more. On a related note I highly recommend Cinnamon for its clean looks and ease of use. :-)

> > > I even do not see any evidence that it is dirmngr that is blocking.
> > > When I start the gpg client and search for a key I see dirmngr is
> > > started
> > >
> > > $ while true; do ps -A | grep dir; sleep 1; done
> > >
> > > > But more to the point, It's not an easy program to debug....
> > > >
> > > > Following man page, I created ~/.gnupg/dirmngr.conf and populated
> > > > it
> > > > with:
> > > > verbose
> > > > debug-level expert
> > > > keyserver na.pool.sks-keyservers.net
> > > > disable-ipv6
> > > > disable-ldap
> > > > log-file ~/dirmngr.log
> > > > allow-ocsp
> > > >
> > >
> > > interesting but on my end I use pool.sks-keyservers.net and there
> > > were no issues - well how often you download or upload a key to the
> > > server?
> >
> > I hardly ever upload, but reading this list results in 2 or 3 key
> > downloads every few hours.
> >
>
> So it might be a configuration to automatically search and download keys not
> present - what if you configure to manually do so (this might be in
> Evolution or at system level for the user)

I can't find anywhere in .gnupg/* or Evolution config where that would be set up. :-(

> > > If I search for a key it takes like 3sec - and yes I think it goes
> > > via dirmngr - but sorry no time to bother setting up a config.
> > >
> > > The config I find here is the default
> > > cat ~/.gnupg/dirmngr.conf
> > >
> > > ###+++--- GPGConf ---+++###
> > > disable-ldap
> > > debug-level basic
> > > log-file socket:///home/pizza/.gnupg/log-socket
> > > ###+++--- GPGConf ---+++### Thu 06 Dec 2018 01:45:13 AM CET
> > > # GPGConf edited this configuration file.
> > > # It will disable options before this marked block, but it will
> > > # never change anything below these lines.
> >
> > Interesting. My 2 Stretch systems did not have that file by default, I
> > had to create it.
> >
>
> Yes it is created by the Trinity Kgpg app AFAIR.
>
> > > > and then I fired up Evolution and opened emails with gpg sigs, but
> > > > still no data in the file ~/dirmngr.log. :-(
> > > >
> > > > What I suspect the problem to be, and what is alluded to on the
> > > > sks-keyservers status page, is that there is a big
> > > > inconsistency/availability with their servers (they have more off-
> > > > pool servers listed than in-pool). Obviously it's a freebie so
> > > > complaints seem childish, but it is an important service.. just
> > > > like pool.ntp.org (which ironically Debian has taken responsibility
> > > > for at least sanitizing that with debian.pool.ntp.org)
> > > >
> > > > -Jim P.
> > >
> > > Some time ago keyservers got consolidated - so now we have
> > > pool.sks-keyservers.net. I am not sure if you are taking this with
> > > prejudices - might be only your setup.
> >
> > :-) I do run a clean, simple, tighten-down, secure setup. One of those
> > things is a DNSSEC validating recursor.... which I now see that dnsviz
> > reports DNSSEC errors in... wait for it... sks-keyservers.net <sigh>
> >
> > http://dnsviz.net/d/pool.sks-keyservers.net/dnssec/
> >
> > Now, imagine if pool.ntp.org had those DNSSEC problems and the impact
> > it would have on the world.
> >
>
> I am sure not only sks-keyservers.net reports back, but I agree this might
> be part of the issue you report.
>
> > > I know dirmngr is somehow coupled with gpg, but never bothered to
> > > look into that as it was always working properly.
> > > The keyserver is not configured in ~/.gnupg/dirmngr.conf but in
> > > ~/.gnupg/gpg.conf
> > >
> > > Show your ~/.gnupg/gpg.conf (or at least the relevant parts)
> >
> > ~$ cat .gnupg/gpa.conf
> > default-key 3F1C1EF2E6019EAC646CE45227155EB4C45A2705
> > keyserver hkp://na.pool.sks-keyservers.net
> > advanced-ui
> >
>
> I don't have the protocol (hkp) - but the point was to remove the keyserver
> from dirmngr.conf - not sure if it is right for your DE though.

Thanks for that, testing that now!

-Jim P.