Skip to content
  • intrigeri's avatar
    Use keys.openpgp.org's Onion service as the default keyserver (refs: #12689, #14770) · dbfbfa7b
    intrigeri authored
    For background, see #12689 and its various duplicates. The short version is:
    
     - Unfortunately, hkp://jirk5u4osbsr34t5.onion is way too unreliable.
    
     - Most non-tech-savvy OpenPGP users don't use keyservers at all,
       so this change should not affect them much.
    
     - Tech-savvy OpenPGP users who want to use the Web-of-Trust (which
       keys.openpgp.org's design essentially kills) should be able
       to switch to a keyserver of their choosing, that includes
       non-self certifications.
    
    Let's use the Onion service instead of hkps://keys.openpgp.org/, so that we
    don't lose end-to-end encryption and authentication of the keyserver in
    Seahorse, which doesn't support hkps://. Alternatively, we could use
    hkps://keys.openpgp.org/ everywhere else, but it feels simpler to use the same
    keyserver everywhere.
    
    At this point, the only Tails systems that are affected by this change are those
    run without GnuPG persistence, and newly created persistent GnuPG configuration.
    Pre-existing persistent GnuPG configuration is not updated (yet).
    
    On the test suite front:
    
     - This commit keeps the Chutney-based redirector setup as-is, except it will
       proxy requests to keys.openpgp.org, instead of pool.sks-keyservers.net
       previously. This should work as long as keys.openpgp.org supports cleartext
       communication on port 11371.
    
     - In theory, our long-term plan is to replace this with a local mock keyserver
       Onion service. We'll see if that's still worth the effort once we redirect
       requests to a more reliable upstream keyserver.
    
     - I'm removing the @fragile tag for torified_gnupg.feature. There might
       be other reasons why these scenarios are fragile; let's learn about them.
    dbfbfa7b