Commit dbfbfa7b authored by intrigeri

Use keys.openpgp.org's Onion service as the default keyserver (refs: #12689, #14770)

For background, see #12689 and its various duplicates. The short version is:

 - Unfortunately, hkp://jirk5u4osbsr34t5.onion is way too unreliable.

 - Most non-tech-savvy OpenPGP users don't use keyservers at all,
   so this change should not affect them much.

 - Tech-savvy OpenPGP users who want to use the Web-of-Trust (which
   keys.openpgp.org's design essentially kills) should be able
   to switch to a keyserver of their choosing, one that includes
   non-self certifications.

Let's use the Onion service instead of hkps://keys.openpgp.org/, so that we
don't lose end-to-end encryption and authentication of the keyserver in
Seahorse, which doesn't support hkps://. Alternatively, we could use
hkps://keys.openpgp.org/ everywhere else, but it feels simpler to use the same
keyserver everywhere.

At this point, the only Tails systems that are affected by this change are those
run without GnuPG persistence, and newly created persistent GnuPG configuration.
Pre-existing persistent GnuPG configuration is not updated (yet).

On the test suite front:

 - This commit keeps the Chutney-based redirector setup as-is, except it will
   proxy requests to keys.openpgp.org instead of pool.sks-keyservers.net as
   previously. This should work as long as keys.openpgp.org supports cleartext
   communication on port 11371.

 - In theory, our long-term plan is to replace this with a local mock keyserver
   Onion service. We'll see if that's still worth the effort once we redirect
   requests to a more reliable upstream keyserver.

 - I'm removing the @fragile tag for torified_gnupg.feature. There might
   be other reasons why these scenarios are fragile; let's learn about them.
parent 810b5560
......@@ -3,7 +3,7 @@ item-filter=''
sidebar-visible=true
[desktop/gnome/crypto/pgp]
keyservers = ['hkp://jirk5u4osbsr34t5.onion']
keyservers = ['hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion']
[org/gnome/desktop/a11y]
always-show-universal-access-status=true
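Review bot: the new Onion address in the keyservers list has to stay byte-for-byte identical to the one written into gpg.conf, the TorBirdy prefs and CONFIGURED_KEYSERVER_HOSTNAME in the test suite elsewhere in this patch; a short comment above this key naming where the canonical value comes from (keys.openpgp.org's Onion service, #12689) would make the next keyserver change less error-prone than grepping for a 56-character string across four files.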
......
use-tor
keyserver hkp://jirk5u4osbsr34t5.onion
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
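Review bot: this only changes the template gpg.conf, so, as the commit message notes, systems with pre-existing persistent GnuPG configuration keep the old jirk5u4osbsr34t5.onion keyserver line and will go on hitting the unreliable service; please track the migration of persisted gpg.conf (or at least a release note telling users to update the keyserver line by hand) against #12689 so it is not forgotten.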
......@@ -4,3 +4,4 @@
pref("extensions.torbirdy.emailwizard", true);
pref("extensions.torbirdy.gpg_already_torified", true);
pref("extensions.torbirdy.custom.extensions.enigmail.keyserver", "hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion");
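Review bot: the added pref carries no comment explaining why Enigmail is pinned to this hkp:// Onion address rather than left on its default; a one-line comment referencing #12689 and the reason the Onion service is preferred over hkps:// would help whoever revisits these TorBirdy prefs later.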
......@@ -47,7 +47,7 @@ end
def setup_onion_keyserver
resolver = Resolv::DNS.new
keyservers = resolver.getaddresses('pool.sks-keyservers.net').select do |addr|
keyservers = resolver.getaddresses('keys.openpgp.org').select do |addr|
addr.class == Resolv::IPv4
end
onion_keyserver_address = keyservers.sample
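Review bot: the commit message's assumption that keys.openpgp.org serves cleartext HKP on port 11371 is not asserted anywhere here, and if getaddresses returns no IPv4 address keyservers.sample yields nil, which will surface later as an obscure redirector failure; consider raising with an explicit message when keyservers is empty and adding a comment next to the hostname that records the port 11371 assumption, so a future upstream change is diagnosed quickly.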
......
......@@ -66,7 +66,7 @@ SIKULI_IMAGE_PATH = "#{Dir.pwd}/features/images/"
SIKULI_MIN_SIMILARITY = 0.9
# Constants that are statically initialized.
CONFIGURED_KEYSERVER_HOSTNAME = 'jirk5u4osbsr34t5.onion'
CONFIGURED_KEYSERVER_HOSTNAME = 'zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion'
LIBVIRT_DOMAIN_NAME = "TailsToaster"
LIBVIRT_DOMAIN_UUID = "203552d5-819c-41f3-800e-2c8ef2545404"
LIBVIRT_NETWORK_NAME = "TailsToasterNet"
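Review bot: the constant is updated in step with the configuration files, which is what keeps the keyserver scenarios honest, but it sits under the "statically initialized" comment with no hint of which files it must match; a comment listing the dconf, gpg.conf and TorBirdy locations would make a partial update (one file changed, the others not) easier to catch in review.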
......
#14770
@product @check_tor_leaks @fragile
@product @check_tor_leaks
Feature: Keyserver interaction with GnuPG
As a Tails user
when I interact with keyservers using various GnuPG tools
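Review bot: with @fragile dropped, the "#14770" comment line just above the tags now documents a fragility the feature no longer declares; either remove that reference or reword it to say why the tag was removed, otherwise the next reader will assume the ticket still applies to these scenarios.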
......
......@@ -1120,8 +1120,7 @@ possible.
### 3.6.16 GnuPG
GnuPG tools (namely: GPG itself and Seahorse) are configured to use
the sks-keyservers pool since it's reliable, well-synchronized with
the other HKP keyservers pools, and reachable over `hkps://`.
<https://keys.opengpg.org> via its Onion service, since it's reliable.
GnuPG is configured accordingly to the [OpenPGP Best
Practices](https://help.riseup.net/en/security/message-security/openpgp/best-practices),
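Review bot: the added line links to <https://keys.opengpg.org>, which is a typo for keys.openpgp.org (the hostname used everywhere else in this patch) and should be fixed before merge; the removed sentence also explained the transport security property ("reachable over `hkps://`"), so the replacement should say that the Onion service is what now provides end-to-end encryption and authentication of the keyserver, as the commit message argues.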
......