Home / server / Questions / 168826
Accepted
sorin
Asked: 2010-08-11 02:35:37 +0800 CST

How to install gpg keys from behind a firewall?

  • 772

I understand that keyservers are using the port 11371 but in many cases you are not allowed to connect to this port and you cannot add

There a many cases when you cannot modify the firewall configuration.

Example command that fails

 gpg --keyserver keyserver.ubuntu.com --recv-keys 0A5174AF

How do you solve this issue?

firewall gpg

5 Answers

  1. Best Answer

    Some key servers answer to port 80 as well:

    gpg --keyserver hkp://wwwkeys.de.pgp.net:80 --recv-keys 0A5174AF

    And since hkp relies on http, you should be able to use it trough a web proxy too.

    • 21

  2. Something like

    gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 \
    --keyserver-options "timeout=40 http-proxy=$http_proxy" \
    --recv-keys B0F4253373F8F6F510D42178520A9993A1C052F8

    The decisive part is http-proxy=$http_proxy, which can be replaced with http-proxy=http://corporate.proxy.test:8765 for example.

    BTW: https://askubuntu.com/a/102505/519948

    • 18

  3. try this

    sudo apt-key adv --keyserver-options http-proxy="http://<username>:<password>@<proxy_server_addr>:<proxy_port>" --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys <key_to_import>
    • 3

  4. Just wanted to add a few notes here.

    The manual page for gpg notes that the --keyserver-options "http-proxy=foo" will override the http_proxy environment variable, but at least for...

    gpg --version gpg (GnuPG) 2.1.15 libgcrypt 1.7.9

    It fails to pick up the http_proxy environment variable (or HTTP_PROXY) but does accept the --keyserver-options solution.

    • 2

  5. Answers suggesting using key servers that listen on Port 80 will work. Another alternative that offers greater privacy and security is:

    Use HKPS (HKP over TLS)

    This encrypts the connection to the keyserver and helps prevent man-in-the-middle attacks. Also, TCP Port 443 is just as unlikely to be blocked by a corporate firewall as Port 80 (unlike Port 11371).

    gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 94558F59

    Note: the URIs, https://keyserver.ubuntu.com, hkps://keyserver.ubuntu.com, hkps://keyserver.ubuntu.com:443 are all equivalent.

    Configuring this as the default server

    Since the release of GnuPG 2.1.9 (2015-10-09), the --keyserver option for gpg has been deprecated and users are recommended to “use the --keyserver in dirmngr.conf instead”. The user’s default keyserver can be configured permanently by editing ~/.gnupg/dirmngr.conf:

    keyserver hkps://keyserver.ubuntu.com

    If the dirmngr daemon is already running, you’ll need to run gpgconf --reload dirmngr for the new configuration to take effect.

    System default keyservers

    Currently (since versions 2.2.29 and 2.3.2, released in July/August 2021), the GnuPG project has keyserver.ubuntu.com configured as its default keyserver if none is specified by the user while Debian (and Ubuntu) packages of gnupg2 have configured hkps://keys.openpgp.org as the default keyserver since gnupg2 2.2.17-1 (released in 2019).

    Note: other answers suggest using SKS keyserver pools. Unfortunately, these have suffered privacy and abuse problems and, as of June 2021, are no longer operating.

    • 2