FS#65184 - pacman fails to sync gpg keys under http proxy

Attached to Project: Arch Linux
Opened by Rodrigo (rodarima) - Friday, 17 January 2020, 13:51 GMT
Last edited by freswa (frederik) - Thursday, 20 February 2020, 21:59 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

I'm using a proxy with the http_proxy env variable. When upgrading with pacman -Syu, it attempts to update the gpg keys but it fails to connect to the gpg server. I can see with netstat that it attempted to contact the server directly rather than using the proxy:

tcp 0 1 x.x.x.x:52522 192.146.137.99:443 SYN_SENT 88014/dirmngr

I found that gpg is not honoring the http_proxy, but it can be fixed by setting the honor-http-proxy option in /etc/pacman.d/gnupg/dirmngr.conf:

# echo honor-http-proxy > /etc/pacman.d/gnupg/dirmngr.conf

Steps to reproduce:

Select a keyserver that uses http or https ports in /etc/pacman.d/gnupg/gpg.conf:

keyserver hkps://hkps.pool.sks-keyservers.net:443

Block access to the gpg server port, maybe with iptables. Set up a proxy to tunnel the http and https traffic to a proxy in another host, thus bypassing the block. Then attempt to receive keys and it will fail:

# pacman-key --refresh-keys
gpg: refreshing 113 keys from hkps://hkps.pool.sks-keyservers.net:443

# netstat -atpn | grep dirmngr
tcp 0 1 x.x.x.x:52522 192.146.137.99:443 SYN_SENT 88014/dirmngr


Closed by  freswa (frederik)
Thursday, 20 February 2020, 21:59 GMT
Reason for closing:  Not a bug
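
Added example, not part of the original report or of pacman/GnuPG: a POSIX sh sketch that reports whether a dirmngr.conf will send keyserver traffic through a proxy and appends honor-http-proxy only when it is missing, keeping existing lines (the echo with ">" in the description replaces the whole file). The function names are hypothetical, and the default path is the one given in the report.

```shell
#!/bin/sh
# Added example: audit and repair proxy handling in a dirmngr.conf.
# Function names are hypothetical; the default path is taken from the report.

# Print how dirmngr will reach keyservers according to the given config:
#   explicit - an "http-proxy HOST[:PORT]" line is present
#   honor    - "honor-http-proxy" is present (dirmngr uses $http_proxy)
#   direct   - neither option is active; connections bypass the proxy
dirmngr_proxy_state() {
    conf=${1:-/etc/pacman.d/gnupg/dirmngr.conf}
    if [ -f "$conf" ] &&
       grep -Eq '^[[:space:]]*http-proxy[[:space:]]+[^[:space:]]' "$conf"; then
        echo explicit
    elif [ -f "$conf" ] &&
         grep -Eq '^[[:space:]]*honor-http-proxy[[:space:]]*$' "$conf"; then
        echo honor
    else
        echo direct
    fi
}

# Append honor-http-proxy when a proxy is set in the environment and the
# config does not already handle it. Existing lines are preserved.
# Returns 0 if the config is (now) proxy-aware, 1 if nothing was changed
# because http_proxy is not set.
ensure_honor_http_proxy() {
    conf=${1:-/etc/pacman.d/gnupg/dirmngr.conf}
    state=$(dirmngr_proxy_state "$conf")
    if [ "$state" != direct ]; then
        return 0
    fi
    if [ -z "${http_proxy:-}" ]; then
        return 1
    fi
    # Avoid gluing the option onto an unterminated last line.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf"
    fi
    printf 'honor-http-proxy\n' >> "$conf"
}
```

Commented-out lines such as "#honor-http-proxy" are treated as inactive, so the state is reported as direct.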
Comment by Rodrigo (rodarima) - Friday, 17 January 2020, 13:53 GMT
Tested with pacman 5.2.1-4 after the upgrade and still failing.
Comment by Allan McRae (Allan) - Friday, 17 January 2020, 14:17 GMT
An alternative title could be "partially setting up a system to use a http proxy results in some things not working".
Comment by Rodrigo (rodarima) - Friday, 17 January 2020, 14:32 GMT
Yes, it was partially configured by lack of information.

No mention here: https://wiki.archlinux.org/index.php/pacman#Pacman_does_not_honor_proxy_settings

Nor here: https://wiki.archlinux.org/index.php/Proxy_server#Environment_variables

Only in a tip here: https://wiki.archlinux.org/index.php/GnuPG#Use_a_keyserver

But shouldn't it honor http_proxy by default?
Comment by Eli Schwartz (eschwartz) - Friday, 17 January 2020, 14:34 GMT
Then the correct solution is to improve the wiki. It would be great if you could do that. :)
Comment by Eli Schwartz (eschwartz) - Friday, 17 January 2020, 14:36 GMT
> But shouldn't it honor http_proxy by default?

Why does GnuPG upstream not honor http_proxy by default? I don't think we should override that decision ourselves.
Comment by Rodrigo (rodarima) - Friday, 17 January 2020, 17:10 GMT
> Then the correct solution is to improve the wiki. It would be great if you could do that. :)

Added!

> Why does GnuPG upstream not honor http_proxy by default? I don't think we should override that decision ourselves.

Not sure, I couldn't find any explanation.
