24

I understand that keyservers use port 11371, but in many cases you are not allowed to connect to this port and you cannot add

There are many cases in which you cannot modify the firewall configuration.

Example command that fails:

 gpg --keyserver keyserver.ubuntu.com --recv-keys 0A5174AF

How do you solve this issue?

sorin
  • 7,668
  • 24
  • 75
  • 100

5 Answers

21

Some key servers answer on port 80 as well:

gpg --keyserver hkp://wwwkeys.de.pgp.net:80 --recv-keys 0A5174AF

And since HKP relies on HTTP, you should be able to use it through a web proxy too.

b0fh
  • 3,313
  • 1
  • 20
  • 32

18

Something like:

gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 \
    --keyserver-options "timeout=40 http-proxy=$http_proxy" \
    --recv-keys B0F4253373F8F6F510D42178520A9993A1C052F8

The decisive part is http-proxy=$http_proxy, which can be replaced with http-proxy=http://corporate.proxy.test:8765 for example.

BTW: https://askubuntu.com/a/102505/519948

uav
  • 494
  • 3
  • 16
  • 3
    Important to note that the order of the flags is important here. If you put `--recv-keys` before `--keyserver-options`, you'll get an error that looks like:
    `gpg: Note: '--keyserver-options' is not considered an option`
    `gpg: "--keyserver-options" not a key ID: skipping`
    `gpg: "timeout=10 http-proxy=http://fooproxy:8080" not a key ID: skipping` – Mani May 23 '18 at 09:01
  • 1
    The manual page states that keyserver-options can be comma- or space-delimited, but I found the comma necessary, while space-delimiting resulted in a gpg usage error. gpg version 2.0.22. Like: `--keyserver-options "timeout=10,http-proxy=${http_proxy}"` – Ed Randall Jan 09 '20 at 09:15
3

Try this:

sudo apt-key adv --keyserver-options http-proxy="http://<username>:<password>@<proxy_server_addr>:<proxy_port>" --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys <key_to_import>

Jude Job
  • 39
  • 3
  • 1
    Welcome to Server Fault! Whilst this may theoretically answer the question, please provide context around commands so others will have some idea what it is supposed to do and why it’s a solution. - Using a proxy is often a good solution though. – HBruijn Oct 15 '15 at 11:54
2

Answers suggesting using key servers that listen on Port 80 will work. Another alternative that offers greater privacy and security is:

Use HKPS (HKP over TLS)

This encrypts the connection to the keyserver and helps prevent man-in-the-middle attacks. Also, TCP Port 443 is just as unlikely to be blocked by a corporate firewall as Port 80 (unlike Port 11371).

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 94558F59

Note: the URIs, https://keyserver.ubuntu.com, hkps://keyserver.ubuntu.com, hkps://keyserver.ubuntu.com:443 are all equivalent.

Configuring this as the default server

Since the release of GnuPG 2.1.9 (2015-10-09), the --keyserver option for gpg has been deprecated and users are recommended to “use the --keyserver in dirmngr.conf instead”. The user’s default keyserver can be configured permanently by editing ~/.gnupg/dirmngr.conf:

keyserver hkps://keyserver.ubuntu.com

If the dirmngr daemon is already running, you’ll need to run gpgconf --reload dirmngr for the new configuration to take effect.

System default keyservers

Currently (since versions 2.2.29 and 2.3.2, released in July/August 2021), the GnuPG project has keyserver.ubuntu.com configured as its default keyserver if none is specified by the user while Debian (and Ubuntu) packages of gnupg2 have configured hkps://keys.openpgp.org as the default keyserver since gnupg2 2.2.17-1 (released in 2019).

Note: other answers suggest using SKS keyserver pools. Unfortunately, these have suffered privacy and abuse problems and, as of June 2021, are no longer operating.

Anthony Geoghegan
  • 2,800
  • 1
  • 23
  • 34
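As an added example that is not part of any answer on this page, the following POSIX shell script ties the pieces above together: a keyserver reached over HKPS on 443 (or HKP on port 80), the proxy passed explicitly through --keyserver-options (comma-separated, and placed before the --recv-keys command, as the comments on the earlier answer note), and a check that the key actually imported has the full fingerprint you expected. The proxy URL, the overridable GPG variable and the sample colon-format gpg output are constructed for illustration; the fingerprint used in the sample is the one from the earlier answer, the subkey fingerprint is made up.

```shell
#!/bin/sh
# Fetch an OpenPGP key over HKPS (TCP 443) or HKP on port 80 through a
# corporate HTTP proxy, and refuse the key unless its full fingerprint
# matches the one you expected. A 32-bit short ID such as 0A5174AF or a
# 64-bit long ID only selects a key on the server; it does not prove you
# got the right one, so the fingerprint is checked after import.

GPG="${GPG:-gpg}"   # overridable so the flow can be exercised with a stand-in gpg

# Build the --keyserver-options value. The comma separator is accepted by
# gpg 2.0 and 2.2; an empty proxy argument means "no http-proxy option".
keyserver_opts() {
  if [ -n "$1" ]; then
    printf 'timeout=40,http-proxy=%s' "$1"
  else
    printf 'timeout=40'
  fi
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# primary-key fingerprint(s): the first 'fpr' record after each 'pub'
# record (field 10 holds the fingerprint; later 'fpr' records are subkeys).
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1; next }
           want && $1 == "fpr" { print $10; want = 0 }'
}

# Exit 0 if $1 (spaces and case ignored) is one of the primary fingerprints
# read on stdin, 1 otherwise.
fingerprint_matches() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  primary_fprs | grep -qx "$expected"
}

# fetch_and_verify KEYSERVER_URL EXPECTED_FINGERPRINT
# Options must precede the --recv-keys command or gpg treats them as key IDs.
# The proxy is passed explicitly because some gpg versions ignore $http_proxy.
fetch_and_verify() {
  keyserver="$1"
  expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  if [ "${#expected}" -ne 40 ]; then
    echo "expected a 40-hex-digit v4 fingerprint" >&2
    return 2
  fi
  case "$expected" in
    *[!0-9A-F]*) echo "fingerprint is not hex" >&2; return 2 ;;
  esac
  longid=$(printf '%s' "$expected" | cut -c 25-40)   # long key ID = last 16 hex digits
  "$GPG" --keyserver "$keyserver" \
         --keyserver-options "$(keyserver_opts "${http_proxy:-}")" \
         --recv-keys "$longid" || return 1
  "$GPG" --with-colons --fingerprint "$longid" | fingerprint_matches "$expected"
}

# Constructed sample of `gpg --with-colons --fingerprint` output (not real
# keyserver data): the primary fingerprint is the one quoted in the earlier
# answer, the subkey fingerprint is invented. Used for offline parser checks.
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:-:4096:1:520A9993A1C052F8:1470000000:::-:::scESC::::::23::0:
fpr:::::::::B0F4253373F8F6F510D42178520A9993A1C052F8:
uid:-::::1470000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1470000000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF12345678:'

# Usage (needs network and a real gpg; the proxy URL below is a placeholder):
#   http_proxy=http://corporate.proxy.test:8765; export http_proxy
#   . ./fetch_key.sh
#   fetch_and_verify hkps://keyserver.ubuntu.com 'B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8'
```

The script exits non-zero when the fetch fails or when the imported primary key's fingerprint differs from the expected one, so it can gate a provisioning step. If you would rather not pass the proxy on every call, dirmngr.conf accepts an http-proxy line alongside the keyserver line described in the answer above (per the dirmngr manual), followed by gpgconf --reload dirmngr.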
2

Just wanted to add a few notes here.

The manual page for gpg notes that --keyserver-options "http-proxy=foo" will override the http_proxy environment variable, but at least for...

 gpg --version
 gpg (GnuPG) 2.1.15
 libgcrypt 1.7.9

...it fails to pick up the http_proxy environment variable (or HTTP_PROXY) but does accept the --keyserver-options solution.

Mani
  • 131
  • 5
  • Can you please provide a link to this site? I suspect that the options switch overwrites the proxy variable, but only for this one command. The http_proxy variable is then unchanged to the old one. However, it is not perfectly programmed if the http_proxy and no_proxy variables are ignored. – uav Oct 11 '19 at 20:21
  • 1
    I don't understand why apt, Java and gpg need their own proxy definitions anyway. They should, in my opinion, use the default environment variables! There is a trick for apt. Just create an empty /etc/apt/apt.conf. LOL, who makes this up? – uav Oct 11 '19 at 20:27