26

I understand that keyservers use port 11371, but in many cases you are not allowed to connect to this port and you cannot add

There are many cases when you cannot modify the firewall configuration.

Example command that fails:

gpg --keyserver keyserver.ubuntu.com --recv-keys 0A5174AF

How do you solve this issue?

sorin

5 Answers

22

Some key servers answer to port 80 as well:

gpg --keyserver hkp://wwwkeys.de.pgp.net:80 --recv-keys 0A5174AF

And since hkp relies on http, you should be able to use it through a web proxy too.

b0fh
22

Something like:

gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 \
    --keyserver-options "timeout=40 http-proxy=$http_proxy" \
    --recv-keys B0F4253373F8F6F510D42178520A9993A1C052F8

The decisive part is http-proxy=$http_proxy, which can be replaced with http-proxy=http://corporate.proxy.test:8765 for example.


BTW: https://askubuntu.com/a/102505/519948

uav
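As an added example (not part of the answers above and not GnuPG's own tooling), the following POSIX shell script wraps the HKP-on-port-80 fetch the two answers describe: it adds the http-proxy keyserver option only when a proxy is actually set (an empty "http-proxy=" is rejected by gpg), and after the import it checks that the key gpg now holds carries the fingerprint that was asked for. It deliberately takes a full 40-hex fingerprint rather than the 8-hex short ID used in the first answer, because short key IDs are not unique and a keyserver can return a different key with the same short ID. The keyserver and proxy names are placeholders; the colon-format records used in the check are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original answers.
# Assumes GnuPG 2.x. Keyserver and proxy names below are placeholders.

# Build the value for --keyserver-options. The http-proxy= entry is added
# only when a proxy URL is given; gpg rejects an empty "http-proxy=".
build_keyserver_options() {
    proxy="${1:-}"
    opts="timeout=40"
    if [ -n "$proxy" ]; then
        opts="$opts http-proxy=$proxy"
    fi
    printf '%s' "$opts"
}

# Read `gpg --with-colons` records on stdin and print the fingerprints.
# In colon format, field 1 is the record type and field 10 of an "fpr"
# record is the full fingerprint.
extract_fingerprints() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Fetch the key identified by its full fingerprint over HKP on port 80
# (optionally through an HTTP proxy) and succeed only when a key with
# exactly that fingerprint is present in the keyring afterwards.
#   $1 expected 40-hex fingerprint
#   $2 keyserver URI   (default: hkp://keyserver.ubuntu.com:80, placeholder)
#   $3 proxy URL       (default: $http_proxy if set)
recv_and_verify() {
    expected="$1"
    keyserver="${2:-hkp://keyserver.ubuntu.com:80}"
    proxy="${3:-${http_proxy:-}}"

    case "$expected" in
        *[!0-9A-Fa-f]*|"") printf 'expected a hex fingerprint\n' >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || { printf 'use the full 40-hex fingerprint, not a short key ID\n' >&2; return 2; }

    gpg --keyserver "$keyserver" \
        --keyserver-options "$(build_keyserver_options "$proxy")" \
        --recv-keys "$expected" || return 1

    # Do not trust the server's answer blindly: confirm the fingerprint.
    gpg --with-colons --fingerprint "$expected" 2>/dev/null \
        | extract_fingerprints \
        | grep -qix "$expected"
}

# Usage (placeholder values):
#   http_proxy=http://corporate.proxy.test:8765 \
#   recv_and_verify B0F4253373F8F6F510D42178520A9993A1C052F8
```

The fingerprint check is the part worth keeping even when no proxy is involved: --recv-keys imports whatever the server returns, so the script only reports success once the expected fingerprint is actually in the keyring.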
5

Answers suggesting using key servers that listen on Port 80 will work. Another alternative that offers greater privacy and security is:

Use HKPS (HKP over TLS)

This encrypts the connection to the keyserver and helps prevent man-in-the-middle attacks. Also, TCP Port 443 is just as unlikely to be blocked by a corporate firewall as Port 80 (unlike Port 11371).

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 94558F59

Note: the URIs, https://keyserver.ubuntu.com, hkps://keyserver.ubuntu.com, hkps://keyserver.ubuntu.com:443 are all equivalent.

Configuring this as the default server

Since the release of GnuPG 2.1.9 (2015-10-09), the --keyserver option for gpg has been deprecated and users are recommended to “use the --keyserver in dirmngr.conf instead”. The user’s default keyserver can be configured permanently by editing ~/.gnupg/dirmngr.conf:

keyserver hkps://keyserver.ubuntu.com

If the dirmngr daemon is already running, you’ll need to run gpgconf --reload dirmngr for the new configuration to take effect.

System default keyservers

Currently (since versions 2.2.29 and 2.3.2, released in July/August 2021), the GnuPG project has keyserver.ubuntu.com configured as its default keyserver if none is specified by the user while Debian (and Ubuntu) packages of gnupg2 have configured hkps://keys.openpgp.org as the default keyserver since gnupg2 2.2.17-1 (released in 2019).

Note: other answers suggest using SKS keyserver pools. Unfortunately, these have suffered privacy and abuse problems and, as of June 2021, are no longer operating.
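As an added example (not part of the answer above and not GnuPG's own code), the following POSIX shell script does two things the answer describes by hand: it normalises a keyserver URI so that https://keyserver.ubuntu.com, hkps://keyserver.ubuntu.com and hkps://keyserver.ubuntu.com:443 all resolve to the same scheme, host and port, and it writes that server as the permanent default into dirmngr.conf, replacing any existing keyserver line and reloading dirmngr when gpgconf is available. It refuses to set a non-TLS default. The lookup goes by GNUPGHOME (falling back to ~/.gnupg, the location GnuPG uses); IPv6 literal hosts are not handled by the simple host:port split.

```shell
#!/bin/sh
# Added example, not code from the original answer or from GnuPG.
# Assumes dirmngr reads $GNUPGHOME/dirmngr.conf (default ~/.gnupg).

# Print "scheme host port" for a keyserver URI, filling in the default port
# of each scheme: hkp 11371, http 80, hkps/https 443. https:// is treated as
# hkps://, as the answer states they are equivalent. Hosts given as bare IPv6
# literals are not supported by this simple split.
normalize_keyserver_uri() {
    uri="$1"
    case "$uri" in
        *://*) ;;
        *) printf 'not a URI: %s\n' "$uri" >&2; return 1 ;;
    esac
    scheme="${uri%%://*}"
    rest="${uri#*://}"
    rest="${rest%%/*}"          # drop any path component
    case "$rest" in
        *:*) host="${rest%:*}"; port="${rest##*:}" ;;
        *)   host="$rest";      port="" ;;
    esac
    case "$scheme" in
        hkp)        [ -n "$port" ] || port=11371 ;;
        http)       [ -n "$port" ] || port=80 ;;
        hkps|https) scheme=hkps; [ -n "$port" ] || port=443 ;;
        *) printf 'unsupported scheme: %s\n' "$scheme" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# True when the server port is one an outbound corporate firewall is
# unlikely to block (80 or 443), per the reasoning in the answer.
firewall_friendly() {
    set -- $(normalize_keyserver_uri "$1")
    case "${3:-}" in 80|443) return 0 ;; *) return 1 ;; esac
}

# Make the given server the default in dirmngr.conf. Only hkps is accepted,
# every other line of the file is preserved, and a running dirmngr is told
# to reload its configuration.
set_default_keyserver() {
    uri="$1"
    set -- $(normalize_keyserver_uri "$uri")
    [ "${1:-}" = hkps ] || { printf 'refusing non-TLS default keyserver: %s\n' "$uri" >&2; return 1; }
    home="${GNUPGHOME:-$HOME/.gnupg}"
    conf="$home/dirmngr.conf"
    mkdir -p "$home" && chmod 700 "$home"
    tmp="$conf.tmp.$$"
    {
        [ -f "$conf" ] && grep -v '^keyserver[[:space:]]' "$conf"
        printf 'keyserver %s://%s:%s\n' "$1" "$2" "$3"
    } > "$tmp"
    mv "$tmp" "$conf"
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload dirmngr 2>/dev/null || true
    fi
}

# Print the keyserver currently configured in dirmngr.conf (last one wins),
# or nothing when none is set.
current_default_keyserver() {
    conf="${GNUPGHOME:-$HOME/.gnupg}/dirmngr.conf"
    [ -f "$conf" ] && awk '$1 == "keyserver" { v = $2 } END { if (v != "") print v }' "$conf"
}

# Usage:
#   set_default_keyserver https://keyserver.ubuntu.com
#   current_default_keyserver     # prints hkps://keyserver.ubuntu.com:443
```

Writing the normalised hkps://host:443 form makes the configured transport explicit in the file, which is useful when auditing a machine's GnuPG setup: a single grep of dirmngr.conf shows whether keys are fetched over TLS.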

5

Try this:

sudo apt-key adv \
    --keyserver-options http-proxy="http://<username>:<password>@<proxy_server_addr>:<proxy_port>" \
    --keyserver hkp://keyserver.ubuntu.com:80 \
    --recv-keys <key_to_import>
2

Just wanted to add a few notes here.

The manual page for gpg notes that the --keyserver-options "http-proxy=foo" will override the http_proxy environment variable, but at least for...

gpg --version
gpg (GnuPG) 2.1.15
libgcrypt 1.7.9

It fails to pick up the http_proxy environment variable (or HTTP_PROXY) but does accept the --keyserver-options solution.

Mani