Some servers in the list work fine, others are unresponsive ("connection timed out" or "no data"), and others have an outdated key (even a month later 😞). These outdated keyservers are sometimes fastest and so the client gets served the outdated key.
When there were issues back on January 24 with ros image builds in GitHub actions, I had assumed it was just gossip lag. But it is still an issue on their latest PR.
```console
$ # choosing a set of servers that happen to display all states
root@690deddaab77:/# for serv in keyserver.maxweiss.io keyserver.snt.utwente.nl keyserver.spline.inf.fu-berlin.de keys.i2p-projekt.de; do export GNUPGHOME="$(mktemp -d)"; echo "$serv":; gpg --batch --keyserver "hkp://$serv" --recv-keys 'C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654'; gpg --fingerprint; gpgconf --kill all; sleep 1; rm -rf "$GNUPGHOME"; done
keyserver.maxweiss.io:
gpg: keybox '/tmp/tmp.ptqzBy0GKt/pubring.kbx' created
gpg: /tmp/tmp.ptqzBy0GKt/trustdb.gpg: trustdb created
gpg: key F42ED6FBAB17C654: public key "Open Robotics <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
/tmp/tmp.ptqzBy0GKt/pubring.kbx
-------------------------------
pub rsa4096 2019-05-30 [SC] [expires: 2025-06-01]
    C1CF 6E31 E6BA DE88 68B1 72B4 F42E D6FB AB17 C654
uid [ unknown] Open Robotics <[email protected]>
keyserver.snt.utwente.nl:
gpg: keybox '/tmp/tmp.0pFeCCtLjq/pubring.kbx' created
gpg: keyserver receive failed: Connection timed out
gpg: /tmp/tmp.0pFeCCtLjq/trustdb.gpg: trustdb created
keyserver.spline.inf.fu-berlin.de:
gpg: keybox '/tmp/tmp.PRub9GpThs/pubring.kbx' created
gpg: keyserver receive failed: No data
gpg: /tmp/tmp.PRub9GpThs/trustdb.gpg: trustdb created
keys.i2p-projekt.de:
gpg: keybox '/tmp/tmp.zVYOoe9F0Q/pubring.kbx' created
gpg: /tmp/tmp.zVYOoe9F0Q/trustdb.gpg: trustdb created
gpg: key F42ED6FBAB17C654: public key "Open Robotics <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
/tmp/tmp.zVYOoe9F0Q/pubring.kbx
-------------------------------
pub rsa4096 2019-05-30 [SC] [expired: 2021-05-29]
    C1CF 6E31 E6BA DE88 68B1 72B4 F42E D6FB AB17 C654
uid [ expired] Open Robotics <[email protected]>
```
While pgp-happy-eyeballs works great to ignore unresponsive servers 👍, it would be nice to have a way to improve the server list in order to use only "up-to-date" keyservers.
Workaround for users relying on pgp-happy-eyeballs and needing up-to-date keys is that they should use keyserver.ubuntu.com or keys.openpgp.org directly (both are very stable and can be fetched over tls if desired). In order to fetch from keys.openpgp.org, the key's email address must be verified there.
pgp-happy-eyeballs was designed for a time when SKS was relatively healthy, which really isn't the case anymore. The "gossip network" might still be alive and active, but finding a good, up-to-date list of "which servers should we consider as OK" is a very challenging problem that I don't think is worth solving.
Both hkps://keys.openpgp.org and hkps://keyserver.ubuntu.com are great, stable replacements that work well and solve the problem to the extent any of our image builds actually require. 🙈
Edit: to this end, I've added a deprecation notice in #5
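
An added example, not part of the issue or of pgp-happy-eyeballs: a build-script guard for the failure reported above, where a keyserver answers quickly but serves an already expired copy of the key. It fetches from one of the stable servers named in the thread and refuses the key unless the machine-readable listing shows it as current. The function names, the output-file argument and the sample records are assumptions made for this example; the sample timestamps are constructed as midnight UTC on the dates in the issue's output.

```shell
#!/bin/sh
# key_is_current FPR NOW: reads `gpg --with-colons --list-keys` output on stdin and
# succeeds only if primary key FPR is neither expired nor revoked at epoch time NOW.
key_is_current() {
    awk -F: -v want="$1" -v now="$2" '
        $1 == "pub" { validity = $2; expires = $7; primary = 1; next }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary {      # first fpr record after pub is the primary key
            primary = 0
            if ($10 == want) {
                found = 1
                # field 2: e = expired, r = revoked; empty field 7 = no expiry date
                ok = (validity != "e" && validity != "r" &&
                      (expires == "" || expires + 0 > now + 0))
            }
        }
        END { exit !(found && ok) }
    '
}

# fetch_current_key FPR OUTFILE (hypothetical helper): fetch into a throwaway
# keyring and export the key only if it passes the check above.
fetch_current_key() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    rc=1
    if gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$1" &&
       gpg --batch --with-colons --list-keys "$1" |
           key_is_current "$1" "$(date +%s)"; then
        gpg --batch --export "$1" > "$2" && rc=0
    fi
    gpgconf --kill all
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    return "$rc"
}

# Constructed sample records for offline checks (not captured gpg output).
FPR=C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
sample_listing() {   # $1 = validity field, $2 = expiry as epoch seconds
    printf 'pub:%s:4096:1:F42ED6FBAB17C654:1559174400:%s::-:::scSC:\n' "$1" "$2"
    printf 'fpr:::::::::%s:\n' "$FPR"
}
```

In a build, call `fetch_current_key "$FPR" key.gpg` and stop on a non-zero status instead of importing whatever the fastest server returned.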