SUMMARY
***
Keyserver added to settings has no effect
***

STEPS TO REPRODUCE
1. Go to Settings - Configure Kleopatra - Directory services
2. Add Keyservers to OpenPGP Keyserver field: hkps://pgp.mailbox.org, hkps://pool.sks-keyservers.net
3. Apply, close out Kleopatra and Kmail
4. Open Kmail and navigate to signed email received from Mailbox.org

OBSERVED RESULT
Kmail recognises that it is a GPG signed email but presents the following:

Message was signed on 23/7/22 2:21 AM with unknown key 0x6F823A8C655EDCC6.
The validity of the signature cannot be verified.
Status: No public key to verify the signature

EXPECTED RESULT
I expect Kmail to use Kleopatra and the added keyserver from Mailbox.org to automatically verify the signature.

nb. In Kmail security both attempt decryption and automatic import are ticked on.

Thanks.

SOFTWARE/OS VERSIONS
Operating System: Kubuntu 22.04
KDE Plasma Version: 5.24.6
KDE Frameworks Version: 5.95.0
Qt Version: 5.15.3
Kernel Version: 5.15.0-41-generic (64-bit)
Graphics Platform: X11
Processors: 8 × Intel® Core™ i7-7820HQ CPU @ 2.90GHz
Memory: 31.2 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 630

ADDITIONAL INFORMATION
Manually adding: auto-key-locate keyserver keyserver-URL hkps://pgp.mailbox.org into the gpg.conf file appears to work in getting the signature to verify but then when opening Kleopatra it presents itself in setup mode. All certificates are gone. Removing/commenting the auto-key-locate line returns Kleopatra to the previous state with certs showing again.
It would seem Kleopatra lookup is not working at all. Using the command line, hkps://keys.openpgp.org and hkps://pgp.mailbox.org work - but hkps://pool.sks-keyservers.net does not. The Kleopatra lookup returns nothing.

gpg2 --keyserver=hkps://keys.openpgp.org --search noreply@mailbox.org
gpg: enabled debug flags: memstat
gpg: data source: https://keys.openpgp.org:443
(1) noreply mailbox.org <noreply@mailbox.org>
    4096 bit RSA key 6F823A8C655EDCC6, created: 2021-02-03
Keys 1-1 of 1 for "noreply@mailbox.org". Enter number(s), N)ext, or Q)uit > q
gpg: error searching keyserver: Operation cancelled
gpg: keyserver search failed: Operation cancelled
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

anarcho@LuNoHo:~$gpg2 --keyserver=hkps://pool.sks-keyservers.net --search noreply@mailbox.org
gpg: enabled debug flags: memstat
gpg: error searching keyserver: Server indicated a failure
gpg: keyserver search failed: Server indicated a failure
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

anarcho@LuNoHo:~$gpg2 --keyserver=hkps://pgp.mailbox.org --search noreply@mailbox.org
gpg: enabled debug flags: memstat
gpg: data source: https://pgp.mailbox.org:443
(1) "noreply mailbox.org <noreply@mailbox.org>"
    4096 bit RSA key 6F823A8C655EDCC6, created: 2021-02-03, expires: 2024-01-28
(2) "Interner Account Interner Account <noreply@mailbox.org>"
    2048 bit RSA key 15B67D7FA64946FE, created: 2019-05-08, expires: 2029-05-05
Keys 1-2 of 2 for "noreply@mailbox.org". Enter number(s), N)ext, or Q)uit > q
gpg: error searching keyserver: Operation cancelled
gpg: keyserver search failed: Operation cancelled
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks
anarcho@LuNoHo:~$
SOLVED? Maybe - sort of?

After doing some RTFM I found this:

"You can configure ..... only one OpenPGP server is allowed at any time."

Is this still the case? After looking at an example that uses Enigma, I assumed more than one Keyserver could be added, but it would seem not. Could someone confirm that this is still a limitation?

nb. I removed the additional Keyserver and have entered only: hkps://keys.openpgp.org

After re-booting the Lookup now brings up entries - however I still get the following in Kmail:

Message was signed on 23/7/22 2:21 AM with unknown key 0x6F823A8C655EDCC6.
The validity of the signature cannot be verified.
Status: No public key to verify the signature

and with User-ids 'Not checked' in the lookup.

I am assuming I can manually select and import the cert from here, however I was expecting automatic lookup and import after ticking on 'Automatically import keys and certificate' in Kmail security.
Moving to KMail because the original issue seems to be that the key that a message was signed with is not fetched automatically. This has nothing to do with Kleopatra (except that Kleopatra can be used to configure the GnuPG backend that is used by KMail).
You have to enable the option auto-key-retrieve for GnuPG. If you do not want to edit the GnuPG configuration files manually, then you can find this setting in the configuration dialog of Kleopatra under GnuPG System->OpenPGP->Options controlling key import and export.

The option auto-key-locate controls automatic retrieval of keys needed for encryption.

The option "Automatically import keys and certificate" most likely applies to keys attached to email messages, but I haven't really verified this.

I'll close the report because this is very likely a setup issue on your side. "auto-key-retrieve" is disabled by default (in the GnuPG backend) because automatic lookup of keys obviously leaks information about your communication partners.
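A read-only check for the settings named in the comment above, added here as an example and not taken from the bug report, KMail, Kleopatra or GnuPG: it reports whether auto-key-retrieve is on, which auto-key-locate mechanisms are listed, and which keyserver lines are active. The helper name audit_gpg_conf and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the GnuPG settings that let gpg fetch keys on its own.
# Parses config text only; it never runs gpg or touches the network.

# audit_gpg_conf FILE... (hypothetical helper) -> prints "setting=value" lines
audit_gpg_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        { gsub(/,/, " ") }                 # lists may use commas or spaces
        $1 == "auto-key-retrieve"    { retrieve = "on" }
        $1 == "no-auto-key-retrieve" { retrieve = "off" }
        $1 == "keyserver-options" {        # older way to set the same flag
            for (i = 2; i <= NF; i++) {
                if ($i == "auto-key-retrieve")    retrieve = "on"
                if ($i == "no-auto-key-retrieve") retrieve = "off"
            }
        }
        $1 == "auto-key-locate" {          # lookup mechanisms used when encrypting
            for (i = 2; i <= NF; i++)
                locate = (locate == "" ? "" : (locate ",")) $i
        }
        $1 == "keyserver" { servers = (servers == "" ? "" : (servers ",")) $2 }
        END {
            # auto-key-retrieve is off unless the config turns it on
            print "auto-key-retrieve=" (retrieve == "" ? "off" : retrieve)
            print "auto-key-locate="   (locate == "" ? "default" : locate)
            print "keyservers="        (servers == "" ? "none" : servers)
        }
    ' "$@"
}

# Constructed sample files standing in for gpg.conf and dirmngr.conf.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/gpg.conf" <<'EOF'
# fetch unknown signing keys while verifying
auto-key-retrieve
auto-key-locate local,wkd
EOF
    cat > "$dir/dirmngr.conf" <<'EOF'
keyserver hkps://keys.openpgp.org
#keyserver hkps://pgp.mailbox.org
EOF
    audit_gpg_conf "$dir/gpg.conf" "$dir/dirmngr.conf"
    rm -rf "$dir"
}

demo
```

Pass the real gpg.conf and dirmngr.conf from the GnuPG home directory as arguments to review an existing setup before and after changing it in Kleopatra.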
(In reply to Ingo Klöcker from comment #5)
> You have to enable the option auto-key-retrieve for GnuPG. If you do not
> want to edit the GnuPG configuration files manually, then you can find this
> setting in the configuration dialog of Kleopatra under GnuPG
> System->OpenPGP->Options controlling key import and export.
>
> The option auto-key-locate controls automatic retrieval of keys needed for
> encryption.
>
> The option "Automatically import keys and certificate" most likely applies
> to keys attached to email messages, but I haven't really verified this.
>
> I'll close the report because this is very likely a setup issue on your
> side. "auto-key-retrieve" is disabled by default (in the GnuPG backend)
> because automatic lookup of keys obviously leaks information about your
> communication partners.

Thanks Ingo. I do have (under -configuration for Keyservers) 'auto-key-retrieve' ticked on already. This makes no difference.