
pgp-happy-eyeballs's Introduction

DEPRECATED

See #4 for some discussion around why this tool is no longer actively maintained (nor recommended for use).

The TL;DR is that the SKS network is mostly too decentralized now to track well with a naive approach like that of this tool.

PGP "Happy Eyeballs"

PGP keyservers are flaky:

This tool was intended to sit in front of clients to keyservers (most easily via DNS or transparent traffic hijacking) and "multiplex" requests across several servers simultaneously, returning the fastest successful result.

Note: if you're looking at this tool, you should seriously consider using the hkps://keys.openpgp.org server / "Hagrid" instead! (It's a refreshingly modern take on OpenPGP infrastructure in general.)

Barring that, I would recommend sticking with a single stable server like hkps://keyserver.ubuntu.com.

How to Use

The easiest (and intended) way to use this, and the way Tianon used it, is to hijack your personal DNS requests and redirect the relevant keyserver domains to a running instance of it. The hard part is doing so in a way that also affects any Docker instances, and that lets those Docker instances reach the running pgp-happy-eyeballs instance successfully.

See rawdns for the tool Tianon uses; example configuration snippet:

...
	"ha.pool.sks-keyservers.net.": {
		"type": "static",
		"cnames": [
			"pgp-happy-eyeballs.docker"
		],
		"nameservers": [
			"127.0.0.1"
		]
	},
...

See also the hack-my-builds.sh script which was intended for use in disposable CI environments such as those provided by Travis CI (see docker-library/php#666 and the linked PRs for implementation examples).

Known Issues

  • using gpg --send-keys doesn't work, among other things (our server hijacking is a tad too aggressive: we should probably only apply the aggressive logic to .../pks/lookup?op=get... requests and pass everything else through as-is, like a standard transparent proxy)
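The fan-out described above (and the op=get-only scoping the known-issue note asks for), as an added Go example that is not the project's own code: it assumes the caller supplies a list of upstream base URLs, races one /pks/lookup?op=get request across all of them, and returns the first success while cancelling the rest. The "Stale servers" issue on this page shows the inherent limit of this approach: first-success cannot tell a fresh key from an outdated one.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
)

// fetch does one GET; anything but 200 (e.g. a 404 "No data") counts as failure.
func fetch(ctx context.Context, target string) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%s: %s", target, resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Lookup sends the same HKP path to every upstream at once and returns the body of
// the first success; timeouts, refusals and "No data" are skipped, and cancel()
// aborts whatever is still in flight once a winner is known. Only /pks/lookup?op=get
// requests belong here; anything else (e.g. /pks/add from `gpg --send-keys`) should
// be proxied to a single upstream unchanged. (Example code, not the project's own.)
func Lookup(ctx context.Context, upstreams []string, path string) (string, error) {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()
	type result struct{ body string; err error }
	ch := make(chan result, len(upstreams)) // buffered: losing goroutines never block
	for _, base := range upstreams {
		go func(base string) {
			body, err := fetch(ctx, base+path)
			ch <- result{body, err}
		}(base)
	}
	for range upstreams {
		if r := <-ch; r.err == nil {
			return r.body, nil // fastest successful answer wins
		}
	}
	return "", fmt.Errorf("no upstream answered %s", path)
}
```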

"Happy Eyeballs" ?

See RFC 6555.

pgp-happy-eyeballs's Issues

Stale servers

Some servers in the list work fine, others are unresponsive ("connection timed out" or "no data"), and others have an outdated key (even a month later 😞). These outdated keyservers are sometimes fastest and so the client gets served the outdated key.

When there were issues back on January 24 with ros image builds in GitHub actions, I had assumed it was just gossip lag. But it is still an issue on their latest PR.

$ # choosing a set of servers that happen to display all states
root@690deddaab77:/# for serv in keyserver.maxweiss.io keyserver.snt.utwente.nl keyserver.spline.inf.fu-berlin.de keys.i2p-projekt.de; do export GNUPGHOME="$(mktemp -d)"; echo "$serv":; gpg --batch --keyserver "hkp://$serv" --recv-keys 'C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654'; gpg --fingerprint; gpgconf --kill all; sleep 1; rm -rf "$GNUPGHOME"; done
keyserver.maxweiss.io:
gpg: keybox '/tmp/tmp.ptqzBy0GKt/pubring.kbx' created
gpg: /tmp/tmp.ptqzBy0GKt/trustdb.gpg: trustdb created
gpg: key F42ED6FBAB17C654: public key "Open Robotics <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
/tmp/tmp.ptqzBy0GKt/pubring.kbx
-------------------------------
pub   rsa4096 2019-05-30 [SC] [expires: 2025-06-01]
      C1CF 6E31 E6BA DE88 68B1  72B4 F42E D6FB AB17 C654
uid           [ unknown] Open Robotics <[email protected]>

keyserver.snt.utwente.nl:
gpg: keybox '/tmp/tmp.0pFeCCtLjq/pubring.kbx' created
gpg: keyserver receive failed: Connection timed out
gpg: /tmp/tmp.0pFeCCtLjq/trustdb.gpg: trustdb created
keyserver.spline.inf.fu-berlin.de:
gpg: keybox '/tmp/tmp.PRub9GpThs/pubring.kbx' created
gpg: keyserver receive failed: No data
gpg: /tmp/tmp.PRub9GpThs/trustdb.gpg: trustdb created
keys.i2p-projekt.de:
gpg: keybox '/tmp/tmp.zVYOoe9F0Q/pubring.kbx' created
gpg: /tmp/tmp.zVYOoe9F0Q/trustdb.gpg: trustdb created
gpg: key F42ED6FBAB17C654: public key "Open Robotics <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
/tmp/tmp.zVYOoe9F0Q/pubring.kbx
-------------------------------
pub   rsa4096 2019-05-30 [SC] [expired: 2021-05-29]
      C1CF 6E31 E6BA DE88 68B1  72B4 F42E D6FB AB17 C654
uid           [ expired] Open Robotics <[email protected]>

While pgp-happy-eyeballs works great to ignore unresponsive servers 👍, it would be nice to have a way to improve the server list in order to use only "up-to-date" keyservers.

The workaround for users who rely on pgp-happy-eyeballs and need up-to-date keys is to use keyserver.ubuntu.com or keys.openpgp.org directly (both are very stable and can be fetched over TLS if desired). In order to fetch from keys.openpgp.org, the key's email address must be verified there.

Add "Usage" section to README

I'm having a hard time making this work, and I think I would benefit greatly from having a "Usage" section in the README. Ideally with both Docker-based and non-Docker-based examples. Thanks!
