Solvedstreisand Server creation blocked by GPG key import

Expected behavior:

Complete install of services on DigitalOcean.

Actual Behavior:

Stalls during GPG key refresh

- name: "Refresh the Streisand GPG keyring with keyserver information"

Manually running GPG refresh on target host shows following error of signatures being too large for keyring.

# gpg2 --no-default-keyring --keyring /root/.gnupg/streisand/pubring.gpg --keyserver-options timeout=120 --refresh
gpg: refreshing 10 keys from hkps://hkps.pool.sks-keyservers.net
gpg: key 4D4D5458: "Corban Raun <corban@raunco.co>" not changed
gpg: key F67DA905: "Jay Carlson <nop@nop.com>" not changed
gpg: key A7A356D6: "Joshua Lund <josh@joshlund.com>" not changed
gpg: key BF0F6049: "Daniel McCarney <daniel@binaryparadox.net>" not changed
gpg: key DD3AAAA3: "Michał Trojnara <Michal.Trojnara@stunnel.org>" not changed
gpg: key B43434E4: "PuTTY Releases <putty@projects.tartarus.org>" not changed
gpg: error writing keyring '/root/.gnupg/streisand/pubring.gpg': Provided object is too large
gpg: key 93298290: "Tor Browser Developers (signing key) <torbrowser@torproject.org>" 100103 new signatures
gpg: key 93298290: "Tor Browser Developers (signing key) <torbrowser@torproject.org>" 1 new subkey
gpg: key 96865171: "Nikos Mavrogiannopoulos <nmav@gnutls.org>" 22 new signatures
gpg: key 7F343FA7: "Nikos Mavrogiannopoulos <nmav@redhat.com>" not changed
gpg: key 2F2B01E7: "OpenVPN - Security Mailing List <security@openvpn.net>" 39 new signatures
gpg: key 2F2B01E7: "OpenVPN - Security Mailing List <security@openvpn.net>" 2 new subkeys
gpg: Total number processed: 10
gpg:              unchanged: 7
gpg:            new subkeys: 3
gpg:         new signatures: 100164
gpg:           not imported: 1

Steps to Reproduce:

  1. Start Streisand script (run on my own device or via localhost advanced install)
  2. Enable all services and fill out information for Let's Encrypt cert.
  3. During GPG key refresh, output shared above is observed in Ansible errors.

Ansible Information

  • Ansible version: 2.8.0
  • Ansible system: Linux
  • Host OS: Fedora
  • Host OS version: 30
  • Python interpreter: python
  • Python version: 2.7.16

Streisand Information

  • Streisand Git revision: dae1832
  • Streisand Git clone has untracked changes: no
  • Genesis role: genesis-digitalocean
  • Custom SSH key: False

Enabled Roles

  • Shadowsocks enabled: True
  • Wireguard enabled: True
  • OpenVPN enabled: True
  • stunnel enabled: True
  • Tor enabled: True
  • Openconnect enabled: True
  • TinyProxy enabled: True
  • SSH forward user enabled: True
  • Configured number of VPN clients: 5
13 Answers

✔️Accepted Answer

Here's what worked for me (git patch file included below). I tested this by enabling all Streisand features/services (including Tor). I put the changes into a git patch file which you can grab from the gist URL below, and apply with git am < 0001-Move-to-Mozilla-GPG-Keyserver-fix-a-few-GPG-verifica.patch:

https://gist.github.com/nickgnazzo/e7204e35c281e30c8fbdde08f72af1c4#file-0001-move-to-mozilla-gpg-keyserver-fix-a-few-gpg-verifica-patch

The tl;dr steps:

  1. cd /path/to/Streisand/repo
  2. curl -O https://gist.githubusercontent.com/nickgnazzo/e7204e35c281e30c8fbdde08f72af1c4/raw/b9e4066c85e315774134d8721d916022d15e718e/0001-Move-to-Mozilla-GPG-Keyserver-fix-a-few-GPG-verifica.patch
  3. git am < 0001-Move-to-Mozilla-GPG-Keyserver-fix-a-few-GPG-verifica.patch
  4. Re-run your Streisand script.

Summary of changes made:

  • Change GPG keyserver to hkps://gpg.mozilla.org
    • For whatever reason, this keyserver doesn't seem affected by the key poisoning attack (yet). I think using this keyserver is likely only a temporary workaround. It might not be part of the SKS Keyserver Pool, but could still be vulnerable to the poisoning attack.
    • Unfortunately, using the new keys.openpgp.org (which has some mitigations against the SKS Keyserver attack) won't work yet. There's an issue causing gpg2 to fail to refresh keys when no "user ID" information is available. The problem here's two-fold, keys.openpgp.org requires email verification in order to allow publishing keys with their email address attached, and gpg2 refuses to process keys that have no user ID when refreshing. So by default, if you don't opt-in/verify your email address with OpenPGP, they won't publish the email associated with a public key (so when you run gpg2 refresh, you get the public keys without any user ID info), and then gpg2 refuses to process/import the keys. Meaning in order for this to work, you either have to wait for every key owner in Streisand's keyring to verfiy their email/identity with OpenPGP, or wait for GnuPG to fix the issue with the gpg2 client (or some other workaround I haven't thought of). The people running the OpenPGP keyserver are "working with" the GnuPG maintainers to address the problem (they mention it here).
      • If you try using keys.openpgp.org yourself, you'll likely see this error somewhere when Streisand runs gpg2 refresh: gpg: key XXXXXXXXXXXXXXXX: no user ID
  • Add Mozilla Keyserver Root CA to dirmngr (using "hkp-cacert" option)
    • Since we want to use hkps, we have to tell dirmngr to trust Mozilla's Root CA to verify TLS. This is currently an Amazon Root CA, which is cross-signed by Starfield. So I just pointed dirmngr to the Starfield PEM file located in /etc/ssl/certs which should be available by default.
  • Modify GPG Key ID used to verify Tor download signatures
    • Apparently the Key ID used to sign Tor downloads has changed recently. From what I can tell, the old key ID used by Streisand was C3C07136 (which seems to be Georg Koppen's pubkey), but they have switched to using the pubkey with user ID "The Tor Browser Developers" (D9FF06E2). Both of these key IDs are on Tor's signing keys page.
    • I needed to make this change for the "Verify" step of the Download/Mirror Tor Browser task to work. Otherwise, the signatures would technically show as "Good", but Streisand was looking for the old key ID in the verification command output to test if the verify worked, and thought it was failing.
  • Modify GPG Key ID used to verify OpenVPN download signatures
    • Same deal as the Tor GPG change I mentioned above, the OpenVPN signing key in Streisand seems to also be outdated. I changed this from AF131CAE to 5ACFEAC6 within Streisand's variables and that made the verification pass for me.
    • Source of new key ID can be found on OpenVPN's page. It is technically a subkey of the key found on that page (I was able to find the new subkey 5ACFEAC6 in a few keyservers).
    • This seems like it's being tracked in a few other issues on Streisand's Github.
  • Add new PuTTY Signing Key to Streisand's "Bootstrap GPG Keys"
    • Since the new Key ID used for PuTTY signatures is a new standalone key (and not a subkey of the current master key), I had to add it to Streisand's "Bootstrap GPG Key" setup tasks in order to get the PuTTY verification to work. Since it's not a subkey of the current signing key, it won't be downloaded when we run gpg refresh.
    • These keys live under playbooks/roles/gpg/files/ and are imported using the variable streisand_bootstrap_gpg_keys (referenced by another task).
  • Modify PuTTY Key ID used to verify PuTTY download signatures
    • Change key ID from B43434E4 to 4AE8DA82 within Streisand variables.
    • Source of new key ID can be found here
    • Seems this is being tracked in another issue.

Other Answers:

also seeing this on a non-DO host, trying several different keyservers

More Issues: