Launchpad could not import my OpenPGP key

Asked by Wim Lewis

I'm unable to import my key to Launchpad. I enter its fingerprint, click "Import Key", and get the error message ("Launchpad could not import your OpenPGP key. Did you enter your complete fingerprint correctly? [etc]").

My key is on the ubuntu keyserver:
  http://keyserver.ubuntu.com:11371/pks/lookup?op=index&search=0x5F149CDF27F772C1

I've tried the fingerprint with no spaces (0C0D10D5FC73D1352646429EDC6E0A88) and various spaces, as well as the key ID, with no luck.

Several other people have had this problem due to the ubuntu->launchpad synchronization being slow, so I waited a couple of days, but Launchpad still won't import it.

Related items:
  Faq 79: https://answers.launchpad.net/launchpad/+faq/79
  Similar unresolved question: https://answers.launchpad.net/launchpad/+question/28068
  Similar answered question: https://answers.launchpad.net/launchpad/+question/145328
  Bug describing this problem, but marked 'invalid': https://bugs.launchpad.net/launchpad/+bug/514074

Question information

Language: English
Status: Answered
For: Launchpad itself
Assignee: Canonical Launchpad Engineering
Whiteboard:
2011-09-28 thedac: Assigning back to Canonical Launchpad Engineering. LOSAs need more guidance on this issue. Where does the "internal" keyserver live? What mechanism syncs? etc.
Max Bowsher (maxb) said :
#1

LOSAs, please could you look into whether there is a problem with the sync from keyserver.ubuntu.com to the internal keyserver?

Also note that this key is a version 3 PGP key (i.e. very old, PGP 2.6.x compatible), and so its key-id is *not* the suffix of the fingerprint as for v4 keys.

Brad Crittenden (bac) said :
#3

Hi,

As mentioned towards the end of the report for https://bugs.launchpad.net/launchpad/+bug/514074 , the problem (in that case) was there are multiple keyservers at keyserver.ubuntu.com for load balancing and they were not synchronizing with one another. It is possible that this is the case now.

I will ask the admins to take a look at the keyservers.

Wim Lewis (wiml) said :
#4

Ah, my reading of 514704 was that there was a single (hidden) Launchpad keyserver which would occasionally stop synchronizing with Ubuntu's. (nslookup only returns one ip address for keyserver.ubuntu.com for me anyway, 91.189.89.49, from all 3 Canonical nameservers.) I dug around a little in the Launchpad sources and from http://bazaar.launchpad.net/~launchpad-pqm/launchpad/devel/view/head:/lib/lp/registry/browser/person.py and http://bazaar.launchpad.net/~launchpad-pqm/launchpad/devel/view/head:/lib/canonical/launchpad/utilities/gpghandler.py it looks like the internal keyserver is specified in the [gpghandler] section of the site's config. Regardless, is there some reason Launchpad uses such an unreliable keyserver? Why can't it get keys directly from keyserver.ubuntu.com or some other maintained keyserver?

Brad Crittenden (bac) said :
#5

First, let me say the admins have bounced the keyservers at keyserver.ubuntu.com. It would be helpful if you could report if you are currently still seeing the problem.

Wim, you are correct in what you report from looking at the code that there is an internal keyserver that we maintain in our data center to eliminate the need to hit the public server all of the time.

In the code used for importing GPG keys that internal server is not in play. If you look at the code for browser/person.py you'll see:

    def keyserver_url(self):
        assert self.fingerprint
        return getUtility(
            IGPGHandler).getURLForKeyInServer(self.fingerprint, public=True)

If you trace that back to gpghandler.py you'll see the parameter public=True causes the request to go directly to the public key server not the internal one.

In the past when we've seen import problems (such as described in bug 514704) it was shown to be the public keyservers not synchronizing.

Also, the fact you only see one IP address for the keyserver is not an indication that there is only one true instance. The Wikipedia article on load balancing is quite good.

Wim Lewis (wiml) said :
#6

My key is still on the Ubuntu keyserver as far as I can tell (it's visible at http://keyserver.ubuntu.com:11371/pks/lookup?search=0x5F149CDF27F772C1 ) and still fails to import. Hopefully six months is enough time for the keyservers to synchronize. I'm getting the same error message as before (no specific reason for the failure).

Brad Crittenden (bac) said :
#7

Hi Wim,

Thanks for reporting that you are still having problems. I'm sorry that the actions we took a while back didn't solve your issue.

Further investigation shows that the key you are trying to import is a v3 key, which we do not support. Here is the query Launchpad uses to retrieve your key:

http://keyserver.ubuntu.com:11371/pks/lookup?search=0x0C0D10D5FC73D1352646429EDC6E0A88

If you open that URL you'll see the error response generated by the key server.

The issue was raised a long time ago (but I was unaware of it) as bug 4746.

In that discussion you'll see that we have made the decision not to support v3 keys as they are not as secure.

I am going to convert this question into a bug, though, as the error message you received was misleading.
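
The v3/v4 difference mentioned in replies #1 and #7, as an added example (not part of the original thread and not Launchpad code): it computes fingerprint and key ID for both versions as defined in RFC 4880 section 12.2, and infers the version from a pasted fingerprint's length. The RSA values `N` and `E` are constructed for illustration and are not a real key; the function names are hypothetical.

```python
import hashlib

def _raw(x: int) -> bytes:
    """Big-endian bytes of x with no leading zero octets."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def _mpi(x: int) -> bytes:
    """OpenPGP MPI: two-octet bit count followed by the raw bytes."""
    return x.bit_length().to_bytes(2, "big") + _raw(x)

def v3_ids(n: int, e: int) -> tuple[str, str]:
    """RFC 4880 12.2, v3 RSA key: fingerprint is MD5 over the MPI bodies of
    n then e; key ID is the low 64 bits of the modulus n."""
    fpr = hashlib.md5(_raw(n) + _raw(e), usedforsecurity=False).hexdigest().upper()
    return fpr, f"{n & 0xFFFFFFFFFFFFFFFF:016X}"

def v4_ids(n: int, e: int, created: int) -> tuple[str, str]:
    """RFC 4880 12.2, v4 RSA key: fingerprint is SHA-1 over 0x99, a two-octet
    length and the public-key packet body; key ID is its low 64 bits."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)
    data = b"\x99" + len(body).to_bytes(2, "big") + body
    fpr = hashlib.sha1(data, usedforsecurity=False).hexdigest().upper()
    return fpr, fpr[-16:]

def fingerprint_version(text: str) -> int:
    """Infer the key version from a pasted fingerprint: 32 hex digits is an
    MD5 (v3) fingerprint, 40 hex digits is a SHA-1 (v4) fingerprint."""
    digits = "".join(text.split()).upper().removeprefix("0X")
    if any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("fingerprint contains non-hex characters")
    versions = {32: 3, 40: 4}
    if len(digits) not in versions:
        raise ValueError(f"unexpected fingerprint length: {len(digits)} hex digits")
    return versions[len(digits)]

# Constructed key material (not a real key): only the byte layout matters here.
N = (1 << 1023) | 0x0123456789ABCDEF
E = 65537

if __name__ == "__main__":
    for label, (fpr, kid) in (("v3", v3_ids(N, E)), ("v4", v4_ids(N, E, 0))):
        print(label, fpr, kid, "suffix" if fpr.endswith(kid) else "not a suffix")
    # Fingerprints quoted in the thread above.
    print(fingerprint_version("0C0D10D5FC73D1352646429EDC6E0A88"))
    print(fingerprint_version("0xD0C672A0E9E359C640A56CB9EC84F8A9F0703405"))
```

A tool that accepts fingerprints can use the length check to report "v3 key, not supported" explicitly instead of a generic import failure.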

P M (pmehta-g) said :
#8

I am facing this same exact situation where my key is v4 and lookup works just fine,

http://keyserver.ubuntu.com:11371/pks/lookup?search=0xD0C672A0E9E359C640A56CB9EC84F8A9F0703405

It is possible that sync is broken again or something else in Launchpad code is misbehaving.
