89

I am trying to add a public key for installing a program with GPG. I am pretty new to this, but every command I found gave me the same error:

gpg --keyserver keyserver.ubuntu.com --recv-keys 94558F59
gpg: requesting key 94558F59 from hkp server keyserver.ubuntu.com
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error

How is this possible? It seems that I am behind some kind of blockade which makes it impossible to establish a connection to the key server. I looked into many OP questions and tried all the commands I could find, but nothing worked. Has anyone had this problem before?

Jeff Schaller

9 Answers

160

This is usually caused by your firewall blocking the port 11371. You could unblock the port in your firewall. In case you don't have access to the firewall you could:

Force it to use port 80 instead of 11371

$ sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 94558F59

-or alternatively omitting the port-

$ sudo gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 94558F59

Alternatively

  • Find and open the key from the key server.
  • Copy its contents into a text file.
  • Go to System Tool > Preferences > Software Sources > Authentication > Add key, and select the text file created. Ubuntu 14.04 and later try: Software Center -> Edit -> Software Sources -> Authentication -> Import key file
slm
tutak
  • 7
    gpg --import key.txt if you need to import via command line FYI. – Banjer Nov 04 '14 at 18:28
  • 1
    https://sks-keyservers.net/i/ to download the key FYI – Lakshmi Narayanan Aug 17 '15 at 20:01
  • 3
    upvote for alternative way! On Ubuntu 14.04 and later, it's added from Software Center -> Edit -> Software Sources -> Authentication -> Import key file – Roy Ling Nov 10 '15 at 01:36
  • This fixed my issue w/ installing the keys for rvm. The following call was hanging for me: requesting key D39DC0E3 from hkp server keys.gnupg.net – mdgrech Jun 08 '16 at 17:58
  • 8
    "Find and open the key from the key server." What nobody mentions is how that's done. In my case, the key in question is on gpg.mit.edu. Okay, easy, just go to http://pgp.mit.edu and paste the key into the Search String field! Wrong. You must know the magic secret: prepend the key with 0x. If the key is 0F571F6C, you must search for 0x0F571F6C, which is in no way obvious. – Ben Johnson Jul 13 '16 at 21:18
  • you are the man!! blocked port was my problem. – OhadR Dec 04 '16 at 22:21
  • I am trying for hkp://keyserver.ubuntu.com:80 & hkp://p80.pool.sks-keyservers.net:80 but still this error. Why? – Rajeev Ranjan Jun 11 '18 at 08:36
  • hkp:// was missing from my URL... That resolved my issue. sudo apt-key adv --keyserver keyserver.ubuntu.com:80 --recv-keys $INSTALL_KEY – GTodorov Feb 06 '21 at 23:40
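
The manual route from the answer and comments above (a keyserver URI with an explicit scheme, a search term prefixed with 0x, then gpg --import), as an added example that is not part of the original answer. The function names are hypothetical, /pks/lookup is the standard HKP lookup path, and the expected fingerprint is assumed to come from the software publisher through a separate channel, because 8-digit key IDs such as 94558F59 are not unique.

```shell
# Added example (constructed; not from the answer).

# Normalize a key ID or fingerprint: drop spaces and a leading 0x, uppercase,
# and accept only 8, 16 or 40 hex digits.
normalize_keyid() {
  id=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
  id=${id#0[xX]}
  case $id in ''|*[!0-9A-F]*) return 1 ;; esac
  case ${#id} in 8|16|40) printf '%s\n' "$id" ;; *) return 1 ;; esac
}

# Map a keyserver URI to scheme://host:port. hkp:// without a port means
# 11371 (the HKP default); a bare host name is rejected, the scheme is required.
keyserver_base() {
  case $1 in
    hkps://*|https://*) scheme=https port=443 ;;
    hkp://*)            scheme=http  port=11371 ;;
    http://*)           scheme=http  port=80 ;;
    *) return 1 ;;
  esac
  host=${1#*://}; host=${host%%/*}
  case $host in *:*) port=${host##*:}; host=${host%%:*} ;; esac
  case $port in ''|*[!0-9]*) return 1 ;; esac
  [ -n "$host" ] || return 1
  printf '%s://%s:%s\n' "$scheme" "$host" "$port"
}

# Lookup URL; the search term always carries the 0x prefix.
hkp_lookup_url() {
  base=$(keyserver_base "$1") || return 1
  kid=$(normalize_keyid "$2") || return 1
  printf '%s/pks/lookup?op=get&options=mr&search=0x%s\n' "$base" "$kid"
}

# Fetch by full fingerprint and import only if the download holds exactly one
# primary key with that fingerprint. Needs curl and GnuPG 2.2+ (--show-keys).
fetch_key_checked() {   # usage: fetch_key_checked KEYSERVER_URI FINGERPRINT
  want=$(normalize_keyid "$2") && [ "${#want}" -eq 40 ] || return 1
  url=$(hkp_lookup_url "$1" "$want") || return 1
  tmp=$(mktemp) || return 1
  curl -fsS --max-time 20 -o "$tmp" "$url" &&
    got=$(gpg --show-keys --with-colons "$tmp" |
          awk -F: '$1=="pub"{p=1} $1=="fpr"&&p{print $10; p=0}') &&
    [ "$got" = "$want" ] && gpg --import "$tmp"
  rc=$?; rm -f "$tmp"; return "$rc"
}
```
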
26
$ sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys SOMEKEY
slm
  • 9
    sudo is not necessary and, other than that, this answer adds nothing to the poster's problem... – jasonwryan Nov 06 '13 at 19:45
  • 4
    I was working on this just an hour ago, and adding this line solved the problem for me. There is the difference that I specify port 80 explicitly. I also specify the protocol explicitly. You may be right that sudo is not needed, but my answer does add a bit of relevant info, don't you think? Oh and, your answer is also correct. – Victor Pudeyev Nov 06 '13 at 20:31
  • 6
    Remove the sudo and the answer is correct. – jasonwryan Nov 06 '13 at 20:55
  • I just checked, and sudo is necessary. Sorry. – Victor Pudeyev Nov 06 '13 at 22:32
  • 4
    Necessary to receive keys from a public keyserver? I don't think so... – jasonwryan Nov 07 '13 at 01:57
  • 1
    sudo is only necessary if you're using apt-key. It is definitely not necessary for gpg unless you're trying to update your root keyring. There's nothing special about gpg that requires root. – internetdotcom Mar 04 '15 at 15:01
  • sudo is not necessary. Heck, if it were, you'd need to sudo every time you get an email with a new key, that's stupid.
    There's probably something very broken with your setup (maybe root owns your gpg keyring, since you've been using sudo before).
    – WhyNotHugo Jun 10 '15 at 17:13
  • 2
    Adding the hkp:// as noted in this answer does work for me. – barryhunter Apr 21 '16 at 12:11
  • This is the right answer, I was missing the "hkp:" protocol. – ATOzTOA Oct 07 '16 at 15:42
  • The combination of hkp:// prefix and port :80 suffix receives keys properly - missing either and the timeout problem stays. (no sudo needed though, as noted above) – Bonlenfum Jan 31 '17 at 11:15
13

I encountered the same problem when I was trying to add a GPG key behind a proxy. The solution to my problem was to add the --keyserver-options in the command:

$ sudo apt-key adv \
     --keyserver-options http-proxy=http://USER:PASSWORD@PROXY_URL:PORT/ \
     --keyserver keyserver.ubuntu.com --recv-keys GPG_KEY
slm
Alex.Bai
  • 1
    I ended up having to do this even though I already had http_proxy and https_proxy settings in my environment. – thayne Dec 08 '21 at 21:50
9

This worked for me:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv-keys AKEYXXX
Lelouch Lamperouge
eltoro56
4

Try getting your key from another server (worked for me):

$ sudo gpg --keyserver hkp://keys.gnupg.net --recv-keys 94558F59

or

$ sudo gpg --keyserver hkp://pgp.mit.edu --recv-keys 94558F59
slm
2

I fixed my problem by running the following command:

$ sudo apt-key adv \
   --keyserver hkp://p80.pool.sks-keyservers.net:80 \
   --recv-keys *somekey*
slm
2

The accepted answer is excellent and after almost 8 years (a long time in security and cryptography), it still works. I thought I’d suggest another alternative that offers greater privacy and security:

Use HKPS (HKP over TLS)

This encrypts the connection to the keyserver and helps prevent man-in-the-middle attacks. Also, TCP Port 443 is just as unlikely to be blocked by a corporate firewall as Port 80 (unlike Port 11371).

$ sudo gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 94558F59

Note: the URIs, https://keyserver.ubuntu.com, hkps://keyserver.ubuntu.com, hkps://keyserver.ubuntu.com:443 are all equivalent.

Configuring this as the default server

Since the release of GnuPG 2.1.9 (2015-10-09), the --keyserver option for gpg has been deprecated and users are recommended to “use the --keyserver in dirmngr.conf instead”. The user’s default keyserver can be configured permanently by editing ~/.gnupg/dirmngr.conf:

keyserver hkps://keyserver.ubuntu.com

If the dirmngr daemon is already running, you’ll need to run gpgconf --reload dirmngr for the new configuration to take effect.

System default keyservers

Currently (since versions 2.2.29 and 2.3.2, released in July/August 2021), the GnuPG project has keyserver.ubuntu.com configured as its default keyserver if none is specified by the user while Debian (and Ubuntu) packages of gnupg2 have configured hkps://keys.openpgp.org as the default keyserver since gnupg2 2.2.17-1 (released in 2019).

Note: other answers suggest using SKS keyserver pools. Unfortunately, these have suffered privacy and abuse problems and, as of June 2021, are no longer operating.

slm
0

I'm seeing this on one of two identical boxes running ansible deployments against an ubuntu 14.04 image. In fact, it had previously worked for app-infra-1 but at some point it began to fail. The fact that it succeeded on app-infra-2 freshly recreated suggests it is a corruption on app-infra-1 or a bug in the detection and reporting of apt-key adv.

I tried deleting the key using apt-key del but I continue to get the same error.

changed: [app-infra-2] => {"changed": true, "item": "", "repo": "ppa:webupd8team/java", "state": "present"}
failed: [app-infra-1] => {"cmd": "apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 7B2C3B0889BF5709A105D03AC2518248EEA14886", "failed": true, "item": "", "rc": 2}
stderr: gpg: requesting key EEA14886 from hkp server keyserver.ubuntu.com
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error

stdout: Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.2zqQuFdBjg --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/puppetlabs-keyring.gpg --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 7B2C3B0889BF5709A105D03AC2518248EEA14886

msg: gpg: requesting key EEA14886 from hkp server keyserver.ubuntu.com
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error

In the end, since it's a vm, my solution was to re-build it with vagrant.

drs
darKoram
0

For me it was required to add ENV statements into my docker file. E.g.

ENV  http_proxy "http://[yourproxy]:[port]/"
ENV  https_proxy "http://[yourproxy]:[port]/"
Sparhawk