
I've used gpg for minimal things for years now (pass, yadm, etc.) and one thing I consistently have noticed is slow response times from the keyservers (mit, ubuntu, etc) when accessed through the web portals (searching takes absolutely forever).

Recently yay seems to have been having trouble importing keys with a No Name error that people seem to frequently encounter, and the solution is always to just manually import the key. This has happened twice in the past week for me, with 1password and spotify. I tried researching long term solutions instead of the manual import shortcut, and one suggestion was to set the keyserver manually in /etc/pacman.d/gnupg/gpg.conf, but that didn't resolve the problem. I ran pacman-key --refresh-keys and it worked, but it seemed incredibly error prone. Here's a snapshot of the output toward the end:

==> ERROR: Could not update key: B9113D1ED21E1A55
gpg: error retrieving 'pete@muddygoat.org' via WKD: General error
gpg: error reading key: General error
gpg: error retrieving 'p.r.lewis@cs.bham.ac.uk' via WKD: General error
gpg: error reading key: General error
gpg: error retrieving 'prlewis@letterboxes.org' via WKD: General error
gpg: error reading key: General error
gpg: error retrieving 'plewis@aur.archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: 6D1A9E70E19DAA50
gpg: error retrieving 'roman@archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: 3A726C6170E80477
gpg: error retrieving 'schiv@archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: 81AF739EC0711BF1
gpg: error retrieving 'speps@aur.archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
gpg: error retrieving 'speps@gmx.com' via WKD: No data
gpg: error reading key: No data
gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
gpg: error retrieving 'speps@gmx.com' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: CF7037A4F27FB7DA
gpg: error retrieving 'l.jirkovsky@gmail.com' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: 73B8ED52F1D357C1
gpg: error retrieving 'stephane@archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: EA6836E1AB441196
gpg: error retrieving 'gostrc@gmail.com' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: 7FB1A3800C84C0A5
gpg: error retrieving 'danielmicay@gmail.com' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'security@grapheneos.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'security@attestation.app' via WKD: No data
gpg: error reading key: No data
gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
gpg: error retrieving 'security@seamlessupdate.app' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'daniel.micay@grapheneos.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'daniel.micay@attestation.app' via WKD: No data
gpg: error reading key: No data
gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
gpg: error retrieving 'daniel.micay@seamlessupdate.app' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: F9E712E59AF5F22A
gpg: error retrieving 'teg@jklm.no' via WKD: Connection refused
gpg: error reading key: Connection refused
gpg: error retrieving 'teg@pps.jussieu.fr' via WKD: No name
gpg: error reading key: No name
gpg: error retrieving 'tomegun@archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: C8880A6406361833
gpg: error retrieving 'timothy.redaelli@gmail.com' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: E711306E3C4F88BC
gpg: error retrieving 'atsutane@freethoughts.de' via WKD: General error
gpg: error reading key: General error
gpg: error retrieving 't.toepper@gmx.de' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'atsutane@freethoughts.de' via WKD: General error
gpg: error reading key: General error
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: 39E4F17F295AFBF4
gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
gpg: error retrieving 'vegai@iki.fi' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: 097D629E437520BD
gpg: error retrieving 'xyne@archlinux.ca' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: 5CED81B7C2E5C0D2
gpg: error retrieving 'baptiste@bitsofnetworks.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'baptiste@jonglez.org' via WKD: General error
gpg: error reading key: General error
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: 1F0CD4921ECAA030
gpg: key 4DC95B6D7BE9892E: "David Runge (Arch Linux Master Key) <dvzrv@master-key.archlinux.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
pub   ed25519 2021-04-26 [SC]
      2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E
uid           [  full  ] David Runge (Arch Linux Master Key) <dvzrv@master-key.archlinux.org>
sub   cv25519 2021-04-26 [E]

gpg: key 25EA6900D9EA5EBC: "George Rawlinson <george@rawlinson.net.nz>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
pub   ed25519 2016-11-03 [C]
      034D823DA2055BEE6A6BF0BB25EA6900D9EA5EBC
uid           [ unknown] George Rawlinson <george@rawlinson.net.nz>
uid           [  full  ] George Rawlinson <grawlinson@archlinux.org>
sub   ed25519 2016-11-03 [S]
sub   ed25519 2016-11-04 [A]
sub   cv25519 2016-11-04 [E]

Is this always the case with gpg and keyservers? Are manual imports just a part of life? Why are these keyservers so unstable?

Please note: the Arch wiki suggests the following possible problems:

  • An outdated archlinux-keyring package.
  • Incorrect date.
  • Your ISP blocked the port used to import PGP keys.
  • Your pacman cache contains copies of unsigned packages from previous attempts.
  • dirmngr is not correctly configured.
  • You have not upgraded in a long time and gpg/pacman does not handle that well.

But I upgrade daily, my ISP has not blocked any ports (I can manually import), and my date is correct. I'm pretty sure I even recently cleared my pacman and yay caches (which seems like people actually recommend against). It seems like it's a problem with the spottiness of the keyservers themselves.

Am I wrong that it's the keyservers? If not, why are they so spotty? If I am wrong, what can I do to improve my pacman/yay experience to make this smoother and eliminate these pain points?

mas
  • Ostensibly yes, but I was just looking for a breakdown on the keyservers and why it seems that they're so often unreliable. WKD, HKS (I guess that one's gone), but even mit and ubuntu seem to have had problems. Setting my gpg.conf to mit didn't fix the problem. – mas Jul 14 '21 at 16:20
  • In fact it seems my question is wrong and it's a failure of the pacman/yay software: installing spotify does not work even when I set keyserver keyserver.ubuntu.com in my gpg conf but manually importing it from the same keyserver does. – mas Jul 14 '21 at 16:22
  • Ah, that’s interesting... In my experience, MIT also has spotty availability (and that’s been the case for a long, long time); distro servers are far more reliable (e.g. Debian’s or Ubuntu’s). keys.openpgp.org is reliable but has limited coverage. – Stephen Kitt Jul 14 '21 at 16:27
  • I might have a configuration error. Regardless, your last comment is exactly what I was trying to understand. Could you spin that into an answer if you have the time? There's not much information available about the reliability of keyservers. – mas Jul 14 '21 at 16:29

1 Answer


It’s possible that you’re running into keyserver issues, at least for some of the keyservers.

WKD is by nature unreliable, or at least unpredictable: it requires support in each domain from which you try to fetch keys, so it’s more likely to fail than to succeed for any given set of user ids (email addresses) from a variety of domains (as is the case in your example). There are domains with large numbers of OpenPGP users which support WKD (including Debian, Gentoo, and the Linux kernel), and in such contexts WKD can be expected to work.

The SKS pool is deprecated and shouldn’t be used. See sks-keyservers gone. What to use instead? for possible replacements.

In my experience keys.openpgp.org is reliable, but limited since it only serves keys from users who have confirmed their keys with that service. The MIT keyserver has had spotty availability for a long time.

In practice, for most users who end up needing OpenPGP keys for package verification, the most reliable keyservers are distribution keyservers, for those distributions which maintain their own keyservers (e.g. Debian or Ubuntu). These are nearly always reachable and functional; depending on their purpose they may only have distribution-related keys, but it’s always worth trying them.

Stephen Kitt
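To make the answer's point about WKD concrete, here is an added example (not code from the question, the answer, or GnuPG) that derives the two WKD lookup URLs for a user id the way the draft-koch-openpgp-webkey-service specification does and walks the advanced-then-direct lookup order; the "published" table and fake_fetch are constructed stand-ins for the network, so a domain absent from the table behaves like one that publishes no keys, which is the "No data" case in the log above.

```python
import hashlib

# z-base-32 alphabet used by WKD for the hashed local part
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data):
    """Encode bytes as z-base-32, five bits per character, no padding."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(ZB32[int(bits[i:i + 5].ljust(5, "0"), 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part):
    """WKD lowercases the local part, SHA-1s it and z-base-32 encodes the
    160-bit digest, giving a fixed 32-character directory entry name."""
    return zbase32(hashlib.sha1(local_part.lower().encode()).digest())


def wkd_urls(addr):
    """Return the (advanced, direct) lookup URLs for an e-mail style user id."""
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{h}?l={local}")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}"
    return advanced, direct


def wkd_lookup(addr, fetch):
    """Try the advanced method first, then the direct one, as a WKD client
    does. fetch(url) returns the binary key or None; None overall means the
    domain publishes nothing for this user id (gpg's 'No data')."""
    for url in wkd_urls(addr):
        key = fetch(url)
        if key is not None:
            return url, key
    return None


# Constructed offline stand-in for the network: only example.org publishes a
# key, via the direct method; any other domain has no WKD endpoint at all.
PUBLISHED = {
    wkd_urls("Alice@example.org")[1].split("?")[0]: b"constructed-key-bytes",
}


def fake_fetch(url):
    # Servers key the lookup on the path; the ?l= query carries the original
    # local part only as a hint, so it is ignored here as well.
    return PUBLISHED.get(url.split("?")[0])
```

Note that "alice@example.org" and "Alice@example.org" resolve to the same entry because of the lowercase mapping, while "bob@nowkd.example" yields None from both methods, which is all a client can see for a domain that has not deployed WKD.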