
GPG tools & mailvelope keyserver #7

Closed
dreamflasher opened this issue Jul 24, 2016 · 9 comments

@dreamflasher

How is one supposed to interact with the Mailvelope keyserver via the GPG tools (command line)? The usual command is:
gpg --keyserver hkps://keys.mailvelope.com --search-keys ...
If I use an email address which is uploaded on the Mailvelope keyserver (e.g. my own one) it doesn't find it. What am I doing wrong?

@toberndo (Member)

For me
gpg --keyserver hkps://keys.mailvelope.com/ --search-keys thomas@mailvelope.com
works.

What do you get when you enter your email address in the key lookup https://keys.mailvelope.com/demo.html ?

@dreamflasher (Author)

For me
gpg --keyserver hkps://keys.mailvelope.com/ --search-keys thomas@mailvelope.com
gives (output translated from German):
gpg: searching for "thomas@mailvelope.com" from hkps server keys.mailvelope.com
gpg: key "thomas@mailvelope.com" not found on keyserver
The latter translates to "Key was not found on keyserver".
I'm on Windows.
The demo page yields my public key as expected.

@toberndo (Member)

We currently only provide access with HKPS, which is not supported by GPG on Windows by default. A configuration option to use HKPS with GPG is described here: https://riseup.net/en/security/message-security/openpgp/best-practices#use-the-sks-keyserver-pool-instead-of-one-specific-server-with-secure-connections

@dreamflasher (Author)

Ah that's very helpful and great to know! Where do I find the certificate CA (pem file) for hkps://keys.mailvelope.com/?

@toberndo (Member)

Think it should be this one: https://www.amazontrust.com/repository/AmazonRootCA1.pem

@dreamflasher (Author) commented Jul 28, 2016

Thanks, so I tried putting it into the config file as explained in the article, but for easier debugging it should also accept the option on the command line, which is why I am posting it here. I now have:
gpg --keyserver hkps://keys.mailvelope.com/ --keyserver-options ca-cert-file="AmazonRootCA1.pem" --search-keys thomas@mailvelope.com
(with the correct path to the cert file) and it's not working :( I also tried gpg2.

It works for the hkps server mentioned on riseup:

$ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=sks-keyservers.netCA.pem --search-keys thomas@mailvelope.com
gpg: searching for "thomas@mailvelope.com" from hkps server hkps.pool.sks-keyservers.net
(1)     Mailvelope <info@mailvelope.com>
        Thomas Oberndörfer <thomas@mailvelope.com>
          4096 bit RSA key 79701934, created: 2015-03-12, expires: 2019-12-31
(2)     Thomas Oberndörfer <toberndo@yarkon.de>
        Thomas Oberndörfer <info@mailvelope.com>
        Thomas Oberndörfer <thomas@oberndoerfer.net>
          2048 bit RSA key 4A5CC77F, created: 2012-08-24, expires: 2016-08-31 (revoked)

So it might be the wrong certificate?

@dreamflasher (Author)

Solved, it was the wrong certificate. One can obtain the correct certificate via the browser. It would be cool if you could provide a direct link to the PEM file; I had to export the certificate and convert it to PEM.

Here's the working/expected output:

$ gpg --keyserver hkps://keys.mailvelope.com/ --keyserver-options ca-cert-file=AmazonRootCA1-2.pem --search-keys thomas@mailvelope.com
gpg: searching for "thomas@mailvelope.com" from hkps server keys.mailvelope.com
(1)     Thomas Oberndörfer <thomas@mailvelope.com>
        Mailvelope <info@mailvelope.com>
          4096 bit RSA key 79701934, created: 2015-03-12

@toberndo (Member)

Thanks for trying this out. Correct link to PEM file is: https://www.amazontrust.com/repository/R1-ServerCA1B.pem

@dreamflasher (Author)

I can confirm, this is the correct PEM. Thank you very much!
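The thread above never shows what gpg actually sends to the keyserver, which is the thing you need to know when a lookup fails and you want to separate a TLS trust problem (the wrong CA file, as here) from a "key not found" answer. The following is an added example, not code from the issue thread or from the Mailvelope project: it performs by hand the HKP "index" query that gpg --search-keys issues (GET /pks/lookup?op=index&search=...&options=mr), parses the machine-readable reply, and renders it the way gpg lists search results. The sample reply is constructed to match the two keys listed in the thread; real servers return full fingerprints rather than the short key IDs used here. The cafile parameter of search() plays the role of gpg's ca-cert-file and is only used on a live query; the module itself runs offline. The name hkp_lookup.py in the usage comment is an assumption.

```python
"""Added example: the HKP index lookup behind `gpg --search-keys`, done by hand.

Machine-readable reply format (draft-shaw-openpgp-hkp):
    info:<version>:<count>
    pub:<keyid>:<algo>:<bits>:<created>:<expires>:<flags>
    uid:<percent-escaped user id>:<created>:<expires>:<flags>
Dates are seconds since the epoch; an empty expiry means none; flag "r" = revoked.
"""
import ssl
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample reply, modelled on the listing in the thread (not captured traffic).
SAMPLE_INDEX = """info:1:2
pub:79701934:1:4096:1426118400:1577750400:
uid:Mailvelope%20%3Cinfo%40mailvelope.com%3E:1426118400::
uid:Thomas%20Obernd%C3%B6rfer%20%3Cthomas%40mailvelope.com%3E:1426118400::
pub:4A5CC77F:1:2048:1345766400:1472601600:r
uid:Thomas%20Obernd%C3%B6rfer%20%3Ctoberndo%40yarkon.de%3E:1345766400::
"""

# OpenPGP public-key algorithm IDs (RFC 4880 / 6637), as gpg names them.
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


@dataclass
class Key:
    keyid: str
    algo: int
    bits: int
    created: str
    expires: Optional[str]
    flags: str
    uids: List[str] = field(default_factory=list)

    @property
    def revoked(self) -> bool:
        return "r" in self.flags


def lookup_url(keyserver: str, query: str, op: str = "index") -> str:
    """URL gpg requests for --search-keys (op=index) or --recv-keys (op=get)."""
    params = urllib.parse.urlencode({"op": op, "search": query, "options": "mr"})
    return f"https://{keyserver}/pks/lookup?{params}"


def _date(epoch: str) -> Optional[str]:
    """Epoch-seconds field to YYYY-MM-DD in UTC; empty field means no expiry."""
    if not epoch:
        return None
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d")


def parse_index(text: str) -> List[Key]:
    """Parse a machine-readable HKP index reply into Key records."""
    keys: List[Key] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            _, keyid, algo, bits, created, expires, flags = fields[:7]
            keys.append(Key(keyid, int(algo), int(bits), _date(created), _date(expires), flags))
        elif fields[0] == "uid" and len(fields) >= 2 and keys:
            # uid strings are percent-escaped so that ':' inside them cannot split the record
            keys[-1].uids.append(urllib.parse.unquote(fields[1]))
    return keys


def format_like_gpg(keys: List[Key]) -> List[str]:
    """Render records roughly the way `gpg --search-keys` lists them."""
    lines = []
    for n, k in enumerate(keys, 1):
        for i, uid in enumerate(k.uids):
            lines.append(f"({n})\t{uid}" if i == 0 else f"\t{uid}")
        desc = f"\t  {k.bits} bit {ALGO_NAMES.get(k.algo, str(k.algo))} key {k.keyid}, created: {k.created}"
        if k.expires:
            desc += f", expires: {k.expires}"
        if k.revoked:
            desc += " (revoked)"
        lines.append(desc)
    return lines


def search(keyserver: str, query: str, cafile: Optional[str] = None, timeout: float = 15) -> List[Key]:
    """Live HKPS lookup. `cafile` is the PEM bundle to trust (gpg's ca-cert-file);
    None means the system trust store. A TLS failure raises; a 404 is the
    server's "no such key" answer and yields an empty list."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(lookup_url(keyserver, query), headers={"User-Agent": "hkp-example"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return parse_index(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return []
        raise


if __name__ == "__main__":
    import sys
    # Offline: render the constructed sample. With arguments: live query, e.g.
    #   python hkp_lookup.py keys.mailvelope.com thomas@mailvelope.com R1-ServerCA1B.pem
    keys = search(*sys.argv[1:4]) if len(sys.argv) > 2 else parse_index(SAMPLE_INDEX)
    print("\n".join(format_like_gpg(keys)))
```

When a live query fails with a certificate verification error, the CA file is the problem, exactly the situation in the thread; when it returns an empty list, the server answered 404 and the key really is not there. The chain a server presents can be dumped with `openssl s_client -connect keys.mailvelope.com:443 -showcerts`, which is the command-line equivalent of exporting the certificate from the browser. Note that with GnuPG 2.1 and later, keyserver TLS is handled by dirmngr and the CA file is configured as `hkp-cacert` in dirmngr.conf rather than via `--keyserver-options ca-cert-file`.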
