System wide dirmngr configuration with Gnupg 2.1

Andre Heinecke aheinecke at intevation.de
Thu Jan 29 17:54:29 CET 2015 

Hi,

On Monday, January 26, 2015 12:17:25 PM Andre Heinecke wrote:
> > This is is a pretty common configuration pattern for other (non-gnupg)
> > tools.  In fact, i've often wished for it for gnupg itself, so that
> > sysadmins could tweak a generic /etc/gnupg/gpg.conf for all their users.
> > Is there a specific reason why gpg doesn't support this configuration
> > pattern?
> 
> Werner? Could you comment on this?

I'd still be interested why not. It could be overriden imho when --homedir or 
GNUPGHOME is set explicitly to still allow "clean" configurations.

> Right. I think this is the best approach at least for trusted CA's. As it's
> standard practice to have them defined on a system level first and then
> merge those with the users choices.

Actually the trustlist.txt format allows for this as it merges the 
trustlist.txt from /etc/gnupg/ with the one in the home dir.

I misunderstood the issue here. It turns out that the certificates under
trusted-certs are not actually trusted certs so it's apperently not a problem 
that the sysconfig trusted-certs are ignored with gnupg2.1.

I assumed that they were needed because our internal procedure for adding a 
Root certificate was to add the fingerprint to /etc/gnupg/trustlist.txt and the 
certificate itself to /etc/dirmngr/trusted-certs that this was somehow needed. 
Yet during testing I noticed now that it is not required to have a trusted-
certificate in the trusted-certs folder at all.

<to quote dirmngrs manpage about the trusted-certs dir>
This  directory  should  be  filled with certificates of Root CAs you are 
trusting in checking the CRLS and signing OCSP Reponses.  
</end quote>

But still I get a valid signature if I just add my root CA's fingerprint to the 
trustlist.txt even with CRL checks enabled.

Sorry for my confusion but at least the name "trusted-certs" is a bit 
suboptimal if those certificates are not involved in trust decisions. ;-)

I still don't really understand  the purpose of the trusted-certs directory 
and would be grateful for an explanation. I currently think that it is there 
to allow cases where CRL's are signed by certificates that are not in a trusted 
in chains rooted in certificates from the trustlist.txt file. But in that case 
the second Sentence in the manual for the trusted-certs directory does not 
make much sense: "Usually these are the same certificates you use with the 
applications making use of dirmngr." By which I think the root ca's from the 
trustlist.txt are meant.


Best regards,
Andre
-- 
Andre Heinecke |  ++49-541-335083-262  |  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20150129/347bcba0/attachment-0001.sig>

More information about the Gnupg-devel mailing list