gpgsm: not checking root certificate

Werner Koch wk at
Tue Jul 27 08:57:01 CEST 2010

On Mon, 26 Jul 2010 09:26, smueller at said:

> Do you think of something like the attached patches (they are not tested yet)?

Yes, that was my idea.  However, while looking at the code I realized
that we don't check the root certificate if it is already trusted
(i.e. listed in trustlist.txt).  The check is only done for
not-yet-trusted certificates, so that the user can get some info on the

The problem you encounter is due to the import function which calls
gpgsm_basic_cert_check() for each certificate.  There are two ways to
avoid this:

  gpgsm --import --debug-no-chain-validation ROOTCERT

or change the code in gpgsm_basic_cert_check to look at the
trustlist.txt first.  Thus if you put the fingerprint of the root
certificate into trustlist.txt before importing the certificate, it
should work fine.

Given the required changes I think that adding MD2 to libgcrypt would be



Thoughts are free.  Exceptions are regulated by a federal law.
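The second option in the message above relies on the root certificate's fingerprint being listed in trustlist.txt before the import. The following is an added example, not code from the post or from GnuPG: it computes the SHA-1 fingerprint of a PEM certificate and appends it to the trustlist text unless it is already listed. The function names and the sample PEM are constructed for illustration; the line format (hex fingerprint, optional colons, flag `S`, a leading `!` to mark an entry as not trusted) is assumed from the gpg-agent documentation.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM certificate: the body is arbitrary bytes,
# not a real X.509 structure. Only the PEM framing matters for the hash.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed DER bytes for illustration").decode()
    + "\n-----END CERTIFICATE-----\n"
)

def cert_fingerprint(pem_text):
    """Return the SHA-1 fingerprint (uppercase hex) of the first PEM block."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
        pem_text, re.S)
    if m is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha1(der).hexdigest().upper()

def trustlist_status(trustlist_text, fpr):
    """Return 'trusted', 'disabled' or 'absent' for fpr in the trustlist."""
    status = "absent"
    for line in trustlist_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no entries
        entry = line.split()[0]
        disabled = entry.startswith("!")
        if entry.lstrip("!").replace(":", "").upper() != fpr:
            continue
        if disabled:
            return "disabled"  # this helper's choice: a '!' entry wins
        status = "trusted"
    return status

def add_root(trustlist_text, pem_text):
    """Return trustlist text that lists the certificate as an S/MIME root."""
    fpr = cert_fingerprint(pem_text)
    status = trustlist_status(trustlist_text, fpr)
    if status == "disabled":
        raise ValueError("fingerprint is explicitly marked as not trusted")
    if status == "trusted":
        return trustlist_text  # already listed, nothing to append
    if trustlist_text and not trustlist_text.endswith("\n"):
        trustlist_text += "\n"
    return trustlist_text + fpr + " S\n"
```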
