gpgsm: not checking root certificate
Stephan Mueller
smueller at chronox.de
Fri Jul 30 09:27:03 CEST 2010
On Dienstag 27 Juli 2010 10:03:51 Werner Koch wrote:
Hi Werner,
> On Tue, 27 Jul 2010 09:15, smueller at chronox.de said:
> > I am unsure about your last statement. When we consider --debug-no-
chain-
> > validation and add the fingerprint to trustlist.txt, then we neither
need
> > a code change to gpgsm nor the MD2 hash.
>
> It was meant as
>
> 1) Use --debug-no-chain-validation with --import. To work with that
> root certificate the fingerprint needs to be put into trustlist.txt;
> but it should be sufficient to do this after the import.
>
> or
>
> 2) Change the import code to look at the trustlist.txt. The proposed
> code changes would require that the user enters the fingerprint into
> trustlist.txt before importing.
>
> > All I currently see is adding some information to the gpgsm man page
> > about how to handle root certificates based on MD2.
>
> That might be the easiest way to accomplish it. Would you mind to test
> approach 1)? I can then add this workaround to the docs.
Approach 1) works as expected. I am using the native Ubuntu Lucid gpg2
packages without support for MD2:
$ gpgsm --import Class\ 1\ Public\ Primary\ Certification\ Authority.cer
gpgsm: unknown hash algorithm `1.2.840.113549.1.1.2'
gpgsm: (Dies ist der MD2 Algorithmus)
gpgsm: self-signed certificate has a BAD signature: Allgemeiner Fehler
gpgsm: Grundlegende Zertifikatprüfungen fehlgeschlagen - nicht importiert
gpgsm: gesamte verarbeitete Anzahl: 1
gpgsm: nicht importiert: 1
$ gpgsm --import --debug-no-chain-validation Class\ 1\ Public\ Primary\
Certification\ Authority.cer
gpgsm: WARNING: bypassing basic certificate checks
gpgsm: gesamte verarbeitete Anzahl: 1
gpgsm: importiert: 1
==> adding the following to trustlist.txt and giving gpg-agent a HUP:
# OU=Class 1 Public Primary Certification Authority
# O=VeriSign, Inc.
# C=US
90:AE:A2:69:85:FF:14:80:4C:43:49:52:EC:E9:60:84:77:AF:55:6F S relax
==> An email signed with a certificate based on the imported Verisign CA
certificate could be verified successfully
>
>
> Salam-Shalom,
>
> Werner
Ciao
Stephan
--
| Cui bono? |
More information about the Gnupg-devel
mailing list