gpgsm: not checking root certificate

Stephan Mueller smueller at
Fri Jul 30 09:27:03 CEST 2010

On Tuesday 27 July 2010 10:03:51 Werner Koch wrote:

Hi Werner,

> On Tue, 27 Jul 2010 09:15, smueller at said:
> > I am unsure about your last statement. When we consider --debug-no-
> > validation and add the fingerprint to trustlist.txt, then we need neither
> > a code change to gpgsm nor the MD2 hash.
> It was meant as
>  1) Use --debug-no-chain-validation with --import.  To work with that
>     root certificate the fingerprint needs to be put into trustlist.txt;
>     but it should be sufficient to do this after the import.
> or
>  2) Change the import code to look at the trustlist.txt.  The proposed
>     code changes would require that the user enters the fingerprint into
>     trustlist.txt before importing.
> > All I currently see is adding some information to the gpgsm man page
> > about how to handle root certificates based on MD2.
> That might be the easiest way to accomplish it.  Would you mind testing
> approach 1)?  I can then add this workaround to the docs.

Approach 1) works as expected. I am using the native Ubuntu Lucid gpg2 
packages without support for MD2:

$ gpgsm --import Class\ 1\ Public\ Primary\ Certification\ Authority.cer 
gpgsm: unknown hash algorithm `1.2.840.113549.1.1.2'
gpgsm: (Dies ist der MD2 Algorithmus)
gpgsm: self-signed certificate has a BAD signature: Allgemeiner Fehler
gpgsm: Grundlegende Zertifikatprüfungen fehlgeschlagen - nicht importiert
gpgsm: gesamte verarbeitete Anzahl: 1
gpgsm:           nicht importiert: 1

$ gpgsm --import --debug-no-chain-validation Class\ 1\ Public\ Primary\ 
Certification\ Authority.cer 
gpgsm: WARNING: bypassing basic certificate checks
gpgsm: gesamte verarbeitete Anzahl: 1
gpgsm:               importiert: 1

==> adding the following to trustlist.txt and giving gpg-agent a HUP:

# OU=Class 1 Public Primary Certification Authority
# O=VeriSign, Inc.
# C=US
90:AE:A2:69:85:FF:14:80:4C:43:49:52:EC:E9:60:84:77:AF:55:6F S relax

==> An email signed with a certificate based on the imported Verisign CA 
certificate could be verified successfully
> Salam-Shalom,
>    Werner


| Cui bono? |
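The trustlist.txt step above is what actually re-establishes trust after --debug-no-chain-validation has skipped the self-signature check, so the fingerprint written there should be verified against a value obtained out of band before the line is added. The following is an added example, not gpgsm's or GnuPG's own code: it computes the SHA-1 fingerprint in gpgsm's colon notation, refuses to emit a trustlist.txt entry when the fingerprint does not match the expected one, and parses trustlist.txt (comment lines, disabled "!" entries, the S/P/* scope flags) to check whether a root is trusted for S/MIME. The DER bytes are a constructed stand-in; a real check would read the imported .cer file.

```python
import hashlib

# Constructed stand-in for a DER-encoded certificate. A real check would use
# open("Class 1 Public Primary Certification Authority.cer", "rb").read().
SAMPLE_DER = b"abc"

# Fingerprint from the trustlist.txt entry shown in the message above.
VERISIGN_CLASS1_FPR = "90:AE:A2:69:85:FF:14:80:4C:43:49:52:EC:E9:60:84:77:AF:55:6F"

# Lines in the same layout as the trustlist.txt snippet above (constructed).
SAMPLE_TRUSTLIST = """# OU=Class 1 Public Primary Certification Authority
# O=VeriSign, Inc.
# C=US
90:AE:A2:69:85:FF:14:80:4C:43:49:52:EC:E9:60:84:77:AF:55:6F S relax
"""

def fingerprint(der: bytes) -> str:
    """SHA-1 over the DER certificate, upper-case hex, colon-separated bytes
    (the notation gpgsm prints and trustlist.txt expects)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))

def parse_trustlist(text: str) -> dict:
    """Map fingerprint -> set of flags for active trustlist.txt entries.
    '#' comment lines and blank lines are skipped; a leading '!' marks an
    entry as disabled, so it is skipped too."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        fpr, *flags = line.split()
        entries[fpr.upper()] = set(flags)
    return entries

def trustlist_entry(der: bytes, expected_fpr: str, flags: str = "S relax") -> str:
    """Build the trustlist.txt line for `der`, but only when its fingerprint
    equals the one confirmed out of band; a mismatch raises instead of
    silently pinning the wrong certificate."""
    fpr = fingerprint(der)
    if fpr != expected_fpr.upper():
        raise ValueError(f"fingerprint mismatch: got {fpr}, expected {expected_fpr}")
    return f"{fpr} {flags}"

def trusted_for_smime(text: str, fpr: str) -> bool:
    """True if trustlist.txt lists `fpr` with the S (S/MIME) or * scope flag."""
    flags = parse_trustlist(text).get(fpr.upper(), set())
    return "S" in flags or "*" in flags
```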