gpgsm not asking dirmngr for trusted root ca
Bernhard Reiter
bernhard at intevation.de
Mon Jun 28 14:35:45 CEST 2010
If dirmngr trusts a root ca, wouldn't it be cool
if the gpgsm (or gpg-agent) could also use that information?
While doing some tests today, I stumbled over the issue
and that it is way too hard to maintain an installation wide root ca list.
I suggest that
a) "include-default" for the personal trustlist.txt is the default.
So we might need to come up with "
b) "include-default" somehow also uses the dirmngr trusted-certs/.
c) gpg-agent should also use GNUPGHOME (at least for me it does not seem to do
it. But I might have made a mistake.)
d) The documentation is fixed
info gpgsm Installation
still has
| XXX decribe how to maintain trustlist.txt and
| /etc/gnupg/trustlist.txt.
For reference, here is my test:
I was picking Intevation's root ca.
curl https://ssl.intevation.de/Intevation-Root-CA-2010.crt | openssl \
x509 -outform der >Intevation-Root-CA-2010.der
and I put this into /etc/dirmngr/trusted-certs/ and restarted dirmngr
and gave gpg-agent a SIGHUP kick.
The dirmngr log shows I was successful:
2010-06-28 13:11:57 dirmngr[2444.0] dirmngr 1.0.4-svn0 stopped
2010-06-28 13:11:58 dirmngr[7602.0] Vertrauenswürdiges Zertifikat
`/etc/dirmngr/trusted-certs/Intevation-Root-CA-2010.der' wurde geladen
Now I did import my personal certificate and the intermediate cert
and tried to encrypt something and was surprised to be asked:
cd tmp
mkdir dot.gnupg
LANG=en_us GNUPGHOME=~/tmp/dot.gnupg eval `gpg-agent --daemon`
LANG=en_us GNUPGHOME=~/tmp/dot.gnupg gpgsm --list-keys
#gpgsm: keybox `/home/bernhard/tmp/dot.gnupg/pubring.kbx' created
LANG=en_us GNUPGHOME=~/tmp/dot.gnupg dirmngr-client --ping
#dirmngr-client: a dirmngr daemon is up and running
LANG=en_us GNUPGHOME=~/tmp/dot.gnupg gpgsm --prefer-system-dirmngr \
--import intevation-email-ca-2010.pem
#gpgsm: total number processed: 1
#gpgsm: imported: 1
LANG=en_us GNUPGHOME=~/tmp/dot.gnupg gpgsm --prefer-system-dirmngr \
--import 06.pem
#gpgsm: total number processed: 1
#gpgsm: imported: 1
LANG=en_us GNUPGHOME=~/tmp/dot.gnupg gpgsm --prefer-system-dirmngr \
-e -r 7B:EA:F9:D6:5B:5F:4A:D9:73:4A:56:07:48:F7:6C:04:88:8E:03:73
#gpgsm: root certificate is not marked trusted
And now I get the pinentry dialog asking me for the root ca
and the answer gets into my personal trustlist.txt.
One way to spare users that question is adding
11:B9:1B:31:EE:09:E0:84:4D:25:4E:58:7A:65:CE:51:84:F3:6B:70 S
to /etc/gnupg/trustlist.txt
And "include-default" to ~/.gnupg/trustlist.txt.
Yes, ~/tmp/dot.gnupg/trustlist.txt did not work.
dpkg -s gnupg2 dirmngr
Package: gnupg2
Architecture: i386
Version: 2.0.15-0kk1
Package: dirmngr
Version: 1.0.3.svn323-0kk1
--
Managing Director - Owner: www.intevation.net (Free Software Company)
Deputy Coordinator Germany: fsfe.org. Board member: www.kolabsys.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
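Added example (not part of the original mail, and not GnuPG's own code): a small
Python model of the two steps the mail walks through, converting the downloaded
root CA to DER and computing the fingerprint gpgsm uses, and then checking
whether a fingerprint ends up trusted for S/MIME given a personal
trustlist.txt and the installation-wide /etc/gnupg/trustlist.txt. The sample
trustlist contents are constructed; the fingerprint is the one quoted in the
mail. The parsing rules (comment lines, the "include-default" directive, a
fingerprint followed by flags, a "!" prefix marking an entry as explicitly
distrusted, personal entries overriding system ones) are my reading of the
trustlist.txt format and are an assumption, not a copy of gpg-agent's parser.

```python
import base64
import hashlib
import re
from typing import Dict, Tuple

# Constructed sample files standing in for the real ones in the mail.
SYSTEM_TRUSTLIST = """\
# /etc/gnupg/trustlist.txt - installation-wide list (constructed sample)
11:B9:1B:31:EE:09:E0:84:4D:25:4E:58:7A:65:CE:51:84:F3:6B:70 S
"""

PERSONAL_TRUSTLIST_PLAIN = """\
# ~/.gnupg/trustlist.txt without include-default (constructed sample)
"""

PERSONAL_TRUSTLIST_INCLUDE = """\
# ~/.gnupg/trustlist.txt that pulls in the system list (constructed sample)
include-default
"""


def pem_to_der(pem_text: str) -> bytes:
    """What `openssl x509 -outform der` does for a PEM input: drop the armor
    lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def gpgsm_fingerprint(der: bytes) -> str:
    """gpgsm identifies a certificate by the SHA-1 over its DER encoding,
    displayed as upper-case hex pairs separated by colons."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fpr(fpr: str) -> str:
    """Compare fingerprints regardless of colons and letter case."""
    return fpr.replace(":", "").upper()


def trustlist_entry(der: bytes, flags: str = "S") -> str:
    """The line to append to trustlist.txt; 'S' marks the root as trusted
    for S/MIME, which is what the mail adds for the Intevation root."""
    return f"{gpgsm_fingerprint(der)} {flags}"


# Optional '!' prefix, a fingerprint with or without colons, then flags.
ENTRY_RE = re.compile(r"^(!?)\s*([0-9A-Fa-f:]{40,59})\s+(\S.*)$")


def parse_trustlist(text: str) -> Tuple[Dict[str, str], bool]:
    """Return ({normalized fingerprint: flags}, include_default_seen).
    An entry prefixed with '!' is stored with the flag '!' (distrusted)."""
    entries: Dict[str, str] = {}
    include_default = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "include-default":
            include_default = True
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # ignore lines this model does not understand
        bang, fpr, flags = m.groups()
        entries[normalize_fpr(fpr)] = "!" if bang else flags.split("#")[0].strip()
    return entries, include_default


def effective_trust(personal: str, system: str) -> Dict[str, str]:
    """Merge the two lists: the system list only counts when the personal
    list says include-default, and personal entries override system ones."""
    personal_entries, include_default = parse_trustlist(personal)
    merged: Dict[str, str] = {}
    if include_default:
        merged.update(parse_trustlist(system)[0])
    merged.update(personal_entries)
    return merged


def trusted_for_smime(fpr: str, personal: str, system: str) -> bool:
    """True when the fingerprint is present, not distrusted, and carries S."""
    flags = effective_trust(personal, system).get(normalize_fpr(fpr))
    return flags is not None and flags != "!" and "S" in flags.split()


if __name__ == "__main__":
    root = "11:B9:1B:31:EE:09:E0:84:4D:25:4E:58:7A:65:CE:51:84:F3:6B:70"
    print("without include-default:",
          trusted_for_smime(root, PERSONAL_TRUSTLIST_PLAIN, SYSTEM_TRUSTLIST))
    print("with include-default:   ",
          trusted_for_smime(root, PERSONAL_TRUSTLIST_INCLUDE, SYSTEM_TRUSTLIST))
```

Running it reproduces the behaviour described in the mail: with the entry only
in the system list and no "include-default" in the personal list, the root is
not trusted and gpg-agent would fall back to asking through pinentry; once the
personal list includes the default, the system entry is honoured.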
-------------- next part --------------
A non-text attachment was scrubbed...
Name: intevation-email-ca-2010.pem
Type: application/x-x509-ca-cert
Size: 8051 bytes
Desc: not available
URL: </pipermail/attachments/20100628/16caae38/attachment.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 06.pem
Type: application/x-x509-ca-cert
Size: 6377 bytes
Desc: not available
URL: </pipermail/attachments/20100628/16caae38/attachment-0001.crt>