gpgsm not asking dirmngr for trusted root ca

Werner Koch wk at gnupg.org
Wed Jun 30 07:31:48 CEST 2010


Bernhard Reiter <bernhard at intevation.de> writes:

> If dirmngr trusts a root ca, wouldn't it be cool
> if the gpgsm (or gpg-agent) could also use that information?

On a single user machine, yes.  On a multi-user system a user may choose
different trust anchors and thus it should only be an option.

We have not implemented this in the past because Dirmngr and GnuPG are
separate projects.  That has changed 2 weeks ago: I merged Dirmngr into
GnuPG 2.1 and this will make it easier to do something about it.  There
are a lot of other changes pending for GnuPG 2.1 and a review of
trustlist.txt seems to be necessary.

> a) "include-default" for the personal trustlist.txt is the default.
>     So we might need to come up with "
> b) "include-default" somehow also uses the dirmngr trusted-certs/.

I am thinking of an option like "include-dirmngr-trusted-certs" for
trustlist.txt or better for the global trustlist.  Dirmngr needs to
maintain its own list of trusted root certificates because it is a
system service and has no access to the user setting.

The situation is actually a bit wishy-washy: Dirmngr as a system
service trusts its list of trust anchors whereas gpgsm trusts its own
list.  But for revocation checks gpgsm implicitly trusts Dirmngr's idea
of valid certificates.  We can't change the latter because the validity
of a CRL is computed while loading it and not at the time a user
(i.e. gpgsm) asks for the revocation status.

> c) gpg-agent should also use GNUPGHOME (at least for me it does not seem to do 
> it. But I might have made a mistake.)

Your fault ;-).  I use

  GNUPGHOME=$(pwd) ./gpg-agent --daemon sh

all the day to test gpg-agent.  Take care: If you use bash and you are
using --write-env-file in your gpg-agent.conf the shell will probably
setup the environment variables to the standard gpg-agent (due to the
bashrc).

> d) The documentation is fixed
>    info gpgsm Installation
> still has  
>
> | XXX decribe how to maintain trustlist.txt and

As well as the missing introduction chapter :-(


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
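Since the thread turns on how a per-user trustlist.txt and a system-wide one are combined, here is an added example (my own code, not GnuPG's and not anything posted in this thread) that models that resolution. It assumes the trustlist.txt line format documented in the gpgsm manual: `#` comment lines, an `include-default` directive, and entries of the form `<fingerprint> <S|P> [flags...]`, optionally prefixed with `!` to mark a certificate as explicitly not trusted. The rule that a personal entry overrides a global entry with the same fingerprint is an assumption of this model, not documented GnuPG behaviour, and all file contents are constructed samples.

```python
"""Model of gpgsm-style trust anchor resolution across two trustlist.txt
files.  Added example; not GnuPG code.  Format assumed from the gpgsm
manual; personal-over-global precedence is an assumption of this model."""
import re
from dataclasses import dataclass

FPR_RE = re.compile(r"^[0-9A-F]{40}$")
KINDS = {"S", "P"}  # S = S/MIME anchor, P = OpenPGP anchor


@dataclass(frozen=True)
class TrustEntry:
    fingerprint: str   # 40 uppercase hex digits, colons stripped
    kind: str          # 'S' or 'P'
    flags: frozenset   # remaining words on the line, e.g. {'relax'}
    trusted: bool      # False when the line started with '!'


def parse_trustlist(text):
    """Parse one trustlist.txt.  Returns (entries, include_default)."""
    entries, include_default = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "include-default":
            include_default = True
            continue
        trusted = True
        if line.startswith("!"):          # explicit distrust marker
            trusted = False
            line = line[1:].strip()
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<fingerprint> <S|P> [flags]'")
        fpr = parts[0].replace(":", "").upper()
        if not FPR_RE.match(fpr):
            raise ValueError(f"line {lineno}: not a 40-hex-digit fingerprint: {parts[0]}")
        kind = parts[1].upper()
        if kind not in KINDS:
            raise ValueError(f"line {lineno}: unknown key type {parts[1]!r}")
        entries.append(TrustEntry(fpr, kind, frozenset(parts[2:]), trusted))
    return entries, include_default


def resolve_trust_anchors(user_text, global_text):
    """Combine the personal list with the global one.  The global list is
    consulted only when the personal list says 'include-default'; a
    personal entry (trusting or distrusting) overrides a global entry for
    the same fingerprint (assumption of this model)."""
    user_entries, include_default = parse_trustlist(user_text)
    anchors = {}
    if include_default:
        global_entries, _ = parse_trustlist(global_text)
        for e in global_entries:
            anchors[e.fingerprint] = e
    for e in user_entries:
        anchors[e.fingerprint] = e
    return anchors


def is_trusted(anchors, fingerprint):
    """True only if the fingerprint resolves to a non-distrusted anchor."""
    e = anchors.get(fingerprint.replace(":", "").upper())
    return e is not None and e.trusted


# Constructed sample files; fingerprints are placeholders, not real CAs.
GLOBAL_TRUSTLIST = """# /etc/gnupg/trustlist.txt (constructed sample)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA S relax
1111111111111111111111111111111111111111 S
"""

USER_TRUSTLIST = """include-default
# a personal anchor not known to the system list
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB S
# refuse one of the system anchors for this user only
!1111111111111111111111111111111111111111 S
"""

if __name__ == "__main__":
    resolved = resolve_trust_anchors(USER_TRUSTLIST, GLOBAL_TRUSTLIST)
    for fpr, e in sorted(resolved.items()):
        state = "trusted" if e.trusted else "DISTRUSTED"
        print(f"{fpr} {e.kind} {' '.join(sorted(e.flags))} -> {state}")
```

Dropping the `include-default` line from the personal file is the multi-user case Werner describes: the user then sees none of the system anchors, only the ones in their own GNUPGHOME.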