GnuPG 2.1.0: key too large, import stops

Daniel Kahn Gillmor dkg at
Tue Nov 25 04:24:24 CET 2014

On 11/24/2014 09:26 PM, Phil Pennock wrote:
> Is there a way to skip the import of that one key, continuing on, so
> that one unimportable key doesn't abort the entire keyring?

I agree that this would be desirable behavior.

> Ah, dirmngr.conf and the `keyserver-options ca-cert-file=...` from
> gnupg.conf is now ignored, okay.

shouldn't gnupg 2.1 at least raise a warning about that keyserver-option
being ignored, and recommend setting hkp-cacert in ~/.dirmngr.conf instead?

>  * the hkp-cacert filename *must* end `.pem` if the file is to be read
>    in PEM format; this appears to be an undocumented constraint

This appears to be documented in dirmngr.text, fwict:

       --hkp-cacert file
   Use the root certificates in file for verification  of  the  TLS
   certificates used with hkps (keyserver access over TLS).  If the
   file is in PEM format a suffix of .pem  is  expected  for  file.
   This  option  may  be given multiple times to add more root cer‐

(though i admit that when i stumbled across this recently i didn't
notice it my first couple passes through "man dirmngr" either)

>  * there's no logging or handling for showing why hkps: is failing if
>    GnuPG was built without TLS support

I agree that this would also be a nice thing to have -- what
error-reporting mechanisms are possible between dirmngr and gnupg 2.1?

> And the last point is the critical one: because curl is not being used
> anymore and GnuTLS must be available, there's a regression in default
> behaviour from the configure command-line given the dependent libraries;
> this one isn't anyone's fault, but I think that there probably needs to
> be clearer communication to OS packagers that they now need to make sure
> that GnuTLS is available.

fwiw, i updated the build-deps of gnupg 2.1.0 to include gnutls
specifically because of this change.  I think it's the right way to go.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20141124/40ce76cb/attachment-0001.sig>

More information about the Gnupg-devel mailing list