GnuPG 2.1.0: key too large, import stops
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Nov 25 04:24:24 CET 2014
On 11/24/2014 09:26 PM, Phil Pennock wrote:
> Is there a way to skip the import of that one key, continuing on, so
> that one unimportable key doesn't abort the entire keyring?
I agree that this would be desirable behavior.
> Ah, dirmngr.conf and the `keyserver-options ca-cert-file=...` from
> gnupg.conf is now ignored, okay.
shouldn't gnupg 2.1 at least raise a warning about that keyserver-option
being ignored, and recommend setting hkp-cacert in ~/.dirmngr.conf instead?
> * the hkp-cacert filename *must* end `.pem` if the file is to be read
> in PEM format; this appears to be an undocumented constraint
This appears to be documented in dirmngr.text, fwict:
Use the root certificates in file for verification of the TLS
certificates used with hkps (keyserver access over TLS). If the
file is in PEM format a suffix of .pem is expected for file.
This option may be given multiple times to add more root cer‐
(though i admit that when i stumbled across this recently i didn't
notice it my first couple passes through "man dirmngr" either)
> * there's no logging or handling for showing why hkps: is failing if
> GnuPG was built without TLS support
I agree that this would also be a nice thing to have -- what
error-reporting mechanisms are possible between dirmngr and gnupg 2.1?
> And the last point is the critical one: because curl is not being used
> anymore and GnuTLS must be available, there's a regression in default
> behaviour from the configure command-line given the dependent libraries;
> this one isn't anyone's fault, but I think that there probably needs to
> be clearer communication to OS packagers that they now need to make sure
> that GnuTLS is available.
fwiw, i updated the build-deps of gnupg 2.1.0 to include gnutls
specifically because of this change. I think it's the right way to go.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 949 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-devel