System wide dirmngr configuration with Gnupg 2.1
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Jan 22 20:23:11 CET 2015
On Thu 2015-01-22 12:14:09 -0500, Andre Heinecke wrote:
> To summarize my last mail: As an organization that uses S/MIME we need to
> centrally configure the trusted Root CAs for GnuPG and the LDAP server used in
> dirmngr for certificate retrieval.
>
> This worked for us with GnuPG 2.0.x by configuring these in /etc/dirmngr/ but
> with GnuPG 2.1 it appears no longer possible if we don't want to stick with
> the old system daemon mode.
>
> I've written the attached small patch to use the system-wide configuration by
> default if /etc/gnupg/dirmngr.conf exists and is readable.
>
> I don't think it will be a problem with legacy systems as the dirmngr.conf was
> located under /etc/dirmngr/dirmngr.conf in previous versions.

I generally don't like the idea that system configuration overrides user
configuration; in principle, the other way around is usually preferable:

* the system administrator sets the defaults
* the user can customize if they need to.

So this proposal seems backward to me.

I see the trouble you have, though, since dirmngr is being automatically
launched.

What if you just set up the system-wide dirmngr daemon listening on a
unix-domain socket like /run/gnupg/S.dirmngr, and then for users who
want to use it, do:

    ln -s /run/gnupg/S.dirmngr ~/.gnupg/S.dirmngr

Would that solve your use case?

--dkg
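
The symlink step suggested above, as an added example that is not part of the original message or of GnuPG: a shell function that checks the system socket before linking to it. The function name, its arguments and the root-ownership policy are assumptions of this example; whether a GnuPG 2.1 client will use a socket linked this way is the question the message leaves open.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults are the paths in the message;
# the function name, arguments and ownership policy are assumptions.

link_system_dirmngr() {
    sys_sock=${1:-/run/gnupg/S.dirmngr}   # system-wide socket
    home_dir=${2:-$HOME/.gnupg}           # user's GnuPG home
    want_uid=${3:-0}                      # expected socket owner (assumed: root)
    link=$home_dir/S.dirmngr

    # The target must be a unix-domain socket, not a file or a dangling path.
    if [ ! -S "$sys_sock" ]; then
        echo "refusing: $sys_sock is not a socket" >&2; return 1
    fi

    # It must belong to the account that runs the shared daemon.
    owner=$(ls -ldn "$sys_sock" | awk '{print $3}')
    if [ "$owner" != "$want_uid" ]; then
        echo "refusing: $sys_sock owned by uid $owner, expected $want_uid" >&2; return 1
    fi

    # Its directory must not be world-writable, so that other local users
    # cannot place or replace entries next to the socket.
    sys_dir=$(dirname "$sys_sock")
    if [ -n "$(find "$sys_dir" -prune -perm -002 -print)" ]; then
        echo "refusing: $sys_dir is world-writable" >&2; return 1
    fi

    # Never clobber a per-user socket or a link that points somewhere else.
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$sys_sock" ] && return 0
        echo "refusing: $link points elsewhere" >&2; return 1
    elif [ -e "$link" ]; then
        echo "refusing: $link already exists" >&2; return 1
    fi

    # Create the GnuPG home privately if it is missing, then link.
    ( umask 077; mkdir -p "$home_dir" ) || return 1
    ln -s "$sys_sock" "$link"
}
```

Called with no arguments it uses the two paths from the message and expects the socket to be owned by uid 0.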