System wide dirmngr configuration with Gnupg 2.1

Daniel Kahn Gillmor dkg at
Fri Jan 23 18:19:55 CET 2015

On Fri 2015-01-23 05:14:22 -0500, Andre Heinecke wrote:
> Yes, I agree with you there. I don't want to force users to this configuration. 
> Users that have a reason could still start a dirmngr with --homedir ~/.gnupg.

except that it's automatically launched, as you pointed out :/

> But maybe it really would be better to have dirmngr read the trusted-certs 
> from the sysconfig dir and also from the homedir. 
> Like:
> If --homedir is not explicitly set: Read trusted-certs / config from sysconfig 
> dir. Afterwards read trusted-certs / config from homedir and prefer the values 
> from the homedir. This would be more similar to freedesktops config_dirs / 
> config_home handling. 

This is is a pretty common configuration pattern for other (non-gnupg)
tools.  In fact, i've often wished for it for gnupg itself, so that
sysadmins could tweak a generic /etc/gnupg/gpg.conf for all their users.
Is there a specific reason why gpg doesn't support this configuration

>>  ln -s /run/gnupg/S.dirmngr ~/.gnupg/S.dirmngr
>> Would that solve your use case?
> Not really.
>  a) I'm not sure if werner plans to support the system-wide mode forever. 

The main difference of the system mode is its use of a modified/split
directory layout that meets the LFS requirements, right?

Couldn't this also be done with:

 mkdir -p /var/lib/gnupg/extra-certs /etc/gnupg /var/cache/gnupg/crls.d /var/run/gnupg
 ln -s /var/cache/gnupg/crls.d  /etc/gnupg/dirmngr.conf /var/run/gnupg/S.dirmngr /var/lib/gnupg/

launching dirmngr instead as a system service with:

 dirmngr --homedir=/var/lib/gnupg

That could allow us to remove the system mode entirely and have the same
effect, i think.

> And I would not like to stray away from debian packaging so far as to
> still keep dirmngr started centrally as a service.

The current plan for the debian packaging is to remove dirmngr as a
system service after the release of jessie.  I'd be happy to add a new
binary package that sets up a system service using the above
configuration, if you want to help make sure it works for you, though.

>  b) The default should be the system wide config (if it exists) as this is for 
> the users that don't know what a dirmngr is. Those who know / care should be 
> able to overrule it.

Sure, but to do this approach properly, we should support the
chained/overriden pattern you describe above, since it's a reasonable,
established practice.


More information about the Gnupg-devel mailing list