System wide dirmngr configuration with Gnupg 2.1
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jan 23 18:19:55 CET 2015
On Fri 2015-01-23 05:14:22 -0500, Andre Heinecke wrote:
> Yes, I agree with you there. I don't want to force users to this configuration.
> Users that have a reason could still start a dirmngr with --homedir ~/.gnupg.
except that it's automatically launched, as you pointed out :/
> But maybe it really would be better to have dirmngr read the trusted-certs
> from the sysconfig dir and also from the homedir.
> If --homedir is not explicitly set: Read trusted-certs / config from sysconfig
> dir. Afterwards read trusted-certs / config from homedir and prefer the values
> from the homedir. This would be more similar to freedesktops config_dirs /
> config_home handling.
This is is a pretty common configuration pattern for other (non-gnupg)
tools. In fact, i've often wished for it for gnupg itself, so that
sysadmins could tweak a generic /etc/gnupg/gpg.conf for all their users.
Is there a specific reason why gpg doesn't support this configuration
>> ln -s /run/gnupg/S.dirmngr ~/.gnupg/S.dirmngr
>> Would that solve your use case?
> Not really.
> a) I'm not sure if werner plans to support the system-wide mode forever.
The main difference of the system mode is its use of a modified/split
directory layout that meets the LFS requirements, right?
Couldn't this also be done with:
mkdir -p /var/lib/gnupg/extra-certs /etc/gnupg /var/cache/gnupg/crls.d /var/run/gnupg
ln -s /var/cache/gnupg/crls.d /etc/gnupg/dirmngr.conf /var/run/gnupg/S.dirmngr /var/lib/gnupg/
launching dirmngr instead as a system service with:
That could allow us to remove the system mode entirely and have the same
effect, i think.
> And I would not like to stray away from debian packaging so far as to
> still keep dirmngr started centrally as a service.
The current plan for the debian packaging is to remove dirmngr as a
system service after the release of jessie. I'd be happy to add a new
binary package that sets up a system service using the above
configuration, if you want to help make sure it works for you, though.
> b) The default should be the system wide config (if it exists) as this is for
> the users that don't know what a dirmngr is. Those who know / care should be
> able to overrule it.
Sure, but to do this approach properly, we should support the
chained/overriden pattern you describe above, since it's a reasonable,
More information about the Gnupg-devel