System wide dirmngr configuration with Gnupg 2.1
Andre Heinecke
aheinecke at intevation.de
Thu Jan 29 17:54:29 CET 2015
Hi,
On Monday, January 26, 2015 12:17:25 PM Andre Heinecke wrote:
> > This is a pretty common configuration pattern for other (non-gnupg)
> > tools. In fact, I've often wished for it for gnupg itself, so that
> > sysadmins could tweak a generic /etc/gnupg/gpg.conf for all their users.
> > Is there a specific reason why gpg doesn't support this configuration
> > pattern?
>
> Werner? Could you comment on this?
I'd still be interested why not. It could be overridden imho when --homedir or
GNUPGHOME is set explicitly to still allow "clean" configurations.
> Right. I think this is the best approach at least for trusted CAs. As it's
> standard practice to have them defined on a system level first and then
> merge those with the users choices.
Actually the trustlist.txt format allows for this as it merges the
trustlist.txt from /etc/gnupg/ with the one in the home dir.
I misunderstood the issue here. It turns out that the certificates under
trusted-certs are not actually trusted certs so it's apparently not a problem
that the sysconfig trusted-certs are ignored with gnupg2.1.
I assumed that they were needed because our internal procedure for adding a
root certificate was to add the fingerprint to /etc/gnupg/trustlist.txt and the
certificate itself to /etc/dirmngr/trusted-certs.
Yet during testing I noticed now that it is not required to have a trusted-
certificate in the trusted-certs folder at all.
<to quote dirmngr's manpage about the trusted-certs dir>
This directory should be filled with certificates of Root CAs you are
trusting in checking the CRLs and signing OCSP Responses.
</end quote>
But still I get a valid signature if I just add my root CA's fingerprint to the
trustlist.txt even with CRL checks enabled.
Sorry for my confusion but at least the name "trusted-certs" is a bit
suboptimal if those certificates are not involved in trust decisions. ;-)
I still don't really understand the purpose of the trusted-certs directory
and would be grateful for an explanation. I currently think that it is there
to allow cases where CRLs are signed by certificates that are not in trusted
chains rooted in certificates from the trustlist.txt file. But in that case
the second sentence in the manual for the trusted-certs directory does not
make much sense: "Usually these are the same certificates you use with the
applications making use of dirmngr." By which I think the root CAs from the
trustlist.txt are meant.
Best regards,
Andre
--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner