dirmngr: Wrong certificate error?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Aug 3 21:15:37 CEST 2016


On Wed 2016-08-03 13:53:17 -0400, Patrick Brunschwig wrote:
> Well yes, on Mac OS X, the system-level trust store of my self-compiled
> gnutls installation is empty. It's not surprising that gnutls can't read
> the root certificates from Apple's Keychain.

It is actually surprising to me.  Modern versions of GnuTLS make a point
of trying to integrate well with the local OS, to the point where it has
features on Windows that it doesn't have on other OSes because Windows
offers features in the crypto API that aren't on other OSes.

 http://gnutls.org/manual/gnutls.html#Application_002dspecific-keys

In particular, I'd expect that
gnutls_certificate_set_x509_system_trust() should Do the Right Thing.

 http://gnutls.org/manual/gnutls.html#gnutls_005fcertificate_005fset_005fx509_005fsystem_005ftrust

> I exported Apple's root certificates into my gnutls root store, and it
> works now correctly.

If there's a particular step that you took that you think GnuTLS should
be able to do automatically on OS X, I recommend opening a report here:

 https://gitlab.com/gnutls/gnutls

Regards,

        --dkg


More information about the Gnupg-devel mailing list