dirmngr: Wrong certificate error?

Patrick Brunschwig patrick at enigmail.net
Wed Aug 3 22:15:41 CEST 2016

On 03.08.16 21:15, Daniel Kahn Gillmor wrote:
> On Wed 2016-08-03 13:53:17 -0400, Patrick Brunschwig wrote:
>> Well yes, on Mac OS X, the system-level trust store of my self-compiled
>> gnutls installation is empty. It's not surprising that gnutls can't read
>> the root certificates from Apple's Keychain.
> It is actually surprising to me.  Modern versions of GnuTLS make a point
> of trying to integrate well with the local OS, to the point where it has
> features on Windows that it doesn't have on other OSes because Windows
> offers features in the crypto API that aren't on other OSes.
>  http://gnutls.org/manual/gnutls.html#Application_002dspecific-keys
> In particular, i'd expect that
> gnutls_certificate_set_x509_system_trust() should Do the Right Thing.
>  http://gnutls.org/manual/gnutls.html#gnutls_005fcertificate_005fset_005fx509_005fsystem_005ftrust

It looks to me that only Windows is supported. At least, words like
Apple, Mac OS and similar don't appear in the docu.

>> I exported Apple's root certificates into my gnutls root store, and it
>> works now correctly.
> If there's a particular step that you took that you think GnuTLS should
> be able to do automatically on OS X, i recommend opening a report here:


Well, I'm sure there would be an API for it. I just used a command line
tool that is provided by Mac OS X, but I assume that integrating a
command line tool is not an ideal solution for a library.

