dirmngr trusted authorities

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jul 18 16:29:00 CEST 2016

hi GnuPG folks--

according to its docs, dirmngr appears to look for X.509 certs as
DER-encoded files named *.crt or *.der in /etc/gnupg/trusted-certs/ (for
root authorities) and /etc/gnupg/extra-certs/ (for common intermediate

however, in http_session_new() in dirmngr/http.c, it appears to also use
gnutls_certificate_set_x509_system_trust() in some cases (though i
haven't been able to follow the code well enough to understand
specifically when).

It seems awkward and potentially confusing to the user to have these two
distinct validation schemes.

I'd suggest that if the user doesn't supply any hkp-cacert config
either on the command line or in dirmngr.conf (and they're not using
the magic string hkps://hkps.pool.sks-keyservers.net/) and they've
specified hkps, then it seems like using gnutls's system_trust would
be a reasonable default.

If someone wants to explicitly not use the system trust, then they could
set hkp-cacert to the empty string.

Is there a way that we can simplify this for the user?

