[PATCH 1/3] dirmngr: register hkp-cacert even if the file doesn't exist yet

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 28 00:30:57 CEST 2016

* dirmngr/dirmngr.c (parse_readable_options): if we're unable to turn
  an argument for hkp-cacert into an absolute filename, terminate
* dirmngr/http.c (http_register_tls_ca): show a warning if file is not
  immediately accessible, but register it anyway.


Without this changeset, the condition of the filesystem when dirmngr
is initialized will have an effect on later activities of dirmngr.

For example, if a file identified by a hkp-cacert directive doesn't
exist when dirmngr starts, dirmngr will behave as though it simply
didn't have the hkp-cacert directive set at all, even if the file
should appear later.

dirmngr currently behaves differently if no hkp-cacert directives have
been set then it does when at least one hkp-cacert directive has been
set.  For example, its choice of CA cert for
hkps://hkps.pool.sks-keyservers.net depends on whether a TLS CA file
has been registered.  That behavior shouldn't additionally depend on
the state of the filesystem at the time of dirmngr launch.

Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
 dirmngr/dirmngr.c | 12 +++---------
 dirmngr/http.c    |  5 +++++
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 07cbed9..d15b9e5 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -601,15 +601,9 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
         char *tmpname;
-        /* Do tilde expansion and print a warning if the file can't be
-           accessed.  */
-        tmpname = make_absfilename_try (pargs->r.ret_str, NULL);
-        if (!tmpname || access (tmpname, F_OK))
-          log_info (_("can't access '%s': %s\n"),
-                    tmpname? tmpname : pargs->r.ret_str,
-                    gpg_strerror (gpg_error_from_syserror()));
-        else
-          http_register_tls_ca (tmpname);
+        /* Do tilde expansion and make path absolute.  */
+        tmpname = make_absfilename (pargs->r.ret_str, NULL);
+        http_register_tls_ca (tmpname);
         xfree (tmpname);
diff --git a/dirmngr/http.c b/dirmngr/http.c
index ac8238c..b767c15 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -492,6 +492,11 @@ http_register_tls_ca (const char *fname)
+      /* Warn if we can't access right now, but register it anyway in
+         case it becomes accessible later */
+      if (access (fname, F_OK))
+        log_info (_("can't access '%s': %s\n"), fname,
+                  gpg_strerror (gpg_error_from_syserror()));
       sl = add_to_strlist (&tls_ca_certlist, fname);
       if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem"))
         sl->flags = 1;

More information about the Gnupg-devel mailing list