[PATCH GNUPG] sm: Search for qualified.txt at sysconfdir first
Alon Bar-Lev
alon.barlev at gmail.com
Fri Sep 1 08:24:49 CEST 2017
* sm/qualified.c (read_list): Search for qualified.txt in sysconfdir and
fall back to datadir.
* doc/gpgsm.texi (qualified.txt): Document behavior.
--
The qualified.txt may be modified by the Administrator, hence this
artifact is a configuration. A product may provide sane defaults;
however, it should be possible for the Administrator to manage
configuration at sysconfdir.
The qualified.txt at sysconfdir takes precedence over the one in
datadir.
Signed-off-by: Alon Bar-Lev <alon.barlev at gmail.com>
---
doc/gpgsm.texi | 14 +++++++-------
sm/qualified.c | 23 ++++++++++++++++++++---
2 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 5d79ce5..a1a9ea7 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -845,13 +845,13 @@ Note that even if a certificate is listed in this file, this does not
mean that the certificate is trusted; in general the certificates listed
in this file need to be listed also in @file{trustlist.txt}.
-This is a global file an installed in the data directory
-(e.g. @file{@value{DATADIR}/qualified.txt}). GnuPG installs a suitable
-file with root certificates as used in Germany. As new Root-CA
-certificates may be issued over time, these entries may need to be
-updated; new distributions of this software should come with an updated
-list but it is still the responsibility of the Administrator to check
-that this list is correct.
+This is a global file searched in the sysconf first and then in the data
+directory (e.g. @file{@value{SYSCONFDIR}/qualified.txt}
+ at file{@value{DATADIR}/qualified.txt}). GnuPG installs a suitable file with
+root certificates as used in Germany. As new Root-CA certificates may be
+issued over time, these entries may need to be updated; new distributions
+of this software should come with an updated list but it is still the
+responsibility of the Administrator to check that this list is correct.
Every time @command{gpgsm} uses a certificate for signing or verification
this file will be consulted to check whether the certificate under
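Review bot: The new paragraph should state that the two locations are not merged: only the first file found is read, so an administrator who drops a qualified.txt into sysconfdir must carry the complete list, because the datadir copy is then ignored entirely (that is what the commit message means by "takes precedence", but the doc text only says "searched in the sysconf first and then in the data directory"). Also "sysconf" should read "sysconf directory", and the two example paths need a connector, e.g. "@file{@value{SYSCONFDIR}/qualified.txt}, then @file{@value{DATADIR}/qualified.txt}"; the documentation otherwise still promises that "GnuPG installs a suitable file", which remains true only for the datadir copy.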
diff --git a/sm/qualified.c b/sm/qualified.c
index 564e779..fe5567a 100644
--- a/sm/qualified.c
+++ b/sm/qualified.c
@@ -52,20 +52,37 @@ read_list (char *key, char *country, int *lnr)
gpg_error_t err;
int c, i, j;
char *p, line[256];
+ char *listname_candidate;
*key = 0;
*country = 0;
if (!listname)
{
- listname = make_filename (gnupg_datadir (), "qualified.txt", NULL);
- listfp = fopen (listname, "r");
+ listname_candidate = make_filename (gnupg_sysconfdir (), "qualified.txt", NULL);
+ listfp = fopen (listname_candidate, "r");
if (!listfp && errno != ENOENT)
{
+ xfree (listname_candidate);
err = gpg_error_from_syserror ();
- log_error (_("can't open '%s': %s\n"), listname, gpg_strerror (err));
+ log_error (_("can't open '%s': %s\n"), listname_candidate, gpg_strerror (err));
return err;
}
+
+ if (!listfp)
+ {
+ listname_candidate = make_filename (gnupg_datadir (), "qualified.txt", NULL);
+ listfp = fopen (listname_candidate, "r");
+ if (!listfp && errno != ENOENT)
+ {
+ xfree (listname_candidate);
+ err = gpg_error_from_syserror ();
+ log_error (_("can't open '%s': %s\n"), listname_candidate, gpg_strerror (err));
+ return err;
+ }
+ }
+
+ listname = listname_candidate;
}
if (!listfp)
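Review bot: Use-after-free in both error branches: "xfree (listname_candidate);" runs before "log_error (_("can't open '%s': %s\n"), listname_candidate, gpg_strerror (err));", so log_error formats a freed pointer. Call gpg_error_from_syserror () first (so the fopen errno is captured before any other call can clobber it), then log_error, and only then xfree the candidate, in both the sysconfdir and the datadir branch. Note also that a sysconfdir file which exists but cannot be opened (errno other than ENOENT, e.g. EACCES) aborts the lookup rather than falling back to datadir; if that is intended, the commit message should say so, since it differs from a plain "fall back".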
--
2.13.5