Questions about OpenPGP best practices

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Feb 26 08:10:58 CET 2013


On 02/25/2013 10:43 PM, Doug Barton wrote:
> The Best Practices page you posted above actually suggests:
> 
>   keyserver hkps://hkps.pool.sks-keyservers.net
>   keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
> 
> That worked for me, although I was a bit disappointed that placing the
> cert at /etc/ssl/certs/ca.hkps.pool.sks-keyservers.net.cert didn't work
> like all the docs said it should.

which docs suggested that should work?  what operating system are you
expecting it to work for?

if you're using debian or a debian-derived system like mint or ubuntu,
and you want to add a CA to the "system trusted root store", you
actually want to add the file with a .crt extension (not .cert) to
/usr/local/share/ca-certificates/ and then run "update-ca-certificates"
as the superuser.

Please read:

 /usr/share/doc/ca-certificates/README.Debian

on your local system for more details.

> Does anyone know where/how to place the cert file on the system so that
> it can be called by demand, rather than having to specify it in the
> gpg.conf?

gpg's keyserver-option ca-cert-file's default for hkps is dependent on
the TLS library linked to from libcurl in the handler in
/usr/lib/gnupg/gpgkeys_hkp.  on debian systems right now, this is
libgnutls26, which currently has no default root CAs.

newer versions of gnutls have a standard default root CA set that maps
to the system provided above by ca-certificates.

If and when gnupg-curl builds against libgnutls28-dev (the next major
API change in gnutls), it should adopt those changes.

	--dkg
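Added example (not part of dkg's message or of the ca-certificates package): a small POSIX shell helper that performs the Debian procedure described above, placing the keyserver CA under /usr/local/share/ca-certificates/ with the required .crt extension, rebuilding the bundle with update-ca-certificates, and then checking that the CA is actually trusted by the system bundle. The certificate file name passed in is a placeholder; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes a Debian-derived
# system with the ca-certificates and openssl packages installed.

# Map a source certificate path to its destination in the local CA
# directory. update-ca-certificates only picks up files ending in .crt,
# so a .cert or .pem source is renamed rather than copied as-is.
ca_dest_path() {
    base=$(basename "$1")
    stem=${base%.*}
    printf '%s\n' "/usr/local/share/ca-certificates/${stem}.crt"
}

# Copy the CA into place and rebuild /etc/ssl/certs/ca-certificates.crt.
# Must run as the superuser. Refuses input that openssl cannot parse as a
# certificate, so a stray file is not silently added to the trust store.
install_ca() {
    src=$1
    dest=$(ca_dest_path "$src")
    if ! openssl x509 -in "$src" -noout >/dev/null 2>&1; then
        echo "not a PEM certificate: $src" >&2
        return 1
    fi
    install -m 0644 "$src" "$dest" && update-ca-certificates
}

# Verify the CA against the rebuilt system bundle; succeeds only if the
# certificate (or its issuer) is now in the trusted set.
verify_ca_trusted() {
    openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt "$1" >/dev/null 2>&1
}

# Usage: sh install-keyserver-ca.sh /path/to/sks-keyservers.netCA.pem
if [ -n "${1:-}" ]; then
    install_ca "$1" && verify_ca_trusted "$1" && echo "CA trusted: $(ca_dest_path "$1")"
fi
```

As the message points out, getting the CA into the system store does not by itself help a gpgkeys_hkp handler built against libgnutls26, which has no default root set; on such a system gpg.conf still needs keyserver-options ca-cert-file pointing at a file, for which the rebuilt bundle /etc/ssl/certs/ca-certificates.crt is one reasonable choice (an assumption of this example, not a statement from the post).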
