help
Damien Goutte-Gattat
dgouttegattat at incenp.org
Tue Feb 28 00:35:31 CET 2017
Hi,
On 02/27/2017 04:07 PM, rsvx at riseup.net wrote:
> I'll use my master key offline. Following these guidelines:
> https://incenp.org/notes/2015/using-an-offline-gnupg-master-key.html
>
> I also implemented Appelbaum's config (Riseup Best Practices). Will
> it work properly if the Master Key isn't on my machine?
It should.
Note, however, that Riseup's Best Practices [1] and proposed
configuration file [2] are partially obsolete, *especially* if you are
using GnuPG 2.1. Many of the proposed options and advice are not needed
anymore, as GnuPG already does The Right Thing.
> And the following faults are coming:
> gpg: keyserver option 'ca-cert-file' is obsolete; please use
> 'hkp-cacert' in dirmngr.conf
If you're using the sks-keyservers.net pool you no longer need to
provide GnuPG with the CA certificate file, as it is now bundled with
GnuPG (>= 2.1.11) and automatically used when needed. (And with GnuPG >=
2.1.16 you will no longer even need to explicitly set the keyserver
option, as hkps.pool.sks-keyservers.net is already the default.)
> gpg: keyserver option 'no-try-dns-srv' is unknown
This option no longer exists, but I *think* that if you really want to,
you can disable SRV lookups by explicitly specifying a port number when
setting the keyserver, as in:
    keyserver hkps.pool.sks-keyservers.net:443
Damien
--
[1] https://riseup.net/en/security/message-security/openpgp/best-practices
[2] https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf
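
Added example, not part of the original message: a small shell check that scans a gpg.conf for the two keyserver options discussed above and reports the line where each occurs. The function names, the sample file and the CA path in it are assumptions made for illustration.

```shell
#!/bin/sh
# check_gpg_conf FILE
# Prints one "line:option:note" record for each keyserver option that
# GnuPG 2.1 complained about in this thread. Hypothetical helper.
check_gpg_conf() {
    awk '
    # Skip comments and blank lines.
    /^[ \t]*(#|$)/ { next }
    # keyserver-options accepts a space- or comma-separated option list.
    $1 == "keyserver-options" {
        line = $0
        sub(/^[ \t]*keyserver-options[ \t]+/, "", line)
        n = split(line, opts, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            name = opts[i]
            sub(/=.*/, "", name)   # keep the option name, drop "=value"
            if (name == "ca-cert-file")
                printf "%d:%s:obsolete, gpg points to hkp-cacert in dirmngr.conf\n", NR, name
            else if (name == "no-try-dns-srv")
                printf "%d:%s:unknown, the reply suggests an explicit port on the keyserver line\n", NR, name
        }
    }' "$1"
}

# Constructed sample gpg.conf (not the poster's actual file);
# the CA path is a placeholder.
sample_conf() {
    cat <<'EOF'
# keyserver settings
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/path/to/sks-keyservers.netCA.pem
keyserver-options no-try-dns-srv no-honor-keyserver-url
EOF
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp) && sample_conf > "$tmp" && check_gpg_conf "$tmp"; rm -f "$tmp"
```

A path value containing spaces would be split by this simple tokenizer; the option name is still matched correctly.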