It seems a bit silly to be downloading pgp keys 'in the clear', so after a bit of searching I think I want keyserver hkps://whatever in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or at least over an encrypted channel. But what file should I be using as the ca-cert file?
What I ended up doing is

$ cd /etc
$ find . -name \*pem
./pki/ca-trust/extracted/pem
./pki/ca-trust/extracted/pem/email-ca-bundle.pem
./pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
./pki/ca-trust/extracted/pem/tls-ca-bundle.pem
./pki/tls/cert.pem

and trying each file until I finally got one that worked:

$ grep "^keyserver" ~/.gnupg/gpg.conf
keyserver hkps://pgp.mit.edu/
keyserver-options check-cert=on
keyserver-options ca-cert-file=/etc/pki/tls/cert.pem

$ gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify BIND9.9.10-P1.x64.zip.asc
gpg: assuming signed data in `BIND9.9.10-P1.x64.zip'
gpg: Signature made Mon, Jun 5, 2017 2:31:57 PM EDT
gpg:                using RSA key 0xF1B11BF05CF02E57
gpg: requesting key 0xF1B11BF05CF02E57 from hkps server pgp.mit.edu
gpg: key 0xF1B11BF05CF02E57: public key "Internet Systems Consortium, Inc. (Signing key, 2017-2018) <codes...@isc.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2017-2018) <codes...@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57

Is there a better/more-correct file to use for the ca-cert-file= parameter?

How hard would it be to add hkps:// usage examples to the default gpg.conf file?

Thanks,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
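A small linter for the gpg.conf pattern Lee settled on (hkps:// keyserver, check-cert on, ca-cert-file pointing at a real PEM bundle), plus a helper that reproduces the "try each candidate bundle" search without guessing. This is an added example, not part of the message or of GnuPG; the candidate paths in the test are constructed, and the options it checks are the keyserver-helper options shown in the post (GnuPG 2.1+ moved keyserver access into dirmngr, where the CA file is set with dirmngr's hkp-cacert instead).

```python
from typing import Callable, Dict, List, Optional, Tuple

# Injected file reader: path -> file text, or None if the file is unreadable.
# Lets the checks run against constructed data as well as the real filesystem.
Reader = Callable[[str], Optional[str]]


def parse_keyserver_config(text: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Extract the 'keyserver' URL and merged 'keyserver-options' from gpg.conf text."""
    keyserver: Optional[str] = None
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)   # drop comments
        if len(parts) < 2:
            continue
        if parts[0] == "keyserver-options":
            for opt in parts[1].replace(",", " ").split():
                key, _, val = opt.partition("=")
                if key.startswith("no-"):          # e.g. no-check-cert disables
                    key, val = key[3:], "off"
                options[key] = val or "on"         # bare option means enabled
        elif parts[0] == "keyserver":
            keyserver = parts[1]
    return keyserver, options


def bundle_has_certs(pem_text: Optional[str]) -> bool:
    """True if the file looks like a PEM CA bundle (holds at least one certificate)."""
    return bool(pem_text) and "-----BEGIN CERTIFICATE-----" in pem_text


def lint_keyserver_config(text: str, read: Reader) -> List[str]:
    """Return a list of problems; an empty list means the hkps setup looks sound."""
    keyserver, opts = parse_keyserver_config(text)
    if not keyserver:
        return ["no keyserver configured"]
    problems: List[str] = []
    if not keyserver.lower().startswith("hkps://"):
        problems.append("keyserver is not hkps://; keys are fetched in the clear")
    if opts.get("check-cert", "on") not in ("on", "yes"):   # check-cert defaults to on
        problems.append("check-cert disabled; the keyserver certificate is not verified")
    ca = opts.get("ca-cert-file")
    if not ca:
        problems.append("no ca-cert-file; point it at the system CA bundle")
    elif not bundle_has_certs(read(ca)):
        problems.append(f"ca-cert-file {ca} is unreadable or holds no PEM certificate")
    return problems


def first_usable_bundle(candidates: List[str], read: Reader) -> Optional[str]:
    """The post's trial-and-error, automated: first candidate that is a real PEM bundle."""
    for path in candidates:
        if bundle_has_certs(read(path)):
            return path
    return None
```

On a live system pass `read=lambda p: open(p).read() if os.path.isfile(p) else None` and the list of paths from the find output above.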