On 7/15/17, René Berber wrote: > On 7/15/2017 1:40 PM, Lee wrote: > > [snip] >> in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or >> at least over an encrypted channel. But what file should I be using >> as the ca-cert file? > > You should be using the "system" files. > > On Cygwin that means installing the ca-certificates package (currently > version 2.14-1). They are installed in a location where the SSL package > expects them, you don't have to go look for them, and shouldn't need to > specify its location (a directory) on your gpg.conf
Where does the ca-certificates package put the certs? gpg didn't find them :( $ cygcheck -c ca-certificates Cygwin Package Information Package Version Status ca-certificates 2.14-1 OK >> $ grep "^keyserver" ~/.gnupg/gpg.conf >> keyserver hkps://pgp.mit.edu/ >> keyserver-options check-cert=on >> keyserver-options ca-cert-file=/etc/pki/tls/cert.pem > > Wrong cert actually, I don't know why you say it worked. Because it did work. I didn't have the public key needed to verify the package, so gpg --verify would complain about gpg: Can't check signature: public key not found gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify ... would complain about various things - I didn't save any of the error msgs until I finally hit on the combination of keyserver hkps://pgp.mit.edu/ keyserver-options ca-cert-file=/etc/pki/tls/cert.pem in my gpg.conf, at which point gpg verified the file. and I no longer have the 'public key not found' problem: $ gpg --verify BIND9.9.10-P1.x64.zip.asc gpg: assuming signed data in `BIND9.9.10-P1.x64.zip' gpg: Signature made Mon, Jun 5, 2017 2:31:57 PM EDT gpg: using RSA key 0xF1B11BF05CF02E57 gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2017-2018) <codes...@isc.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57 > The cert that should have matched is the one used by the key server, not > by you. I'm guessing the "keyserver-options ca-cert-file=" needs to be pointing at the ca-certificate package root store - but damnifiknow where it is :( Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
