> looking at the documentation for trustlist.txt in gpg-agent(1) (it seems
> odd to have it documented there, since i thought gpg-agent was for
> secret key material only, weird!), it looks like trustlist.txt has an
> `include-default` option, which maybe defaults to
> `/etc/gnupg/trustlist.txt` on debian (i haven't done much testing!)
Looking at the manual [1], it seems like a potentially cleaner way to do this might be to synchronize or symlink the trusted ca-certificates with the directory /etc/gnupg/trusted-certs/; maybe that's what the option refers to:

> This directory should be filled with certificates of Root CAs you are
> trusting in checking the CRLs and signing OCSP Responses.
>
> Usually these are the same certificates you use with the applications
> making use of dirmngr. It is expected that each of these certificate
> files contain exactly one DER encoded certificate in a file with the
> suffix .crt or .der. dirmngr reads those certificates on startup and
> when given a SIGHUP. Certificates which are not readable or do not make
> up a proper X.509 certificate are ignored; see the log file for
> details.
>
> Applications using dirmngr (e.g. gpgsm) can request these certificates
> to complete a trust chain in the same way as with the extra-certs
> directory (see below).
>
> Note that for OCSP responses the certificate specified using the option
> --ocsp-signer is always considered valid to sign OCSP requests.

Another drawback to the previously proposed solution, which would only work on keyring creation, may be when a CA gets deleted from ca-certificates but sticks around as trusted for a user. Regardless, either would be an improvement over blindly choosing "Correct."

> I'm one of the debian maintainers for gnupg, and i admit that i haven't
> put a lot of work into the gpgsm system integration.

Off-topic, but is the Bash completion support from upstream or downstream? gpgsm doesn't support it, which makes mixing up gpg/gpgsm arguments more cumbersome.

[1] https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Configuration.html
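The trusted-certs layout quoted from the dirmngr manual above (exactly one DER-encoded certificate per file, suffix .crt or .der, reread on SIGHUP) is something that can be populated from Debian's ca-certificates package. The following is an added example, not code from this thread or from the gnupg packaging: a small Python script that splits a PEM bundle into one DER file per certificate. It assumes the Debian bundle is at /etc/ssl/certs/ca-certificates.crt (which is PEM, so a bare symlink would not hand dirmngr the DER it asks for) and that the destination is /etc/gnupg/trusted-certs/ as in the manual excerpt. The embedded sample bundle is constructed for the demo and contains no real certificates, and the structural check is only a cheap DER sanity test, not X.509 validation; dirmngr itself still decides what is a proper certificate.

```python
"""Split a PEM certificate bundle into one DER file per certificate, the
layout dirmngr expects in /etc/gnupg/trusted-certs/ (added example)."""
import base64
import binascii
import hashlib
import os
import re
import sys

# Assumed paths: Debian's ca-certificates bundle and the dirmngr directory
# described in the quoted manual text.
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
DEFAULT_TARGET = "/etc/gnupg/trusted-certs"

# Constructed sample: a minimal DER SEQUENCE (30 03 02 01 01), a block whose
# outer length disagrees with its size, and a block that is not base64.
# None of these is a real certificate.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAQCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
not base64!!
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def is_plausible_der_sequence(der):
    """Cheap structural check: tag 0x30 (SEQUENCE) and an outer length that
    matches the bytes actually present. This is not an X.509 parse."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length, 1..4 bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def pem_bundle_to_der(bundle_text):
    """Return one DER byte string per PEM certificate block. Blocks that are
    not valid base64 or not a self-consistent DER SEQUENCE are dropped, in the
    spirit of dirmngr ignoring unreadable files (those go to its log)."""
    ders = []
    for body in PEM_BLOCK.findall(bundle_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            continue
        if is_plausible_der_sequence(der):
            ders.append(der)
    return ders


def cert_filename(der):
    """Name each file by the SHA-1 of the DER so repeated runs are idempotent
    and a CA dropped from the bundle is easy to spot and delete."""
    return hashlib.sha1(der).hexdigest() + ".crt"


def write_trusted_certs(ders, target_dir):
    """Write each DER blob as its own .crt file; return the names written."""
    os.makedirs(target_dir, exist_ok=True)
    names = []
    for der in ders:
        name = cert_filename(der)
        with open(os.path.join(target_dir, name), "wb") as fh:
            fh.write(der)
        names.append(name)
    return names


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Real run: python3 split_bundle.py BUNDLE TARGET_DIR
        with open(sys.argv[1]) as fh:
            written = write_trusted_certs(pem_bundle_to_der(fh.read()), sys.argv[2])
        print("wrote %d certificates to %s; send dirmngr a SIGHUP to reload"
              % (len(written), sys.argv[2]))
    else:
        # Offline demo on the constructed sample: only the first block survives.
        for der in pem_bundle_to_der(SAMPLE_BUNDLE):
            print(cert_filename(der), der.hex())
        print("defaults would be %s -> %s" % (DEFAULT_BUNDLE, DEFAULT_TARGET))
```

Run with the two real paths as arguments (as root) to populate the directory, then SIGHUP dirmngr as the manual says; run with no arguments to see the filtering on the constructed sample.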