On 02/25/2013 11:10 PM, Daniel Kahn Gillmor wrote:
| On 02/25/2013 10:43 PM, Doug Barton wrote:
|> The Best Practices page you posted above actually suggests:
|>
|> keyserver hkps://hkps.pool.sks-keyservers.net
|> keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
|>
|> That worked for me, although I was a bit disappointed that placing the
|> cert at /etc/ssl/certs/ca.hkps.pool.sks-keyservers.net.cert didn't work
|> like all the docs said it should.
|
| which docs suggested that should work?

lots, this one for example:

https://help.ubuntu.com/community/GnuTLS

| what operating system are you expecting it to work for?

Ubuntu.

| if you're using debian or a debian-derived system like mint or ubuntu,
| and you want to add a CA to the "system trusted root store", you
| actually want to add the file with a .crt extension (not .cert) to
| /usr/local/share/ca-certificates/ and then run "update-ca-certificates"
| as the superuser.
|
| Please read:
|
| /usr/share/doc/ca-certificates/README.Debian
|
| on your local system for more details.

Thanks. :)

|> Does anyone know where/how to place the cert file on the system so that
|> it can be called by demand, rather than having to specify it in the
|> gpg.conf?
|
| gpg's keyserver-option ca-cert-file's default for hkps is dependent on
| the TLS library libcurl linked to from libcurl in the handler in
| /usr/lib/gnupg/gpgkeys_hkp. on debian systems right now, this is
| libgnutls26, which currently has no default root CAs.
|
| newer versions of gnutls have a standard default root CA set that maps
| to the system provided above by ca-certificates.
|
| If and when gnupg-curl builds against libgnutls28-dev (the next major
| API change in gnutls), it should adopt those changes.

So it sounds like what you're saying is that there is no hope for a
system-wide solution for hkps? I can live with the gpg.conf option, I
was mostly sort of curious about adding certs to my system since I have
other uses for that ability down the road.

Thanks again,

Doug
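
The following is an added example, not part of the original message or of GnuPG: a shell check for the two points raised in this thread, namely that an hkps keyserver in gpg.conf needs an explicit `ca-cert-file` pointing at a readable PEM file, and that Debian's system store only picks up `.crt` files under /usr/local/share/ca-certificates/. The function names `hkps_ca_status` and `store_name_ok` are hypothetical, and the files written under `$demo` are constructed sample data.

```shell
#!/bin/sh
# Added example: audit a gpg.conf for the hkps setup discussed in the thread.

# Print one status word for the config file given as $1:
#   no-hkps        no active "keyserver hkps://..." line
#   missing-ca     hkps keyserver set, but no ca-cert-file option
#   ca-unreadable  ca-cert-file points at a missing or non-PEM file
#   ok             hkps keyserver with a readable PEM CA file
hkps_ca_status() {
    conf=$1
    if ! grep -Eq '^[[:space:]]*keyserver[[:space:]]+hkps://' "$conf" 2>/dev/null; then
        echo no-hkps; return 0
    fi
    # Take the last ca-cert-file=... value found on a keyserver-options line.
    ca=$(sed -n 's/^[[:space:]]*keyserver-options[[:space:]].*ca-cert-file=\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -z "$ca" ]; then
        echo missing-ca
    elif [ -r "$ca" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo ok
    else
        echo ca-unreadable
    fi
}

# Debian/Ubuntu: update-ca-certificates only picks up local CA files that
# end in .crt under /usr/local/share/ca-certificates/ (as the reply says).
store_name_ok() {
    case $1 in
        /usr/local/share/ca-certificates/*.crt) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on constructed files: a placeholder PEM and a two-line gpg.conf.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
    '-----END CERTIFICATE-----' > "$demo/ca.pem"
printf 'keyserver hkps://hkps.pool.sks-keyservers.net\nkeyserver-options ca-cert-file=%s\n' \
    "$demo/ca.pem" > "$demo/gpg.conf"
hkps_ca_status "$demo/gpg.conf"
rm -rf "$demo"
```

The check only confirms that the file exists and looks like PEM; it does not verify that the certificate is the pool's actual CA.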