On 29.07.21 at 19:36, Andrew Gallagher wrote:
> On 29/07/2021 17:52, Rainer Fiebig wrote:
>>
>> ~> openssl x509 -text </etc/ssl/certs/DST_Root_CA_X3.pem | grep "Not After"
>> Not After : Sep 30 14:01:15 2021 GMT
>
> So the file exists, and appears to have the correct contents (the
> difference in checksum is probably whitespace or commentary, I wouldn't
> worry about it).
>
> I'm going to refer back to my earlier statement: "It looks like dirmngr
> isn't using the same set of CAs that curl is using".

Yes, that seems to be at the heart of the matter. Curl is built with this
./configure switch:

--with-ca-path=/etc/ssl/certs

and so it finds the correct certificate. There's no such switch for gnupg.
So I guess dirmngr looks in /etc/pki for the certs? And maybe the
DST_Root_CA_X3 (in "ca-bundle.crt") there is different (outdated?) from the
one in /etc/ssl/certs.

>
> If you built gnupg from its default configuration, it does not
> automatically look in /etc/ssl/certs for CA certificates. You may want
> to add a soft link from /etc/gnupg/trusted-certs to /etc/ssl/certs so
> that dirmngr looks in the Mozilla certificate library.
>

The manpage for dirmngr says that the certificates in
/etc/gnupg/trusted-certs are expected to be in .der or .crt encoding.
Those in /etc/ssl are .pem, though.

I created a symlink /etc/gnupg/trusted-certs -> /etc/ssl/certs/ but
gpg --search-keys still fails, probably due to the .pem encoding.
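
The encoding mismatch described in the message above (PEM files in /etc/ssl/certs, DER expected in /etc/gnupg/trusted-certs) can be handled by exporting DER copies into a separate directory instead of symlinking. This is an added example, not part of the original message and not GnuPG code; the function names are hypothetical, and it assumes one DER certificate per output file, so PEM bundles are split.

```python
import base64
import re
import sys
from pathlib import Path

# One PEM certificate block; text outside the markers (comments) is ignored.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def pem_to_der_blobs(data):
    """Return the DER bytes of every certificate block found in PEM data."""
    blobs = []
    for match in PEM_BLOCK.finditer(data):
        # Strip line breaks, then decode strictly so stray characters fail.
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        # A DER certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
        if der[:1] != b"\x30":
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        blobs.append(der)
    return blobs

def export_der(src_dir, dst_dir):
    """Write each certificate from src_dir/*.pem to dst_dir as its own .der file."""
    src, dst = Path(src_dir), Path(dst_dir)
    dst.mkdir(parents=True, exist_ok=True)
    written = []
    for pem in sorted(src.glob("*.pem")):
        try:
            blobs = pem_to_der_blobs(pem.read_bytes())
        except (OSError, ValueError) as exc:  # dangling symlink or bad base64
            print(f"skipping {pem}: {exc}", file=sys.stderr)
            continue
        for index, der in enumerate(blobs):
            # Bundles get a numeric suffix so each file holds one certificate.
            suffix = "" if len(blobs) == 1 else f"-{index}"
            out = dst / f"{pem.stem}{suffix}.der"
            out.write_bytes(der)
            written.append(out)
    return written

if __name__ == "__main__":
    # Paths as named in the thread; pass others as arguments (assumption).
    source = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs"
    target = sys.argv[2] if len(sys.argv) > 2 else "/etc/gnupg/trusted-certs"
    for path in export_der(source, target):
        print(path)
```

The result can be spot-checked with `openssl x509 -inform DER -noout -enddate` on any of the written files.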