On Sat, 2021-07-31 at 22:16 +0200, Rainer Fiebig wrote:
> On 31.07.21 at 21:00, Xi Ruoyao wrote:
> > On Sat, 2021-07-31 at 19:56 +0200, Rainer Fiebig wrote:
> > > On 31.07.21 at 17:40, Werner Koch wrote:
> > > > On Thu, 29 Jul 2021 18:36, Andrew Gallagher said:
> > > >
> > > > > If you built gnupg from its default configuration, it does not
> > > > > automatically look in /etc/ssl/certs for CA certificates. You may
> > > > > want
> > > >
> > > > On Unix and unless gnupg was built with --with-default-trust-store-file
> > > > the following collections of certificates are used for TLS:
> > > >
> > > >   { "/etc/ssl/ca-bundle.pem" },
> > > >   { "/etc/ssl/certs/ca-certificates.crt" },
> > > >   { "/etc/pki/tls/cert.pem" },
> > > >   { "/usr/local/share/certs/ca-root-nss.crt" },
> > > >   { "/etc/ssl/cert.pem" }
> >
> > Hi Werner,
> >
> > Our "recommended" configuration in BLFS is: gnutls is built with p11-kit
> > and --with-default-trust-store-pkcs11="pkcs11:", and gnupg is built with
> > gnutls. So gnupg "should" use certificates from the p11-kit trust store, I
> > think? And it works for me.
> >
> > I saw your discussion with "curl". In BLFS curl uses OpenSSL instead of
> > GnuTLS, so they actually have different trust stores. GnuTLS (using
> > p11-kit) uses /etc/pki/anchors, OpenSSL uses /etc/ssl/certs.
> >
> > I remember once an unclean shutdown caused a similar issue on my system
> > (/etc/pki/anchors was disrupted, and every program using GnuTLS just
> > started to distrust every certificate).
> >
> > Hi Rainer,
> >
> > Try "gnutls-cli keys.openpgp.org". If it does not get into "Simple
> > Client Mode" as expected, it means the p11-kit trust store may be
> > disrupted. Try "make-ca -f -g" to rebuild it.
> >
> > And check if your p11-kit was built with -Dtrust_paths=/etc/pki/anchors
> > as the BLFS book says. If not sure, rebuild it. (I can also remember
> > once I mistyped the path; this also caused every program using GnuTLS
> > to start distrusting every certificate.)
>
> OK, issued "make-ca -f -g" and re-built gnupg *without* path_to_file.
> But the result then was again
>
> ~> gpg --search-keys E3FF2839C048B25C084DEBE9B26995E310250568
> gpg: error searching keyserver: No inquire callback in IPC
>
> So the only way to get this reliably working on my system seems to be
> building gnupg *with* path_to_file.

So gnutls-cli works but gpg (which should use GnuTLS) does not? I'm now
puzzled as I can't reproduce it on my system at all.

As a last resort: which GPG version did you install? And was GnuTLS
installed when you built it?

-- 
Xi Ruoyao <xry...@mengyan1223.wang>
School of Aerospace Science and Technology, Xidian University

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
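An added diagnostic script, not from this thread or from the GnuPG/BLFS projects: it reports which of the TLS trust stores discussed above exist on the host and how many CA certificates each holds, so an empty or missing store (the "distrust every certificate" symptom) is visible before rebuilding anything. The file list is the one Werner quoted for a gnupg built without --with-default-trust-store-file; the anchors directory is the BLFS -Dtrust_paths value; the function names are my own.

```shell
#!/bin/sh
# Candidate trust stores quoted in the thread (constructed list, paths as quoted).
DEFAULT_TRUST_FILES="/etc/ssl/ca-bundle.pem
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem"
# p11-kit anchors directory as configured by BLFS (-Dtrust_paths=/etc/pki/anchors).
P11KIT_ANCHORS=/etc/pki/anchors

# count_certs FILE: number of PEM certificate blocks in FILE; 0 if missing or unreadable.
count_certs() {
    [ -r "$1" ] || { echo 0; return; }
    # grep -c exits 1 when nothing matches but still prints 0; keep the count, ignore the status.
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# count_anchor_certs DIR: PEM certificate blocks across all regular files in DIR; 0 if no such dir.
count_anchor_certs() {
    total=0
    [ -d "$1" ] || { echo 0; return; }
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$(count_certs "$f")
        total=$((total + n))
    done
    echo "$total"
}

# report_trust_stores: print one line per store with its certificate count.
report_trust_stores() {
    echo "== file-based stores (gnupg/dirmngr without a pkcs11 default trust store) =="
    for f in $DEFAULT_TRUST_FILES; do
        printf '%-45s %s certificate(s)\n' "$f" "$(count_certs "$f")"
    done
    echo "== p11-kit anchors (GnuTLS built with --with-default-trust-store-pkcs11) =="
    printf '%-45s %s certificate(s)\n' "$P11KIT_ANCHORS" "$(count_anchor_certs "$P11KIT_ANCHORS")"
}

report_trust_stores
```

A zero count in every store explains a blanket TLS failure; a populated store with gpg still failing points at the gnupg build itself, which is the question left open above.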