[pkg-gnupg-maint] Bug#800648: Bug#800648: Acknowledgement (dirmngr: hkps/ssl support broken)

Werner Koch wk at gnupg.org
Fri Oct 2 10:52:34 UTC 2015

On Fri,  2 Oct 2015 07:43, phil at ipom.com said:

> dirmngr[6336.0]: setting CA from file
> '/usr/local/share/ca-certificates/sks-keyservers.netCA.crt' failed: ASN1
> parser: Error in TAG.

GNUTLS does not autodetect that format of the certificate thus GnupG
uses the suffix as hint on what to do:

        rc = gnutls_certificate_set_x509_trust_file
          (sess->certcred, sl->d,
           (sl->flags & 1)? GNUTLS_X509_FMT_PEM : GNUTLS_X509_FMT_DER);
        if (rc < 0)
          log_info ("setting CA from file '%s' failed: %s\n",
                    sl->d, gnutls_strerror (rc));

The flag tested above is set iff the suffix is ".pem".

> The docs say it should be in PEM format, which it is:

"man dirmngr" shows this:

     --hkp-cacert file

       Use the root certificates in file for verification of the TLS
       certificates used with hkps (keyserver access over TLS).  If the
       file is in PEM format a suffix of .pem is expected for file.
       This option may be given multiple times to add more root

Thus I can see no bug here.  The detection could be better, though.  I
will track this in https://bugs.gnupg.org/gnupg/issue2119



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the pkg-gnupg-maint mailing list