[pkg-gnupg-maint] Bug#888025: how to integrate ca-certificates with gpgsm (for email s/mime signature verification)

John Scott jscott at posteo.net
Mon Jun 29 22:51:31 BST 2020

> looking at the documentation for trustlist.txt in gpg-agent(1) (it seems
> odd to have it documented there, since i thought gpg-agent was for
> secret key material only, weird!), it looks like trustlist.txt has an
> `include-default` option, which maybe defaults to
> `/etc/gnupg/trustlist.txt` on debian (i haven't done much testing!)

Looking at the manual [1] it seems like a potentially more clean way to do 
this might be to synchronize or symlink the trusted ca-certificates with the 
directory /etc/gnupg/trusted-certs/; maybe that's what the option refers to:
>     This directory should be filled with certificates of Root CAs you are
>     trusting in checking the CRLs and signing OCSP Responses.
>     Usually these are the same certificates you use with the applications
>     making use of dirmngr. It is expected that each of these certificate
>     files contain exactly one DER encoded certificate in a file with the
>     suffix .crt or .der. dirmngr reads those certificates on startup and
>     when given a SIGHUP. Certificates which are not readable or do not make
>     up a proper X.509 certificate are ignored; see the log file for
>     details.
>     Applications using dirmngr (e.g. gpgsm) can request these certificates
>     to complete a trust chain in the same way as with the extra-certs
>     directory (see below).
>     Note that for OCSP responses the certificate specified using the option
>     --ocsp-signer is always considered valid to sign OCSP requests.

Another drawback to the before proposed solution, which would work only on 
keyring creation, may be when a CA gets deleted from ca-certificates, but 
sticks around as trusted for a user. Irregardless either would be an 
improvement over blindly choosing "Correct."

> I'm one of the debian maintainers for gnupg, and i admit that i haven't
> put a lot of work into the gpgsm system integration.
Off-topic, but is the Bash completion support from upstream or downstream? 
gpgsm doesn't support it, which makes mixing up gpg/gpgsm arguments more 

[1] https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Configuration.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2077 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20200629/c743f52f/attachment.bin>

More information about the pkg-gnupg-maint mailing list