Web lists-archives.com

gpg ca-cert-file=[which file???]




It seems a bit silly to be downloading pgp keys 'in the clear', so
after a bit of searching I think I want
  keyserver hkps://whatever
in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or
at least over an encrypted channel.  But what file should I be using
as the ca-cert file?

What I ended up doing is
$ cd /etc
$ find . -name \*pem
./pki/ca-trust/extracted/pem
./pki/ca-trust/extracted/pem/email-ca-bundle.pem
./pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
./pki/ca-trust/extracted/pem/tls-ca-bundle.pem
./pki/tls/cert.pem

and trying each file until I finally got one that worked:
$ grep "^keyserver" ~/.gnupg/gpg.conf
keyserver hkps://pgp.mit.edu/
keyserver-options check-cert=on
keyserver-options ca-cert-file=/etc/pki/tls/cert.pem

$ gpg --auto-key-locate keyserver --keyserver-options
auto-key-retrieve --verify BIND9.9.10-P1.x64.zip.asc
gpg: assuming signed data in `BIND9.9.10-P1.x64.zip'
gpg: Signature made Mon, Jun  5, 2017  2:31:57 PM EDT
gpg:                using RSA key 0xF1B11BF05CF02E57
gpg: requesting key 0xF1B11BF05CF02E57 from hkps server pgp.mit.edu
gpg: key 0xF1B11BF05CF02E57: public key "Internet Systems Consortium,
Inc. (Signing key, 2017-2018) <codesign@xxxxxxx>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing
key, 2017-2018) <codesign@xxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB  89FF F1B1 1BF0 5CF0 2E57


Is there a better/more-correct file to use for the ca-cert-file= parameter?

How hard would it be to add hkps:// usage examples to the default gpg.conf file?

Thanks,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple