Mail Archives: cygwin/2017/07/15/14:41:28

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2017/07/15/14:41:28

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:from:date:message-id:subject:to

:content-type; q=dns; s=default; b=dcOLNEH59O1Z4TVT2EqdRca8WNVG/

vvgq6PfS4YzbllwDyyV3TJtlQ0u2TuG5t9SrwIBCoqkEBFnNJ3/Tv0R9/hylWAY6

+D3TWVWU/GHe9Wvzlz+15DXSC47Vx78s6Z9+UF4hOlCBKpc3n9vidn6P5TAJvO7M

YR+iT6d9+mVYxU=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:from:date:message-id:subject:to

:content-type; s=default; bh=9qhzxP0rFIt8zfYqrCfJG1tACoU=; b=mRM

8+EGE5wn1UfTfUuabO+tcEl7iT3srqEg3f2DvObQPJybISlJHnWJcckIzBP69Rcx

a4F3B8ix4k4cGL+uAEjTVEw2cvzzeB3KmmGS+9phkz8aj17twAGwBch9QOvq2sjW

6YRRJbhrow0anQ+Pi+LViUWdnlBaYtVBKcfVxALE=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Virus-Found: No

X-Spam-SWARE-Status: No, score=-0.6 required=5.0 tests=AWL,BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM,SPF_PASS autolearn=no version=3.3.2 spammy=Systems, downloading, Consortium, consortium

X-HELO: mail-vk0-f50.google.com

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=RlLEkY6bWfEkfmd8vQg2mGQYNVG0fu0qVqGNcOeiW+s=; b=BkVPDteFzISEF0LsGhMqGC2ndzZhx23Y2TFZ8jk/KwzPwElOPrSLE25/y7gzmTpKRE 5SAJx8hMusN5WTGf8PrSvasFX7Ew2mZ8RV+fWsdtqbzX9x3/PV08vGrfCIFlmKW+/b6S iaKfagdmlw/nFFDtZEb7yb4ymeEaEbwpgwsY9CkrbJPXaCCdIZv117lI53MDmzSg1/eO fSYu+7cLqKMFdGLZ7GqTqVzrJ433u3Sj6P/EKRbZMtV37JPEjCDktfaII1pWLG2cIhFl 0x2+U88rbCOSabPouwVXMyIyAE6gD4TODgO3clZveKfaMFNZdVK8K5oEpDbwkxxQ8LXx mMbw==

X-Gm-Message-State: AIVw113MjeJx7kE2V6VUXCtE04OzYiwD4LxFhMeubZNN6GEDEbNsVBQ0 dkboCDKj8PG1+pJJkoEN8WZj+iqj+g==

X-Received: by 10.31.58.206 with SMTP id h197mr6857382vka.23.1500144033959; Sat, 15 Jul 2017 11:40:33 -0700 (PDT)

MIME-Version: 1.0

From: Lee <ler762 AT gmail DOT com>

Date: Sat, 15 Jul 2017 14:40:33 -0400

Message-ID: <CAD8GWsvT9rgHz+vcdBmX-opfckZS8g06_Px57JCNG_xCT_ku6A@mail.gmail.com>

Subject: gpg ca-cert-file=[which file???]

To: cygwin AT cygwin DOT com

X-IsSubscribed: yes

It seems a bit silly to be downloading pgp keys 'in the clear', so
after a bit of searching I think I want
  keyserver hkps://whatever
in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or
at least over an encrypted channel.  But what file should I be using
as the ca-cert file?

What I ended up doing is
$ cd /etc
$ find . -name \*pem
./pki/ca-trust/extracted/pem
./pki/ca-trust/extracted/pem/email-ca-bundle.pem
./pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
./pki/ca-trust/extracted/pem/tls-ca-bundle.pem
./pki/tls/cert.pem

and trying each file until I finally got one that worked:
$ grep "^keyserver" ~/.gnupg/gpg.conf
keyserver hkps://pgp.mit.edu/
keyserver-options check-cert=on
keyserver-options ca-cert-file=/etc/pki/tls/cert.pem

$ gpg --auto-key-locate keyserver --keyserver-options
auto-key-retrieve --verify BIND9.9.10-P1.x64.zip.asc
gpg: assuming signed data in `BIND9.9.10-P1.x64.zip'
gpg: Signature made Mon, Jun  5, 2017  2:31:57 PM EDT
gpg:                using RSA key 0xF1B11BF05CF02E57
gpg: requesting key 0xF1B11BF05CF02E57 from hkps server pgp.mit.edu
gpg: key 0xF1B11BF05CF02E57: public key "Internet Systems Consortium,
Inc. (Signing key, 2017-2018) <codesign AT isc DOT org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing
key, 2017-2018) <codesign AT isc DOT org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB  89FF F1B1 1BF0 5CF0 2E57


Is there a better/more-correct file to use for the ca-cert-file= parameter?

How hard would it be to add hkps:// usage examples to the default gpg.conf file?

Thanks,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:from:date:message-id:subject:to
	:content-type; q=dns; s=default; b=dcOLNEH59O1Z4TVT2EqdRca8WNVG/
	vvgq6PfS4YzbllwDyyV3TJtlQ0u2TuG5t9SrwIBCoqkEBFnNJ3/Tv0R9/hylWAY6
	+D3TWVWU/GHe9Wvzlz+15DXSC47Vx78s6Z9+UF4hOlCBKpc3n9vidn6P5TAJvO7M
	YR+iT6d9+mVYxU=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:from:date:message-id:subject:to
	:content-type; s=default; bh=9qhzxP0rFIt8zfYqrCfJG1tACoU=; b=mRM
	8+EGE5wn1UfTfUuabO+tcEl7iT3srqEg3f2DvObQPJybISlJHnWJcckIzBP69Rcx
	a4F3B8ix4k4cGL+uAEjTVEw2cvzzeB3KmmGS+9phkz8aj17twAGwBch9QOvq2sjW
	6YRRJbhrow0anQ+Pi+LViUWdnlBaYtVBKcfVxALE=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Virus-Found:	No
X-Spam-SWARE-Status:	No, score=-0.6 required=5.0 tests=AWL,BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM,SPF_PASS autolearn=no version=3.3.2 spammy=Systems, downloading, Consortium, consortium
X-HELO:	mail-vk0-f50.google.com
X-Google-DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=RlLEkY6bWfEkfmd8vQg2mGQYNVG0fu0qVqGNcOeiW+s=; b=BkVPDteFzISEF0LsGhMqGC2ndzZhx23Y2TFZ8jk/KwzPwElOPrSLE25/y7gzmTpKRE 5SAJx8hMusN5WTGf8PrSvasFX7Ew2mZ8RV+fWsdtqbzX9x3/PV08vGrfCIFlmKW+/b6S iaKfagdmlw/nFFDtZEb7yb4ymeEaEbwpgwsY9CkrbJPXaCCdIZv117lI53MDmzSg1/eO fSYu+7cLqKMFdGLZ7GqTqVzrJ433u3Sj6P/EKRbZMtV37JPEjCDktfaII1pWLG2cIhFl 0x2+U88rbCOSabPouwVXMyIyAE6gD4TODgO3clZveKfaMFNZdVK8K5oEpDbwkxxQ8LXx mMbw==
X-Gm-Message-State:	AIVw113MjeJx7kE2V6VUXCtE04OzYiwD4LxFhMeubZNN6GEDEbNsVBQ0 dkboCDKj8PG1+pJJkoEN8WZj+iqj+g==
X-Received:	by 10.31.58.206 with SMTP id h197mr6857382vka.23.1500144033959; Sat, 15 Jul 2017 11:40:33 -0700 (PDT)
MIME-Version:	1.0
From:	Lee <ler762 AT gmail DOT com>
Date:	Sat, 15 Jul 2017 14:40:33 -0400
Message-ID:	<CAD8GWsvT9rgHz+vcdBmX-opfckZS8g06_Px57JCNG_xCT_ku6A@mail.gmail.com>
Subject:	gpg ca-cert-file=[which file???]
To:	cygwin AT cygwin DOT com
X-IsSubscribed:	yes