| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:mime-version:in-reply-to:references:from:date | |
| :message-id:subject:to:content-type:content-transfer-encoding; | |
| q=dns; s=default; b=raqrOTfyAOYC6l+XInfuSUsXjPhD/suhcLcpPZM/0Tt | |
| B1a511zrNpJ/GWudoLxnjCXTchDOzdwy13kSdVZyaLbxThbpx4RBTaGMeu3sTCM2 | |
| bzizCXqIRXC22lddli1gS3v8rMq5w4AZnSHJBEQw9u+HS1mH0XVwQSlYQkP1XJdE | |
| = | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:mime-version:in-reply-to:references:from:date | |
| :message-id:subject:to:content-type:content-transfer-encoding; | |
| s=default; bh=zsGKDIfaT2UxRgODOnSdR3/jEp8=; b=HcvWgOyrW8sMoCipR | |
| F+/kwWg1bxrjbjAOQ/2+FaeHysK1kE0pB16epcJiJ0MTTJRhR9DxAdh3laYMuImZ | |
| H9B/Dozer27wjNckF8OSpaOIqnBYU8Z309Y47Ia8/9H96zQ79RIdxv3WJl9vg7oY | |
| NlZiXbiAYkUg2bEIvn78mkk/uQ= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=1.4 required=5.0 tests=AWL,BAYES_50,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM,SPF_PASS autolearn=no version=3.3.2 spammy=cyber, Cyber, UD:tls-ca-bundle.pem, ca-trust |
| X-HELO: | mail-it0-f47.google.com |
| X-Google-DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-transfer-encoding; bh=G9c1DuFJqMW53haywSeDSvSZy+VxUsT6h4wT2oUhEP4=; b=VwZsWHyx4R0SvsF2z49J7Kn4xiq9GGub5ELl3DIZfYNsiyA2FjJFrln1tWfqcxmPy7 b2cLBPstWLg4cHH9jlSkreuBYbNoGiVEWX+m/y7hjkGE5DgGztidQ044FiIxaVh0Vcyc 6g4iCbsGzg8Ihe1c78Pv1d78xG73M8Jlf+nA701FFmBLa6ASEP7QyLe0WdnGRwNp4k5Y NHCtKrQ1tKoQzHfVDiBV1YP69tijxUPIG6Ap+ZeKelc490rOLwYE6WSIc3hPiYZQjMfv 3jzbRfxcvuB81vUuMObAuVzSPj/HNUg9Hat3NQpfTjkX5S60qdI+h0FkviVOuypJ4vD8 ik+g== |
| X-Gm-Message-State: | AIVw113A4sH8J+xQQ6Edl5Q9lHOspEKMbIv7AesEQ1SqvSlBitHI4q7j WcfOHhLh7DaGYiLgF5YHsqpm9TyxmQ== |
| X-Received: | by 10.36.19.5 with SMTP id 5mr2295866itz.65.1500223123208; Sun, 16 Jul 2017 09:38:43 -0700 (PDT) |
| MIME-Version: | 1.0 |
| In-Reply-To: | <okesn6$agb$1@blaine.gmane.org> |
| References: | <CAD8GWsvT9rgHz+vcdBmX-opfckZS8g06_Px57JCNG_xCT_ku6A AT mail DOT gmail DOT com> <okef84$e7f$1 AT blaine DOT gmane DOT org> <CAD8GWsuvpZqOmajdyBBSNza20un_BZuJOdRH15XhKFqzx4H3OA AT mail DOT gmail DOT com> <okesn6$agb$1 AT blaine DOT gmane DOT org> |
| From: | Lee <ler762 AT gmail DOT com> |
| Date: | Sun, 16 Jul 2017 12:38:42 -0400 |
| Message-ID: | <CAD8GWsuMuda5O2X-1N_q8TpZ_wZQBhEEJpfdA1eQO+x1iDLH5A@mail.gmail.com> |
| Subject: | Re: gpg ca-cert-file=[which file???] |
| To: | cygwin AT cygwin DOT com |
| X-IsSubscribed: | yes |
| X-MIME-Autoconverted: | from quoted-printable to 8bit by delorie.com id v6GGcxPR029173 |
On 7/16/17, René Berber wrote:
> On 7/15/2017 11:56 PM, Lee wrote:
> [snip]
>> I'm guessing the "keyserver-options ca-cert-file=" needs to be
>> pointing at the ca-certificate package root store - but damnifiknow
>> where it is :(
>
> https://cygwin.com/cgi-bin2/package-cat.cgi?file=x86_64%2Fca-certificates%2Fca-certificates-2.14-1&grep=cacert
>
> That lists what is being installed, and where.
>
> The tls-ca-bundle files contain the root certificates.
Thanks - that gets me a bit further down the rabbit hole.
I used
keyserver-options ca-cert-file=/etc/pki/tls/cert.pem
which the ca-certificates bundle shows as a 0 byte file pointing to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
which is also a 0 byte file??
but there's several README files, so let's take a look
/etc/pki/ca-trust/extracted/pem/README
Distrust information cannot be represented in this file format,
and distrusted certificates are missing from these files.
oops. distrusted certs are missing, so I probably don't want to use
keyserver-options ca-cert-file=/etc/pki/tls/cert.pem
/etc/pki/ca-trust/source/README
Please refer to the update-ca-trust(8) manual page for additional information.
ok... man update-ca-trust
FILES
/etc/pki/tls/certs/ca-bundle.trust.crt
Classic filename, file contains a list of CA certificates in
the extended BEGIN/END TRUSTED CERTIFICATE file format,
which includes trust (and/or distrust) flags specific to
certificate usage. This file is a symbolic link that refers
to the consolidated output created by the update-ca-trust command.
cool.. that sounds like what I want
/etc/pki/tls/certs/ca-bundle.trust.crt is a link to
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
so let's fix my gpg.conf:
$ grep "^keyserver" ~/.gnupg/gpg.conf
keyserver hkps://pgp.mit.edu/
keyserver-options check-cert=on
keyserver-options
ca-cert-file=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
temporarily remove my list of public keys
$ mv ~/.gnupg/pubring.gpg ~/.gnupg/orig-pubring.gpg
start wireshark & give it a try
$ gpg --auto-key-locate keyserver --keyserver-options
auto-key-retrieve --verify BIND9.9.10-P1.x64.zip.asc
gpg: keyring `/home/Lee/.gnupg/pubring.gpg' created
gpg: assuming signed data in `BIND9.9.10-P1.x64.zip'
gpg: Signature made Mon, Jun 5, 2017 2:31:57 PM EDT
gpg: using RSA key 0xF1B11BF05CF02E57
gpg: requesting key 0xF1B11BF05CF02E57 from hkps server pgp.mit.edu
gpg: key 0xF1B11BF05CF02E57: public key "Internet Systems Consortium,
Inc. (Signing key, 2017-2018) <codesign AT isc DOT org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing
key, 2017-2018) <codesign AT isc DOT org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57
yay! I got the public key using TLS
$ cd /etc/pki/ca-trust/extracted/openssl
$ grep DigiNotar ca-bundle.trust.crt
# Explicitly Distrust DigiNotar Cyber CA
# Explicitly Distrust DigiNotar Cyber CA 2nd
# Explicitly Distrust DigiNotar Root CA
# Explicitly Distrust DigiNotar Services 1024 CA
# Explicitly Distrusted DigiNotar PKIoverheid
# Explicitly Distrusted DigiNotar PKIoverheid G2
yay!
$ grep CNNIC ca-bundle.trust.crt
# CNNIC ROOT
oops..
https://wiki.mozilla.org/CA/Additional_Trust_Changes
CNNIC
Mozilla currently recommends not trusting any certificates issued by
this CA after 1st April 2015. This covers two roots in our store -
"CNNIC ROOT" and "China Internet Network Information Center EV
Certificates Root".
back to man update-ca-trust
... and I'm lost :(
It looks like there's some certs in
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt that I don't
want to trust.. but how to tell which ones & how to set
distrust/blacklist trust flags on them? or maybe I need to copy them
to /etc/pki/ca-trust/source/blacklist/ ???
Anyone have any pointers on how to distrust certs in
ca-bundle.trust.crt (assuming that _is_ the file I should be using) or
even how to show exactly what's in there?
$ grep "#" ca-bundle.trust.crt
shows lots of comments but
$ openssl x509 -in ca-bundle.trust.crt -noout -subject -dates
just shows me the first cert :(
Thanks
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |