From: Lee
Date: Sun, 16 Jul 2017 00:56:21 -0400
Subject: Re: gpg ca-cert-file=[which file???]
To: cygwin AT cygwin DOT com

On 7/15/17, René Berber wrote:
> On 7/15/2017 1:40 PM, Lee wrote:
>
> [snip]
>> in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or
>> at least over an encrypted channel. But what file should I be using
>> as the ca-cert file?
>
> You should be using the "system" files.
>
> On Cygwin that means installing the ca-certificates package (currently
> version 2.14-1). They are installed in a location where the SSL package
> expects them, you don't have to go look for them, and shouldn't need to
> specify its location (a directory) on your gpg.conf

Where does the ca-certificates package put the certs? gpg didn't find them :(

$ cygcheck -c ca-certificates
Cygwin Package Information
Package              Version        Status
ca-certificates      2.14-1         OK

>> $ grep "^keyserver" ~/.gnupg/gpg.conf
>> keyserver hkps://pgp.mit.edu/
>> keyserver-options check-cert=on
>> keyserver-options ca-cert-file=/etc/pki/tls/cert.pem
>
> Wrong cert actually, I don't know why you say it worked.

Because it did work.
I didn't have the public key needed to verify the package, so
  gpg --verify
would complain about
  gpg: Can't check signature: public key not found

  gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify ...
would complain about various things - I didn't save any of the error msgs until I finally hit on the combination of
  keyserver hkps://pgp.mit.edu/
  keyserver-options ca-cert-file=/etc/pki/tls/cert.pem
in my gpg.conf, at which point gpg verified the file, and I no longer have the 'public key not found' problem:

$ gpg --verify BIND9.9.10-P1.x64.zip.asc
gpg: assuming signed data in `BIND9.9.10-P1.x64.zip'
gpg: Signature made Mon, Jun 5, 2017 2:31:57 PM EDT
gpg:                using RSA key 0xF1B11BF05CF02E57
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2017-2018) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57

> The cert that should have matched is the one used by the key server, not
> by you.

I'm guessing the "keyserver-options ca-cert-file=" needs to be pointing at the ca-certificate package root store - but damnifiknow where it is :(

Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
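The "Good signature" line above, paired with the "not certified with a trusted signature" warning, only says that the file matches a key gpg just fetched from the keyserver; nothing ties that key to ISC. An added example (not from the mail, Cygwin or the gpg project) that pins the primary-key fingerprint quoted in the mail's output using gpg's machine-readable `--status-fd` lines; the sample status lines and the second "other key" fingerprint are constructed inline so the check runs offline:

```shell
#!/bin/sh
# Added example (not from the mail): a "Good signature" from an auto-retrieved
# key only proves the file matches *some* key; pin the expected fingerprint.
# EXPECTED_FPR is the primary-key fingerprint quoted in the mail's gpg output.
EXPECTED_FPR="BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57"

# Return 0 only if a VALIDSIG line in gpg --status-fd output carries the
# expected fingerprint (field 3 = signing key, last field = primary key).
# $1 = expected fingerprint (spaces and case ignored), $2 = status text.
validsig_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$2" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Verify a detached signature and pin the key. Needs gpg on PATH; status lines
# go to stdout so the human-readable text on stderr cannot be confused with
# them. $1 = .asc file, $2 = signed file.
verify_pinned() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    validsig_matches "$EXPECTED_FPR" "$status"
}

# Constructed sample status output (what gpg emits for a signature like the
# mail's): GOODSIG/VALIDSIG plus TRUST_UNDEFINED, i.e. no trust path at all.
SAMPLE_OK='[GNUPG:] GOODSIG F1B11BF05CF02E57 Internet Systems Consortium, Inc. (Signing key, 2017-2018)
[GNUPG:] VALIDSIG BE0E9748B718253A28BB89FFF1B11BF05CF02E57 2017-06-05 1496687517 0 4 0 1 8 00 BE0E9748B718253A28BB89FFF1B11BF05CF02E57
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Constructed: a different key that also yields a "good" signature must be rejected.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else
[GNUPG:] VALIDSIG 00000000000000000000000000000000DEADBEEF 2017-06-05 1496687517 0 4 0 1 8 00 00000000000000000000000000000000DEADBEEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if validsig_matches "$EXPECTED_FPR" "$SAMPLE_OK"; then echo "pinned key: OK"; fi
if ! validsig_matches "$EXPECTED_FPR" "$SAMPLE_OTHER_KEY"; then echo "other key: rejected"; fi
```

With a real file, `verify_pinned BIND9.9.10-P1.x64.zip.asc BIND9.9.10-P1.x64.zip` returns 0 only when the signature is valid and made by the pinned key, regardless of what the keyserver handed back.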