From: Lee
Date: Tue, 18 Jul 2017 12:30:18 -0400
Subject: Re: gpg ca-cert-file=[which file???]
To: cygwin AT cygwin DOT com

On 7/17/17, Lee wrote:
>
> I don't care about EV right now. I don't want to trust any
> certificate issued by CNNIC & a few other CAs. How do I do that?

I didn't realize just how big a can of worms I'd opened. But I'm close
enuf to where I wanted to be that I'm done for now.

https://bugzilla.redhat.com/show_bug.cgi?id=873373#c3
Feedback from people who know would be good.

Which is why I've been so verbose - I was hoping for feedback from
Someone Who Knows :)

My code auditor skillz leave much to be desired, so my gpg.conf now has

keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.crt
## keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.trust.crt
## ca-bundle.crt = trusted root certs
## ca-bundle.trust.crt = trusted root certs + explicitly UNtrusted root certs
## does gpg check the trust bits in the certs??? need to figure that out
## before using ca-bundle.trust.crt

To see all the certificates in a bundle:

$ ./listcerts.sh | head -5
subject= /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
subject= /CN=ACEDICOM Root/OU=PKI/O=EDICOM/C=ES
subject= /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
subject= /C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

$ cat listcerts.sh
#!/bin/sh
# ref: https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle
FILE="/etc/pki/tls/certs/ca-bundle.crt"
# FILE="/etc/pki/tls/certs/ca-bundle.trust.crt"
# accumulate one PEM block at a time and pipe each block to openssl
awk -v cmd="openssl x509 -noout -subject " '
  /^-----BEGIN/ { c = $0; next }
  { c = c "\n" $0 }
  /^-----END/ { print c|cmd; close(cmd); c = "" }
' "$FILE"
# openssl x509 -noout -text   # to see all the certificate info

To blacklist a cert - in this case

$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT

- find the specific cert in the bundle
- extract just that cert and save it to a file
- verify you extracted the right cert

$ openssl x509 -noout -text -in ~/t/CNNIC.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1228079105 (0x49330001)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, O=CNNIC, CN=CNNIC ROOT
        Validity
            Not Before: Apr 16 07:09:14 2007 GMT
            Not After : Apr 16 07:09:14 2027 GMT
        Subject: C=CN, O=CNNIC, CN=CNNIC ROOT
        Subject Public Key Info:
<.. snip ..>

- copy the cert to /etc/pki/ca-trust/source/blacklist
$ mv ~/t/CNNIC.pem /etc/pki/ca-trust/source/blacklist/

- update the trust db
$ update-ca-trust

- verify the untrusted cert has been blacklisted:
$ ./listcerts.sh | grep CNNIC

- make an oopsie?
$ mv /etc/pki/ca-trust/source/blacklist/CNNIC.pem ~/t
$ update-ca-trust
$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT

Regards,
Lee

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
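The "find the cert in the bundle, extract just that one, verify it is the right one" steps from the message above, as an added shell example that is not Lee's listcerts.sh: split_bundle writes one PEM file per certificate with plain awk, and find_cert (which assumes openssl in PATH) reports subject, serial and SHA-256 fingerprint for every split file whose subject matches a pattern, so the match can be checked before it is moved into the blacklist directory. It generalizes the single CNNIC case to any subject pattern and also accepts the "BEGIN TRUSTED CERTIFICATE" blocks found in ca-bundle.trust.crt; the sample bundle is constructed placeholder data, not real certificates.

```shell
#!/bin/sh
# Added example (not Lee's script). Splits a CA bundle into one file per
# certificate so a single root can be reviewed (subject, serial, SHA-256
# fingerprint) before it is moved into /etc/pki/ca-trust/source/blacklist.
# Assumes openssl is in PATH for find_cert; split_bundle needs only awk.

# split_bundle BUNDLE OUTDIR: writes OUTDIR/cert-001.pem ... and prints the count.
# Matches both "BEGIN CERTIFICATE" and "BEGIN TRUSTED CERTIFICATE" blocks.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN .*CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
        f != ""                          { print > f }
        /^-----END .*CERTIFICATE-----/   { close(f); f = "" }
        END                              { print n + 0 }
    ' "$1"
}

# find_cert OUTDIR PATTERN: for every split file whose subject contains PATTERN,
# print "file<TAB>subject<TAB>serial<TAB>sha256 fingerprint" so the right root
# can be confirmed (compare serial/fingerprint) before it is blacklisted.
find_cert() {
    for f in "$1"/cert-*.pem; do
        subj=$(openssl x509 -noout -subject -in "$f" 2>/dev/null) || continue
        case $subj in
            *"$2"*)
                serial=$(openssl x509 -noout -serial -in "$f")
                fp=$(openssl x509 -noout -fingerprint -sha256 -in "$f")
                printf '%s\t%s\t%s\t%s\n' "$f" "$subj" "$serial" "$fp" ;;
        esac
    done
}

# make_sample_bundle FILE: constructed stand-in bundle with three PEM-shaped
# blocks (placeholder bodies, NOT real certificates) to exercise split_bundle.
make_sample_bundle() {
    : > "$1"
    for tag in one two three; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
            "PLACEHOLDER-$tag" '-----END CERTIFICATE-----' >> "$1"
    done
}

# Usage against the bundle from the mail (paths are placeholders):
#   split_bundle /etc/pki/tls/certs/ca-bundle.crt /tmp/split
#   find_cert /tmp/split CNNIC
```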