From: Lee <ler762@gmail.com>
To: cygwin@cygwin.com
Subject: Re: gpg ca-cert-file=[which file???]
Date: Sun, 16 Jul 2017 05:14:00 -0000 [thread overview]
Message-ID: <CAD8GWsuvpZqOmajdyBBSNza20un_BZuJOdRH15XhKFqzx4H3OA@mail.gmail.com> (raw)
In-Reply-To: <okef84$e7f$1@blaine.gmane.org>
On 7/15/17, René Berber wrote:
> On 7/15/2017 1:40 PM, Lee wrote:
>
> [snip]
>> in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or
>> at least over an encrypted channel. But what file should I be using
>> as the ca-cert file?
>
> You should be using the "system" files.
>
> On Cygwin that means installing the ca-certificates package (currently
> version 2.14-1). They are installed in a location where the SSL package
> expects them, you don't have to go look for them, and shouldn't need to
> specify its location (a directory) on your gpg.conf
Where does the ca-certificates package put the certs? gpg didn't find them :(
$ cygcheck -c ca-certificates
Cygwin Package Information
Package Version Status
ca-certificates 2.14-1 OK
>> $ grep "^keyserver" ~/.gnupg/gpg.conf
>> keyserver hkps://pgp.mit.edu/
>> keyserver-options check-cert=on
>> keyserver-options ca-cert-file=/etc/pki/tls/cert.pem
>
> Wrong cert actually, I don't know why you say it worked.
Because it did work.
I didn't have the public key needed to verify the package, so gpg
--verify would complain about
gpg: Can't check signature: public key not found
gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve
--verify ...
would complain about various things - I didn't save any of the error msgs
until I finally hit on the combination of
keyserver hkps://pgp.mit.edu/
keyserver-options ca-cert-file=/etc/pki/tls/cert.pem
in my gpg.conf, at which point gpg verified the file.
and I no longer have the 'public key not found' problem:
$ gpg --verify BIND9.9.10-P1.x64.zip.asc
gpg: assuming signed data in `BIND9.9.10-P1.x64.zip'
gpg: Signature made Mon, Jun 5, 2017 2:31:57 PM EDT
gpg: using RSA key 0xF1B11BF05CF02E57
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing
key, 2017-2018) <codesign@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57
> The cert that should have matched is the one used by the key server, not
> by you.
I'm guessing the "keyserver-options ca-cert-file=" needs to be
pointing at the ca-certificate package root store - but damnifiknow
where it is :(
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2017-07-16 4:56 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-15 19:04 Lee
2017-07-15 20:34 ` Jim Garrison via cygwin
2017-07-15 23:07 ` Lee
2017-07-16 4:56 ` René Berber
2017-07-16 5:14 ` Lee [this message]
2017-07-16 8:07 ` René Berber
2017-07-16 17:16 ` Lee
2017-07-16 21:07 ` René Berber
2017-07-17 13:40 ` Lee
2017-07-18 18:19 ` Lee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAD8GWsuvpZqOmajdyBBSNza20un_BZuJOdRH15XhKFqzx4H3OA@mail.gmail.com \
--to=ler762@gmail.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).