From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 67623 invoked by alias); 15 Jul 2017 18:40:39 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 67244 invoked by uid 89); 15 Jul 2017 18:40:37 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-0.6 required=5.0 tests=AWL,BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM,SPF_PASS autolearn=no version=3.3.2 spammy=Systems, downloading, Consortium, consortium X-HELO: mail-vk0-f50.google.com Received: from mail-vk0-f50.google.com (HELO mail-vk0-f50.google.com) (209.85.213.50) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Sat, 15 Jul 2017 18:40:36 +0000 Received: by mail-vk0-f50.google.com with SMTP id r126so60784679vkg.0 for ; Sat, 15 Jul 2017 11:40:35 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=RlLEkY6bWfEkfmd8vQg2mGQYNVG0fu0qVqGNcOeiW+s=; b=BkVPDteFzISEF0LsGhMqGC2ndzZhx23Y2TFZ8jk/KwzPwElOPrSLE25/y7gzmTpKRE 5SAJx8hMusN5WTGf8PrSvasFX7Ew2mZ8RV+fWsdtqbzX9x3/PV08vGrfCIFlmKW+/b6S iaKfagdmlw/nFFDtZEb7yb4ymeEaEbwpgwsY9CkrbJPXaCCdIZv117lI53MDmzSg1/eO fSYu+7cLqKMFdGLZ7GqTqVzrJ433u3Sj6P/EKRbZMtV37JPEjCDktfaII1pWLG2cIhFl 0x2+U88rbCOSabPouwVXMyIyAE6gD4TODgO3clZveKfaMFNZdVK8K5oEpDbwkxxQ8LXx mMbw== X-Gm-Message-State: AIVw113MjeJx7kE2V6VUXCtE04OzYiwD4LxFhMeubZNN6GEDEbNsVBQ0 dkboCDKj8PG1+pJJkoEN8WZj+iqj+g== X-Received: by 10.31.58.206 with SMTP id h197mr6857382vka.23.1500144033959; Sat, 15 Jul 2017 11:40:33 -0700 (PDT) MIME-Version: 1.0 Received: by 10.103.139.202 with HTTP; Sat, 15 Jul 2017 11:40:33 -0700 (PDT) From: Lee Date: Sat, 15 Jul 2017 19:04:00 -0000 Message-ID: Subject: gpg ca-cert-file=[which file???] To: cygwin@cygwin.com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes X-SW-Source: 2017-07/txt/msg00239.txt.bz2 It seems a bit silly to be downloading pgp keys 'in the clear', so after a bit of searching I think I want keyserver hkps://whatever in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or at least over an encrypted channel. But what file should I be using as the ca-cert file? What I ended up doing is $ cd /etc $ find . -name \*pem ./pki/ca-trust/extracted/pem ./pki/ca-trust/extracted/pem/email-ca-bundle.pem ./pki/ca-trust/extracted/pem/objsign-ca-bundle.pem ./pki/ca-trust/extracted/pem/tls-ca-bundle.pem ./pki/tls/cert.pem and trying each file until I finally got one that worked: $ grep "^keyserver" ~/.gnupg/gpg.conf keyserver hkps://pgp.mit.edu/ keyserver-options check-cert=on keyserver-options ca-cert-file=/etc/pki/tls/cert.pem $ gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify BIND9.9.10-P1.x64.zip.asc gpg: assuming signed data in `BIND9.9.10-P1.x64.zip' gpg: Signature made Mon, Jun 5, 2017 2:31:57 PM EDT gpg: using RSA key 0xF1B11BF05CF02E57 gpg: requesting key 0xF1B11BF05CF02E57 from hkps server pgp.mit.edu gpg: key 0xF1B11BF05CF02E57: public key "Internet Systems Consortium, Inc. (Signing key, 2017-2018) " imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2017-2018) " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57 Is there a better/more-correct file to use for the ca-cert-file= parameter? How hard would it be to add hkps:// usage examples to the default gpg.conf file? Thanks, Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple