
ca-cert-file option deprecated in GnuPG 2.1 #294

Open
a3nm opened this issue Mar 4, 2016 · 7 comments

Comments

a3nm commented Mar 4, 2016

Hello,

The OpenPGP Best Practices guide https://help.riseup.net/en/gpg-best-practices instructs users to add the following to ~/.gnupg/gpg.conf:

keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem

However, for users running GnuPG 2.1, this will result in the following warning:

gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf

Further, it will be ignored according to https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html

I think the guide should be updated accordingly, though I'm not sure whether the more recent option is supported on older versions that people may still be using.

disturbio (Contributor) commented Mar 6, 2016

Hi,

Yes, the ca-cert-file config option will be ignored in future versions of gnupg/dirmngr, but it needs to be there for GnuPG 1 and GnuPG 2.0. Most GNU/Linux systems don't run version 2.1 yet, but here is the important thing:

By default, from version 2.1.11, GnuPG installs the CA certificate for hkps.pool.sks-keyservers.net and makes use of it by default, which means rolling Linux distributions will not have problems with not setting the hkp-cacert config option... that is, if the package maintainers of the distro decide not to do something crazy.

The dirmngr config 'hkp-cacert' is not supported by previous versions, as it's only from 2.1 onwards that dirmngr is allowed to deal with keyservers.
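To make the version split from the issue report and the comment above concrete, here is an added example (not code from the Riseup guide or from this thread) that decides which file and option should carry the keyserver CA certificate for a given GnuPG version and flags a gpg.conf that still uses the obsolete option. The banner line and the sample gpg.conf are constructed; the CA path is the placeholder from the guide.

```shell
#!/bin/sh
# Added example, not part of the Riseup guide or this issue thread.
# GnuPG 1.x / 2.0.x read the keyserver CA cert from gpg.conf via
# "keyserver-options ca-cert-file=...", while GnuPG 2.1+ reads
# "hkp-cacert" from dirmngr.conf and only warns about ca-cert-file.

# Extract "2.1.11" from the first line of `gpg --version` output.
gnupg_version_from_banner() {
  printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 (true) when the version is 2.1 or newer.
gnupg_version_ge_21() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Print the config file and line that should carry the CA certificate path.
cacert_config_line() {
  if gnupg_version_ge_21 "$1"; then
    printf 'dirmngr.conf: hkp-cacert %s\n' "$2"
  else
    printf 'gpg.conf: keyserver-options ca-cert-file=%s\n' "$2"
  fi
}

# Return 0 when a gpg.conf text still carries the obsolete option, which on
# GnuPG 2.1+ produces the warning quoted in the issue and is then ignored.
gpgconf_has_obsolete_cacert() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*keyserver-options.*ca-cert-file='
}

# Constructed sample: a gpg.conf written by following the guide literally.
SAMPLE_GPG_CONF='keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem'

main() {
  banner="gpg (GnuPG) 2.1.11"   # constructed stand-in for `gpg --version | head -1`
  v=$(gnupg_version_from_banner "$banner")
  cacert_config_line "$v" /path/to/CA/sks-keyservers.netCA.pem
  if gnupg_version_ge_21 "$v" && gpgconf_has_obsolete_cacert "$SAMPLE_GPG_CONF"; then
    echo "gpg.conf still sets ca-cert-file: move it to hkp-cacert in dirmngr.conf"
  fi
}
main
```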

a3nm (Author) commented Mar 6, 2016

Thanks for your answer. This makes sense, but then users of GPG 2.1 that follow the guide (like me) will get spammed by the warning about ca-cert-file. Based on what you say, I think that the fix is simply to state in the guide that the ca-cert-file advice does not apply if you have GPG 2.1. Right?

disturbio (Contributor) commented Mar 6, 2016

Yes, you are right! Want me to fix it or you want to do it?

The guide will probably need a good update for 2.1 when libgcrypt 1.7 is released.

a3nm (Author) commented Mar 6, 2016

It's probably simpler if you can do it. If necessary, I can update the French translation accordingly, though.

mjg commented Jun 10, 2016

That being true, many users are stuck with gpg 1 because their distro requires it for some tools, but use gpg 2.1 in parallel so that they can participate in all the fun. It is unfortunate that gpg 2.1 complains about the configuration that is necessary for gpg 1, when both are meant to be fit for parallel use (bar the secret keyring, I know).

tjanez added a commit to tjanez/dotfiles that referenced this issue Feb 17, 2018
It is obsolete since GnuPG 2.1 and according to this Riseup issue:
riseupnet/riseup_help#294,
GnuPG 2.1.11+ installs the CA certificate for
hkps.pool.sks-keyservers.net and makes use of it by default.
kradan added a commit to kradan/riseup_help that referenced this issue Jul 7, 2018
  - add note for gnupg prior 2.1
  - add known error for parcimonie
  - add section to troubleshoot dirmngr
  - remove hint to Applebaum's outdated duraconf
  - Closes riseupnet#294
  - Closes riseupnet#449
kradan added a commit to kradan/riseup_help that referenced this issue Sep 20, 2018
  - add note for gnupg prior 2.1
  - add known error for parcimonie
  - add section to troubleshoot dirmngr
  - remove hint to Applebaum's outdated duraconf
  - Closes riseupnet#294
  - Closes riseupnet#449
BerndErnst commented Feb 14, 2019

Why do I have to find this issue, which is 3 years old and still open?
I could have spared myself one hour of debugging if the documentation were up to date and not 3 years old.

a3nm (Author) commented Feb 14, 2019

Hi @BerndErnst

I agree that this problem should be fixed if it hasn't, however I'm not sure that blaming the people in charge is going to help -- I guess they are volunteers.

I don't have time to look into this now, but if you want to help this move forward, probably the thing to do is to see what the above commits did (apparently they didn't solve that issue?), fork the repository, do the change, and open a pull request.

Many thanks if you can help with this!

kradan added a commit to kradan/riseup_help that referenced this issue Sep 28, 2019
  - add note for gnupg prior 2.1
  - add known error for parcimonie
  - add section to troubleshoot dirmngr
  - remove hint to Applebaum's outdated duraconf
  - Closes riseupnet#294
  - Closes riseupnet#449
kradan added a commit to kradan/riseup_help that referenced this issue Oct 4, 2019
  - add note for gnupg prior 2.1
  - add known error for parcimonie
  - add section to troubleshoot dirmngr
  - remove hint to Applebaum's outdated duraconf
  - Closes riseupnet#294
  - Closes riseupnet#449