
Not needed X.509 certificates in default installation (gpgsm)
Closed, ResolvedPublic

Description

The file /usr/share/gnupg/com-certs.pem contains 15 X.509 certificates that are
either expired or incomplete. The certificates are mostly from several German
issuers like “Deutscher Sparkassen Verlag GmbH”, “Regulierungsbehörde für
Telekommunikation und Post” or “Bundesnetzagentur”.

The certificates are utterly useless (15 incomplete or expired certificates from
a bunch of German companies) and only clutter gpgsm --list-keys with
non-deletable, not usable content.

According to the answer in the Arch Linux bug tracker, these weird contents are
already there before packing the software for Arch Linux, so I’m going to file
that bug here, too.

Steps to reproduce:

  1. install gnupg package
  2. if already existent move ~/.gnupg to another location (BACKUP!)
  3. generate a new keypair with gpg --gen-key
  4. check X.509 certificates with gpgsm --list-keys

Event Timeline

dsohler set External Link to https://bugs.archlinux.org/task/33059.
dsohler added a subscriber: dsohler.

Sorry, we can't do anything about it after a release. Delete the com-certs file
and the keys and you are done. Anyway, expired certificates are required in
X.509 - for example in the chain validation model.
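The comment above makes two points a practitioner would want to check for themselves: how many of the certificates in a bundle such as /usr/share/gnupg/com-certs.pem are actually past their notAfter date, and that "expired" does not mean "removable", because under the chain validation model a signature made while the CA was valid is still verified against that now-expired CA certificate. The following script is an added example, not part of this bug report and not GnuPG's own code. It splits a PEM bundle, walks the DER just far enough to read each certificate's validity period using only the standard library, and reports which entries are expired. The two certificates it scans are constructed inline (their subject names, dates and empty public-key field are made up for the demonstration); to inspect a real bundle, pass the file's text to `scan_bundle` instead of `SAMPLE_BUNDLE`.

```python
"""Report the validity period of every certificate in a PEM bundle and flag expired ones.

Added example, not GnuPG code. Uses a minimal DER walker so it runs with the
standard library only; the sample bundle at the bottom is constructed here.
"""
import base64
import re
from datetime import datetime, timezone


# --- minimal DER encode/decode -------------------------------------------
def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    """Encode one TLV; only used to construct the sample certificates."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Iterate the TLVs directly inside a SEQUENCE value."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        yield tag, value


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        text = f"{year}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_of(cert_der):
    """Return (notBefore, notAfter) of a DER-encoded Certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate is the first field
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, validity = fields[3]
    (nb_tag, nb), (na_tag, na) = list(_children(validity))[:2]
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


# --- PEM bundle scanning ---------------------------------------------------
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bundle_certs(text):
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def scan_bundle(text, now=None):
    """List index, validity window and expired flag for each certificate in the bundle."""
    now = now or datetime.now(timezone.utc)
    report = []
    for index, cert_der in enumerate(pem_bundle_certs(text), 1):
        not_before, not_after = validity_of(cert_der)
        report.append({"index": index, "not_before": not_before,
                       "not_after": not_after, "expired": not_after < now})
    return report


# --- constructed sample bundle (no real certificates, unsigned placeholders) --
_SHA256_RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))


def _name(common_name):  # Name ::= SEQUENCE OF SET OF (OID commonName, UTF8String)
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, common_name.encode()))))


def sample_cert(common_name, not_before, not_after):
    """Build a structurally valid but unsigned Certificate DER for the demo."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SHA256_RSA
              + _name(common_name)
              + der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
              + _name(common_name) + der(0x30, b""))  # empty SPKI: sample only
    return der(0x30, tbs + _SHA256_RSA + der(0x03, b"\x00"))


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (to_pem(sample_cert("Example Expired CA", "050101000000Z", "100101000000Z"))
                 + to_pem(sample_cert("Example Current CA", "200101000000Z", "400101000000Z")))

if __name__ == "__main__":
    for entry in scan_bundle(SAMPLE_BUNDLE):
        status = "EXPIRED (still needed to validate older signatures)" if entry["expired"] else "valid"
        print(f"#{entry['index']}: {entry['not_before']:%Y-%m-%d} .. {entry['not_after']:%Y-%m-%d}  {status}")
```

The report deliberately labels an expired entry as still needed rather than as deletable: deciding whether to drop it from the bundle depends on whether you need to verify signatures made while that CA was valid, which is exactly the chain-validation-model point the comment makes.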

To me this is still a bug (why only some more or less random German CAs only?).

Because I was able to verify the origin of these root certificates. But see the
comments. The German signature law imposes some strict requirements on
qualified signatures; even though GnuPG is not certified, it is prepared for
such a certification.

My guess: Whoever wants to use said certificates would add them by themselves …
I don’t see the need for adding them by default.

werner claimed this task.