The gpgkeys_curl helper always sets the libcurl option CURLOPT_CAINFO, even if
it has not been specified by the user using "keyserver-options ca-cert-file=
<file>". Unfortunately, this prevents the user from using the library's
compiled-in default certificate store, making it somewhat difficult to verify an
arbitrary endpoint's SSL certificate.
For example, I have published my gpg key in DNS using an https uri:
huber._pka.paradoxical.net. 300 IN TXT
When attempting to use auto-key-locate pka, server cert verification fails:
$ gpg -v -v -v --keyserver-options debug --auto-key-locate pka -ea -r
gpg: using character set `utf-8'
gpg: requesting key E9FE1298 from https server www.paradoxical.net
gpgkeys: curl version = libcurl/7.22.0 GnuTLS/2.12.14 zlib/188.8.131.52 libidn/1.23
- About to connect() to www.paradoxical.net port 443 (#0)
- Trying 184.108.40.206... * connected
- server certificate verification failed. CAfile: none CRLfile: none
- Closing connection #0
gpgkeys: https fetch error 60: server certificate verification failed. CAfile:
none CRLfile: none
With the attached patch, which only specifies CURLOPT_CAINFO if it has been
configured by the user, the certificate verification succeeds.