gpgkeys_curl doesn't allow the use of cURL's compiled-in certificate store
Status: Closed, Resolved (Public)


The gpgkeys_curl helper always sets the libcurl option CURLOPT_CAINFO, even if
it has not been specified by the user using "keyserver-options ca-cert-file=
<file>". Unfortunately, this prevents the user from using the library's
compiled-in default certificate store, making it somewhat difficult to verify an
arbitrary endpoint's SSL certificate.

For example, I have published my gpg key in DNS using an https uri: 300 IN TXT

When attempting to use auto-key-locate pka, server cert verification fails:

$ gpg -v -v -v --keyserver-options debug --auto-key-locate pka -ea -r
gpg: using character set `utf-8'
gpg: requesting key E9FE1298 from https server
gpgkeys: curl version = libcurl/7.22.0 GnuTLS/2.12.14 zlib/ libidn/1.23
* About to connect() to port 443 (#0)
* Trying * connected
* server certificate verification failed. CAfile: none CRLfile: none
* Closing connection #0
gpgkeys: https fetch error 60: server certificate verification failed. CAfile: none CRLfile: none

With the attached patch, which only specifies CURLOPT_CAINFO if it has been
configured by the user, the certificate verification succeeds.


werner added a subscriber: werner. Oct 4 2013, 8:32 AM

Fixed with commit e957b9b for 2.0 - will be backported to 1.4 soon.


werner closed this task as Resolved. Oct 4 2013, 8:32 AM
werner claimed this task.