Page MenuHome GnuPG

Kleopatra: Add "include-default" when creating a new trustlist.txt
Closed, ResolvedPublic


I noticed in testing that if you mark a root certificate as trusted in Kleopatra and do not have a trustlist.txt in the GNUPGHOME directory that Kleopatra does not write "include-default" in this trustlist.

This has the ugly side effect that once you mark a certificate as trusted the system wide trustlist.txt is ignored, changing the trust values of existing certificates.

So if the file trustlist.txt in the GNUPGHOME does not exist Kleopatra should add the following header:

# This is the global list of trusted keys.  Comment lines, like this
# one, as well as empty lines are ignored.  Lines have a length limit
# but this is not serious limitation as the format of the entries is
# fixed and checked by gpg-agent.  A non-comment line starts with
# optional white space, followed by the SHA-1 fingerpint in hex,
# optionally followed by a flag character which my either be 'P', 'S'
# or '*'.  This file will be read by gpg-agent if no local trustlist
# is available or if the statement "include-default" is used in the
# local list. You should give the gpg-agent(s) a HUP after editing
# this file.

# Include the default trust list

Event Timeline

aheinecke created this task.
ikloecker changed the task status from Open to Testing.Jul 20 2022, 4:28 PM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a project: Restricted Project.

I have used the same header blurb as gpg-agent ($60-73) with an additional comment about the include-default statement.

Moreover, I have made the implementation in kleopatra more consistent with the one in gpg-agent:

  • Append " relax" to 'S' flag
  • Prepend key fingerprints with comment lines with the key's DN attributes
ikloecker added a subscriber: ikloecker.
werner claimed this task.
werner added a subscriber: werner.

I think we can close this one. Note also that we now have --no-user-trustlist and --sys-trustlist-name. in 2.2.37 and 2.3.7 which allows to entirely ignore the user trustlist and to define a global one..

werner removed a project: Restricted Project.Aug 25 2022, 9:11 AM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 5 2023, 1:52 PM