
Kleopatra: Add "include-default" when creating a new trustlist.txt
Closed, Resolved (Public)

Description

I noticed in testing that if you mark a root certificate as trusted in Kleopatra and do not have a trustlist.txt in the GNUPGHOME directory, Kleopatra does not write "include-default" in this trustlist.

This has the ugly side effect that once you mark a certificate as trusted, the system-wide trustlist.txt is ignored, changing the trust values of existing certificates.

So if the file trustlist.txt in the GNUPGHOME does not exist, Kleopatra should add the following header:

# This is the global list of trusted keys.  Comment lines, like this
# one, as well as empty lines are ignored.  Lines have a length limit
# but this is not a serious limitation as the format of the entries is
# fixed and checked by gpg-agent.  A non-comment line starts with
# optional white space, followed by the SHA-1 fingerprint in hex,
# optionally followed by a flag character which may either be 'P', 'S'
# or '*'.  This file will be read by gpg-agent if no local trustlist
# is available or if the statement "include-default" is used in the
# local list. You should give the gpg-agent(s) a HUP after editing
# this file.

# Include the default trust list
include-default

Event Timeline

aheinecke created this task.
ikloecker changed the task status from Open to Testing. Jul 20 2022, 4:28 PM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a project: Restricted Project.

I have used the same header blurb as gpg-agent (https://dev.gnupg.org/source/gnupg/browse/master/agent/trustlist.c$60-73) with an additional comment about the include-default statement.

Moreover, I have made the implementation in Kleopatra more consistent with the one in gpg-agent:

  • Append " relax" to 'S' flag
  • Prepend key fingerprints with comment lines with the key's DN attributes
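To make the behaviour discussed in the task and in the comment above concrete, here is an added Python example (not Kleopatra or gpg-agent code). It models how gpg-agent's choice between the user trustlist.txt and the system-wide list depends on "include-default", and shows a writer that starts a new user list from the header quoted in the description, prepends a DN comment line and appends " relax" to 'S' entries. The fingerprints, DN and sample system list are constructed for illustration; the merge rule (user entry takes precedence over a system entry for the same fingerprint) is an assumption of this model, not verified against gpg-agent's source.

```python
"""Added example: model of user vs. system trustlist.txt resolution and a
writer that creates a new user list with "include-default".
Not part of Kleopatra or gpg-agent; rules marked as assumptions are ours."""
from __future__ import annotations

import re
from typing import Dict, Optional, Tuple

# Header quoted in the task description (comment lines are ignored by
# gpg-agent, so only the trailing "include-default" statement matters).
HEADER = """\
# This is the global list of trusted keys.  Comment lines, like this
# one, as well as empty lines are ignored.  Lines have a length limit
# but this is not a serious limitation as the format of the entries is
# fixed and checked by gpg-agent.  A non-comment line starts with
# optional white space, followed by the SHA-1 fingerprint in hex,
# optionally followed by a flag character which may either be 'P', 'S'
# or '*'.  This file will be read by gpg-agent if no local trustlist
# is available or if the statement "include-default" is used in the
# local list. You should give the gpg-agent(s) a HUP after editing
# this file.

# Include the default trust list
include-default
"""

# Constructed sample values (not real fingerprints).
SYS_FPR = "1111111111111111111111111111111111111111"
NEW_FPR = "2222222222222222222222222222222222222222"
SYSTEM_TRUSTLIST = "# constructed system-wide trustlist\n" + SYS_FPR + " S relax\n"

# fingerprint, optional flag char (P/S/*), optional further options such as "relax"
ENTRY_RE = re.compile(
    r"^(?P<fpr>[0-9A-Fa-f]{40})(?:\s+(?P<flag>[PS*]))?(?:\s+(?P<opts>\S.*))?$"
)


def parse_trustlist(text: str) -> Tuple[Dict[str, str], bool]:
    """Return ({fingerprint: flag}, include_default_seen) for one trustlist."""
    entries: Dict[str, str] = {}
    include_default = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and empty lines are ignored
        if stripped == "include-default":
            include_default = True
            continue
        m = ENTRY_RE.match(stripped)
        if m:
            entries[m.group("fpr").upper()] = m.group("flag") or ""
    return entries, include_default


def effective_trust(user_text: Optional[str], system_text: str) -> Dict[str, str]:
    """Model of gpg-agent's resolution as described in the header:
    no user list -> system list; user list with include-default -> both;
    user list without it -> user list only (the side effect from the task).
    Assumption: on a fingerprint present in both, the user entry wins."""
    sys_entries, _ = parse_trustlist(system_text)
    if user_text is None:
        return dict(sys_entries)
    user_entries, include_default = parse_trustlist(user_text)
    if include_default:
        merged = dict(sys_entries)
        merged.update(user_entries)
        return merged
    return dict(user_entries)


def add_trusted_root(existing: Optional[str], fingerprint: str, flag: str,
                     dn: Optional[str] = None) -> str:
    """Return the new content of the user trustlist after marking a root.
    When the file did not exist (existing is None) start from HEADER so the
    system-wide list stays in effect through include-default."""
    if flag not in ("P", "S", "*"):
        raise ValueError("flag must be 'P', 'S' or '*'")
    fpr = fingerprint.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40 hex digit SHA-1 fingerprint")
    text = HEADER if existing is None else existing
    if text and not text.endswith("\n"):
        text += "\n"
    lines = []
    if dn:
        lines.append("# " + dn)  # DN comment line, as in gpg-agent's own writer
    entry = fpr + " " + flag
    if flag == "S":
        entry += " relax"  # 'S' entries get " relax" appended
    lines.append(entry)
    return text + "\n".join(lines) + "\n"


if __name__ == "__main__":
    bare = NEW_FPR + " S relax\n"  # what the old Kleopatra wrote
    print("without header:", effective_trust(bare, SYSTEM_TRUSTLIST))
    fixed = add_trusted_root(None, NEW_FPR, "S", dn="CN=Example Root")
    print("with header:   ", effective_trust(fixed, SYSTEM_TRUSTLIST))
```

Running the block prints the two outcomes side by side: without the header only the newly marked root is trusted and the system-wide entry disappears, with the header both are trusted.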
ikloecker added a subscriber: ikloecker.
werner claimed this task.
werner added a subscriber: werner.

I think we can close this one. Note also that we now have --no-user-trustlist and --sys-trustlist-name in 2.2.37 and 2.3.7, which allow you to entirely ignore the user trustlist and to define a global one.

werner removed a project: Restricted Project. Aug 25 2022, 9:11 AM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Apr 5 2023, 1:52 PM