Nah, the description for that extension is pretty strict and I won't feel comfortable to just ignore it. BTW there is also T6398 (nameConstraints) which needs support. But for debugging a ignore extension makes sense.

• werner added a commit: rGb1ecc8353ae3: dirmngr: New option --ignore-crl-extensions..Jun 19 2023, 2:37 PM

rGb1ecc8353ae3 is just what I meant, so that we can recommend such an option in the future as a workaround until a new update becomes available which supports such an extension.

We had one request to support this back in 2017 but it was closed because the respective CA stopped using this extension. See T2039.

• werner renamed this task from Support CRL exension issuingDistributionPoint to Support CRL extension issuingDistributionPoint.Jun 22 2023, 11:44 AM

• werner mentioned this in T2039: CRL issuingDistributionPoint support.

• werner updated the task description. (Show Details)Jun 22 2023, 11:59 AM

• werner mentioned this in T6509: Release GnuPG 2.4.3.Jul 4 2023, 4:57 PM

• werner added a commit: rGed92b45c474e: dirmngr: New option --ignore-crl-extensions..Jul 5 2023, 2:30 PM

While remembering this I added to our standard.conf (and for testing first to my local conf):

# Unsupported CRL extensions
# See: https://dev.gnupg.org/T6677
ignore-crl-extension 2.5.29.36
# See: https://dev.gnupg.org/T6678
ignore-crl-extension 2.5.29.54

But at least with 2.4.3 this did not seem to have an effect:
2023-10-13 10:12:23 dirmngr[28076.6] DBG: BEGIN Certificate 'crl_issuer_cert':
2023-10-13 10:12:23 dirmngr[28076.6] DBG:      serial: 215E78D99648B021C6394A6566D8E00F46A1E595
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   notBefore: 2020-11-18 14:30:34
2023-10-13 10:12:23 dirmngr[28076.6] DBG:    notAfter: 2029-08-14 13:30:34
2023-10-13 10:12:23 dirmngr[28076.6] DBG:      issuer: CN=Federal Common Policy CA G2,OU=FPKI,O=U.S. Government,C=US
2023-10-13 10:12:23 dirmngr[28076.6] DBG:     subject: OU=Entrust Managed Services Root CA,OU=Certification Authorities,O=Entrust,C=US
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   hash algo: 1.2.840.113549.1.1.12
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   SHA1 fingerprint: 07F5DC58F83778D5B5738A988292C00A674A0F40
2023-10-13 10:12:23 dirmngr[28076.6] DBG: END Certificate
2023-10-13 10:12:23 dirmngr[28076.6] DBG: PKCS#1 block type 1 encoded data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                                   ffffffffffffffffffffff003031300d06096086480165030402010500042078 \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                                   19e98b02adf329453721c022ba03120cdecdf958e2baff9673a47c8fc048ac
2023-10-13 10:12:23 dirmngr[28076.6] DBG: rsa_verify data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffff003031300d06096086480165030402010500042078 \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  19e98b02adf329453721c022ba03120cdecdf958e2baff9673a47c8fc048ac
2023-10-13 10:12:23 dirmngr[28076.6] DBG: rsa_verify  sig:+4754fa79b140d922e16c983aa1672437f2dcd119e2d89f6fd43de5b8ddf93645 \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  7d8b3b62494cb1b03870ab8bd35216ff49aa93339d5c06dba6eea5731b20d339 \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  9a16ba0bcc524fa851dc23832f5da69a122e2a9fd6098a7e222c6358fbb17bdc \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  6d84ea7125b8460ccd8359a1082e13c95ea98f99f22f434929d296100e700632 \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  2419faa4e91368334ede1f158c6d1aea210d712c99e390b1c0aaf1291a7aee5f \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  8a290498e964c3ed353e51bb2d2c09375f4f1a69f762a5a8b10f99aa3fcedcbf \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  c8b21b21d3ce4c4fffa18f6c99bb551027932ff509bae0f297a16a33791d7634 \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  302e0d4191f28c44dfbd9a025f79073a99fcb2c059064a79964dd7d8abd051ae
2023-10-13 10:12:23 dirmngr[28076.6] DBG: rsa_verify    n:+e7bda06a815bef8fa0b0278cae5a27dddbf9a632c9c94e2708ed10aa24a1cd72 \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  bc66a83035ae3bcfe29d177c35a1f791c58b2ed2a83fea0ce5414e6cd436e51b \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  c09e36c5d7a308da6300c0328b03491e07aec2edb6bd42ff8c712e429e8d7e06 \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  434d64a531d631e8eda62a06307dc5aa02be13d19aee1194f6b832d02795336f \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  cba09dde92ddfac5da6774211b51f7bdc902258842026c96ca87170c79b24a00 \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  e6fa83c8f2af40b378a5e70eac15314127e11103b15c50804ce640caf259daff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  2c165c912e340041217380f5a23b6cb0006f2ab6fd373a469d208f483157158f \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  0de42fbe0a60363a165a64e1e0fffa7ce4f1316f8015066c9971e21acb5c1ecd
2023-10-13 10:12:23 dirmngr[28076.6] DBG: rsa_verify    e:+010001
2023-10-13 10:12:23 dirmngr[28076.6] DBG: rsa_verify  cmp:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  ffffffffffffffffffffff003031300d06096086480165030402010500042078 \
2023-10-13 10:12:23 dirmngr[28076.6] DBG:                  19e98b02adf329453721c022ba03120cdecdf958e2baff9673a47c8fc048ac
2023-10-13 10:12:23 dirmngr[28076.6] DBG: rsa_verify    => Good
2023-10-13 10:12:23 dirmngr[28076.6] DBG: finish_sig_check: gcry_pk_verify: Success
2023-10-13 10:12:23 dirmngr[28076.6] DBG: BEGIN Certificate 'subject':
2023-10-13 10:12:23 dirmngr[28076.6] DBG:      serial: 215E78D99648B021C6394A6566D8E00F46A1E595
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   notBefore: 2020-11-18 14:30:34
2023-10-13 10:12:23 dirmngr[28076.6] DBG:    notAfter: 2029-08-14 13:30:34
2023-10-13 10:12:23 dirmngr[28076.6] DBG:      issuer: CN=Federal Common Policy CA G2,OU=FPKI,O=U.S. Government,C=US
2023-10-13 10:12:23 dirmngr[28076.6] DBG:     subject: OU=Entrust Managed Services Root CA,OU=Certification Authorities,O=Entrust,C=US
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   hash algo: 1.2.840.113549.1.1.12
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   SHA1 fingerprint: 07F5DC58F83778D5B5738A988292C00A674A0F40
2023-10-13 10:12:23 dirmngr[28076.6] DBG: END Certificate
2023-10-13 10:12:23 dirmngr[28076.6] critical certificate extension 2.5.29.36 is not supported
2023-10-13 10:12:23 dirmngr[28076.6] critical certificate extension 2.5.29.54 is not supported
2023-10-13 10:12:23 dirmngr[28076.6] error checking validity of CRL issuer certificate: Unsupported certificate
2023-10-13 10:12:23 dirmngr[28076.6] crl_parse_insert failed: Unsupported certificate
2023-10-13 10:12:23 dirmngr[28076.6] crl_cache_insert via DP failed: Unsupported certificate
2023-10-13 10:12:23 dirmngr[28076.6] command 'ISVALID' failed: Unsupported certificate

Both with the entrust chain and the greenbone test chain.

And yes in gpgsm.conf both the extensions are also marked with ignore-cert-extension.

aheinecke assigned this task to • werner.Oct 18 2023, 2:44 PM

aheinecke moved this task from Backlog to WiP on the gnupg22 board.

aheinecke mentioned this in T6770: Add --ignore-cert-extensions to dirmngr.Oct 20 2023, 2:57 PM

• werner moved this task from WiP to Backlog on the gnupg22 board.Nov 10 2023, 9:08 AM

aheinecke mentioned this in T6701: GpgOL: Use GPGME_ENCRYPT_ALWAYS_TRUST.Nov 10 2023, 12:00 PM

• werner mentioned this in T6307: Release GnuPG 2.2.42.Nov 28 2023, 4:59 PM

• werner mentioned this in T6578: Release GnuPG 2.4.4.Jan 25 2024, 11:37 AM