We can make this work when we put the following in "gpgsm.conf":
# See: https://dev.gnupg.org/T6677
ignore-cert-extension 18.104.22.168
# See: https://dev.gnupg.org/T6678
ignore-cert-extension 22.214.171.124
This works fine until you enable CRLs.
When CRL checks are enabled:
gpgsm --with-validation --enable-crl-checks -k email@example.com
it still fails (see T6545 for the error).
We thought we needed an option --ignore-crl-extensions to fix that, but that was a thought error. The problem is not CRL extensions: dirmngr validates the CRLs itself, this validation does not go through GPGSM, and so the GPGSM option to ignore the cert extensions has no effect and it still fails.
Since all the code to ignore the extensions etc. is already there, this task is mostly about plumbing in a new option and adding it in the right place. So take a look at how --ignore-crl-extensions was added to dirmngr, then look into GPGSM to see how --ignore-cert-extensions works, and then add the option --ignore-cert-extensions to dirmngr as well.
Ideally GPGSM could transmit the option from its config to dirmngr so that it would only need to be set once. But there is a small use case for setting this option in dirmngr and not in GPGSM, so this feature makes sense on its own and would anyway be the basis for such a transmission.
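As an added illustration (not code from GnuPG or from this task) of the rule that ignore-cert-extension relaxes: a small DER walker lists the extensions of an X.509 Extensions SEQUENCE and applies the RFC 5280 4.2 rule that an unrecognised critical extension rejects the certificate unless its OID is on the ignore list. The sample blob, the "known" OID set and the private-arc OID 1.3.6.1.4.1.99999.1 are constructed placeholders, not the OIDs from the task; only short-form DER lengths are handled.

```python
# Added example, not GnuPG code. Models what --ignore-cert-extension changes:
# a critical extension the validator does not understand normally rejects the
# certificate; listing its OID makes it count as "handled". Short-form lengths only.
KNOWN = {"2.5.29.15", "2.5.29.19", "2.5.29.14", "2.5.29.35"}  # extensions "our" validator handles

def der(tag, body):                       # DER TLV with short-form length (< 128 bytes)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def decode_oid(b):                        # OBJECT IDENTIFIER content octets -> dotted string
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:                  # last base-128 digit of this arc
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def tlv(buf, pos):                        # -> (tag, value, position after this TLV)
    tag, ln = buf[pos], buf[pos + 1]
    assert ln < 128, "long-form length not supported in this sample"
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def parse_extensions(blob):               # -> [(oid, critical, extnValue)]
    tag, body, _ = tlv(blob, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    exts, pos = [], 0
    while pos < len(body):
        _, ext, pos = tlv(body, pos)      # Extension ::= SEQUENCE
        _, oid, p = tlv(ext, 0)           # extnID OBJECT IDENTIFIER
        t, v, p = tlv(ext, p)
        critical = False
        if t == 0x01:                     # optional BOOLEAN critical (DEFAULT FALSE)
            critical = v != b"\x00"
            t, v, p = tlv(ext, p)         # extnValue OCTET STRING follows
        exts.append((decode_oid(oid), critical, v))
    return exts

def rejecting_oids(exts, ignore=()):
    """OIDs that cause rejection: critical, not understood, and not on the ignore list."""
    return [o for o, crit, _ in exts if crit and o not in KNOWN and o not in ignore]

def sample_extensions():
    # Constructed sample: keyUsage (2.5.29.15, critical) plus a private-arc extension
    # 1.3.6.1.4.1.99999.1 (placeholder OID, critical) that the validator does not know.
    key_usage = der(0x30, der(0x06, b"\x55\x1d\x0f") + der(0x01, b"\xff") + der(0x04, der(0x03, b"\x07\x80")))
    unknown = der(0x30, der(0x06, b"\x2b\x06\x01\x04\x01\x86\x8d\x1f\x01") + der(0x01, b"\xff") + der(0x04, der(0x04, b"x")))
    return der(0x30, key_usage + unknown)
```

Running rejecting_oids over the sample with an empty ignore list names the placeholder OID; passing that OID as the ignore list clears the rejection, which is the same effect both gpgsm's option and the requested dirmngr option are meant to have in their own validation paths.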