
libgcrypt, scute, gpgrt/argparse, gnupg/dirmngr: Hard-coded /etc
Open, Normal, Public

Description

This code has hard-coded /etc, which might not make sense on Windows.

There are some different cases:
(1) For files like /etc/hosts, it should be replaced by the correct path Windows\System32\drivers\etc\hosts
(2) For some configuration files, it should use sysconfdir.
(3) For some specific cases, it should use CSIDL_APPDATA, CSIDL_DEFAULT_APPDATA, or something relevant.


Reported-by: Team CYS CSS ID CRA PEN from Siemens
for Libgcrypt

Event Timeline

gniibe mentioned this in Unknown Object (Maniphest Task). Mon, Nov 3, 3:52 AM

We already did this for Libgcrypt 1.8 but take care that an installer including Libgcrypt should run something like

icacls.exe %ProgramData%\GNU\etc\gcrypt /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F" /grant:r "Everyone:R"

to replace the permissions (/grant:r) for everyone, remove any default inheritance, and allow Administrators to write files etc.

In GnuPG we use CSIDL_COMMON_APPDATA and append "\GNU\etc\gnupg". If this can't be found we use the rootdir, that is the installation directory of the binary or one up if installed below a bin directory. The reason for using GNU and not POSIX or Unix is merely to avoid name clashes with other software ported to Windows. There was no real standard for this on Windows.

Note also that for GnuPG it is possible to change that directory by installing a file gpgconf.ctl alongside of gpgconf.exe. I do not think that we should put this feature into the other modules.

Note that %SystemRoot% and probably also some CSIDL expand to c:\Windows - that should be used as base for System32/drivers/etc.

For argparse we use /etc as a default but applications may use gpgrt_set_confdir to set a different one. However, if we already have a new get_sysconfdir function, it is easy and useful to change the default on Unix.

werner triaged this task as Normal priority. Mon, Nov 3, 4:47 PM
werner added projects: gpgrt, scute, libgcrypt.

For gpgrt/argparse this could be an option (to remove hard-coded /etc):

I think this is correct even on Unix in case someone really uses /usr/local/etc (which I consider problematic). But for Windows we need to determine this at runtime.

Maybe we can have an extended version of gpgrt_fnameconcat which allows to use the sysconfdir or some other standard directory. Such a function may also be useful to just get that standard directory. For example

gpgrt_fnameconcat_new (GPGRT_SYSCONFDIR, "gcrypt", "random.conf", NULL);

which would result under Unix in /etc/gcrypt/random.conf. By using some other constant we would also fold the existing two functions fnameconcat and absfnameconcat into one. For example a constant like GPGRT_ROOTDIR would be the same as gpgrt_absfnameconcat and a constant value of 0 be gpgrt_fnameconcat. What about a gpgrt_fconcat?

gniibe mentioned this in Unknown Object (Maniphest Task). Mon, Nov 10, 2:51 AM

I checked the code under gnupg/dirmngr. Those do no harm.

dns-stuff.c has "/etc/..." but it's for POSIX machines, not for Windows.

dns.c has "/etc/hosts", "/etc/resolv.conf" and "/etc/nsswitch.conf" but those are not used for the use from dns-stuff.c.

In dns-stuff.c, when the string "/etc/hosts" for a POSIX machine is used, the Windows hosts_path is generated using the SystemRoot environment variable.

gniibe mentioned this in Unknown Object (Maniphest Task). Mon, Nov 24, 6:59 AM

I examined the code of gnupg_sysconfdir in gnupg/common/homedir.c, to see if we could factor out things to gpgrt, so that something like gpgrt_fconcat with GPGRT_SYSCONFDIR can be implemented.

I concluded that it's too big to move things into gpgrt, when our purpose is only for GPGRT_SYSCONFDIR support. Currently, on Unix, we support gpgconf_ctl for gnupg_sysconfdir. (It's not needed for libgcrypt configuration.)

For libgcrypt, I think that applying the patch rC33413bf3ddc0: w32: Use CSIDL_COMMON_APPDATA instead of /etc to 1.10, 1.11, and master is now relevant.

Okay, forward porting that patch is the easiest solution. Actually this is not enough: Users of Libgcrypt also need to make sure that the new sysconfig dir has the right permissions. That's a part for the installer and concrete ACLs may differ.

werner changed the edit policy from "All Users" to "Contributor (Project)".
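
The following is an added example, not part of the original task or of any GnuPG project code: a PowerShell check an installer author could run to confirm that the directory from the icacls command above is writable only by Administrators and SYSTEM and no longer inherits permissions. The function name Test-ConfDirAcl and the trusted-SID list are assumptions; as noted in the thread, concrete ACLs may differ per installer.

```powershell
# Added example: audit the ACL of the Libgcrypt system configuration directory.
# The default path is the one used in the icacls command on this page; the
# function name Test-ConfDirAcl is hypothetical.
function Test-ConfDirAcl {
    param([string]$Path = (Join-Path $env:ProgramData 'GNU\etc\gcrypt'))

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "$Path does not exist"
        return $false
    }

    # Assumption: only SYSTEM and BUILTIN\Administrators may modify the directory.
    $trusted = @('S-1-5-18', 'S-1-5-32-544')

    # Rights that let a principal change the content or the ACL itself.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
                       $R::ChangePermissions -bor $R::TakeOwnership)
    # GENERIC_WRITE and GENERIC_ALL can show up unmapped on inherit-only entries.
    $genericMask = 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    $ok = $true

    # /inheritance:r should have left the DACL protected from the parent's ACEs.
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path still inherits permissions from its parent"
        $ok = $false
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        if (-not ($rights -band ($writeMask -bor $genericMask))) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($trusted -notcontains $sid) {
            Write-Warning "$($ace.IdentityReference) has write-type access: $($ace.FileSystemRights)"
            $ok = $false
        }
    }
    return $ok
}

Test-ConfDirAcl
```

The function returns $true only when the DACL is protected from inheritance and every allow entry with write-type rights belongs to one of the trusted SIDs; each deviation is reported as a warning.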