Mailing List Archive

Hi

I received a smime signed message, however it turns out that I cannot
use it for encrypting my responsce

Since
> gpgsm: issuer certificate: #/CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE

Is not found

I have drmngr installed (Ubuntu 16.06)
and run
gpgconf --launch dirmngr

However the root certificate is still not found. Thunderbird provides
this certificate so I could install it manually.
However I would prefer an automated solution.

Any hints?

Thanks and regards

Uwe Brauer

Hi Uwe,

Am Sonntag 07 Juni 2020 17:14:10 schrieb Uwe Brauer via Gnupg-users:
> However the root certificate is still not found. Thunderbird provides
> this certificate so I could install it manually.
> However I would prefer an automated solution.

from my point of view, installing a root CA in the hiearchical trust model
means that you fully trust it, thus it cannot be done automatically, unless
you have a trusted sources of root certificates.

If you trust a set of root certificates, like the ones shipped with your
operating system or a different application, you could just import them all
and mark them trusted. Of course you would need to sync this, if the set
changes on updates.

Some hints about using CMS and S/MIME are here https://wiki.gnupg.org/X.509
but this misses instructions how to deal with root certificates in modern
GnuPG versions currently.

Regards,
Bernhard


--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

On Tue, Jun 09, 2020 at 09:40:25AM +0200, Bernhard Reiter wrote:
> If you trust a set of root certificates, like the ones shipped with your
> operating system or a different application, you could just import them all
> and mark them trusted. Of course you would need to sync this, if the set
> changes on updates.

I believe the original question was, how to allow gpg to automatically trust
the root certificates provided by the os or Thunderbird.

>>> "BM" == Brian Minton <brian@minton.name> writes:

> On Tue, Jun 09, 2020 at 09:40:25AM +0200, Bernhard Reiter wrote:
>> If you trust a set of root certificates, like the ones shipped with your
>> operating system or a different application, you could just import them all
>> and mark them trusted. Of course you would need to sync this, if the set
>> changes on updates.

> I believe the original question was, how to allow gpg to automatically trust
> the root certificates provided by the os or Thunderbird.

Yes it was and I still don't know.


> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

Am Mittwoch 29 Juli 2020 13:56:46 schrieb Uwe Brauer via Gnupg-users:
> > I believe the original question was, how to allow gpg to automatically
> > trust the root certificates provided by the os or Thunderbird.
>
> Yes it was and I still don't know.

As far as I know gpgsm does not provide an automatic way
to use X509 root certificates from the operating system
or Thunderbird.

You could construct a simple script to sync certs to dirmngr
if the os or other app store updates.

Regards,
Bernhard


--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner