ca-cert-file option deprecated in GnuPG 2.1

[a3nm]

Hello,

The OpenPGP Best Practices guide https://help.riseup.net/en/gpg-best-practices instructs users to add the following to ~/.gnupg/gpg.conf:

keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem

However, for users running GnuPG 2.1, this will result in the following warning:

gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf

Further, it will be ignored according to https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html

I think the guide should be updated accordingly, though I'm not sure whether the more recent option is supported on older versions that people may still be using.

[disturbio]

Hi,

Yes, the ca-cert-file config option will be ignored in future versions of gnupg/dirmngr, but it needs to be there for GnuPG 1 and Gnupg 2.0. Most of gnu/linux systems don't run version 2.1 yet, but here is the important thing:

By default, from version 2.1.11, Gnupg installs the CA certificate for hkps.pool.sks-keyservers.net and make use of it by default, which means rolling linux distributions will not have problems with no setting the hkp-cacert config option... that if the package mantainers of the distro decide to not do something crazy.

The dirmngr's config 'hpk-cacert' is not supported by previous versions, as it's just from 2.1 that is allowed to deal with keyservers.

[a3nm]

Thanks for your answer. This makes sense, but then users of GPG 2.1 that follow the guide (like me) will get spammed by the warning about ca-cert-file. Based on what you say, I think that the fix is simply to state in the guide that the ca-cert-file advice does not apply if you have GPG 2.1. Right?

[disturbio]

Yes, you are right! Want me to fix it or you want to do it?

The guide probably will need a good update for 2.1 when the libgcrypt 1.7 is released

[a3nm]

It's probably simpler if you can do it. If necessary, I can update the French translation accordingly, though.

[mjg]

That being true, many users are stuck with gpg 1 because their distro requires it for some tools, but use gpg 2.1 in parallel so that they can participate in all the fun. It is unfortunate that gpg 2.1 complains about the configuration that is necessary for gpg 1, when both are meant to be fit for parallel use (bar the secret keyring, I know).

[Robert-Ernst]

Why I have to find this issue, which is 3 years old and still opened?
I could have spared myself one hour of debugging when the documentation would be up-to-date and not 3 years old.

[a3nm]

Hi @BerndErnst

I agree that this problem should be fixed if it hasn't, however I'm not sure that blaming the people in charge is going to help -- I guess they are volunteers.

I don't have time to look into this now, but if you want to help this move forward, probably the thing to do is to see what the above commits did (apparently they didn't solve that issue?), fork the repository, do the change, and open a pull request.

Many thanks if you can help with this!