FS#33059 - [gnupg] Not needed X.509 certificates in default installation

Attached to Project: Arch Linux
Opened by Dirk (dsohler) - Wednesday, 12 December 2012, 07:46 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 16 December 2012, 22:52 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

The file /usr/share/gnupg/com-certs.pem contains 15 X.509 certificates that are either expired or incomplete. The certificates are mostly from several German issuers like “Deutscher Sparkassen Verlag GmbH”, “Regulierungsbehörde für Telekommunikation und Post” or “Bundesnetzagentur”.


Additional info:

* gnupg version 2.0.19-3
* unaltered default configuration


Steps to reproduce:

1. install core/gnupg
2. if it already exists, move ~/.gnupg to another location (BACKUP!)
3. generate a new keypair with gpg --gen-key
4. check X.509 certificates with gpgsm --list-keys

(Don’t forget to delete ~/.gnupg after reproducing and copying your backup back!)
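An added stdlib-only audit script (not part of this report or of GnuPG) that does for a PEM bundle such as /usr/share/gnupg/com-certs.pem what the reporter did by eye with gpgsm --list-keys: walk every certificate, read its notAfter and flag the expired ones. The two-entry sample bundle and its skeletal certificates are constructed for the example; the DER walk assumes well-formed input and checks only expiry, not completeness of the chain.

```python
"""Audit a PEM bundle like /usr/share/gnupg/com-certs.pem: report each
certificate's notAfter and flag expired ones (stdlib only; minimal DER walk)."""
import base64, datetime, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = datetime.timezone.utc

def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """(tag, value_start, value_end) for each element of a constructed value."""
    out = []
    while start < end:
        out.append(_tlv(buf, start))
        start = out[-1][2]
    return out

def not_after(der):
    """notAfter of one DER certificate as an aware UTC datetime."""
    _, ts, te = _tlv(der, _tlv(der, 0)[1])        # Certificate -> tbsCertificate
    fields = _children(der, ts, te)
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields.pop(0)
    tag, s, e = _children(der, *fields[3][1:])[1] # serial, sigAlg, issuer, validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=UTC)

def audit_bundle(pem_bytes, now=None):
    """[(index, not_after, expired)] for every certificate in the bundle."""
    now = now or datetime.datetime.now(UTC)
    certs = [base64.b64decode(b"".join(b.split())) for b in PEM_RE.findall(pem_bytes)]
    return [(i, exp, exp < now) for i, exp in enumerate(map(not_after, certs))]

def _der(tag, body):
    """Minimal DER encoder for the constructed sample (bodies under 128 bytes)."""
    return bytes([tag, len(body)]) + body
def sample_cert(not_after_utctime):
    """Constructed stand-in for one bundle entry: empty names/key, dummy signature."""
    validity = _der(0x30, _der(0x17, b"000101000000Z") + _der(0x17, not_after_utctime))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") * 2 + validity + _der(0x30, b"") * 2)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

# Constructed two-entry bundle: one expired in 2005, one valid until 2049.
SAMPLE_BUNDLE = sample_cert(b"051231235959Z") + sample_cert(b"491231235959Z")
```

Point `audit_bundle` at the bytes of the real file to get the same per-certificate verdict for a packaged bundle.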

Closed by Gaetan Bisson (vesath)
Sunday, 16 December 2012, 22:52 GMT
Reason for closing: Fixed
Additional comments about closing: in SVN
Comment by Gaetan Bisson (vesath) - Wednesday, 12 December 2012, 12:49 GMT
That's the file: /usr/share/gnupg/com-certs.pem

Well it's installed by GnuPG by default, and I see no ./configure knob to turn it off. Maybe we could discuss with upstream why that is.

Or is there a specific reason why you would want those certificates gone?
Comment by Dirk (dsohler) - Wednesday, 12 December 2012, 13:02 GMT
Forwarding this to upstream would probably be the best idea. As described (and easily confirmed by following the “Steps to reproduce” part) in the bug report: the certificates are utterly useless (15 incomplete or expired certificates from a bunch of German companies – why the hell *g*) and only clutter gpgsm --list-keys with non-deletable, unusable content.
Comment by Gaetan Bisson (vesath) - Wednesday, 12 December 2012, 14:06 GMT
Well, you seem to have your arguments well prepared; would you care to open a bug report there? https://bugs.g10code.com/gnupg/
Comment by Dirk (dsohler) - Saturday, 15 December 2012, 19:08 GMT
They consider it “not a bug” (but it actually is, I guess they just don’t care). A simple “echo '' > /usr/share/gnupg/com-certs.pem” in the install script should solve that bug for the Arch package.
Comment by Gaetan Bisson (vesath) - Saturday, 15 December 2012, 19:20 GMT
If you remove this file entirely, does everything else behave as expected?
Comment by Dirk (dsohler) - Saturday, 15 December 2012, 22:42 GMT
I can still use GPG without that file. But I only use it for mail encryption and stuff.
Comment by Dirk (dsohler) - Saturday, 15 December 2012, 23:23 GMT
… tested again without this file. This time I created a new keybox (according to the comment in the file it’s used for initial keybox creation). Worked as expected. No error messages about this file missing. I think it can be safely removed from the package.
