author: Werner Koch <wk@gnupg.org> 2021-10-06 10:31:41 +0200
committer: Werner Koch <wk@gnupg.org> 2021-10-06 10:35:51 +0200
commit: 4b3e9a44b58e74b3eb4a59f88ee017fe7483a17d
tree: 7f9240291d53a3b9155394fcb5d6cc5eca14ecc5 /doc
parent: dirmngr: Fix Let's Encrypt certificate chain validation.
dirmngr: New option --ignore-cert

* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be ignored certs.
Change callers to handle the new error return.
--
This option is useful as a workaround in case we will run into other
chain validation errors like what we fixed in
GnuPG-bug-id: 5639
Diffstat (limited to 'doc')
-rw-r--r--  doc/dirmngr.texi  19
1 file changed, 19 insertions, 0 deletions
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 1638d7d84..bc6f0ba39 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -588,6 +588,25 @@ won't be rejected due to an unknown critical extension. Use this
option with care because extensions are usually flagged as critical
for a reason.
+@item --ignore-cert @var{fpr}|@var{file}
+@opindex ignore-cert
+Entirely ignore certificates with the fingerprint @var{fpr}. As an
+alternative to the fingerprint a filename can be given in which case
+all certificates described in that file are ignored. Any argument
+which contains a slash, dot or tilde is considered a filename. Usual
+filename expansion takes place: A tilde at the start followed by a
+slash is replaced by the content of @env{HOME}, no slash at start
+describes a relative filename which will be searched at the home
+directory. To make sure that the @var{file} is searched in the home
+directory, either prepend the name with "./" or use a name which
+contains a dot. The format of such a file is a list of SHA-1
+fingerprint, one per line with optional colons between the bytes.
+Empty lines and lines prefixed with a hash mark are ignored.
+
+This option is useful as a quick workaround to exclude certain
+certificates from the system store.
+
+
@item --hkp-cacert @var{file}
Use the root certificates in @var{file} for verification of the TLS
certificates used with @code{hkps} (keyserver access over TLS). If
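Review bot: the new --ignore-cert entry does not say what happens when @var{file} cannot be opened or a line is not a valid SHA-1 fingerprint; since an unreadable or mistyped ignore list silently changes which certificates take part in chain validation, the text should state whether that is a hard error or only a logged warning, and whether the list is re-read together with the other rereadable options. The sentence "The format of such a file is a list of SHA-1 fingerprint, one per line" should read "fingerprints". Given that the entry directly above closes with "Use this option with care because extensions are usually flagged as critical for a reason", a matching caveat would fit here too, because excluding a certificate from the store can make otherwise valid chains fail or hide a certificate an operator expected to be checked. Style: the two blank lines before "@item --hkp-cacert @var{file}" should be reduced to one, as the surrounding entries use a single separating blank line.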