On Wednesday, 22 February 2023 16:35:34 CET Alexander Grahn via Gnupg-users wrote:
> recently I obtained a free certificate from DGN (German Health Net) for
> signing e-mails. I imported the p12 file with gpgsm into my keybox and
> added the complete certificate chain to ~/.gnupg/trustlist.txt

You should only add root certificates to the trustlist. It probably doesn't harm to add non-root certificates, but it doesn't make much sense and it makes the trustlist longer (and thus less easy to manage) than necessary.

> When I try to sign or encrypt, I get the following error:
>
> $ gpgsm --armor --sign testfile.txt
> gpgsm: certificate not found: No public key
> gpgsm: certificate #410FE63506C68DDF/CN=dgnservice CA 2 Type E:PN,O=DGN Deutsches Gesundheitsnetz Service GmbH,C=DE
> gpgsm: checking the CRL failed: Not found
> gpgsm: error creating signature: Not found <GpgSM>
> [...]
> `gpgsm --dump-chain' presents me the following URI:
>
> crlDP: ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,C=DE?certificateRevocationList?base?objectClass=cRLDistributionPoint
>
> Now my question is whether the LDAP server is down, the URI incomplete
> or wrong, or whether the problem is on the GPG end.

The ldapurl tool can parse the URI:

```
$ ldapurl -H 'ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,C=DE?certificateRevocationList?base?objectClass=cRLDistributionPoint'
scheme: ldap
host: ldap.dgnservice.de
port: 389
dn: CN=CRL-1,O=DGN Service GmbH,C=DE
selector: certificateRevocationList
scope: base
filter: objectClass=cRLDistributionPoint
```

I failed to use the ldapsearch tool to actually query the URI. It always tells me "Could not parse LDAP URI(s)=[...]", but I guess I'm just using it wrong.

> On the other hand,
> I cannot imagine that a wrong LDAP URI remains unnoticed by non-GPG
> users. I know nothing about ldap and how to test such an URI. What can I do?
>
> I am using gnupg-2.4.0 and I double checked that it was compiled with
> ldap support.

Submit a bug report at https://dev.gnupg.org so that this can be tracked properly.

Regards,
Ingo
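As an added example (not code from the thread or from GnuPG/OpenLDAP), the following script decomposes an RFC 4516 LDAP URL such as the crlDP value quoted above into its components and builds the equivalent `ldapsearch` command, passing only `scheme://host:port` to `-H` and the DN, scope, filter and attribute list as separate options. The URL string is the one from the thread; the field defaults (all user attributes, `base` scope, filter `(objectClass=*)`) follow RFC 4516, and wrapping a bare filter in parentheses is an assumption about what the CA intended, since RFC 4515 filters are parenthesised.

```python
"""Decompose an RFC 4516 LDAP URL (e.g. from a certificate's crlDistributionPoints
extension) and build an equivalent ldapsearch invocation for fetching the CRL."""
import shlex
from urllib.parse import urlsplit, unquote

# The crlDP URI quoted in the thread, kept as one string here.
CRL_DP_URL = (
    "ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,C=DE"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
)


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL into scheme, host, port, dn, attrs, scope, filter, extensions.

    Layout per RFC 4516: scheme://host:port/dn?attrs?scope?filter?extensions
    Missing trailing fields take the RFC defaults: all user attributes,
    scope 'base', filter '(objectClass=*)'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    # urlsplit stops at the first '?', so the remaining '?'-separated
    # fields (attrs, scope, filter, extensions) all sit in .query.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs_raw, scope, filt, exts = fields[:4]

    dn = unquote(parts.path.lstrip("/"))
    attrs = [unquote(a) for a in attrs_raw.split(",") if a]
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unsupported scope: {scope!r}")
    filt = unquote(filt) or "(objectClass=*)"
    # Assumption: a bare 'attr=value' filter is meant as the RFC 4515
    # form '(attr=value)', so add the outer parentheses if missing.
    if not filt.startswith("("):
        filt = f"({filt})"

    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": dn,
        "attrs": attrs,
        "scope": scope,
        "filter": filt,
        "extensions": [unquote(e) for e in exts.split(",") if e],
    }


def ldapsearch_argv(url: str) -> list:
    """Build an ldapsearch argv that queries exactly what the URL describes.

    -x selects simple (here: anonymous) bind, which is what a CRL
    distribution point is normally expected to allow.
    """
    p = parse_ldap_url(url)
    argv = [
        "ldapsearch", "-x",
        "-H", f"{p['scheme']}://{p['host']}:{p['port']}",
        "-b", p["dn"],
        "-s", p["scope"],
        p["filter"],
    ]
    return argv + p["attrs"]


if __name__ == "__main__":
    for key, value in parse_ldap_url(CRL_DP_URL).items():
        print(f"{key}: {value}")
    print(shlex.join(ldapsearch_argv(CRL_DP_URL)))
```

Running the script prints the parsed fields (matching the `ldapurl` output above) and a shell-quoted `ldapsearch` command line that can be tried against the distribution point; if that query returns the `certificateRevocationList` attribute, the server and URI are fine and the fault lies with the dirmngr side, otherwise it points at the CA's publication.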
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users