From c4e02a3b7ad6ee1da6bfc439921378bdbd5c029c Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Thu, 27 Oct 2016 18:30:57 -0400
Subject: dirmngr: Register hkp-cacert even if the file doesn't exist yet
* dirmngr/dirmngr.c (parse_readable_options): If we're unable to turn an argument for hkp-cacert into an absolute filename, terminate completely.
* dirmngr/http.c (http_register_tls_ca): Show a warning if file is not immediately accessible, but register it anyway.
--
Without this changeset, the condition of the filesystem when dirmngr is initialized will have an effect on later activities of dirmngr. For example, if a file identified by a hkp-cacert directive doesn't exist when dirmngr starts, dirmngr will behave as though it simply didn't have the hkp-cacert directive set at all, even if the file should appear later. dirmngr currently behaves differently if no hkp-cacert directives have been set then it does when at least one hkp-cacert directive has been set. For example, its choice of CA cert for hkps://hkps.pool.sks-keyservers.net depends on whether a TLS CA file has been registered. That behavior shouldn't additionally depend on the state of the filesystem at the time of dirmngr launch.
Signed-off-by: Daniel Kahn Gillmor
---
dirmngr/http.c | 5 +++++
1 file changed, 5 insertions(+)
(limited to 'dirmngr/http.c')
diff --git a/dirmngr/http.c b/dirmngr/http.c
index b74a9ef9a..90682fa46 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -495,6 +495,11 @@ http_register_tls_ca (const char *fname)
 }
 else
 {
+ /* Warn if we can't access right now, but register it anyway in
+ case it becomes accessible later */
+ if (access (fname, F_OK))
+ log_info (_("can't access '%s': %s\n"), fname,
+ gpg_strerror (gpg_error_from_syserror()));
 sl = add_to_strlist (&tls_ca_certlist, fname);
 if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem"))
 sl->flags = 1;
--
cgit
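Review bot: The added `access (fname, F_OK)` check in the else branch of http_register_tls_ca tests only that the path exists, so a CA file that is present but not readable by dirmngr is registered with no warning at all; `if (access (fname, R_OK))` would match the "can't access" wording of the message. Because the file is now looked up when it is used rather than at startup, the comment should also state what the TLS setup does if the file is still missing or unreadable at that point; that code is outside this hunk, and it should fail the connection rather than carry on without the configured CA. The comment could add `/* The file is a trust anchor: its directory must not be writable by other users. */`, since whoever is able to create the file later supplies the CA that hkps connections are verified against. The body of http_register_tls_ca begins and ends outside the hunk.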