gpg ca-cert-file=[which file???]

Sat Jul 15 19:04:00 GMT 2017

It seems a bit silly to be downloading pgp keys 'in the clear', so
after a bit of searching I think I want
  keyserver hkps://whatever
in my ~/.gnupg/gpg.conf so I can do auto-key-retrieve securely ... or
at least over an encrypted channel.  But what file should I be using
as the ca-cert file?

What I ended up doing is
$ cd /etc
$ find . -name \*pem

and trying each file until I finally got one that worked:
$ grep "^keyserver" ~/.gnupg/gpg.conf
keyserver hkps://
keyserver-options check-cert=on
keyserver-options ca-cert-file=/etc/pki/tls/cert.pem

$ gpg --auto-key-locate keyserver --keyserver-options
auto-key-retrieve --verify
gpg: assuming signed data in `'
gpg: Signature made Mon, Jun  5, 2017  2:31:57 PM EDT
gpg:                using RSA key 0xF1B11BF05CF02E57
gpg: requesting key 0xF1B11BF05CF02E57 from hkps server
gpg: key 0xF1B11BF05CF02E57: public key "Internet Systems Consortium,
Inc. (Signing key, 2017-2018) <>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing
key, 2017-2018) <>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB  89FF F1B1 1BF0 5CF0 2E57

Is there a better/more-correct file to use for the ca-cert-file= parameter?

How hard would it be to add hkps:// usage examples to the default gpg.conf file?


Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list