dirmngr: Use system provided root CAs with KS_FETCH.
authorWerner Koch <wk@gnupg.org>
Wed, 27 Apr 2016 06:18:37 +0000 (08:18 +0200)
committerWerner Koch <wk@gnupg.org>
Wed, 27 Apr 2016 06:18:37 +0000 (08:18 +0200)
* dirmngr/ks-engine-http.c (ks_http_fetch): Use HTTP_FLAG_TRUST_SYS.

Signed-off-by: Werner Koch <wk@gnupg.org>
dirmngr/ks-engine-http.c
doc/gpg.texi

index b996c25..00d0c4b 100644 (file)
@@ -73,7 +73,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
   estream_t fp = NULL;
   char *request_buffer = NULL;
 
-  err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_DEF);
+  /* Note that we only use the system provided certificates with the
+   * fetch command.  */
+  err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_SYS);
   if (err)
     goto leave;
   http_session_set_log_cb (session, cert_log_cb);
index 781a188..0c43c55 100644 (file)
@@ -476,7 +476,8 @@ only LDAP supports them all.
 @opindex fetch-keys
 Retrieve keys located at the specified URIs. Note that different
 installations of GnuPG may support different protocols (HTTP, FTP,
-LDAP, etc.)
+LDAP, etc.).  When using HTTPS the system provided root certificates
+are used by this command.
 
 @item --update-trustdb
 @opindex update-trustdb