[Pkg-gnupg-commit] [gnupg2] 155/205: dirmngr: Use system provided root CAs with KS_FETCH.

[Daniel Kahn Gillmor]

This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch experimental
in repository gnupg2.

commit c3aeda82b8d00b87a5af72b4075c487c10dfdf6b
Author: Werner Koch <wk at gnupg.org>
Date:   Wed Apr 27 08:18:37 2016 +0200

    dirmngr: Use system provided root CAs with KS_FETCH.
    
    * dirmngr/ks-engine-http.c (ks_http_fetch): Use HTTP_FLAG_TRUST_SYS.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>
---
 dirmngr/ks-engine-http.c | 4 +++-
 doc/gpg.texi             | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index b996c25..00d0c4b 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -73,7 +73,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
   estream_t fp = NULL;
   char *request_buffer = NULL;
 
-  err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_DEF);
+  /* Note that we only use the system provided certificates with the
+   * fetch command.  */
+  err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_SYS);
   if (err)
     goto leave;
   http_session_set_log_cb (session, cert_log_cb);
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 781a188..0c43c55 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -476,7 +476,8 @@ only LDAP supports them all.
 @opindex fetch-keys
 Retrieve keys located at the specified URIs. Note that different
 installations of GnuPG may support different protocols (HTTP, FTP,
-LDAP, etc.)
+LDAP, etc.).  When using HTTPS the system provided root certificates
+are used by this command.
 
 @item --update-trustdb
 @opindex update-trustdb

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git