Hi,
I recently ran into an error when using dirmngr:
```
dirmngr[7737.0]: error loading certificate '/usr/share/gnupg/sks-keyservers.netCA.pem': Certificate expired
```
That file is owned by the core/gnupg package apparently so I thought it'd be worth flagging.
Not sure if that's relevant btw but I use it in my ~/.gnupg/dirmngr.conf file as:
```
keyserver hkps://hkps.pool.sks-keyservers.net
hkp-cacert /usr/share/gnupg/sks-keyservers.netCA.pem
```
Cheers
Last edited by czardien (2024-11-17 17:41:30)
I should mention that I've just updated my system in case I'd be fetching an updated certificate, but the error persists.
Some people in the IRC have pointed out that this certificate has in fact been expired since Oct 2022!
```
$ openssl x509 -enddate -noout -in /usr/share/gnupg/sks-keyservers.netCA.pem
notAfter=Oct 7 00:33:37 2022 GMT
```
It's also been mentioned that it's more likely an upstream issue, looking at the PKGBUILD: https://gitlab.archlinux.org/archlinux/ … =heads#L54, but I'm not really sure I can wrap my head around that PKGBUILD.
Hi,
I'm the person you talked to on IRC.
To give a little bit more precision, this certificate is included in the upstream archive sourced by the PKGBUILD, so this file is shipped by upstream gnupg.
In other terms, this is a gnupg "issue" not an Arch Linux one (given that this is actually an issue, I don't really know what this certificate is used for).
You would for instance see the exact same thing on a Debian system:
```
[antiz@debian ~]$ cat /etc/debian_version
12.8
[antiz@debian ~]$ openssl x509 -enddate -noout -in /usr/share/gnupg/sks-keyservers.netCA.pem
notAfter=Oct 7 00:33:37 2022 GMT
```
Arch Linux Package Maintainer
For context, this certificate was to be used together with the pool of SKS keyservers. However, now that I'm looking around, it actually looks like that pool has been taken down/deprecated a while back, circa 2019!
https://web.archive.org/web/20220119094 … rvers.net/
Bummers. Also pointing out that the Archwiki page for GnuPG still has references to these keyservers: https://wiki.archlinux.org/title/GnuPG#Key_servers.
Last edited by czardien (2024-11-17 18:54:50)
I updated the GnuPG Archwiki page to remove mentions of these SKS keyservers, and this certificate in particular. Please have a look and give me a shout if there's any problem.
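The `openssl` expiry check used in this thread, generalized as an added example (not code from any poster or from GnuPG): it reads a dirmngr.conf, extracts each `hkp-cacert` path and classifies the file it points to. The function names and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report the state of every CA file that a
# dirmngr.conf pins with hkp-cacert. Function names are hypothetical.

# Print the path argument of each hkp-cacert line (comment lines never match).
list_cacerts() {
    [ -r "$1" ] || return 1
    sed -n 's/^[[:space:]]*hkp-cacert[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1"
}

# Classify one file as missing, unreadable, expired, expiring or ok.
# $2 is the warning window in seconds (default: 30 days).
cacert_status() {
    cert=$1
    window=${2:-2592000}
    [ -f "$cert" ] || { echo missing; return 0; }
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || { echo unreadable; return 0; }
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo expired        # notAfter is already in the past
    elif ! openssl x509 -noout -checkend "$window" -in "$cert" >/dev/null 2>&1; then
        echo expiring       # still valid, but notAfter falls inside the window
    else
        echo ok
    fi
}

# Print "<status> <path>" per pinned file; succeed only if every status is ok.
audit_dirmngr_conf() {
    report=$(list_cacerts "$1" | while IFS= read -r cert; do
        printf '%s %s\n' "$(cacert_status "$cert" "$2")" "$cert"
    done)
    [ -n "$report" ] || return 0        # nothing pinned, nothing to flag
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -qv '^ok '
}

# Usage: audit_dirmngr_conf "${GNUPGHOME:-$HOME/.gnupg}/dirmngr.conf"
```

A non-zero exit status from `audit_dirmngr_conf` means at least one pinned file is missing, unreadable, expired or close to expiry, which makes it usable from a cron job or a post-upgrade hook.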