dimngr: Do not check the self-signature of a root CA cert.

* dirmngr/validate.c (validate_cert_chain): Comment out that code.
2024-12-22 10:19:57 +01:00 · 2022-02-27 12:11:23 +01:00 · 2022-02-27 12:11:23 +01:00 · b901e63b4d
commit b901e63b4d
parent de87c8e1ea
1 changed files with 8 additions and 8 deletions
--- a/dirmngr/validate.c
+++ b/dirmngr/validate.c
@ -551,14 +551,14 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
      /* Is this a self-signed certificate? */
      if (is_root_cert (subject_cert, issuer, subject))
        {
-          /* Yes, this is our trust anchor.  */
-          if (check_cert_sig (subject_cert, subject_cert) )
-            {
-              log_error (_("selfsigned certificate has a BAD signature"));
-              err = gpg_error (depth? GPG_ERR_BAD_CERT_CHAIN
-                                    : GPG_ERR_BAD_CERT);
-              goto leave;
-            }
+          /* There is no need to check the signature of the trust anchor.  */
+          /* if (check_cert_sig (subject_cert, subject_cert) ) */
+          /*   { */
+          /*     log_error (_("selfsigned certificate has a BAD signature")); */
+          /*     err = gpg_error (depth? GPG_ERR_BAD_CERT_CHAIN */
+          /*                           : GPG_ERR_BAD_CERT); */
+          /*     goto leave; */
+          /*   } */

          /* Is this certificate allowed to act as a CA.  */
          err = allowed_ca (subject_cert, NULL);