From c3aeda82b8d00b87a5af72b4075c487c10dfdf6b Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 27 Apr 2016 08:18:37 +0200
Subject: [PATCH] dirmngr: Use system provided root CAs with KS_FETCH.

* dirmngr/ks-engine-http.c (ks_http_fetch): Use HTTP_FLAG_TRUST_SYS.
Signed-off-by: Werner Koch
---
 dirmngr/ks-engine-http.c | 4 +++-
 doc/gpg.texi | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index b996c2573..00d0c4b80 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -73,7 +73,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
 estream_t fp = NULL;
 char *request_buffer = NULL;
- err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_DEF);
+ /* Note that we only use the system provided certificates with the
+ * fetch command. */
+ err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_SYS);
 if (err)
 goto leave;
 http_session_set_log_cb (session, cert_log_cb);
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 781a18828..0c43c55bd 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -476,7 +476,8 @@ only LDAP supports them all.
 @opindex fetch-keys
 Retrieve keys located at the specified URIs. Note that different installations of GnuPG may support different protocols (HTTP, FTP,
-LDAP, etc.)
+LDAP, etc.). When using HTTPS the system provided root certificates
+are used by this command.
 @item --update-trustdb
 @opindex update-trustdb
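Review bot: The comment added above `http_session_new` in `ks_http_fetch` (dirmngr/ks-engine-http.c) is ambiguous about the trust decision: "we only use the system provided certificates with the fetch command" can mean that fetch trusts nothing but the system roots, or that the system roots are used nowhere but in fetch. The call replaces `HTTP_FLAG_TRUST_DEF` with `HTTP_FLAG_TRUST_SYS` instead of combining the two, so presumably any CA an administrator configured for dirmngr is no longer accepted for fetch URLs, while every root in the system store now is. How `http_session_new` interprets the flags is outside the hunk, so please confirm this. If that is the intent, I would state it directly, for example `/* KS_FETCH verifies HTTPS servers against the system root CAs only; the default (configured) CA list is deliberately not used here.  */`, and say the same in doc/gpg.texi so that users with a private CA know why a fetch fails. The rest of `ks_http_fetch` lies outside the hunk.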