|
Size: 2712
Comment: change title and intro to explain that this is the "simple" version
|
Size: 3109
Comment: add method with gpg-wks-client
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 10: | Line 10: |
=== Using gpg-wks-client from newer GnuPG (upcoming with GnuPG v>=2.2.12) Gnu~PG [[https://dev.gnupg.org/T4289|2.2.12]] has an improved {{{gpg-wks-client}}} tool which can be used to create a local file structure. Documentation and Gpg4win release pending, compare https://dev.gnupg.org/T4268 . === Method with elder GnuPG version |
|
| Line 18: | Line 26: |
| === Usage | ==== Usage |
| Line 56: | Line 64: |
| This example [[https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example|Makefile]] automates the hu directory generation and publishing. Edit | This example [[https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example|Makefile]] automates the hu directory generation and publishing (using the python script method as documented above). Edit |
Hosting a Web Key Directory (without dynamic WKS)
Ideally a Web Key Directory will be created and maintained through a Web Key Service but organisations or individuals may want to just host a Web Key Directory without a Web Key Service. Using a flat file-structure that needs re-creating if a pubkey changes:
Requirements
- A web server that provides https with a trusted certificate.
Using gpg-wks-client from newer GnuPG (upcoming with GnuPG v>=2.2.12)
GnuPG 2.2.12 has an improved gpg-wks-client tool which can be used to create a local file structure.
Documentation and Gpg4win release pending, compare https://dev.gnupg.org/T4268 .
Method with elder GnuPG version
- A client machine with python and pyme installed (debian package python-pyme)
- The script: generate-openpgpkey-hu (in the Mercurial repository "wkd-tools")
There is an alternative implementation using Python 3, and python-gnupg instead of python-pyme available at https://gitlab.com/Martin_/generate-openpgpkey-hu-3/
Usage
You can either export all the keys in your keyring which belong to a domain or provide an explicit keyring containing the keys you want to publish.
The call:
./generate-openpgpkey-hu example.com hu
Will create a directory called hu containing all the keys with @example.com mail addresses.
If there are multiple valid keys for a user in your keyring this command will error out. In that case you can prepare a keyring with only the keys you want to publish.
e.g.:
gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
gpg --no-default-keyring --keyring ./wkd-keyring.gpg --importAnd then provide that keyring to generate-openpgpkey-hu:
./generate-openpgpkey-hu example.com hu wkd-keyring.gpg
Publishing
The hu directory has to be published on your server as https://example.com/.well-known/openpgpkey/hu/
On your server create the according directory and set the permissions according to your system. Make sure that there is no automatic directory listing for .well-known/openpgpkey/hu/.
This example Makefile automates the hu directory generation and publishing (using the python script method as documented above). Edit the variables at the top of the makefile to your RSYNC_TARGET The KEYRING variable is optional and can be empty.
Starting with draft 05 the OpenPGP Web Key Directory specification requires that a policy file https://example.com/.well-known/openpgpkey/policy is available. It can be an empty file, which fits well here, because it is only relevant for the update protocol anyway.
A WKD Checker should be implemented to verify the functionality of the WKD.