Hosting a Web Key Directory (without dynamic WKS)

Ideally a Web Key Directory will be created and maintained through a Web Key Service but organizations or individuals may want to just host a Web Key Directory without a Web Key Service. Using a flat file-structure that needs re-creating if a pubkey changes:

Other howtos

Requirements

Test

After setting it up the following should work with your email address (on a GNU/Linux system with GnuPG installed ). It does not import your pubkey.

   gpg --homedir "$(mktemp -d)" --verbose --locate-keys your.email@example.org

An alternative test with extra output is:

gpg-wks-client --check -v --debug=ipc your.email@example.org

Using gpg-wks-client from newer GnuPG (GnuPG v>=2.2.12)

GnuPG 2.2.12 has an improved gpg-wks-client tool which can be used to create a local file under the subdir openpgpkey, which has to be created.

It takes the (public) keys from the GnuPG keyring, so the keys need to be known to GnuPG.

PATTERN="@example.org"
gpg --list-options show-only-fpr-mbox  -k $PATTERN | gpg-wks-client -v --install-key

(Note for windows 10 - PowerShell: You may require path names to the binary, e.g. 'C:\Program Files(x86)\GnuPG\bin\gpg-wks-client.exe')

Details:

Method with older GnuPG version

The script: generate-openpgpkey-hu (in the Mercurial repository "wkd-tools")

This implementation uses Python 2 with python-gpg or python-pyme.

There is an alternative implementation using Python 3 and python-gnupg available at https://gitlab.com/Martin_/generate-openpgpkey-hu-3/

Usage

You can either export all the keys in your keyring which belong to a domain or provide an explicit keyring containing the keys you want to publish.

The call:

    ./generate-openpgpkey-hu example.com hu

Will create a directory called hu containing all the keys with @example.com mail addresses.

If there are multiple valid keys for a user in your keyring this command will error out. In that case you can prepare a keyring with only the keys you want to publish.

e.g.:

    gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
    gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import

And then provide that keyring to generate-openpgpkey-hu:

    ./generate-openpgpkey-hu example.com hu wkd-keyring.gpg

Publishing

The hu directory has to be published on your server as https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/ (or https://example.com/.well-known/openpgpkey/hu/ if openpgpkey.example.com is not resolvable via DNS).

On your server create the according directory and set the permissions according to your system. Make sure that there is no automatic directory listing for .well-known/openpgpkey/example.com/hu/ (or .well-known/openpgpkey/hu if using the fallback "direct" URL scheme).

Starting with draft 05 the OpenPGP Web Key Directory specification requires that a policy file https://openpgpkey.example.com/.well-known/openpgpkey/example.com/policy (or https://example.com/.well-known/openpgpkey/policy if using the "direct" URL scheme) is available. It can be an empty file, which fits well here, because it is only relevant for the update protocol anyway.

A WKD Checker should be implemented to verify the functionality of the WKD.

This example Makefile automates the hu directory generation and publishing (using the python script for the older gnupg version method as documented above). Edit the variables at the top of the makefile to your RSYNC_TARGET The KEYRING variable is optional and can be empty.

Hosting Web Key Directory with Mailvelope Key Server

With a small patch and a reverse proxy like caddy, Mailvelope Keyserver can act as a Web Key Directory.

WKDHosting (last edited 2024-06-03 11:32:27 by PiratePraveen)