== Hosting a Web Key Directory (without dynamic WKS) ==

Ideally a Web Key Directory is created and maintained through a Web Key Service, but organisations or individuals may want to just host a Web Key Directory without a Web Key Service, using a flat file structure that has to be re-created whenever a pubkey changes.

=== Requirements ===

 * A web server that provides https with a trusted certificate.

=== Using gpg-wks-client from newer GnuPG (GnuPG >= 2.2.12) ===

GnuPG [[https://dev.gnupg.org/T4289|2.2.12]] has an improved {{{gpg-wks-client}}} tool which can be used to create the local file structure. Documentation and a Gpg4win release are still pending, compare https://dev.gnupg.org/T4268 .

=== Method with older GnuPG versions or to publish many keys at once ===

The script: [[https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/generate-openpgpkey-hu|generate-openpgpkey-hu]] (in the [[https://hg.intevation.de/gnupg/wkd-tools/|Mercurial repository "wkd-tools"]]). This implementation uses Python 2 with python-gpg or python-pyme. An alternative implementation using Python 3 and python-gnupg is available at https://gitlab.com/Martin_/generate-openpgpkey-hu-3/ .

==== Usage ====

You can either export all the keys in your keyring which belong to a domain, or provide an explicit keyring containing only the keys you want to publish. The call:

{{{
./generate-openpgpkey-hu example.com hu
}}}

creates a directory called {{{hu}}} containing all the keys with @example.com mail addresses. If there are multiple valid keys for a user in your keyring, this command errors out. In that case prepare a keyring with only the keys you want to publish, e.g.:

{{{
gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
  gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import
}}}

and then provide that keyring to generate-openpgpkey-hu:

{{{
./generate-openpgpkey-hu example.com hu wkd-keyring.gpg
}}}

=== Publishing ===

The {{{hu}}} directory has to be published on your server as {{{https://example.com/.well-known/openpgpkey/hu/}}}. On your server create the corresponding directory and set the permissions according to your system. **Make sure that there is no automatic directory listing for {{{.well-known/openpgpkey/hu/}}}**; the file names are hashes of the published local parts, and a listing hands the complete set of them to anyone who asks.

This example [[https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example|Makefile]] automates the {{{hu}}} directory generation and publishing (using the Python script method documented above). Edit the variables at the top of the Makefile to set your {{{RSYNC_TARGET}}}; the {{{KEYRING}}} variable is optional and can be left empty.

Starting with draft 05, the [[https://www.ietf.org/id/draft-koch-openpgp-webkey-service.txt|OpenPGP Web Key Directory specification]] requires that a policy file {{{https://example.com/.well-known/openpgpkey/policy}}} is available. It can be an empty file, which fits well here, because its contents are only relevant for the update protocol anyway.

A [[Tasks#WKD_Checker|WKD Checker]] should be implemented to verify the functionality of the WKD.
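The following is an added example, not code from this wiki page, from generate-openpgpkey-hu or from the wkd-tools repository. It shows what the scripts above produce and what the checker at the end should verify: the file name under {{{hu/}}} is the z-base-32 encoding of the SHA-1 hash of the lowercased local part of the mail address (the draft's own test vector {{{Joe.Doe@Example.ORG}}} is used), the direct-method URL a client fetches (newer clients append {{{?l=<local-part>}}}, which a static web server simply ignores), and a local sanity check of the generated tree before it is rsynced: policy file present, only well-formed hashed names in {{{hu/}}}, one file per address, and binary rather than ASCII-armored exports, since WKD requires the output of a plain {{{gpg --export}}} without {{{--armor}}}. The addresses, paths and placeholder key bytes in {{{demo()}}} are constructed for illustration.

```python
"""Added example (not from the wiki page or the wkd-tools repository): WKD
file-name derivation, direct-method URL and a local check of the hu/ tree.
Addresses, paths and placeholder key bytes below are constructed."""
import hashlib
import os
import tempfile
from urllib.parse import quote

# z-base-32 alphabet used by the WKD draft for the hashed local part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, MSB first, no padding."""
    nchars = -(-len(data) * 8 // 5)                      # ceil(bits / 5)
    value = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """File name under hu/: z-base-32 of SHA-1 of the lowercased local part,
    so Joe.Doe and joe.doe map to the same file (20 bytes -> 32 characters)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_direct_url(address: str) -> str:
    """Direct-method URL a client such as gpg fetches for this address.
    Newer clients append ?l=<local-part>; a static web server ignores it."""
    local_part, domain = address.rsplit("@", 1)
    return ("https://%s/.well-known/openpgpkey/hu/%s?l=%s"
            % (domain.lower(), wkd_hash(local_part), quote(local_part)))


def check_wkd_tree(webroot: str, addresses) -> list:
    """Return a list of problems found in <webroot>/.well-known/openpgpkey/."""
    problems = []
    base = os.path.join(webroot, ".well-known", "openpgpkey")
    if not os.path.isfile(os.path.join(base, "policy")):
        problems.append("policy file missing (required since draft 05; may be empty)")
    hu = os.path.join(base, "hu")
    if not os.path.isdir(hu):
        problems.append("hu/ directory missing")
        return problems
    for name in os.listdir(hu):
        # anything that is not a 32-character z-base-32 name does not belong here
        if len(name) != 32 or any(c not in ZBASE32_ALPHABET for c in name):
            problems.append("unexpected file in hu/: %s" % name)
    for address in addresses:
        path = os.path.join(hu, wkd_hash(address.rsplit("@", 1)[0]))
        if not os.path.isfile(path):
            problems.append("no key file for %s" % address)
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)
        # WKD serves binary keys; an armored export (--armor) is not accepted
        if head.startswith(b"-----BEGIN"):
            problems.append("armored instead of binary key for %s" % address)
        elif not head:
            problems.append("empty key file for %s" % address)
    return problems


def demo() -> list:
    """Build a constructed tree with one good file, one armored file and one
    missing key, and return the problems the checker reports (two of them)."""
    with tempfile.TemporaryDirectory() as root:
        hu = os.path.join(root, ".well-known", "openpgpkey", "hu")
        os.makedirs(hu)
        open(os.path.join(root, ".well-known", "openpgpkey", "policy"), "wb").close()
        # placeholder bytes standing in for `gpg --export` output (not a real key)
        with open(os.path.join(hu, wkd_hash("alice")), "wb") as fh:
            fh.write(b"\x98\x8d\x04" + b"\x00" * 13)
        with open(os.path.join(hu, wkd_hash("bob")), "w") as fh:
            fh.write("-----BEGIN PGP PUBLIC KEY BLOCK-----\n")
        return check_wkd_tree(root, ["alice@example.com", "bob@example.com",
                                     "carol@example.com"])


if __name__ == "__main__":
    print(wkd_direct_url("Joe.Doe@Example.ORG"))
    for problem in demo():
        print("PROBLEM:", problem)
```

Run the script against the real tree by calling {{{check_wkd_tree("/path/to/webroot", addresses)}}} with the addresses you exported; a fetch of the printed URL over https from outside the host, plus a request for {{{.well-known/openpgpkey/hu/}}} itself to confirm it is not listed, completes the check.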