GnuPG Gpg4win Logo
  • Comments
  • Immutable Page
  • Menu
    • Navigation
    • RecentChanges
    • FindPage
    • Local Site Map
    • Help
    • HelpContents
    • HelpOnMoinWikiSyntax
    • Display
    • Attachments
    • Info
    • Raw Text
    • Print View
    • Edit
    • Load
    • Save
  • Login

Navigation

  • RecentChanges
  • FindPage
  • HelpContents
Revision 8 as of 2019-05-15 13:11:02
  • WKDHosting

Hosting a Web Key Directory (without dynamic WKS)

Ideally a Web Key Directory will be created and maintained through a Web Key Service but organisations or individuals may want to just host a Web Key Directory without a Web Key Service. Using a flat file-structure that needs re-creating if a pubkey changes:

Requirements

  • A web server that provides https with a trusted certificate.

Using gpg-wks-client from newer GnuPG (upcoming with GnuPG v>=2.2.12)

GnuPG 2.2.12 has an improved gpg-wks-client tool which can be used to create a local file structure.

Documentation and Gpg4win release pending, compare https://dev.gnupg.org/T4268 .

Method with older GnuPG version or to publish many keys at once

The script: generate-openpgpkey-hu (in the Mercurial repository "wkd-tools")

This implementation uses Python 2 with python-gpg or python-pyme.

There is an alternative implementation using Python 3 and python-gnupg available at https://gitlab.com/Martin_/generate-openpgpkey-hu-3/

Usage

You can either export all the keys in your keyring which belong to a domain or provide an explicit keyring containing the keys you want to publish.

The call:

    ./generate-openpgpkey-hu example.com hu

Will create a directory called hu containing all the keys with @example.com mail addresses.

If there are multiple valid keys for a user in your keyring this command will error out. In that case you can prepare a keyring with only the keys you want to publish.

e.g.:

    gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
    gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import

And then provide that keyring to generate-openpgpkey-hu:

    ./generate-openpgpkey-hu example.com hu wkd-keyring.gpg

Publishing

The hu directory has to be published on your server as https://example.com/.well-known/openpgpkey/hu/

On your server create the according directory and set the permissions according to your system. Make sure that there is no automatic directory listing for .well-known/openpgpkey/hu/.

This example Makefile automates the hu directory generation and publishing (using the python script method as documented above). Edit the variables at the top of the makefile to your RSYNC_TARGET The KEYRING variable is optional and can be empty.

Starting with draft 05 the OpenPGP Web Key Directory specification requires that a policy file https://example.com/.well-known/openpgpkey/policy is available. It can be an empty file, which fits well here, because it is only relevant for the update protocol anyway.

A WKD Checker should be implemented to verify the functionality of the WKD.

  • This site is hosted by Intevation GmbH
  • |
  • Datenschutzerklärung und Impressum
  • |
  • Privacy Policy and Imprint