💾 Archived View for idiomdrottning.org › gpg-wkd captured on 2024-06-16 at 12:20:21. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

🚧 View Differences

-=-=-=-=-=-=-

GPG WKD

I know that for Proton Mail users, you can just gpg --locate-keys their address and you’ll get their keys.

I wanted to set up something similar for my own email and it was a headache and a half. This is more of a li’l diary entry and causerie than reliable and complete documentation.

mkdir -p /tmp/lets-do-this/.well-known/openpgpkey
cd /tmp/lets-do-this
sudo apt install gpg-wks-client # Or whatever non-Debian people do

Then, you’re supposed to do this:

gpg --list-options show-only-fpr-mbox -k sandra.snan@idiomdrottning.org|/usr/lib/gnupg/gpg-wks-client -C .well-known/openpgpkey -v --install-key

but I have plenty of unused keys in my ring so I checked the first part of that, saw that the first was the one I wanted (matching fingerprints). First one means head -1, ninth would be sed -n 9p, and last would be tail -1.

So since in my case I’m grabbing the first:

gpg --list-options show-only-fpr-mbox -k sandra.snan@idiomdrottning.org|head -1|/usr/lib/gnupg/gpg-wks-client -C .well-known/openpgpkey -v --install-key

Now, that’s not any good because it uses the “advanced” method. According to the RFC, that method is for multi-domain setups, but I have nginx so we can already dispatch on a domain level right in the web server, and for now I just wanted my Idiomdrottning domain. I want the direct method so I don’t have to futz around with registering a new hostname. At least for now.

This means manually having to:

cd .well-known/openpgpkey/
mv idiomdrottning.org/* .
rmdir idiomdrottning.org

Create an index.html file in the hu directory to disable dirlisting (not that there’s anything else in there).

Then

cd /tmp/lets-do-this
chmod -R 755 .well-known

and rsync it up to the server.

I didn’t get it working at first, because I had made two fatal mistakes.

One was pretty specific to my wonky setup: I already had the .well-known path reverse-proxied for some other stuff I’ve got going on. I had to edit nginx stuff to make that a li’l more fine grained. That was on me, I had a non-default setup.

The other was that the hu directory wasn’t executable by the www-data user. Readable is not enough when it comes to directories.

I could troubleshoot both of these issues with

wget -qO- "/.well-known/openpgpkey/hu/frhc9h9dc9cq8ffnxtrj817y4o1jxztm"|less

(Where that frhc9h9dc9cq8ffnxt… stuff is my own name, sandra.snan, encoded (SHA-1 hash in Z-Base-32). To find your own, look in that hu directory you generated.)

Anyway, now

gpg --locate-keys sandra.snan@idiomdrottning.org

finally works.

I’m not doing the whole proofs.json thing from Replacing Keybase, I’m only using a static WKD as per the GnuPG wiki.

Replacing Keybase

Finding PGP keys

WKD spec

WKDHosting - GnuPG wiki

WKD as a service

If you don’t have a web server on your email domain but you can set CNAME records, you can use OpenPGP’s WKD service:

keys.openpgp.org

You could get mitmed by them so this is only if you trust them, but it’s still better than a keyserver (which requires the same trust, and this is faster and works automatically in more apps).