💾 Archived View for idiomdrottning.org › finding-keys captured on 2024-08-25 at 00:53:00. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2024-06-16)

-=-=-=-=-=-=-

Finding PGP keys

Calling the public key a “key” in public key encryption was a bad and confusing idea. Calling it an envelope or a padlock or a chain woulda been way better, reserving the name “key” for the private key. This goes for both SSL certs and for PGP email.

Here’s how I find PGP public keys. I have a zsh function that runs this, where “$1” means the email address I want to send to:

gpg --auto-key-locate local,wkd,keyserver --locate-keys "$1" ||
    curl -XGET https://api.protonmail.ch/pks/lookup\?op\=get\&search\=$(uenc "$1")|gpg --import

That second clause doesn’t get invoked very often; Proton users who don’t have their own domain, their keys are available over WKD, and some users who do have their own domain still have WKD set up, and some (all?) who don’t are still in Proton’s HPK keyserver. Maybe that covers all of them and there’s nothing left. I put it in the script before I knew about their keyserver, and got good mileage out of it early on. I’m never ever gonna get Proton myself and it’s so nice to just be able to normally email people who’re on there and step one to doing that is getting their keys.

This doesn’t find Autocrypt keys; that’s something I might wanna fix somehow, maybe introducing a notmuch query into the mix? I’d have to reindex with that header.

Now, local is checked first and that’s bad, don’t try that at home, kids. If I already have some old, stale key to them, that’s what’s gonna pop up first and end the search. But I’m such a ditz that I kept re-importing keys that I’ve already got until I introduced local as the first step.

The keyservers I currently check are these:

keyserver hkps://keys.openpgp.org
keyserver hkps://mail-api.proton.me
keyserver hkps://keys.mailvelope.com
keyserver hkps://keyserver.ubuntu.com
keyserver hkps://pgp.mit.edu

I’m not sure my own keys are in any of them, I might’ve submitted them at one time or another. I primarily rely on WKD or Autocrypt. The keyserver idea was pretty flawed compared to WKD, and then Autocrypt is a good workaround for email providers that don’t allow WKD. Which are pretty few, but Posteo does and anything that allows you to use your own domain.

Now, if this doesn’t find anything and I know they’re here on Gemini, I sometimes go and check their capsule if they’ve published their key there. If I only have a web page for them, I usually don’t bother.

GPG WKD

How do I publish the public PGP key for my Posteo email address in the Posteo key directory?