gnupg: gpg-wks-server
9.2 Provide the Web Key Service
===============================
The 'gpg-wks-server' is a server site implementation of the Web Key
Service. It receives requests for publication, sends confirmation
requests, receives confirmations, and published the key. It also has
features to ease the setup and maintenance of a Web Key Directory.
When used with the command '--receive' a single Web Key Service mail
is processed. Commonly this command is used with the option '--send' to
directly send the crerated mails back. See below for an installation
example.
The command '--cron' is used for regualr cleanup tasks. For example
non-confirmed requested should be removed after their expire time. It
is best to run this command once a day from a cronjob.
The command '--list-domains' prints all configured domains. Further
it creates missing directories for the configuration and prints warnings
pertaining to problems in the configuration.
The command '--check-key' (or just '--check') checks whether a key
with the given user-id is installed. The process return success in this
case; to also print a diagnostic, use option '-v'. If the key is not
installed a diagnostics is printed and the process returns failure; to
suppress the diagnostic, use option '-q'. More than one user-id can be
given; see also option 'with-file'.
The command '--install-key' manually installs a key into the WKD. The
arguments are a file with the keyblock and the user-id to install. If
the first argument resembles a fingerprint the key is taken from the
current keyring; to force the use of a file, prefix the first argument
with "./".
The command '--remove-key' uninstalls a key from the WKD. The process
returns success in this case; to also print a diagnostic, use option
'-v'. If the key is not installed a diagnostic is printed and the
process returns failure; to suppress the diagnostic, use option '-q'.
The command '--revoke-key' is not yet functional.
'gpg-wks-server' understands these options:
'--from MAILADDR'
Use MAILADDR as the default sender address.
'--header NAME=VALUE'
Add the mail header "NAME: VALUE" to all outgoing mails.
'--send'
Directly send created mails using the 'sendmail' command. Requires
installation of that command.
'--output FILE'
'-o'
Write the created mail also to FILE. Note that the value '-' for
FILE would write it to stdout.
'--with-dir'
Also print the directory name for each domain listed by command
'--list-domains'.
'--with-file'
With command '--check-key' print for each user-id, the address, 'i'
for installed key or 'n' for not installed key, and the filename.
'--verbose'
Enable extra informational output.
'--quiet'
Disable almost all informational output.
'--version'
Print version of the program and exit.
'--help'
Display a brief help page and exit.
Examples
********
The Web Key Service requires a working directory to store keys pending
for publication. As root create a working directory:
# mkdir /var/lib/gnupg/wks
# chown webkey:webkey /var/lib/gnupg/wks
# chmod 2750 /var/lib/gnupg/wks
Then under your webkey account create directories for all your
domains. Here we do it for "example.net":
$ mkdir /var/lib/gnupg/wks/example.net
Finally run
$ gpg-wks-server --list-domains
to create the required sub-directories with the permission set
correctly. For each domain a submission address needs to be configured.
All service mails are directed to that address. It can be the same
address for all configured domains, for example:
$ cd /var/lib/gnupg/wks/example.net
$ echo key-submission@example.net >submission-address
The protocol requires that the key to be published is sent with an
encrypted mail to the service. Thus you need to create a key for the
submission address:
$ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net
$ gpg -K key-submission@example.net
The output of the last command looks similar to this:
sec rsa2048 2016-08-30 [SC]
C0FCF8642D830C53246211400346653590B3795B
uid [ultimate] key-submission@example.net
ssb rsa2048 2016-08-30 [E]
Take the fingerprint from that output and manually publish the key:
$ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
> key-submission@example.net
Finally that submission address needs to be redirected to a script
running 'gpg-wks-server'. The 'procmail' command can be used for this:
Redirect the submission address to the user "webkey" and put this into
webkey's '.procmailrc':
:0
* !^From: webkey@example.net
* !^X-WKS-Loop: webkey.example.net
|gpg-wks-server -v --receive \
--header X-WKS-Loop=webkey.example.net \
--from webkey@example.net --send
Info Catalog
gnupg: gpg-wks-client
gnupg: Web Key Service