Previous: , Up: Web Key Service   [Contents][Index]


9.2 Provide the Web Key Service

The gpg-wks-server is a server site implementation of the Web Key Service. It receives requests for publication, sends confirmation requests, receives confirmations, and published the key. It also has features to ease the setup and maintenance of a Web Key Directory.

When used with the command --receive a single Web Key Service mail is processed. Commonly this command is used with the option --send to directly send the crerated mails back. See below for an installation example.

The command --cron is used for regualr cleanup tasks. For example non-confirmed requested should be removed after their expire time. It is best to run this command once a day from a cronjob.

The command --list-domains prints all configured domains. Further it creates missing directories for the configuration and prints warnings pertaining to problems in the configuration.

The commands --install-key, --remove-key, and --revoke-key are not yet functional.

gpg-wks-server understands these options:

--from mailaddr

Use mailaddr as the default sender address.

--header name=value

Add the mail header "name: value" to all outgoing mails.

--send

Directly send created mails using the sendmail command. Requires installation of that command.

--output file
-o

Write the created mail also to file. Note that the value - for file would write it to stdout.

--verbose

Enable extra informational output.

--quiet

Disable almost all informational output.

--version

Print version of the program and exit.

--help

Display a brief help page and exit.

Examples

The Web Key Service requires a working directory to store keys pending for publication. As root create a working directory:

  # mkdir /var/lib/gnupg/wks
  # chown webkey:webkey /var/lib/gnupg/wks
  # chmod 2750 /var/lib/gnupg/wks

Then under your webkey account create directories for all your domains. Here we do it for "example.net":

  $ mkdir /var/lib/gnupg/wks/example.net

Finally run

  $ gpg-wks-server --list-domains

to create the required sub-directories with the permission set correctly. For each domain a submission address needs to be configured. All service mails are directed to that address. It can be the same address for all configured domains, for example:

  $ cd /var/lib/gnupg/wks/example.net
  $ echo key-submission@example.net >submission-address

The protocol requires that the key to be published is sent with an encrypted mail to the service. Thus you need to create a key for the submission address:

  $ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net
  $ gpg --with-wkd-hash -K key-submission@example.net

The output of the last command looks similar to this:

  sec   rsa2048 2016-08-30 [SC]
        C0FCF8642D830C53246211400346653590B3795B
  uid           [ultimate] key-submission@example.net
                bxzcxpxk8h87z1k7bzk86xn5aj47intu@example.net
  ssb   rsa2048 2016-08-30 [E]

Take the hash of the string "key-submission", which is "bxzcxpxk8h87z1k7bzk86xn5aj47intu" and manually publish that key:

  $ gpg --export-options export-minimal --export \
  >  -o /var/lib/gnupg/wks/example.net/hu/bxzcxpxk8h87z1k7bzk86xn5aj47intu \
  >  key-submission@example.new

Make sure that the created file is world readable.

Finally that submission address needs to be redirected to a script running gpg-wks-server. The procmail command can be used for this: Redirect the submission address to the user "webkey" and put this into webkey’s .procmailrc:

:0
* !^From: webkey@example.net
* !^X-WKS-Loop: webkey.example.net
|gpg-wks-server -v --receive \
     --header X-WKS-Loop=webkey.example.net \
     --from webkey@example.net --send

Previous: , Up: Web Key Service   [Contents][Index]