=> gemini://idiomdrottning.org/gpg-wkd Original URL
# GPG WKD

I know that for Proton Mail users, you can just gpg --locate-keys their address and you’ll get their keys. I wanted to set up something similar for my own email and it was a headache and a half.

This is more of a li’l diary entry and causerie than reliable and complete documentation.

```Shell commands
mkdir -p /tmp/lets-do-this/.well-known/openpgpkey
cd /tmp/lets-do-this
sudo apt install gpg-wks-client # Or whatever non-Debian people do
```

Then, you’re supposed to do this:

```Shell commands
gpg --list-options show-only-fpr-mbox -k sandra.snan@idiomdrottning.org|/usr/lib/gnupg/gpg-wks-client -C .well-known/openpgpkey -v --install-key
```

but I have plenty of unused keys in my ring, so I checked the first part of that (the gpg listing prints one “fingerprint mailbox” line per matching user ID) and saw that the first was the one I wanted (matching fingerprints). First one means head -1, ninth would be sed -n 9p, and last would be tail -1. So since in my case I’m grabbing the first:

```Shell commands
gpg --list-options show-only-fpr-mbox -k sandra.snan@idiomdrottning.org|head -1|/usr/lib/gnupg/gpg-wks-client -C .well-known/openpgpkey -v --install-key
```

Now, that’s not any good because it uses the “advanced” method. According to the spec, that method is for multi-domain setups, but I have nginx so we can already dispatch on a domain level right in the web server, and for now I just wanted my Idiomdrottning domain. I want the direct method so I don’t have to futz around with registering a new hostname. At least for now.

One caveat with that choice: clients try the advanced method first and only fall back to the direct method when openpgpkey.idiomdrottning.org does not resolve, so the direct method stops working if a wildcard DNS record ever starts answering for that name.

This means manually having to:

```Shell commands
cd .well-known/openpgpkey/
mv idiomdrottning.org/* .
rmdir idiomdrottning.org
```

(That moves the hu directory, and the policy file if gpg-wks-client created one, up one level, which is exactly the direct-method layout: .well-known/openpgpkey/policy and .well-known/openpgpkey/hu/.)

Create an index.html file in the hu directory to disable dirlisting (not that there’s anything else in there). Then

```Shell commands
cd /tmp/lets-do-this
chmod -R 755 .well-known
```

and rsync it up to the server. I didn’t get it working at first, because I had made two fatal mistakes.
One was pretty specific to my wonky setup: I already had the .well-known path reverse-proxied for some other stuff I’ve got going on. I had to edit nginx stuff to make that a li’l more fine grained. That was on me, I had a non-default setup.

The other was that the hu directory wasn’t executable by the www-data user. Readable is not enough when it comes to directories; the x bit is what lets a process traverse into them and open the files inside.

I could troubleshoot both of these issues with

```Shell commands
wget -qO- "https://idiomdrottning.org/.well-known/openpgpkey/hu/frhc9h9dc9cq8ffnxtrj817y4o1jxztm"|less
```

(Where that frhc9h9dc9cq8ffnxt… stuff is my own name, sandra.snan, encoded: the SHA-1 hash of the lowercased local part, written in Z-Base-32. To find your own, look in that hu directory you generated, or run gpg --with-wkd-hash -k with your address and read the hash off the line under your user ID.)

Anyway, now

```Shell commands
gpg --locate-keys sandra.snan@idiomdrottning.org
```

finally works.

I’m not doing the whole proofs.json thing from Replacing Keybase, I’m only using a static WKD as per the GnuPG wiki.

=> //alexschroeder.ch/wiki/2020-05-08_Replacing_Keybase Replacing Keybase
=> /finding-keys Finding PGP keys
=> https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service WKD spec
=> https://wiki.gnupg.org/WKDHosting WKDHosting - GnuPG wiki

## WKD as a service

If you don’t have a web server on your email domain but you can set CNAME records, you can use the WKD-as-a-service offered by keys.openpgp.org (it works through the advanced method, with a CNAME for the openpgpkey subdomain of your domain pointing at them):

=> https://keys.openpgp.org/about/usage keys.openpgp.org

You could get mitmed by them so this is only if you trust them, but it’s still better than a keyserver (which requires the same trust, and this is faster and works automatically in more apps).
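## Checking the hash and the directory tree

The hashed file name in the hu directory and the two URLs gpg tries come straight from the WKD spec, and both of the mistakes above (wrong permissions, wrong path served) can be checked for before rsyncing. What follows is an added example, not code from the original post or from GnuPG: it derives the hu name (SHA-1 of the lowercased local part, Z-Base-32 encoded), builds the advanced and direct lookup URLs, and checks a document root the way an unprivileged web server user would see it. The temporary tree and the placeholder key bytes in demo() are constructed for the sake of running offline; the script talks to neither gpg nor any server.

```python
"""Added example (not from the post): derive WKD lookup URLs and check a
generated .well-known tree the way the web server will see it."""
import hashlib
import os
import stat
import tempfile
from urllib.parse import quote

# Z-Base-32 alphabet (RFC 6189 section 5.1.6), the encoding WKD uses.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Z-Base-32 encode: every 5 bits become one character, no padding chars."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)          # pad the last group with zero bits
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' name: SHA-1 of the lowercased local part, Z-Base-32 encoded.
    160 bits divide evenly into 32 five-bit groups, hence the fixed length."""
    return zbase32(hashlib.sha1(local_part.lower().encode()).digest())


def wkd_urls(address: str) -> dict:
    """The two URLs a client may try. Advanced is tried first; direct is the
    fallback when the openpgpkey.<domain> name does not resolve."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    q = "?l=" + quote(local, safe="")       # the spec sends the original local part
    return {
        "hash": h,
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{q}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{q}",
    }


def check_direct_layout(docroot: str, address: str) -> list:
    """Problems an unprivileged web server user would hit serving `address`
    from docroot/.well-known/openpgpkey via the direct method."""
    problems = []
    base = os.path.join(docroot, ".well-known", "openpgpkey")
    key_file = os.path.join(base, "hu", wkd_hash(address.split("@")[0]))
    # Every directory on the path needs "other" search (x) permission;
    # r alone on a directory is not enough, as the post found out.
    for d in (docroot, os.path.join(docroot, ".well-known"), base,
              os.path.join(base, "hu")):
        if not os.path.isdir(d):
            return problems + [f"missing directory: {d}"]
        if not os.stat(d).st_mode & stat.S_IXOTH:
            problems.append(f"directory not searchable by others: {d}")
    for f in (os.path.join(base, "policy"), key_file):
        if not os.path.isfile(f):
            problems.append(f"missing file: {f}")
        elif not os.stat(f).st_mode & stat.S_IROTH:
            problems.append(f"file not readable by others: {f}")
    # WKD serves the key in binary form; an ASCII-armored export is not usable.
    if os.path.isfile(key_file):
        with open(key_file, "rb") as fh:
            if fh.read(16).startswith(b"-----BEGIN"):
                problems.append(f"key file is ASCII-armored: {key_file}")
    return problems


def demo(address: str = "sandra.snan@idiomdrottning.org") -> tuple:
    """Build a constructed tree with the post's mistake (hu readable but not
    searchable), check it, fix the mode, check again. Returns (before, after)."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)                   # mkdtemp creates the root as 0700
    hu = os.path.join(root, ".well-known", "openpgpkey", "hu")
    os.makedirs(hu)
    for d in (os.path.dirname(os.path.dirname(hu)), os.path.dirname(hu)):
        os.chmod(d, 0o755)
    policy = os.path.join(os.path.dirname(hu), "policy")
    key_file = os.path.join(hu, wkd_hash(address.split("@")[0]))
    # Placeholder bytes standing in for a binary key export; not a real key.
    for f, data in ((policy, b""), (key_file, b"\x98\x00")):
        with open(f, "wb") as fh:
            fh.write(data)
        os.chmod(f, 0o644)
    os.chmod(hu, 0o744)                     # readable by others, not searchable
    before = check_direct_layout(root, address)
    os.chmod(hu, 0o755)
    after = check_direct_layout(root, address)
    return before, after


if __name__ == "__main__":
    print(wkd_urls("sandra.snan@idiomdrottning.org"))
    before, after = demo()
    print("before chmod 755 on hu:", before)
    print("after chmod 755 on hu:", after)
```

Run it as a script to see both URLs and the before/after of the permission check, or point check_direct_layout() at the directory you are about to rsync (the docroot argument is whatever your web server serves as the site root). The hash it prints should match what gpg --with-wkd-hash -k shows for the same address; if it does not, the local part was hashed with different case.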