Setting Up a Small Manual OpenPGP Web Key Directory
With the bit rot of the public PGP keyservers, alternatives have sprung up. One is the OpenPGP Web Key Directory (WKD) which, for user randy@psg.com, relies on the authenticity of the DNS for psg.com and of the TLS certificate of the https://psg.com web server. In my case,
- I run the DNS service for psg.com on my own servers
- the psg.com zone is DNSSEC signed
- https://psg.com/ uses a Let's Encrypt TLS certificate, and
- there is a TLSA (DANE) record for the psg.com web service, so DNSSEC also vouches for the Let's Encrypt TLS key.
Thanks to Phil Pennock for the patience to hammer the clue through my thick skull.
If you want to get an IETF-like view of PGP Web Key Directories, see the OpenPGP Web Key Directory draft or the latest version.
Here is the wiki page; and the one about hosting a WKD.
If you want to build and install a system supporting multiple users with a federated WKD, Phil has this amazing app for that.
But I just wanted to install my own personal key as a WKD on the psg.com web service.
But psg.com runs FreeBSD, and all the tooling seems to be for Linux and wants the latest python3, GPG, etc. So I built a scratch Debian to create the files and then moved them over.
Apologies that copy/paste is complicated by the Linux prompts, but I wanted to be clear which host was which.
And excuse my using two aliases to make my rsync use easier.
alias rsy='rsync -vlpPStgoHx'
alias rsyr='rsync -vPaHxRS'
Debian 10
If the server which hosts the web site for the domain of your PGP key has the current python3 and GPG, then you can just do this there.
This was not the case for me, so I started with a scratch Debian buster VM, named scratch.rg.net oddly enough, on VirtualBox on my laptop. Debian 9 does not have the current python3, GPG, ...
The laptop itself is ryuu.rg.net, a Mac. The target system is psg.com.
Get the PGP Key to the Work Machine
We only need the public key, which one does not mind sloshing around everywhere.
I have multiple current, and a number of old, PGP keys, so I needed to be specific about which one to export:
gpg --export 75F2C46EF1697D9292761465CCCC05ECB83A02ED > randy.pgp
rsy randy.pgp scratch.rg.net:
Then import it into a fresh local GnuPG keyring on scratch.rg.net
scratch.rg.net:/home/randy> gpg --import randy.pgp
gpg: directory '/home/randy/.gnupg' created
gpg: keybox '/home/randy/.gnupg/pubring.kbx' created
gpg: key CCCC05ECB83A02ED: 36 signatures not checked due to missing keys
gpg: /home/randy/.gnupg/trustdb.gpg: trustdb created
gpg: key CCCC05ECB83A02ED: public key "Randy Bush <randy@psg.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
Get a Hack
I grabbed Phil's Script
wget https://github.com/PennockTech/openpgpkey-control/raw/main/other/standalone-update-website
chmod 755 standalone-update-website
Create an Unarmored Key
WKD wants an unarmored (binary) key, so
gpg --export --no-armor randy > randy.asc
Yes, the .asc extension would seem to imply armor, but what the heck. (gpg --export writes binary output unless --armor is in effect, so the explicit --no-armor just guards against an armor setting in gpg.conf.)
Generate and Install the WKD Data
Make a working dir to have its content rsynced to psg.com later.
scratch.rg.net:/home/randy> mkdir work
Generate WKD
./standalone-update-website -v -d psg.com -o /home/randy/work -k randy.asc
pgp: created pbe8wr5gm5b4gf43adj411yrreqyib6u for randy@psg.com
And then move it to the real server
scratch.rg.net:/home/randy> cd work
scratch.rg.net:/home/randy/work> rsyr .well-known psg.com:/usr/local/www/share/psg
sending incremental file list
.well-known/
.well-known/openpgpkey/
.well-known/openpgpkey/policy
0 100% 0.00kB/s 0:00:00 (xfr#1, to-chk=2/5)
.well-known/openpgpkey/hu/
.well-known/openpgpkey/hu/pbe8wr5gm5b4gf43adj411yrreqyib6u
26,027 100% 0.00kB/s 0:00:00 (xfr#2, to-chk=0/5)
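The 32-character file name the script printed and the .well-known/openpgpkey layout rsynced above are exactly what the WKD draft prescribes: the local part of the address is mapped to lower case (ASCII letters only), SHA-1 hashed, and z-base-32 encoded, and the result is served under hu/ next to a policy file. As an added example, not from the original post and not Phil Pennock's script, the following Python derives that name and the URLs a client will fetch for an address, so you can predict the file name before deploying and check what a client will ask for. It assumes only the draft's mapping and URL rules; the z-base-32 step reuses the standard library's base32 encoder with a translated alphabet, which works because the two encodings differ only in alphabet.

```python
# Added example (not from the original post or from Phil Pennock's tooling):
# derive the WKD "hu" file name and the lookup URLs for a mail address,
# following draft-koch-openpgp-webkey-service.
import base64
import hashlib
from urllib.parse import quote

# RFC 4648 base32 and z-base-32 both consume the input MSB-first in 5-bit
# groups; only the alphabets differ, so translating the characters of the
# standard library's b32encode output yields z-base-32.
_RFC4648_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZBASE32 = str.maketrans(_RFC4648_ALPHABET, _ZBASE32_ALPHABET)


def map_local_part(local_part: str) -> str:
    """Apply the draft's mapping rule: only ASCII A-Z are folded to lower case."""
    return "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)


def wkd_hash(local_part: str) -> str:
    """z-base-32(SHA-1(mapped local part)); always 32 characters long."""
    digest = hashlib.sha1(map_local_part(local_part).encode("utf-8")).digest()
    # 160 bits is exactly 32 five-bit groups, so b32encode emits no '=' padding.
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZBASE32)


def wkd_urls(address: str) -> dict:
    """Return the hash, the direct- and advanced-method URLs and policy URLs,
    and the path the direct method expects under the web root."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()          # domain names are case-insensitive
    hu = wkd_hash(local)
    l_param = quote(local, safe="")  # the ORIGINAL local part rides along as ?l=
    return {
        "hash": hu,
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l_param}",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{hu}?l={l_param}"),
        "advanced_policy": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                            f"{domain}/policy"),
        "webroot_path": f".well-known/openpgpkey/hu/{hu}",
    }


if __name__ == "__main__":
    import sys
    for addr in sys.argv[1:] or ["randy@psg.com"]:
        for key, value in wkd_urls(addr).items():
            print(f"{key:16} {value}")
```

Run it with the address in question and compare the hash entry with the name the script printed; the webroot_path entry is the file the rsync above put under /usr/local/www/share/psg, and the file it points at must be the binary (unarmored) key. Per the draft, a client tries the advanced method (the openpgpkey sub-domain) first and falls back to the direct method when that sub-domain does not exist in DNS, so with the direct layout used here, do not let openpgpkey.psg.com resolve to a web server that does not carry the advanced layout.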
Test That it Works
Go to a system with no local key store, or at least one that does not have the key you want to test. Oh, and it has to have a newish gpg installed; --locate-external-keys arrived in GnuPG 2.2.17.
rip.psg.com:/home/randy> gpg --locate-external-keys --auto-key-locate wkd randy@psg.com
gpg: directory '/home/randy/.gnupg' created
gpg: keybox '/home/randy/.gnupg/pubring.kbx' created
gpg: /home/randy/.gnupg/trustdb.gpg: trustdb created
gpg: key CCCC05ECB83A02ED: public key "Randy Bush <randy@psg.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
pub rsa2048 2006-03-09 [SC] [expires: 2022-01-17]
75F2C46EF1697D9292761465CCCC05ECB83A02ED
uid [ unknown] Randy Bush <randy@psg.com>
sub rsa2048 2006-03-09 [E] [expires: 2022-01-02]
sub rsa4096 2014-02-12 [S] [expires: 2022-01-02]
And Bob's your uncle.
Getting a GPG which actually has --locate-external-keys
Debian stretch had too old a GPG. Buster too. On Buster, I had to
sudo apt-get install gpg/buster-backports gpgconf/buster-backports dirmngr/buster-backports
macOS with GPGTools was insufficient, so I had to
brew install gnupg
Configuration Parameters
In my ~/.gnupg/gpg.conf I found
auto-key-locate wkd keyserver
useful: it tries WKD first and falls back to the keyservers only if that fails.
2021.12.29