GPG-WKS-SERVER(1) GNU Privacy Guard 2.2 GPG-WKS-SERVER(1)

NAME
gpg-wks-server - Server providing the Web Key Service

SYNOPSIS
gpg-wks-server [options] --receive
gpg-wks-server [options] --cron
gpg-wks-server [options] --list-domains
gpg-wks-server [options] --check-key user-id
gpg-wks-server [options] --install-key file user-id
gpg-wks-server [options] --remove-key user-id
gpg-wks-server [options] --revoke-key user-id

DESCRIPTION
The gpg-wks-server is a server side implementation of the Web Key
Service. It receives requests for publication, sends confirmation
requests, receives confirmations, and publishes the key. It also has
features to ease the setup and maintenance of a Web Key Directory.

When used with the command --receive a single Web Key Service mail is
processed. Commonly this command is used with the option --send to
directly send the created mails back. See below for an installation
example.

The command --cron is used for regular cleanup tasks. For example non-
confirmed requests should be removed after their expire time. It is
best to run this command once a day from a cronjob.

The command --list-domains prints all configured domains. Further it
creates missing directories for the configuration and prints warnings
pertaining to problems in the configuration.

The command --check-key (or just --check) checks whether a key with the
given user-id is installed. The process returns success in this case;
to also print a diagnostic, use option -v. If the key is not installed
a diagnostic is printed and the process returns failure; to suppress
the diagnostic, use option -q. More than one user-id can be given; see
also option --with-file.

The command --install-key manually installs a key into the WKD. The
arguments are a file with the keyblock and the user-id to install. If
the first argument resembles a fingerprint the key is taken from the
current keyring; to force the use of a file, prefix the first argument
with "./".

The command --remove-key uninstalls a key from the WKD. The process
returns success in this case; to also print a diagnostic, use option
-v. If the key is not installed a diagnostic is printed and the
process returns failure; to suppress the diagnostic, use option -q.

The command --revoke-key is not yet functional.

OPTIONS
gpg-wks-server understands these options:

--from mailaddr
Use mailaddr as the default sender address.

--header name=value
Add the mail header "name: value" to all outgoing mails.

--send Directly send created mails using the sendmail command.
Requires installation of that command.

--output file
-o Write the created mail also to file. Note that the value - for
file would write it to stdout.

--with-dir
Also print the directory name for each domain listed by command
--list-domains.

--with-file
With command --check-key print for each user-id, the address,

--verbose
Enable extra informational output.

--quiet
Disable almost all informational output.

--version
Print version of the program and exit.

--help Display a brief help page and exit.

INSTALLATION
The Web Key Service requires a working directory to store keys pending
for publication. As root create a working directory:

# mkdir /var/lib/gnupg/wks
# chown webkey:webkey /var/lib/gnupg/wks
# chmod 2750 /var/lib/gnupg/wks

Then under your webkey account create directories for all your domains.
Here we do it for "example.net":

$ mkdir /var/lib/gnupg/wks/example.net

Finally run

$ gpg-wks-server --list-domains

to create the required sub-directories with the permission set
correctly. For each domain a submission address needs to be configured.
All service mails are directed to that address. It can be the same
address for all configured domains, for example:

$ cd /var/lib/gnupg/wks/example.net
$ echo key-submission@example.net >submission-address

The protocol requires that the key to be published is sent with an
encrypted mail to the service. Thus you need to create a key for the
submission address:

$ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net
$ gpg -K key-submission@example.net

The output of the last command looks similar to this:

sec rsa2048 2016-08-30 [SC]
C0FCF8642D830C53246211400346653590B3795B
uid [ultimate] key-submission@example.net
ssb rsa2048 2016-08-30 [E]

Take the fingerprint from that output and manually publish the key:

$ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
> key-submission@example.net

Finally that submission address needs to be redirected to a script
running gpg-wks-server. The procmail command can be used for this:
Redirect the submission address to the user "webkey" and put this into
webkey's ‘.procmailrc’:

:0
* !^From: webkey@example.net
* !^X-WKS-Loop: webkey.example.net
|gpg-wks-server -v --receive \
--header X-WKS-Loop=webkey.example.net \
--from webkey@example.net --send

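The following script is an added example and is not part of the GnuPG man page or of the gpg-wks-server sources. It rehearses the installation steps above in a scratch directory (so nothing under /var/lib/gnupg is touched) and then verifies the result: that the working directory carries mode 2750 as set by the chmod step, that every domain directory holds exactly one plausible submission-address, and, going slightly beyond the page, that the two negated conditions of the .procmailrc recipe really keep the service's own outgoing mail from being fed back into --receive. All wks_* helper names, the scratch paths and the sample mails are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the GnuPG man page: rehearse the INSTALLATION
# steps in a scratch directory and verify the result before doing the same
# under /var/lib/gnupg/wks. All helper names (wks_*) are hypothetical.

# wks_setup_domain BASE DOMAIN ADDRESS
# Creates BASE/DOMAIN and writes its submission-address file, the two
# manual steps the man page performs for example.net.
wks_setup_domain() {
    mkdir -p "$1/$2"
    printf '%s\n' "$3" > "$1/$2/submission-address"
}

# wks_check_base BASE
# Succeeds when BASE is a directory with mode exactly 2750: setgid so the
# sub-directories inherit the webkey group, and no access for "other".
wks_check_base() {
    [ -d "$1" ] && [ -n "$(find "$1" -prune -perm 2750 -print)" ]
}

# wks_check_domain BASE DOMAIN
# Succeeds when the domain has a single, plausible submission address;
# otherwise prints a diagnostic on stderr and fails.
wks_check_domain() {
    f="$1/$2/submission-address"
    if [ ! -f "$f" ]; then
        echo "$2: no submission-address file" >&2
        return 1
    fi
    if [ "$(wc -l < "$f" | tr -d ' ')" != 1 ]; then
        echo "$2: submission-address must hold exactly one line" >&2
        return 1
    fi
    case "$(cat "$f")" in
        *@*.*) return 0 ;;
        *) echo "$2: '$(cat "$f")' is not a mail address" >&2; return 1 ;;
    esac
}

# wks_is_loop_mail FILE
# Mirrors the two negated conditions of the .procmailrc recipe: a mail that
# the service itself sent (From: webkey@...) or that already carries the
# X-WKS-Loop header must not be handed to --receive again.
wks_is_loop_mail() {
    grep -Eq '^(From: webkey@example\.net|X-WKS-Loop: webkey\.example\.net)' "$1"
}

# --- worked run in a scratch directory (constructed, not /var/lib/gnupg) ---
WKS_BASE=$(mktemp -d)
chmod 2750 "$WKS_BASE"
wks_setup_domain "$WKS_BASE" example.net key-submission@example.net
wks_setup_domain "$WKS_BASE" example.org key-submission@example.net  # shared address, allowed
wks_setup_domain "$WKS_BASE" broken.test not-an-address              # deliberately wrong

wks_check_base "$WKS_BASE" && echo "base directory: ok"
for d in example.net example.org broken.test; do
    wks_check_domain "$WKS_BASE" "$d" && echo "$d: ok"
done

# Constructed mails: a genuine submission and a bounce of our own confirmation.
SUBMISSION=$(mktemp); LOOPED=$(mktemp)
printf 'From: alice@example.org\nTo: key-submission@example.net\nSubject: Key publishing request\n\n' > "$SUBMISSION"
printf 'From: webkey@example.net\nX-WKS-Loop: webkey.example.net\nSubject: Confirm\n\n' > "$LOOPED"
wks_is_loop_mail "$SUBMISSION" || echo "submission: would be passed to --receive"
wks_is_loop_mail "$LOOPED"     && echo "looped mail: dropped by the recipe"

# With the real directory in place, finish as the man page says:
#   gpg-wks-server --list-domains
```

Run it as the webkey user; the only step it deliberately leaves to you is the final gpg-wks-server --list-domains against the real directory, which creates the remaining sub-directories with their permissions.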
SEE ALSO
gpg-wks-client(1)

GnuPG 2.2.9 2018-06-12 GPG-WKS-SERVER(1)