1GPG-WKS-SERVER(1) GNU Privacy Guard 2.2 GPG-WKS-SERVER(1)
2
6 gpg-wks-server - Server providing the Web Key Service
7
9 gpg-wks-server [options] --receive
10 gpg-wks-server [options] --cron
11 gpg-wks-server [options] --list-domains
12 gpg-wks-server [options] --check-key user-id
13 gpg-wks-server [options] --install-key file user-id
14 gpg-wks-server [options] --remove-key user-id
15 gpg-wks-server [options] --revoke-key user-id
16
19 The gpg-wks-server is a server site implementation of the Web Key Ser‐
20 vice. It receives requests for publication, sends confirmation re‐
21 quests, receives confirmations, and published the key. It also has
22 features to ease the setup and maintenance of a Web Key Directory.
23 When used with the command --receive a single Web Key Service mail is
25 processed. Commonly this command is used with the option --send to di‐
26 rectly send the crerated mails back. See below for an installation ex‐
27 ample.
28 The command --cron is used for regualr cleanup tasks. For example non-
30 confirmed requested should be removed after their expire time. It is
31 best to run this command once a day from a cronjob.
32 The command --list-domains prints all configured domains. Further it
34 creates missing directories for the configuration and prints warnings
35 pertaining to problems in the configuration.
36 The command --check-key (or just --check) checks whether a key with the
38 given user-id is installed. The process returns success in this case;
39 to also print a diagnostic use the option -v. If the key is not in‐
40 stalled a diagnostic is printed and the process returns failure; to
41 suppress the diagnostic, use option -q. More than one user-id can be
42 given; see also option with-file.
43 The command --install-key manually installs a key into the WKD. The
45 arguments are a file with the keyblock and the user-id to install. If
46 the first argument resembles a fingerprint the key is taken from the
47 current keyring; to force the use of a file, prefix the first argument
48 with "./". If no arguments are given the parameters are read from
49 stdin; the expected format are lines with the fingerprint and the mail‐
50 box separated by a space.
51 The command --remove-key uninstalls a key from the WKD. The process
53 returns success in this case; to also print a diagnostic, use option
54 -v. If the key is not installed a diagnostic is printed and the
55 process returns failure; to suppress the diagnostic, use option -q.
56 The command --revoke-key is not yet functional.
58
62 gpg-wks-server understands these options:
63 -C dir
67 --directory dir
68 Use dir as top level directory for domains. The default is
69 ‘/var/lib/gnupg/wks’.
70 --from mailaddr
73 Use mailaddr as the default sender address.
74 --header name=value
77 Add the mail header "name: value" to all outgoing mails.
78 --send Directly send created mails using the sendmail command. Re‐
81 quires installation of that command.
82 -o file
85 --output file
86 Write the created mail also to file. Note that the value - for
87 file would write it to stdout.
88 --with-dir
91 When used with the command --list-domains print for each in‐
92 stalled domain the domain name and its directory name.
93 --with-file
96 When used with the command --check-key print for each user-id,
97 the address, 'i' for installed key or 'n' for not installed key,
98 and the filename.
99 --verbose
102 Enable extra informational output.
103 --quiet
106 Disable almost all informational output.
107 --version
110 Print version of the program and exit.
111 --help Display a brief help page and exit.
114
117 The Web Key Service requires a working directory to store keys pending
118 for publication. As root create a working directory:
119 # mkdir /var/lib/gnupg/wks
121 # chown webkey:webkey /var/lib/gnupg/wks
122 # chmod 2750 /var/lib/gnupg/wks
123 Then under your webkey account create directories for all your domains.
125 Here we do it for "example.net":
126 $ mkdir /var/lib/gnupg/wks/example.net
128 Finally run
130 $ gpg-wks-server --list-domains
132 to create the required sub-directories with the permissions set cor‐
134 rectly. For each domain a submission address needs to be configured.
135 All service mails are directed to that address. It can be the same ad‐
136 dress for all configured domains, for example:
137 $ cd /var/lib/gnupg/wks/example.net
139 $ echo key-submission@example.net >submission-address
140 The protocol requires that the key to be published is send with an en‐
142 crypted mail to the service. Thus you need to create a key for the
143 submission address:
144 $ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net
146 $ gpg -K key-submission@example.net
147 The output of the last command looks similar to this:
149 sec rsa2048 2016-08-30 [SC]
151 C0FCF8642D830C53246211400346653590B3795B
152 uid [ultimate] key-submission@example.net
153 ssb rsa2048 2016-08-30 [E]
154 Take the fingerprint from that output and manually publish the key:
156 $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
158 > key-submission@example.net
159 Finally that submission address needs to be redirected to a script run‐
161 ning gpg-wks-server. The procmail command can be used for this: Redi‐
162 rect the submission address to the user "webkey" and put this into we‐
163 bkey's ‘.procmailrc’:
164 :0
166 * !^From: webkey@example.net
167 * !^X-WKS-Loop: webkey.example.net
168 |gpg-wks-server -v --receive \
169 --header X-WKS-Loop=webkey.example.net \
170 --from webkey@example.net --send
171
175 gpg-wks-client(1)
176GnuPG 2.2.27 2020-12-21 GPG-WKS-SERVER(1)