GPG-WKS-SERVER(1)            GNU Privacy Guard 2.3           GPG-WKS-SERVER(1)



NAME
       gpg-wks-server - Server providing the Web Key Service

SYNOPSIS
       gpg-wks-server [options] --receive
       gpg-wks-server [options] --cron
       gpg-wks-server [options] --list-domains
       gpg-wks-server [options] --check-key user-id
       gpg-wks-server [options] --install-key file user-id
       gpg-wks-server [options] --remove-key user-id
       gpg-wks-server [options] --revoke-key user-id


DESCRIPTION
       The gpg-wks-server is a server side implementation of the Web Key
       Service.  It receives requests for publication, sends confirmation
       requests, receives confirmations, and publishes the key.  It also has
       features to ease the setup and maintenance of a Web Key Directory.

       When used with the command --receive a single Web Key Service mail is
       processed.  Commonly this command is used with the option --send to
       directly send the created mails back.  See below for an installation
       example.

       The command --cron is used for regular cleanup tasks.  For example,
       non-confirmed requests should be removed after their expiration time.
       It is best to run this command once a day from a cronjob.

       The command --list-domains prints all configured domains.  Further, it
       creates missing directories for the configuration and prints warnings
       pertaining to problems in the configuration.

       The command --check-key (or just --check) checks whether a key with the
       given user-id is installed.  The process returns success in this case;
       to also print a diagnostic, use the option -v.  If the key is not
       installed, a diagnostic is printed and the process returns failure; to
       suppress the diagnostic, use the option -q.  More than one user-id can
       be given; see also the option --with-file.

       The command --install-key manually installs a key into the WKD.  The
       arguments are a file with the keyblock and the user-id to install.  If
       the first argument resembles a fingerprint, the key is taken from the
       current keyring; to force the use of a file, prefix the first argument
       with "./".  If no arguments are given, the parameters are read from
       stdin; the expected format is lines with the fingerprint and the
       mailbox separated by a space, one line per key to install.

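       As an added example (not part of GnuPG), the following POSIX shell
       function produces the stdin format described above from the machine-
       readable key listing, so that many keys can be installed in one run of
       gpg-wks-server --install-key; the same pipeline also replaces the manual
       copying of the fingerprint in the installation example further below.
       Only the primary key's fingerprint is used, user IDs flagged revoked or
       expired are skipped, and an optional domain argument limits the output
       to mailboxes in that domain.  The sample colon-separated listing is
       constructed for illustration and does not come from real keys.

```shell
# Added example, not part of GnuPG: emit "<fingerprint> <mailbox>" lines for
# "gpg-wks-server --install-key" (no arguments, parameters on stdin) from the
# colon-separated listing of "gpg --with-colons -K".  Only the primary key's
# fingerprint is used (fpr records after an ssb record are ignored), user IDs
# marked revoked (r) or expired (e) are skipped, and an optional domain
# argument keeps only mailboxes in that domain (case-insensitive).
#
# Usage:  gpg --with-colons -K | wks_install_list example.net | gpg-wks-server --install-key
wks_install_list() {
    awk -F: -v domain="${1:-}" '
        $1 == "sec" { fpr = ""; primary = 1; next }        # start of a key block
        $1 == "ssb" { primary = 0; next }                  # subkey: its fpr is not wanted
        $1 == "fpr" && primary && fpr == "" { fpr = $10; next }
        $1 == "uid" && fpr != "" {
            if ($2 == "r" || $2 == "e") next               # revoked or expired user ID
            uid = $10
            gsub(/\\x3a/, ":", uid)                        # gpg escapes ":" inside fields
            if (match(uid, /<[^<>]+>/)) {
                mbox = substr(uid, RSTART + 1, RLENGTH - 2) # "Name <addr>" form
            } else if (uid ~ /^[^ <>@]+@[^ <>@]+$/) {
                mbox = uid                                 # bare address user ID
            } else {
                next                                       # no mailbox in this user ID
            }
            n = split(mbox, part, "@")
            if (domain != "" && (n != 2 || tolower(part[2]) != tolower(domain))) next
            print fpr, mbox
        }'
}

# Constructed sample of "gpg --with-colons -K" output for illustration
# (fingerprints, keygrips and uid hashes are made up).
SAMPLE_COLONS='sec:u:3072:1:0346653590B3795B:1472556000:::u:::scESC:::+:::23::0:
fpr:::::::::C0FCF8642D830C53246211400346653590B3795B:
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1472556000::E1F2::key-submission@example.net::::::::::0:
uid:r::::1472556000::A3B4::Old Address <old@example.net>::::::::::0:
uid:u::::1472556000::C5D6::Alice <alice@example.org>::::::::::0:
ssb:u:3072:1:1111222233334444:1472556000::::::e:::+:::23:
fpr:::::::::0000111122223333444455556666777788889999:'

# Stand-alone run: list the constructed sample restricted to example.net.
printf '%s\n' "$SAMPLE_COLONS" | wks_install_list example.net
```

       The revoked user ID and the example.org address are filtered out, so a
       stale or foreign mailbox is never published by accident; run the
       function without a domain argument to get every mailbox of every secret
       key in the keyring.
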
       The command --remove-key uninstalls a key from the WKD.  The process
       returns success in this case; to also print a diagnostic, use the
       option -v.  If the key is not installed, a diagnostic is printed and
       the process returns failure; to suppress the diagnostic, use the
       option -q.

       The command --revoke-key is not yet functional.


OPTIONS
       gpg-wks-server understands these options:

       -C dir
       --directory dir
              Use dir as top level directory for domains.  The default is
              ‘/var/lib/gnupg/wks’.

       --from mailaddr
              Use mailaddr as the default sender address.

       --header name=value
              Add the mail header "name: value" to all outgoing mails.

       --send Directly send created mails using the sendmail command.
              Requires installation of that command.

       -o file
       --output file
              Write the created mail also to file.  Note that the value - for
              file would write it to stdout.

       --with-dir
              When used with the command --list-domains print for each
              installed domain the domain name and its directory name.

       --with-file
              When used with the command --check-key print for each user-id
              the address, 'i' for installed key or 'n' for not installed key,
              and the filename.

       --verbose
              Enable extra informational output.

       --quiet
              Disable almost all informational output.

       --version
              Print version of the program and exit.

       --help Display a brief help page and exit.


INSTALLATION
       The Web Key Service requires a working directory to store keys pending
       for publication.  As root create a working directory:

         # mkdir /var/lib/gnupg/wks
         # chown webkey:webkey /var/lib/gnupg/wks
         # chmod 2750 /var/lib/gnupg/wks

       Then under your webkey account create directories for all your domains.
       Here we do it for "example.net":

         $ mkdir /var/lib/gnupg/wks/example.net

       Next run

         $ gpg-wks-server --list-domains

       to create the required sub-directories with the permissions set
       correctly.  For each domain a submission address needs to be
       configured.  All service mails are directed to that address.  It can be
       the same address for all configured domains, for example:

         $ cd /var/lib/gnupg/wks/example.net
         $ echo key-submission@example.net >submission-address

       The protocol requires that the key to be published is sent with an
       encrypted mail to the service.  Thus you need to create a key for the
       submission address:

         $ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net
         $ gpg -K key-submission@example.net

       The key is created with an empty passphrase because the server must
       decrypt submissions unattended; the GnuPG home directory of the webkey
       account therefore needs the same protection as the working directory.

       The output of the last command looks similar to this:

         sec   rsa3072 2016-08-30 [SC]
               C0FCF8642D830C53246211400346653590B3795B
         uid           [ultimate] key-submission@example.net
                       bxzcxpxk8h87z1k7bzk86xn5aj47intu@example.net
         ssb   rsa3072 2016-08-30 [E]

       Take the fingerprint from that output and manually publish the key:

         $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
         >    key-submission@example.net

       Finally, that submission address needs to be redirected to a script
       running gpg-wks-server.  The procmail command can be used for this:
       Redirect the submission address to the user "webkey" and put this into
       webkey's ‘.procmailrc’:

         :0
         * !^From: webkey@example.net
         * !^X-WKS-Loop: webkey.example.net
         |gpg-wks-server -v --receive \
             --header X-WKS-Loop=webkey.example.net \
             --from webkey@example.net --send



SEE ALSO
       gpg-wks-client(1)



GnuPG 2.3.7                       2022-06-27                 GPG-WKS-SERVER(1)