@gwire
Last active July 5, 2019 16:36
Quick publishing of keys via OpenPGP web key service

Recent issues with OpenPGP key servers are likely to prompt PGP users to advertise their keys via alternative methods.

There is currently an Internet-Draft, draft-koch-openpgp-webkey-service, describing how to publish keys over HTTPS where an infrastructure such as DANE is not yet in place.

For example, the key for example@example.org would be located at

https://openpgpkey.example.org/.well-known/openpgpkey/example.org/hu/apr3aj3jqcf89yd69qd8pkjp3pzawxhx?l=example

and if the domain openpgpkey.example.org did not exist, clients would fall back to checking

https://example.org/.well-known/openpgpkey/hu/apr3aj3jqcf89yd69qd8pkjp3pzawxhx?l=example

Since this is just static files being served by a webserver, it's feasible to set it up manually for a small organisation that controls its own email domain.

Adding the files to the server

I use a tool, wks-url.py, to find the ID. IDs are merely a web-safe encoding (the z-base-32 encoding of the SHA-1 hash of the lower-cased local part) of the local part of the email address, so they are only unique within the scope of the domain.

Create the directory /data/srv/openpgpkey/example.org/hu/ and, for each address, export the key in binary format into a file named after its ID. There is one file per email address, not per unique key.

    $ python wks-url.py -i example
    apr3aj3jqcf89yd69qd8pkjp3pzawxhx
    $ gpg --export example@example.org > apr3aj3jqcf89yd69qd8pkjp3pzawxhx
    $ sudo cp apr3aj3jqcf89yd69qd8pkjp3pzawxhx /data/srv/openpgpkey/example.org/hu/
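The ID derivation above, worked through as an added example (this is not wks-url.py or any GnuPG code): the z-base-32 encoder, the SHA-1 based WKD hash, both URL forms from the draft, and the on-disk path the file must have under the directory layout used in this gist. The base directory and the use of the unchanged local part in the `l=` query parameter are assumptions about the setup described here.

```python
import hashlib
import os
from typing import Tuple
from urllib.parse import quote

# z-base-32 alphabet used by the Web Key Directory draft for the hashed local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first, no padding chars."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)  # zero-pad the tail so it splits into whole 5-bit groups
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD ID for one mailbox: z-base-32 of SHA-1 over the lower-cased local part (20 bytes -> 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> Tuple[str, str]:
    """Return (advanced_url, direct_url) for an address; the domain is lower-cased, the hash
    is computed over the lower-cased local part, and the original local part goes into l=."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    ident = wkd_hash(local)
    query = "?l=" + quote(local, safe="")
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{ident}{query}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{ident}{query}"
    return advanced, direct


def wkd_file_path(base_dir: str, address: str) -> str:
    """Where the exported binary key must live so the alias in the nginx config can serve it.
    base_dir is assumed to be the /data/srv/openpgpkey directory from this gist."""
    local, domain = address.rsplit("@", 1)
    return os.path.join(base_dir, domain.lower(), "hu", wkd_hash(local))


if __name__ == "__main__":
    # Sample address constructed for this example; "example" is the local part used in the gist.
    for url in wkd_urls("example@example.org"):
        print(url)
    print(wkd_file_path("/data/srv/openpgpkey", "example@example.org"))
```

Running it for example@example.org should reproduce the ID shown in the shell session above and the two URLs from the top of this page.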

Webserver configuration

This is an example for Nginx, to be placed in the relevant server section.

If you're using the direct method, i.e. publishing via https://example.org/, the configuration is:

    location ^~ /.well-known/openpgpkey/hu/ {
            default_type "application/octet-stream";
            alias /data/srv/openpgpkey/example.org/hu/;
    }
    location = /.well-known/openpgpkey/policy {
            default_type "text/plain";
            return 200 "#\n" ;
    }
    location = /.well-known/openpgpkey/submission-address {
            default_type "text/plain";
            return 200 "[email protected]\n" ;
    }

If you're using the advanced method, a configuration for https://openpgpkey.example.org is needed instead, which is slightly different:

    location ^~ /.well-known/openpgpkey/ {
            default_type "application/octet-stream";
            alias /data/srv/openpgpkey/;
    }
    location = /.well-known/openpgpkey/example.org/policy {
            default_type "text/plain";
            return 200 "#\n" ;
    }
    location = /.well-known/openpgpkey/example.org/submission-address {
            default_type "text/plain";
            return 200 "[email protected]\n" ;
    }