Configuring Web Key Directory for GPG
Web Key Directory (WKD) is a proposal for a new way to discover other users' keys, using HTTPS instead of key servers. In short, the client derives a URL from the e-mail address in the UID and fetches the key from that address's own domain. This works because a UID used for WKD contains an e-mail address, and every e-mail address has two parts: the local part before the @ and the host part after it. The host part tells the client which server to ask, and the local part determines the file name.
When we need to look up a new key, we query that server over TLS and ask it for the user's public key. Boom! Now you don't need to rely on flaky key servers that are abused for nefarious purposes and, given their immutable nature, can never be cleaned up. The caveat is that the trust now rests on the domain's TLS certificate and on whoever controls its web root (usually the mail provider), so WKD replaces the key server, not fingerprint verification.
The documentation for WKD leaves much to be desired, and seems mostly focused on setting up more advanced systems (the Web Key Service, gpg-wks-server) for larger organizations to let users manage their WKD identity. For personal use it's pretty straightforward to generate and publish the files by hand.
- The local part of the e-mail address (not the whole UID, and not the domain) is lowercased and SHA-1 hashed; the 20-byte digest is z-base-32 encoded, which always gives a 32-character name
- The file with that name holds the public key in binary OpenPGP format (plain gpg --export, not --armor); the draft also expects a policy file next to the hu/ directory, which may be empty
- Uses the RFC 5785 well-known scheme: https://netwerk.io/.well-known/openpgpkey/hu/dmkqu7xwyxmspm94y6147dss1n59nfag, where the last part is the hash of your local part. This is the "direct" method; the draft also defines an "advanced" method under openpgpkey.<domain>/.well-known/openpgpkey/<domain>/hu/, which newer GnuPG versions try first before falling back to the direct one
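The hashing and layout rules above, as an added example that is not code from the original post: it computes the WKD file name for an address, builds both lookup URLs, refuses to publish anything that is not a binary OpenPGP public-key packet, and writes the direct-method layout under a web root. The only test vector it relies on is the WKD draft's own example address Joe.Doe@Example.ORG; netwerk.io and the author's key are not used, the web root is whatever path you pass in, and the function names are this example's own.

```python
"""WKD helper: hash rule, lookup URLs, binary-key check and direct-method layout.
Added example, not part of the original post or of GnuPG."""
import base64
import hashlib
import os
from typing import Dict, Tuple

# RFC 4648 base32 alphabet and the z-base-32 alphabet WKD uses. The bit layout
# is identical, so encoding is a base32 encode followed by a character swap.
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = str.maketrans(_B32, _ZB32)


def zbase32(data: bytes) -> str:
    """z-base-32 encode without padding. A 20-byte SHA-1 digest is 160 bits,
    i.e. exactly 32 five-bit groups, so no '=' padding is ever produced."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(_TO_ZB32)


def split_address(email: str) -> Tuple[str, str]:
    """Return (local part, lowercased domain); reject anything without an '@'."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local, domain.lower()


def wkd_hash(email: str) -> str:
    """Only the local part is hashed, after lowercasing; the domain is not."""
    local, _ = split_address(email)
    return zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())


def wkd_urls(email: str) -> Dict[str, str]:
    """The two URLs a client may try. GnuPG tries 'advanced' first and falls
    back to 'direct', which is the layout used in this post. The original
    (un-lowercased) local part is passed as the l= query parameter."""
    local, domain = split_address(email)
    h = wkd_hash(email)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={local}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}",
    }


def is_binary_public_key(data: bytes) -> bool:
    """True if data starts with an OpenPGP public-key packet (tag 6, RFC 4880),
    which is what WKD requires. An ASCII-armored export ('-----BEGIN PGP ...')
    fails this check, and so does an empty file."""
    if not data:
        return False
    b = data[0]
    if b & 0x80 == 0:              # bit 7 is set on every packet header
        return False
    if b & 0x40:                   # new-format header: tag in the low 6 bits
        return (b & 0x3F) == 6
    return ((b >> 2) & 0x0F) == 6  # old-format header: tag in bits 2..5


def publish_direct(webroot: str, email: str, key: bytes) -> str:
    """Write the direct-method layout: a policy file (empty is fine) and
    hu/<hash> containing the binary key. Returns the key file's path."""
    if not is_binary_public_key(key):
        raise ValueError("key must be the binary output of 'gpg --export', not --armor")
    base = os.path.join(webroot, ".well-known", "openpgpkey")
    os.makedirs(os.path.join(base, "hu"), exist_ok=True)
    open(os.path.join(base, "policy"), "ab").close()
    path = os.path.join(base, "hu", wkd_hash(email))
    with open(path, "wb") as f:
        f.write(key)
    return path


if __name__ == "__main__":
    # The WKD draft's own example address; its documented hash is
    # iy9q119eutrkn8s1mk4r39qejnbu3n5q.
    addr = "Joe.Doe@Example.ORG"
    print(wkd_hash(addr))
    for method, url in wkd_urls(addr).items():
        print(f"{method}: {url}")
```

Run it against your own address and compare the result with gpg --list-keys --with-wkd-hash (or gpg-wks-client --print-wkd-url); if is_binary_public_key rejects your export you almost certainly used --armor. Serve the hu/ files with an Access-Control-Allow-Origin: * header, as the draft recommends, so browser-based clients can fetch them too.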
Show me, show me!
If you don't want to hash it yourself, just let gpg print the WKD hash for your key, like so:
```
vegardx@yondu:~ $ gpg --list-keys --with-wkd-hash email@example.com
pub   rsa4096/0xBBF808963354ED16 2019-08-06 [SC]
      Key fingerprint = 4770 5635 6BEF A6F0 FBE7 BB21 BBF8 0896 3354 ED16
uid                   [ultimate] Vegard Hansen <firstname.lastname@example.org>
                      email@example.com
sub   rsa4096/0xCE7C14C99AB0CF0C 2019-08-06 [E]
sub   rsa4096/0xC2CADE62F7C2714B 2019-10-08 [A]
```
So when you've put the file in the correct place with the correct content you should be able to look yourself up, without using a key server, like so. Do this from a machine or keyring that doesn't already hold the key, as in the output below, since gpg's default auto-key-locate checks the local keyring first and would never go to the network (newer GnuPG also has --locate-external-keys, which skips the local keyring):
```
vegardx@bork:~ $ gpg --locate-keys firstname.lastname@example.org
gpg: key BBF808963354ED16: public key "Vegard Hansen <email@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
pub   rsa4096 2019-08-06 [SC]
      477056356BEFA6F0FBE7BB21BBF808963354ED16
uid           [ unknown] Vegard Hansen <firstname.lastname@example.org>
sub   rsa4096 2019-08-06 [E]
sub   rsa4096 2019-10-08 [A]
```
Published: 07 August, 2019