| author | Patrick Spek <p.spek@tyil.nl> | 2021-02-05 09:55:25 +0100 |
|---|---|---|
| committer | Patrick Spek <p.spek@tyil.nl> | 2021-04-01 07:26:50 +0200 |
| commit | c455896ae9e69e2498742ff795e7886dee1ffa23 (patch) | |
| tree | 62a7353cbd1b14b4dd93b453f1f38cfe533c66ec /_posts/2020-05-30-setting-up-pgp-wkd.md | |
| parent | 32acfbf6bf21d52e987d1b7599128f75b759ab28 (diff) | |
Move source files into src
Diffstat (limited to '_posts/2020-05-30-setting-up-pgp-wkd.md')
-rw-r--r-- | _posts/2020-05-30-setting-up-pgp-wkd.md | 107 |
1 files changed, 0 insertions, 107 deletions
diff --git a/_posts/2020-05-30-setting-up-pgp-wkd.md b/_posts/2020-05-30-setting-up-pgp-wkd.md deleted file mode 100644 index 147f8c0..0000000 --- a/_posts/2020-05-30-setting-up-pgp-wkd.md +++ /dev/null 
@@ -1,107 +0,0 @@ ---- -title: Setting Up a PGP Webkey Directory -layout: post -tags: PGP GPG WKD Security -social: - email: mailto:~tyil/public-inbox@lists.sr.ht&subject=Setting Up a PGP Webkey Directory - mastodon: https://soc.fglt.nl/notice/9vaBwcOO6ynNYfT7Lc -description: > - A friend on IRC asked me how I made my PGP key available in a webkey - directory. This post will detail my path, so you can easily set it up for - yourself. ---- - -A little while ago, a friend on IRC asked me how I set up a PGP webkey -directory on my website. For those that don't know, a webkey directory is a -method to find keys through `gpg`'s `--locate-key` command. This allows people -to find my key using this command: - -{% highlight sh %} -gpg --locate-key p.spek@tyil.nl -{% endhighlight %} - -This is a very user-friendly way for people to get your key, as compared to -using long IDs. - -This post will walk you through setting it up on your site, so you can make -your key more easily accessible to other people. - -## Set up the infrastructure - -For a webkey directory to work, you simply need to have your key available at a -certain path on your website. The base path for this is -`.well-known/openpgpkey/`. - -{% highlight sh %} -mkdir -p .well-known/openpgpkey -{% endhighlight %} - -The webkey protocol will check for a `policy` file to exist, so you must create -this too. The file can be completely empty, and that's exactly how I have it. - -{% highlight sh %} -touch .well-known/openpgpkey/policy -{% endhighlight %} - -The key(s) will be placed in the `hu` directory, so create this one too. - -{% highlight sh %} -mkdir .well-known/openpgpkey/hu -{% endhighlight %} - -## Adding your PGP key - -The key itself is just a standard export of your key, without ASCII armouring. -However, the key does need to have its file **name** in a specific format. -Luckily, you can just show this format with `gpg`'s `--with-wkd-hash` option. 
- -{% highlight sh %} -gpg --with-wkd-hash -k p.spek@tyil.nl -{% endhighlight %} - -This will yield output that may look something like this: - -{% highlight text %} -pub rsa4096/0x7A6AC285E2D98827 2018-09-04 [SC] - Key fingerprint = 1660 F6A2 DFA7 5347 322A 4DC0 7A6A C285 E2D9 8827 -uid [ultimate] Patrick Spek <p.spek@tyil.nl> - i4fxxwcfae1o4d7wnb5bop89yfx399yf@tyil.nl -sub rsa2048/0x031D65902E840821 2018-09-04 [S] -sub rsa2048/0x556812D46DABE60E 2018-09-04 [E] -sub rsa2048/0x66CFE18D6D588BBF 2018-09-04 [A] -{% endhighlight %} - -What we're interested in is the `uid` line with the hash in the local-part of -the email address, which would be `i4fxxwcfae1o4d7wnb5bop89yfx399yf@tyil.nl`. -For the filename, we only care about the local-part itself, meaning the export -of the key must be saved in a file called `i4fxxwcfae1o4d7wnb5bop89yfx399yf`. - -{% highlight sh %} -gpg --export 0x7A6AC285E2D98827 > .well-known/openpgpkey/hu/i4fxxwcfae1o4d7wnb5bop89yfx399yf -{% endhighlight %} - -## Configuring your webserver - -Lastly, your webserver may require some configuration to serve the files -correctly. For my blog, I'm using [`lighttpd`](https://www.lighttpd.net/), for -which the configuration block I'm using is as follows. - -{% highlight lighttpd %} -$HTTP["url"] =~ "^/.well-known/openpgpkey" { - setenv.add-response-header = ( - "Access-Control-Allow-Origin" => "*", - ) -} -{% endhighlight %} - -It may be worthwhile to note that if you do any redirection on your domain, -such as adding `www.` in front of it, the key lookup may fail. The error -message given by `gpg` on WKD lookup failures is... poor to say the least, so -if anything goes wrong, try some verbose `curl` commands and ensure that the -key is accessible at the right path in a single HTTP request. - -## Wrapping up - -That's all there's to it! Adding this to your site should be relatively -straightforward, but it may be a huge convenience to anyone looking for your -key. 
If you have any questions or feedback, feel free to reach out to me! |
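Review bot: this hunk shows only the deletion of `_posts/2020-05-30-setting-up-pgp-wkd.md` (0 insertions, 107 deletions), while the commit message says the source files are being moved into `src`; because the diffstat is limited to this one path, the matching addition under `src/` is not visible here, so confirm in the full commit (with rename detection enabled) that the file reappears there byte-for-byte rather than being dropped, since the post is what makes the `.well-known/openpgpkey/` setup on the site discoverable. Two small points worth carrying over if the file is re-added: the front-matter link `mailto:~tyil/public-inbox@lists.sr.ht&subject=...` uses `&` before `subject=`, where a mailto URI needs `?` to introduce its first header field, so the subject currently becomes part of the address; and the lighttpd block sets `Access-Control-Allow-Origin => "*"` for the whole `^/.well-known/openpgpkey` prefix, which is fine for the public key files but is worth a one-line comment in the post explaining why a wildcard is acceptable there.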