1 @c wks.texi - man pages for the Web Key Service tools.
2 @c Copyright (C) 2017 g10 Code GmbH
3 @c Copyright (C) 2017 Bundesamt für Sicherheit in der Informationstechnik
4 @c This is part of the GnuPG manual.
5 @c For copying conditions, see the file GnuPG.texi.
10 @chapter Web Key Service
12 GnuPG comes with tools used to maintain and access a Web Key
16 * gpg-wks-client:: Send requests via WKS
17 * gpg-wks-server:: Server to provide the WKS.
23 @manpage gpg-wks-client.1
25 @section Send requests via WKS
28 \- Client for the Web Key Service
59 The @command{gpg-wks-client} is used to send requests to a Web Key
60 Service provider. This is usuallay done to upload a key into a Web
63 With the @option{--supported} command the caller can test whether a
64 site supports the Web Key Service. The argument is an arbitray
65 address in the to be tested domain. For example
66 @file{foo@@example.net}. The command returns success if the Web Key
67 Service is supported. The operation is silent; to get diagnostic
68 output use the option @option{--verbose}. See option
69 @option{--with-colons} for a variant of this command.
71 With the @option{--check} command the caller can test whether a key
72 exists for a supplied mail address. The command returns success if a
75 The @option{--create} command is used to send a request for
76 publication in the Web Key Directory. The arguments are the
77 fingerprint of the key and the user id to publish. The output from
78 the command is a properly formatted mail with all standard headers.
79 This mail can be fed to @command{sendmail(8)} or any other tool to
80 actually send that mail. If @command{sendmail(8)} is installed the
81 option @option{--send} can be used to directly send the created
82 request. If the provider request a 'mailbox-only' user id and no such
83 user id is found, @command{gpg-wks-client} will try an additional user
86 The @option{--receive} and @option{--read} commands are used to
87 process confirmation mails as send from the service provider. The
88 former expects an encrypted MIME messages, the latter an already
89 decrypted MIME message. The result of these commands are another mail
90 which can be send in the same way as the mail created with
93 The command @option{--install-key} manually installs a key into a
94 local directory (see option @option{-C}) reflecting the structure of a
95 WKD. The arguments are a file with the keyblock and the user-id to
96 install. If the first argument resembles a fingerprint the key is
97 taken from the current keyring; to force the use of a file, prefix the
98 first argument with "./". If no arguments are given the parameters
99 are read from stdin; the expected format are lines with the
100 fingerprint and the mailbox separated by a space. The command
101 @option{--remove-key} removes a key from that directory, its only
102 argument is a user-id.
104 @command{gpg-wks-client} is not commonly invoked directly and thus it
105 is not installed in the bin directory. Here is an example how it can
106 be invoked manually to check for a Web Key Directory entry for
107 @file{foo@@example.org}:
110 $(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@@example.net
115 @command{gpg-wks-client} understands these options:
121 Directly send created mails using the @command{sendmail} command.
122 Requires installation of that command.
126 This option has currently only an effect on the @option{--supported}
127 command. If it is used all arguimenst on the command line are taken
128 as domain names and tested for WKD support. The output format is one
129 line per domain with colon delimited fields. The currently specified
130 fields are (future versions may specify additional fields):
135 This is the domain name. Although quoting is not required for valid
136 domain names this field is specified to be quoted in standard C
140 If the value is true the domain supports the Web Key Directory.
143 If the value is true the domain supports the Web Key Service
144 protocol to upload keys to the directory.
147 This may contain an gpg-error code to describe certain
148 failures. Use @samp{gpg-error CODE} to explain the code.
150 @item 5 - protocol-version
151 The minimum protocol version supported by the server.
153 @item 6 - auth-submit
154 The auth-submit flag from the policy file of the server.
156 @item 7 - mailbox-only
157 The mailbox-only flag from the policy file of the server.
162 @item --output @var{file}
165 Write the created mail to @var{file} instead of stdout. Note that the
166 value @code{-} for @var{file} is the same as writing to stdout.
168 @item --status-fd @var{n}
170 Write special status strings to the file descriptor @var{n}.
171 This program returns only the status messages SUCCESS or FAILURE which
172 are helpful when the caller uses a double fork approach and can't
173 easily get the return code of the process.
176 @itemx --directory @var{dir}
178 Use @var{dir} as top level directory for the commands
179 @option{--install-key} and @option{--remove-key}. The default is
184 Enable extra informational output.
188 Disable almost all informational output.
192 Print version of the program and exit.
196 Display a brief help page and exit.
203 @command{gpg-wks-server}(1)
210 @manpage gpg-wks-server.1
212 @section Provide the Web Key Service
215 \- Server providing the Web Key Service
255 The @command{gpg-wks-server} is a server site implementation of the
256 Web Key Service. It receives requests for publication, sends
257 confirmation requests, receives confirmations, and published the key.
258 It also has features to ease the setup and maintenance of a Web Key
261 When used with the command @option{--receive} a single Web Key Service
262 mail is processed. Commonly this command is used with the option
263 @option{--send} to directly send the crerated mails back. See below
264 for an installation example.
266 The command @option{--cron} is used for regualr cleanup tasks. For
267 example non-confirmed requested should be removed after their expire
268 time. It is best to run this command once a day from a cronjob.
270 The command @option{--list-domains} prints all configured domains.
271 Further it creates missing directories for the configuration and
272 prints warnings pertaining to problems in the configuration.
274 The command @option{--check-key} (or just @option{--check}) checks
275 whether a key with the given user-id is installed. The process returns
276 success in this case; to also print a diagnostic use the option
277 @option{-v}. If the key is not installed a diagnostic is printed and
278 the process returns failure; to suppress the diagnostic, use option
279 @option{-q}. More than one user-id can be given; see also option
282 The command @option{--install-key} manually installs a key into the
283 WKD. The arguments are a file with the keyblock and the user-id to
284 install. If the first argument resembles a fingerprint the key is
285 taken from the current keyring; to force the use of a file, prefix the
286 first argument with "./". If no arguments are given the parameters
287 are read from stdin; the expected format are lines with the
288 fingerprint and the mailbox separated by a space.
290 The command @option{--remove-key} uninstalls a key from the WKD. The
291 process returns success in this case; to also print a diagnostic, use
292 option @option{-v}. If the key is not installed a diagnostic is
293 printed and the process returns failure; to suppress the diagnostic,
294 use option @option{-q}.
296 The command @option{--revoke-key} is not yet functional.
301 @command{gpg-wks-server} understands these options:
306 @itemx --directory @var{dir}
308 Use @var{dir} as top level directory for domains. The default is
309 @file{/var/lib/gnupg/wks}.
311 @item --from @var{mailaddr}
313 Use @var{mailaddr} as the default sender address.
315 @item --header @var{name}=@var{value}
317 Add the mail header "@var{name}: @var{value}" to all outgoing mails.
321 Directly send created mails using the @command{sendmail} command.
322 Requires installation of that command.
325 @itemx --output @var{file}
327 Write the created mail also to @var{file}. Note that the value
328 @code{-} for @var{file} would write it to stdout.
332 When used with the command @option{--list-domains} print for each
333 installed domain the domain name and its directory name.
337 When used with the command @option{--check-key} print for each user-id,
338 the address, 'i' for installed key or 'n' for not installed key, and
343 Enable extra informational output.
347 Disable almost all informational output.
351 Print version of the program and exit.
355 Display a brief help page and exit.
361 @chapheading Examples
363 The Web Key Service requires a working directory to store keys
364 pending for publication. As root create a working directory:
367 # mkdir /var/lib/gnupg/wks
368 # chown webkey:webkey /var/lib/gnupg/wks
369 # chmod 2750 /var/lib/gnupg/wks
372 Then under your webkey account create directories for all your
373 domains. Here we do it for "example.net":
376 $ mkdir /var/lib/gnupg/wks/example.net
382 $ gpg-wks-server --list-domains
385 to create the required sub-directories with the permissions set
386 correctly. For each domain a submission address needs to be
387 configured. All service mails are directed to that address. It can
388 be the same address for all configured domains, for example:
391 $ cd /var/lib/gnupg/wks/example.net
392 $ echo key-submission@@example.net >submission-address
395 The protocol requires that the key to be published is send with an
396 encrypted mail to the service. Thus you need to create a key for
397 the submission address:
400 $ gpg --batch --passphrase '' --quick-gen-key key-submission@@example.net
401 $ gpg -K key-submission@@example.net
404 The output of the last command looks similar to this:
407 sec rsa2048 2016-08-30 [SC]
408 C0FCF8642D830C53246211400346653590B3795B
409 uid [ultimate] key-submission@@example.net
410 ssb rsa2048 2016-08-30 [E]
413 Take the fingerprint from that output and manually publish the key:
416 $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
417 > key-submission@@example.net
420 Finally that submission address needs to be redirected to a script
421 running @command{gpg-wks-server}. The @command{procmail} command can
422 be used for this: Redirect the submission address to the user "webkey"
423 and put this into webkey's @file{.procmailrc}:
427 * !^From: webkey@@example.net
428 * !^X-WKS-Loop: webkey.example.net
429 |gpg-wks-server -v --receive \
430 --header X-WKS-Loop=webkey.example.net \
431 --from webkey@@example.net --send
437 @command{gpg-wks-client}(1)