1 @c wks.texi - man pages for the Web Key Service tools.
2 @c Copyright (C) 2017 g10 Code GmbH
3 @c Copyright (C) 2017 Bundesamt für Sicherheit in der Informationstechnik
4 @c This is part of the GnuPG manual.
5 @c For copying conditions, see the file GnuPG.texi.
10 @chapter Web Key Service
12 GnuPG comes with tools used to maintain and access a Web Key
16 * gpg-wks-client:: Send requests via WKS
17 * gpg-wks-server:: Server to provide the WKS.
23 @manpage gpg-wks-client.1
25 @section Send requests via WKS
28 \- Client for the Web Key Service
59 The @command{gpg-wks-client} is used to send requests to a Web Key
60 Service provider. This is usually done to upload a key into a Web
63 With the @option{--supported} command the caller can test whether a
64 site supports the Web Key Service. The argument is an arbitrary
65 address in the to be tested domain. For example
66 @file{foo@@example.net}. The command returns success if the Web Key
67 Service is supported. The operation is silent; to get diagnostic
68 output use the option @option{--verbose}. See option
69 @option{--with-colons} for a variant of this command.
71 With the @option{--check} command the caller can test whether a key
72 exists for a supplied mail address. The command returns success if a
75 The @option{--create} command is used to send a request for
76 publication in the Web Key Directory. The arguments are the
77 fingerprint of the key and the user id to publish. The output from
78 the command is a properly formatted mail with all standard headers.
79 This mail can be fed to @command{sendmail(8)} or any other tool to
80 actually send that mail. If @command{sendmail(8)} is installed the
81 option @option{--send} can be used to directly send the created
82 request. If the provider request a 'mailbox-only' user id and no such
83 user id is found, @command{gpg-wks-client} will try an additional user
86 The @option{--receive} and @option{--read} commands are used to
87 process confirmation mails as send from the service provider. The
88 former expects an encrypted MIME messages, the latter an already
89 decrypted MIME message. The result of these commands are another mail
90 which can be send in the same way as the mail created with
93 The command @option{--install-key} manually installs a key into a
94 local directory (see option @option{-C}) reflecting the structure of a
95 WKD. The arguments are a file with the keyblock and the user-id to
96 install. If the first argument resembles a fingerprint the key is
97 taken from the current keyring; to force the use of a file, prefix the
98 first argument with "./". If no arguments are given the parameters
99 are read from stdin; the expected format are lines with the
100 fingerprint and the mailbox separated by a space. The command
101 @option{--remove-key} removes a key from that directory, its only
102 argument is a user-id.
104 The command @option{--print-wkd-hash} prints the WKD user-id identifiers
105 and the corresponding mailboxes from the user-ids given on the command
106 line or via stdin (one user-id per line).
108 The command @option{--print-wkd-url} prints the URLs used to fetch the
109 key for the given user-ids from WKD. The meanwhile preferred format
110 with sub-domains is used here.
114 @command{gpg-wks-client} understands these options:
120 Directly send created mails using the @command{sendmail} command.
121 Requires installation of that command.
125 This option has currently only an effect on the @option{--supported}
126 command. If it is used all arguments on the command line are taken
127 as domain names and tested for WKD support. The output format is one
128 line per domain with colon delimited fields. The currently specified
129 fields are (future versions may specify additional fields):
134 This is the domain name. Although quoting is not required for valid
135 domain names this field is specified to be quoted in standard C
139 If the value is true the domain supports the Web Key Directory.
142 If the value is true the domain supports the Web Key Service
143 protocol to upload keys to the directory.
146 This may contain an gpg-error code to describe certain
147 failures. Use @samp{gpg-error CODE} to explain the code.
149 @item 5 - protocol-version
150 The minimum protocol version supported by the server.
152 @item 6 - auth-submit
153 The auth-submit flag from the policy file of the server.
155 @item 7 - mailbox-only
156 The mailbox-only flag from the policy file of the server.
161 @item --output @var{file}
164 Write the created mail to @var{file} instead of stdout. Note that the
165 value @code{-} for @var{file} is the same as writing to stdout.
167 @item --status-fd @var{n}
169 Write special status strings to the file descriptor @var{n}.
170 This program returns only the status messages SUCCESS or FAILURE which
171 are helpful when the caller uses a double fork approach and can't
172 easily get the return code of the process.
175 @itemx --directory @var{dir}
177 Use @var{dir} as top level directory for the commands
178 @option{--install-key} and @option{--remove-key}. The default is
183 Enable extra informational output.
187 Disable almost all informational output.
191 Print version of the program and exit.
195 Display a brief help page and exit.
202 @command{gpg-wks-server}(1)
209 @manpage gpg-wks-server.1
211 @section Provide the Web Key Service
214 \- Server providing the Web Key Service
254 The @command{gpg-wks-server} is a server side implementation of the
255 Web Key Service. It receives requests for publication, sends
256 confirmation requests, receives confirmations, and published the key.
257 It also has features to ease the setup and maintenance of a Web Key
260 When used with the command @option{--receive} a single Web Key Service
261 mail is processed. Commonly this command is used with the option
262 @option{--send} to directly send the created mails back. See below
263 for an installation example.
265 The command @option{--cron} is used for regular cleanup tasks. For
266 example non-confirmed requested should be removed after their expire
267 time. It is best to run this command once a day from a cronjob.
269 The command @option{--list-domains} prints all configured domains.
270 Further it creates missing directories for the configuration and
271 prints warnings pertaining to problems in the configuration.
273 The command @option{--check-key} (or just @option{--check}) checks
274 whether a key with the given user-id is installed. The process returns
275 success in this case; to also print a diagnostic use the option
276 @option{-v}. If the key is not installed a diagnostic is printed and
277 the process returns failure; to suppress the diagnostic, use option
278 @option{-q}. More than one user-id can be given; see also option
281 The command @option{--install-key} manually installs a key into the
282 WKD. The arguments are a file with the keyblock and the user-id to
283 install. If the first argument resembles a fingerprint the key is
284 taken from the current keyring; to force the use of a file, prefix the
285 first argument with "./". If no arguments are given the parameters
286 are read from stdin; the expected format are lines with the
287 fingerprint and the mailbox separated by a space.
289 The command @option{--remove-key} uninstalls a key from the WKD. The
290 process returns success in this case; to also print a diagnostic, use
291 option @option{-v}. If the key is not installed a diagnostic is
292 printed and the process returns failure; to suppress the diagnostic,
293 use option @option{-q}.
295 The command @option{--revoke-key} is not yet functional.
300 @command{gpg-wks-server} understands these options:
305 @itemx --directory @var{dir}
307 Use @var{dir} as top level directory for domains. The default is
308 @file{/var/lib/gnupg/wks}.
310 @item --from @var{mailaddr}
312 Use @var{mailaddr} as the default sender address.
314 @item --header @var{name}=@var{value}
316 Add the mail header "@var{name}: @var{value}" to all outgoing mails.
320 Directly send created mails using the @command{sendmail} command.
321 Requires installation of that command.
324 @itemx --output @var{file}
326 Write the created mail also to @var{file}. Note that the value
327 @code{-} for @var{file} would write it to stdout.
331 When used with the command @option{--list-domains} print for each
332 installed domain the domain name and its directory name.
336 When used with the command @option{--check-key} print for each user-id,
337 the address, 'i' for installed key or 'n' for not installed key, and
342 Enable extra informational output.
346 Disable almost all informational output.
350 Print version of the program and exit.
354 Display a brief help page and exit.
360 @chapheading Examples
362 The Web Key Service requires a working directory to store keys
363 pending for publication. As root create a working directory:
366 # mkdir /var/lib/gnupg/wks
367 # chown webkey:webkey /var/lib/gnupg/wks
368 # chmod 2750 /var/lib/gnupg/wks
371 Then under your webkey account create directories for all your
372 domains. Here we do it for "example.net":
375 $ mkdir /var/lib/gnupg/wks/example.net
381 $ gpg-wks-server --list-domains
384 to create the required sub-directories with the permissions set
385 correctly. For each domain a submission address needs to be
386 configured. All service mails are directed to that address. It can
387 be the same address for all configured domains, for example:
390 $ cd /var/lib/gnupg/wks/example.net
391 $ echo key-submission@@example.net >submission-address
394 The protocol requires that the key to be published is sent with an
395 encrypted mail to the service. Thus you need to create a key for
396 the submission address:
399 $ gpg --batch --passphrase '' --quick-gen-key key-submission@@example.net
400 $ gpg -K key-submission@@example.net
403 The output of the last command looks similar to this:
406 sec rsa3072 2016-08-30 [SC]
407 C0FCF8642D830C53246211400346653590B3795B
408 uid [ultimate] key-submission@@example.net
409 bxzcxpxk8h87z1k7bzk86xn5aj47intu@@example.net
410 ssb rsa3072 2016-08-30 [E]
413 Take the fingerprint from that output and manually publish the key:
416 $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
417 > key-submission@@example.net
420 Finally that submission address needs to be redirected to a script
421 running @command{gpg-wks-server}. The @command{procmail} command can
422 be used for this: Redirect the submission address to the user "webkey"
423 and put this into webkey's @file{.procmailrc}:
427 * !^From: webkey@@example.net
428 * !^X-WKS-Loop: webkey.example.net
429 |gpg-wks-server -v --receive \
430 --header X-WKS-Loop=webkey.example.net \
431 --from webkey@@example.net --send
437 @command{gpg-wks-client}(1)