1 @c wks.texi - man pages for the Web Key Service tools.
2 @c Copyright (C) 2017 g10 Code GmbH
3 @c Copyright (C) 2017 Bundesamt für Sicherheit in der Informationstechnik
4 @c This is part of the GnuPG manual.
5 @c For copying conditions, see the file GnuPG.texi.
10 @chapter Web Key Service
12 GnuPG comes with tools used to maintain and access a Web Key
16 * gpg-wks-client:: Send requests via WKS
17 * gpg-wks-server:: Server to provide the WKS.
23 @manpage gpg-wks-client.1
25 @section Send requests via WKS
28 \- Client for the Web Key Service
59 The @command{gpg-wks-client} is used to send requests to a Web Key
60 Service provider. This is usuallay done to upload a key into a Web
63 With the @option{--supported} command the caller can test whether a
64 site supports the Web Key Service. The argument is an arbitray
65 address in the to be tested domain. For example
66 @file{foo@@example.net}. The command returns success if the Web Key
67 Service is supported. The operation is silent; to get diagnostic
68 output use the option @option{--verbose}.
70 With the @option{--check} command the caller can test whether a key
71 exists for a supplied mail address. The command returns success if a
74 The @option{--create} command is used to send a request for
75 publication in the Web Key Directory. The arguments are the
76 fingerprint of the key and the user id to publish. The output from
77 the command is a properly formatted mail with all standard headers.
78 This mail can be fed to @command{sendmail(8)} or any other tool to
79 actually send that mail. If @command{sendmail(8)} is installed the
80 option @option{--send} can be used to directly send the created
81 request. If the provider request a 'mailbox-only' user id and no such
82 user id is found, @command{gpg-wks-client} will try an additional user
85 The @option{--receive} and @option{--read} commands are used to
86 process confirmation mails as send from the service provider. The
87 former expects an encrypted MIME messages, the latter an already
88 decrypted MIME message. The result of these commands are another mail
89 which can be send in the same way as the mail created with
92 @command{gpg-wks-client} is not commonly invoked directly and thus it
93 is not installed in the bin directory. Here is an example how it can
94 be invoked manually to check for a Web Key Directory entry for
95 @file{foo@@example.org}:
98 $(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@@example.net
103 @command{gpg-wks-client} understands these options:
109 Directly send created mails using the @command{sendmail} command.
110 Requires installation of that command.
112 @item --output @var{file}
115 Write the created mail to @var{file} instead of stdout. Note that the
116 value @code{-} for @var{file} is the same as writing to stdout.
118 @item --status-fd @var{n}
120 Write special status strings to the file descriptor @var{n}.
121 This program returns only the status messages SUCCESS or FAILURE which
122 are helpful when the caller uses a double fork approach and can't
123 easily get the return code of the process.
127 Enable extra informational output.
131 Disable almost all informational output.
135 Print version of the program and exit.
139 Display a brief help page and exit.
146 @command{gpg-wks-server}(1)
153 @manpage gpg-wks-server.1
155 @section Provide the Web Key Service
158 \- Server providing the Web Key Service
192 The @command{gpg-wks-server} is a server site implementation of the
193 Web Key Service. It receives requests for publication, sends
194 confirmation requests, receives confirmations, and published the key.
195 It also has features to ease the setup and maintenance of a Web Key
198 When used with the command @option{--receive} a single Web Key Service
199 mail is processed. Commonly this command is used with the option
200 @option{--send} to directly send the crerated mails back. See below
201 for an installation example.
203 The command @option{--cron} is used for regualr cleanup tasks. For
204 example non-confirmed requested should be removed after their expire
205 time. It is best to run this command once a day from a cronjob.
207 The command @option{--list-domains} prints all configured domains.
208 Further it creates missing directories for the configuration and
209 prints warnings pertaining to problems in the configuration.
211 The commands @option{--install-key}, @option{--remove-key}, and
212 @option{--revoke-key} are not yet functional.
217 @command{gpg-wks-server} understands these options:
221 @item --from @var{mailaddr}
223 Use @var{mailaddr} as the default sender address.
225 @item --header @var{name}=@var{value}
227 Add the mail header "@var{name}: @var{value}" to all outgoing mails.
231 Directly send created mails using the @command{sendmail} command.
232 Requires installation of that command.
234 @item --output @var{file}
237 Write the created mail also to @var{file}. Note that the value
238 @code{-} for @var{file} would write it to stdout.
242 Enable extra informational output.
246 Disable almost all informational output.
250 Print version of the program and exit.
254 Display a brief help page and exit.
260 @chapheading Examples
262 The Web Key Service requires a working directory to store keys
263 pending for publication. As root create a working directory:
266 # mkdir /var/lib/gnupg/wks
267 # chown webkey:webkey /var/lib/gnupg/wks
268 # chmod 2750 /var/lib/gnupg/wks
271 Then under your webkey account create directories for all your
272 domains. Here we do it for "example.net":
275 $ mkdir /var/lib/gnupg/wks/example.net
281 $ gpg-wks-server --list-domains
284 to create the required sub-directories with the permission set
285 correctly. For each domain a submission address needs to be
286 configured. All service mails are directed to that address. It can
287 be the same address for all configured domains, for example:
290 $ cd /var/lib/gnupg/wks/example.net
291 $ echo key-submission@@example.net >submission-address
294 The protocol requires that the key to be published is sent with an
295 encrypted mail to the service. Thus you need to create a key for
296 the submission address:
299 $ gpg --batch --passphrase '' --quick-gen-key key-submission@@example.net
300 $ gpg --with-wkd-hash -K key-submission@@example.net
303 The output of the last command looks similar to this:
306 sec rsa2048 2016-08-30 [SC]
307 C0FCF8642D830C53246211400346653590B3795B
308 uid [ultimate] key-submission@@example.net
309 bxzcxpxk8h87z1k7bzk86xn5aj47intu@@example.net
310 ssb rsa2048 2016-08-30 [E]
313 Take the hash of the string "key-submission", which is
314 "bxzcxpxk8h87z1k7bzk86xn5aj47intu" and manually publish that key:
317 $ gpg --export-options export-minimal --export \
318 > -o /var/lib/gnupg/wks/example.net/hu/bxzcxpxk8h87z1k7bzk86xn5aj47intu \
319 > key-submission@@example.new
322 Make sure that the created file is world readable.
324 Finally that submission address needs to be redirected to a script
325 running @command{gpg-wks-server}. The @command{procmail} command can
326 be used for this: Redirect the submission address to the user "webkey"
327 and put this into webkey's @file{.procmailrc}:
331 * !^From: webkey@@example.net
332 * !^X-WKS-Loop: webkey.example.net
333 |gpg-wks-server -v --receive \
334 --header X-WKS-Loop=webkey.example.net \
335 --from webkey@@example.net --send
341 @command{gpg-wks-client}(1)