1 @c wks.texi - man pages for the Web Key Service tools.
2 @c Copyright (C) 2017 g10 Code GmbH
3 @c Copyright (C) 2017 Bundesamt für Sicherheit in der Informationstechnik
4 @c This is part of the GnuPG manual.
5 @c For copying conditions, see the file GnuPG.texi.
10 @chapter Web Key Service
12 GnuPG comes with tools used to maintain and access a Web Key
16 * gpg-wks-client:: Send requests via WKS
17 * gpg-wks-server:: Server to provide the WKS.
23 @manpage gpg-wks-client.1
25 @section Send requests via WKS
28 \- Client for the Web Key Service
59 The @command{gpg-wks-client} is used to send requests to a Web Key
60 Service provider. This is usuallay done to upload a key into a Web
63 With the @option{--supported} command the caller can test whether a
64 site supports the Web Key Service. The argument is an arbitray
65 address in the to be tested domain. For example
66 @file{foo@@example.net}. The command returns success if the Web Key
67 Service is supported. The operation is silent; to get diagnostic
68 output use the option @option{--verbose}. See option
69 @option{--with-colons} for a variant of this command.
71 With the @option{--check} command the caller can test whether a key
72 exists for a supplied mail address. The command returns success if a
75 The @option{--create} command is used to send a request for
76 publication in the Web Key Directory. The arguments are the
77 fingerprint of the key and the user id to publish. The output from
78 the command is a properly formatted mail with all standard headers.
79 This mail can be fed to @command{sendmail(8)} or any other tool to
80 actually send that mail. If @command{sendmail(8)} is installed the
81 option @option{--send} can be used to directly send the created
82 request. If the provider request a 'mailbox-only' user id and no such
83 user id is found, @command{gpg-wks-client} will try an additional user
86 The @option{--receive} and @option{--read} commands are used to
87 process confirmation mails as send from the service provider. The
88 former expects an encrypted MIME messages, the latter an already
89 decrypted MIME message. The result of these commands are another mail
90 which can be send in the same way as the mail created with
93 The command @option{--install-key} manually installs a key into a
94 local directory (see option @option{-C}) reflecting the structure of a
95 WKD. The arguments are a file with the keyblock and the user-id to
96 install. If the first argument resembles a fingerprint the key is
97 taken from the current keyring; to force the use of a file, prefix the
98 first argument with "./". If no arguments are given the parameters
99 are read from stdin; the expected format are lines with the
100 fingerprint and the mailbox separated by a space. The command
101 @option{--remove-key} removes a key from that directory, its only
102 argument is a user-id.
104 The command @option{--print-wkd-hash} prints the WKD user-id identifiers
105 and the corresponding mailboxes from the user-ids given on the command
106 line or via stdin (one user-id per line).
108 The command @option{--print-wkd-url} prints the URLs used to fetch the
109 key for the given user-ids from WKD. The meanwhile preferred format
110 with sub-domains is used here.
112 @command{gpg-wks-client} is not commonly invoked directly and thus it
113 is not installed in the bin directory. Here is an example how it can
114 be invoked manually to check for a Web Key Directory entry for
115 @file{foo@@example.org}:
118 $(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@@example.net
123 @command{gpg-wks-client} understands these options:
129 Directly send created mails using the @command{sendmail} command.
130 Requires installation of that command.
134 This option has currently only an effect on the @option{--supported}
135 command. If it is used all arguments on the command line are taken
136 as domain names and tested for WKD support. The output format is one
137 line per domain with colon delimited fields. The currently specified
138 fields are (future versions may specify additional fields):
143 This is the domain name. Although quoting is not required for valid
144 domain names this field is specified to be quoted in standard C
148 If the value is true the domain supports the Web Key Directory.
151 If the value is true the domain supports the Web Key Service
152 protocol to upload keys to the directory.
155 This may contain an gpg-error code to describe certain
156 failures. Use @samp{gpg-error CODE} to explain the code.
158 @item 5 - protocol-version
159 The minimum protocol version supported by the server.
161 @item 6 - auth-submit
162 The auth-submit flag from the policy file of the server.
164 @item 7 - mailbox-only
165 The mailbox-only flag from the policy file of the server.
170 @item --output @var{file}
173 Write the created mail to @var{file} instead of stdout. Note that the
174 value @code{-} for @var{file} is the same as writing to stdout.
176 @item --status-fd @var{n}
178 Write special status strings to the file descriptor @var{n}.
179 This program returns only the status messages SUCCESS or FAILURE which
180 are helpful when the caller uses a double fork approach and can't
181 easily get the return code of the process.
184 @itemx --directory @var{dir}
186 Use @var{dir} as top level directory for the commands
187 @option{--install-key} and @option{--remove-key}. The default is
192 Enable extra informational output.
196 Disable almost all informational output.
200 Print version of the program and exit.
204 Display a brief help page and exit.
211 @command{gpg-wks-server}(1)
218 @manpage gpg-wks-server.1
220 @section Provide the Web Key Service
223 \- Server providing the Web Key Service
263 The @command{gpg-wks-server} is a server site implementation of the
264 Web Key Service. It receives requests for publication, sends
265 confirmation requests, receives confirmations, and published the key.
266 It also has features to ease the setup and maintenance of a Web Key
269 When used with the command @option{--receive} a single Web Key Service
270 mail is processed. Commonly this command is used with the option
271 @option{--send} to directly send the crerated mails back. See below
272 for an installation example.
274 The command @option{--cron} is used for regualr cleanup tasks. For
275 example non-confirmed requested should be removed after their expire
276 time. It is best to run this command once a day from a cronjob.
278 The command @option{--list-domains} prints all configured domains.
279 Further it creates missing directories for the configuration and
280 prints warnings pertaining to problems in the configuration.
282 The command @option{--check-key} (or just @option{--check}) checks
283 whether a key with the given user-id is installed. The process returns
284 success in this case; to also print a diagnostic use the option
285 @option{-v}. If the key is not installed a diagnostic is printed and
286 the process returns failure; to suppress the diagnostic, use option
287 @option{-q}. More than one user-id can be given; see also option
290 The command @option{--install-key} manually installs a key into the
291 WKD. The arguments are a file with the keyblock and the user-id to
292 install. If the first argument resembles a fingerprint the key is
293 taken from the current keyring; to force the use of a file, prefix the
294 first argument with "./". If no arguments are given the parameters
295 are read from stdin; the expected format are lines with the
296 fingerprint and the mailbox separated by a space.
298 The command @option{--remove-key} uninstalls a key from the WKD. The
299 process returns success in this case; to also print a diagnostic, use
300 option @option{-v}. If the key is not installed a diagnostic is
301 printed and the process returns failure; to suppress the diagnostic,
302 use option @option{-q}.
304 The command @option{--revoke-key} is not yet functional.
309 @command{gpg-wks-server} understands these options:
314 @itemx --directory @var{dir}
316 Use @var{dir} as top level directory for domains. The default is
317 @file{/var/lib/gnupg/wks}.
319 @item --from @var{mailaddr}
321 Use @var{mailaddr} as the default sender address.
323 @item --header @var{name}=@var{value}
325 Add the mail header "@var{name}: @var{value}" to all outgoing mails.
329 Directly send created mails using the @command{sendmail} command.
330 Requires installation of that command.
333 @itemx --output @var{file}
335 Write the created mail also to @var{file}. Note that the value
336 @code{-} for @var{file} would write it to stdout.
340 When used with the command @option{--list-domains} print for each
341 installed domain the domain name and its directory name.
345 When used with the command @option{--check-key} print for each user-id,
346 the address, 'i' for installed key or 'n' for not installed key, and
351 Enable extra informational output.
355 Disable almost all informational output.
359 Print version of the program and exit.
363 Display a brief help page and exit.
369 @chapheading Examples
371 The Web Key Service requires a working directory to store keys
372 pending for publication. As root create a working directory:
375 # mkdir /var/lib/gnupg/wks
376 # chown webkey:webkey /var/lib/gnupg/wks
377 # chmod 2750 /var/lib/gnupg/wks
380 Then under your webkey account create directories for all your
381 domains. Here we do it for "example.net":
384 $ mkdir /var/lib/gnupg/wks/example.net
390 $ gpg-wks-server --list-domains
393 to create the required sub-directories with the permissions set
394 correctly. For each domain a submission address needs to be
395 configured. All service mails are directed to that address. It can
396 be the same address for all configured domains, for example:
399 $ cd /var/lib/gnupg/wks/example.net
400 $ echo key-submission@@example.net >submission-address
403 The protocol requires that the key to be published is send with an
404 encrypted mail to the service. Thus you need to create a key for
405 the submission address:
408 $ gpg --batch --passphrase '' --quick-gen-key key-submission@@example.net
409 $ gpg -K key-submission@@example.net
412 The output of the last command looks similar to this:
415 sec rsa2048 2016-08-30 [SC]
416 C0FCF8642D830C53246211400346653590B3795B
417 uid [ultimate] key-submission@@example.net
418 ssb rsa2048 2016-08-30 [E]
421 Take the fingerprint from that output and manually publish the key:
424 $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
425 > key-submission@@example.net
428 Finally that submission address needs to be redirected to a script
429 running @command{gpg-wks-server}. The @command{procmail} command can
430 be used for this: Redirect the submission address to the user "webkey"
431 and put this into webkey's @file{.procmailrc}:
435 * !^From: webkey@@example.net
436 * !^X-WKS-Loop: webkey.example.net
437 |gpg-wks-server -v --receive \
438 --header X-WKS-Loop=webkey.example.net \
439 --from webkey@@example.net --send
445 @command{gpg-wks-client}(1)