The Wombelix Post - GPGhttps://dominik.wombacher.cc/2022-12-29T00:00:00+01:00My GPG Key is now available via Web Key Directory (WKD)2022-12-29T00:00:00+01:002022-12-29T00:00:00+01:00Dominik Wombachertag:dominik.wombacher.cc,2022-12-29:/posts/my-gpg-key-is-now-available-via-web-key-directory-wkd.html<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>First of all, what's <strong>WKD</strong> and what's the benefit of using it?
It's an easy way to retrieve GPG keys based on a given e-mail address.
It improves the user experience without relying on any keyserver infrastructure.
And that's exactly why I decided to make my key available via WKD:
I think the whole keyserver concept is broken and I want to support a
decentralized approach that gives the user control of his data.</p>
<p>So how do you get it working? In a nutshell, your public key has to be available in binary
format at a specific URL on your domain. There are multiple ways to achieve that;
I decided to use Direct mode and simply exported my key, named it appropriately,
created the necessary folders and uploaded it to my webserver.</p>
<p>So far you could, and still can, find my latest GPG public key on my
<a class="reference external" href="https://dominik.wombacher.cc/pages/contact.html">Contact</a> page; now you can also retrieve it via <em>gpg</em>
or other applications that support WKD, for example <em>Thunderbird</em>.
For my mail address <strong>dominik@wombacher.cc</strong>, the WKD URL is
<code>https://wombacher.cc/.well-known/openpgpkey/hu/i4spe47w9w9i1wncq7tpum5m4b81bko9</code>;
the last path component is the hash of my username <strong>dominik</strong> and is the name of the actual public key file.</p>
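<p>To make that hashed file name concrete, here is an added example (my own code, not the author's or GnuPG's) that derives the Direct-mode file name and URLs for an address the way GnuPG does it: SHA-1 over the lowercased local part, encoded in z-base-32. It goes slightly beyond the post by also building the Advanced-mode URLs and by checking that an exported key is in binary form rather than ASCII-armored; all function names are my own, and the sample inputs are constructed.</p>

```python
import hashlib

# z-base-32 alphabet used by GnuPG for the WKD "hu" path component
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding, most-significant bit first."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad the final group to 5 bits
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """The 'hu' file name: z-base-32 of SHA-1 over the lowercased local part."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # 160 bits -> 32 characters


def wkd_urls(email: str) -> dict:
    """Direct-method and Advanced-method URLs a WKD client will try for an address."""
    local_part, _, domain = email.partition("@")
    domain = domain.lower()
    name = wkd_hash(local_part)
    direct = f"https://{domain}/.well-known/openpgpkey"
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    return {
        "direct_key": f"{direct}/hu/{name}?l={local_part}",
        "direct_policy": f"{direct}/policy",
        "advanced_key": f"{advanced}/hu/{name}?l={local_part}",
        "advanced_policy": f"{advanced}/policy",
    }


def is_binary_openpgp(data: bytes) -> bool:
    """Reject ASCII-armored exports: WKD needs the binary packet format, whose
    first octet (the packet tag) always has bit 7 set (RFC 4880, section 4.2)."""
    if data.startswith(b"-----BEGIN PGP"):
        return False
    return len(data) > 0 and (data[0] & 0x80) == 0x80


if __name__ == "__main__":
    # Constructed input: the address from the post above.
    for kind, url in wkd_urls("dominik@wombacher.cc").items():
        print(f"{kind}: {url}")
    armored = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"   # constructed
    binary = bytes.fromhex("99010d04")  # constructed old-format public-key packet header
    print(is_binary_openpgp(armored), is_binary_openpgp(binary))
```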
<p>There is a nice <a class="reference external" href="https://metacode.biz/openpgp/web-key-directory">online tool</a>
available to check whether the setup is correct.</p>
<p>I had to do two other minor things to get all tests to pass: 1) create an empty file
called <strong>policy</strong> in the folder <code>/.well-known/openpgpkey/</code>, and 2) send a CORS header via nginx:</p>
<pre class="code text literal-block">
# serve the WKD directory with a permissive CORS header so browser-based checkers can read it
location /.well-known/openpgpkey/ {
    add_header Access-Control-Allow-Origin *;
}
</pre>
<p>Afterwards everything was fine and my key was available via WKD:</p>
<pre class="code text literal-block">
Direct: key: https://wombacher.cc/.well-known/openpgpkey/hu/i4spe47w9w9i1wncq7tpum5m4b81bko9?l=dominik
Direct: found key: A6FB74CC95114AA977FFD04ACDDD24A5C0758945
Direct: Key contains correct User ID: Dominik Wombacher <dominik@wombacher.cc>
Direct: CORS header is correctly set up
Direct: Policy file is present
</pre>
<p>I think WKD is a really nice approach that solves the problems that came up with
keyservers; there are already a lot of mail providers and applications which support it,
so I guess that's the future of GPG key distribution.</p>
<p>Kudos to <a class="reference external" href="https://www.kuketz-blog.de/gnupg-web-key-directory-wkd-einrichten/">kuketz-blog.de (German)</a>
(Archive: <a class="reference external" href="https://archive.today/2022.12.30-113149/https://www.kuketz-blog.de/gnupg-web-key-directory-wkd-einrichten/">[1]</a>) and
<a class="reference external" href="https://wiki.gnupg.org/WKD">wiki.gnupg.org</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20221224231449/https://wiki.gnupg.org/WKD">[1]</a>,
<a class="reference external" href="https://archive.today/2022.12.30-105157/https://wiki.gnupg.org/WKD">[2]</a>),
my main sources for understanding and setting up WKD.</p>