I know that for Proton Mail users, you can just gpg --locate-keys their address and you’ll get their keys.
I wanted to set up something similar for my own email and it was a headache and a half. This is more of a li’l diary entry and causerie than reliable and complete documentation.
mkdir -p /tmp/lets-do-this/.well-known/openpgpkey
cd /tmp/lets-do-this
sudo apt install gpg-wks-client # Or whatever non-Debian people do
Then, you’re supposed to do this:
gpg --list-options show-only-fpr-mbox -k sandra.snan@idiomdrottning.org|/usr/lib/gnupg/gpg-wks-client -C .well-known/openpgpkey -v --install-key
but I have plenty of unused keys in my ring, so I ran the first part of that pipeline on its own and saw that the first line was the key I wanted (I compared fingerprints). Picking the first one means head -1, the ninth would be sed -n 9p, and the last would be tail -1.
So since in my case I’m grabbing the first:
gpg --list-options show-only-fpr-mbox -k sandra.snan@idiomdrottning.org|head -1|/usr/lib/gnupg/gpg-wks-client -C .well-known/openpgpkey -v --install-key
Now, that’s not any good because it uses the “advanced” method. According to the RFC, that method is for multi-domain setups, but I have nginx so we can already dispatch on a domain level right in the web server, and for now I just wanted my Idiomdrottning domain. I want the direct method so I don’t have to futz around with registering a new hostname (the advanced method serves keys from an openpgpkey. subdomain). At least for now.
This means manually having to:
cd .well-known/openpgpkey/
mv idiomdrottning.org/* .
rmdir idiomdrottning.org
Create an index.html file in the hu directory to disable dirlisting (not that there’s anything else in there).
Then
cd /tmp/lets-do-this
chmod -R 755 .well-known
and rsync it up to the server.
I didn’t get it working at first, because I had made two fatal mistakes.
One was pretty specific to my wonky setup: I already had the .well-known path reverse-proxied for some other stuff I’ve got going on. I had to edit my nginx config to make that a li’l more fine-grained. That was on me, I had a non-default setup.
The other was that the hu directory wasn’t executable by the www-data user. Readable is not enough when it comes to directories.
I could troubleshoot both of these issues with
wget -qO- "https://idiomdrottning.org/.well-known/openpgpkey/hu/frhc9h9dc9cq8ffnxtrj817y4o1jxztm"|less
(That frhc9h9dc9cq8ffnxt… stuff is my own name, sandra.snan, encoded: the SHA-1 hash of it, written in Z-Base-32. To find your own, look in that hu directory you generated.)
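To show how that hu filename comes about, and to catch the two mistakes above before rsyncing, here is an added example in Python (my own code, not from this post or from GnuPG). It derives the hu name (SHA-1 of the lowercased local part, z-base-32 encoded), builds the direct-method URL a client fetches, and checks a direct-method tree for the things that bit me: a missing policy file, an hu directory that others can read but not traverse, and a missing or unreadable key file. The function names and the constructed temp-dir tree in demo() are my own.

```python
# Added example (not from the post): derive the WKD "hu" filename for an
# address and sanity-check a direct-method tree. Function names are mine.
import hashlib
import os
import stat
import tempfile
from urllib.parse import quote

# z-base-32 alphabet used by WKD (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bit first, no padding characters."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)  # a SHA-1 digest is 160 bits, so nothing is added here
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """The 32-character hu filename: SHA-1 of the lowercased local part, in z-base-32."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_direct_url(address: str) -> str:
    """URL a client fetches for the direct method (no openpgpkey. subdomain)."""
    local_part, domain = address.rsplit("@", 1)
    return (f"https://{domain.lower()}/.well-known/openpgpkey/hu/"
            f"{wkd_hash(local_part)}?l={quote(local_part)}")


def check_direct_tree(root: str, address: str) -> list:
    """Return a list of problems with a direct-method tree under `root`
    (the directory that holds .well-known). Empty list means it looks fine."""
    local_part, _ = address.rsplit("@", 1)
    base = os.path.join(root, ".well-known", "openpgpkey")
    hu = os.path.join(base, "hu")
    problems = []
    if not os.path.isfile(os.path.join(base, "policy")):
        problems.append("missing policy file (gpg-wks-client writes one; the direct method needs it)")
    if not os.path.isdir(hu):
        return problems + ["missing hu directory"]
    mode = stat.S_IMODE(os.stat(hu).st_mode)
    # The web server user is usually "other": it needs both r and x on the directory.
    if not (mode & stat.S_IROTH and mode & stat.S_IXOTH):
        problems.append(f"hu directory mode {mode:04o}: others need r and x to traverse it")
    keyfile = os.path.join(hu, wkd_hash(local_part))
    if not os.path.isfile(keyfile):
        problems.append(f"no key file for {address} at hu/{wkd_hash(local_part)}")
    elif not stat.S_IMODE(os.stat(keyfile).st_mode) & stat.S_IROTH:
        problems.append("key file is not world-readable")
    return problems


def demo(address: str = "sandra.snan@idiomdrottning.org") -> tuple:
    """Build a constructed tree in a temp dir, first with the mistake from the
    post (hu readable by others but not executable), then fixed.
    Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, ".well-known", "openpgpkey")
        hu = os.path.join(base, "hu")
        os.makedirs(hu)
        open(os.path.join(base, "policy"), "w").close()
        local_part = address.rsplit("@", 1)[0]
        keyfile = os.path.join(hu, wkd_hash(local_part))
        with open(keyfile, "wb") as f:
            f.write(b"constructed placeholder, not a real OpenPGP key")
        os.chmod(keyfile, 0o644)
        os.chmod(hu, 0o744)   # the mistake: owner can traverse, www-data can only read
        before = check_direct_tree(root, address)
        os.chmod(hu, 0o755)   # the fix from the post: chmod -R 755 .well-known
        after = check_direct_tree(root, address)
    return before, after


if __name__ == "__main__":
    print(wkd_direct_url("sandra.snan@idiomdrottning.org"))
    print(demo())
```

Run check_direct_tree against the /tmp/lets-do-this directory before rsyncing, and cross-check the hash with gpg-wks-client --print-wkd-hash, which prints the same value.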
Anyway, now
gpg --locate-keys sandra.snan@idiomdrottning.org
finally works.
I’m not doing the whole proofs.json thing from Replacing Keybase, I’m only using a static WKD as per the GnuPG wiki.
If you don’t have a web server on your email domain but you can set CNAME records, you can use OpenPGP’s WKD service.
You could get mitmed by them, so this is only if you trust them, but it’s still better than a keyserver (which requires the same trust, while WKD is faster and works automatically in more apps).