I know that for Proton Mail users, you can just gpg --locate-keys
their address and you’ll get their keys.
I wanted to set up something similar for my own email and it was a headache and a half. This is more of a li’l diary entry and causerie than reliable and complete documentation.
mkdir -p /tmp/lets-do-this/.well-known/openpgpkey
cd /tmp/lets-do-this
sudo apt install gpg-wks-client # Or whatever non-Debian people do
Then, you’re supposed to do this:
gpg --list-options show-only-fpr-mbox -k sandra.snan@idiomdrottning.org|/usr/lib/gnupg/gpg-wks-client -C .well-known/openpgpkey -v --install-key
but I have plenty of unused keys in my ring so I checked the first part of that, saw that the first was the one I wanted (matching fingerprints). First one means head -1
, ninth would be sed -n 9p
, and last would be tail -1
.
So since in my case I’m grabbing the first:
gpg --list-options show-only-fpr-mbox -k sandra.snan@idiomdrottning.org|head -1|/usr/lib/gnupg/gpg-wks-client -C .well-known/openpgpkey -v --install-key
Now, that’s not any good because it uses the “advanced” method. According to the RFC, that method is for multi-domain setups, but I have nginx so we can already dispatch on a domain level right in the web server, and for now I just wanted my Idiomdrottning domain. I want the direct method so I don’t have to futz around with registering a new hostname. At least for now.
This means manually having to:
cd .well-known/openpgpkey/
mv idiomdrottning.org/* .
rmdir idiomdrottning.org
Create an index.html file in the hu
directory to disable dirlisting (not that there’s anything else in there).
Then
cd /tmp/lets-do-this
chmod -r 755 .well-known
and rsync it up to the server.
I didn’t get it working at first, because I had made two fatal mistakes.
One was pretty specific to my wonky setup: I already had the .well-known path reverse-proxied for some other stuff I’ve got going on. I had to edit nginx stuff to make that a li’l more fine grained. That was on me, I had a non-default setup.
The other was that the hu
directory wasn’t executable by the www-data
user. Readable is not enough when it comes to directories.
I could troubleshoot both of these issues with
wget -qO- "https://idiomdrottning.org/.well-known/openpgpkey/hu/frhc9h9dc9cq8ffnxtrj817y4o1jxztm"|less
(Where that frhc9h9dc9cq8ffnxt…
stuff is my own name, sandra.snan
, encoded (SHA-1 hash in Z-Base-32). To find your own, look in that hu
directory you generated.)
Anyway, now
gpg --locate-keys sandra.snan@idiomdrottning.org
finally works.
I’m not doing the whole proofs.json thing from Replacing Keybase, I’m only using a static WKD as per the GnuPG wiki.