
GPG: Automatically fetch keys using Web Key Directory protocol

Problem to solve

As GitLab is getting more and more popular, there are multiple instances I sign in to. For each one of them I need to add GPG/SSH keys. GitLab could help automate that by fetching keys using the Web Key Directory protocol.

This new scheme, implemented in gpg, allows easy and secure key discovery based on an e-mail address.

For example, this command:

gpg --locate-key test-wkd@metacode.biz

will fetch the key from my server over a secure connection (HTTPS). This does not use keyservers at all.

Further details

When signing up, or when a new verified e-mail address is added, GitLab could automatically fetch the keys for that address and add them to the user's keys.

Web Key Directory is supported by these clients:

  • gpg 2
  • EnigMail
  • OpenKeychain for Android
  • (support for more in progress: GpgOL...)

as well as by libraries (openpgp.js) and e-mail providers (posteo.de).

It is also easy to set up on one's own domain, and some prominent servers already use it (e.g. kernel.org).

Proposal

  1. When signing up or verifying an e-mail address
  2. Fetch the keys using Web Key Directory (this requires converting the e-mail address to a WKD URL)
  3. Add the key to the user's GPG keys
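Step 2 is the only non-trivial part of the proposal: deriving the WKD lookup URL from an e-mail address. The example below is added here to illustrate it and is not code from GitLab or from this issue. It follows the Web Key Directory draft: the local part of the address is lower-cased, hashed with SHA-1, and the 160-bit digest is encoded in z-base-32; gpg then tries the "advanced" URL on the openpgpkey subdomain first and falls back to the "direct" URL on the domain itself. The last function is an assumed, deliberately simple check that a fetched key's user ID actually carries the address that was looked up, which is the condition an importer should verify before attaching the key to an account (here addresses are compared case-insensitively, an assumption that matches how GitLab normalizes e-mail addresses).

```ruby
require 'digest'
require 'uri'

# z-base-32 alphabet as used by the WKD draft (draft-koch-openpgp-webkey-service).
ZBASE32 = 'ybndrfg8ejkmcpqxot1uwisza345h769'.freeze

# Encode a byte string whose bit length is a multiple of 5 (a 20-byte SHA-1
# digest is exactly 160 bits, i.e. 32 z-base-32 characters) MSB-first.
def zbase32_encode(bytes)
  bits = bytes.unpack1('B*')
  raise ArgumentError, 'bit length must be a multiple of 5' unless (bits.length % 5).zero?

  bits.scan(/.{5}/).map { |chunk| ZBASE32[chunk.to_i(2)] }.join
end

# WKD hashes the *lower-cased* local part, so Joe.Doe and joe.doe share a hash.
def wkd_hash(local_part)
  zbase32_encode(Digest::SHA1.digest(local_part.downcase))
end

# The two candidate URLs a WKD client tries, in the order gpg uses them.
# The ?l= query carries the local part as originally given (not lower-cased).
def wkd_urls(email)
  local, domain = email.split('@', 2)
  if local.nil? || domain.nil? || local.empty? || domain.empty?
    raise ArgumentError, "not an e-mail address: #{email.inspect}"
  end

  domain = domain.downcase
  hash = wkd_hash(local)
  query = "?l=#{URI.encode_www_form_component(local)}"
  {
    advanced: "https://openpgpkey.#{domain}/.well-known/openpgpkey/#{domain}/hu/#{hash}#{query}",
    direct: "https://#{domain}/.well-known/openpgpkey/hu/#{hash}#{query}"
  }
end

# Assumed helper: does a user ID such as "Joe Doe <joe.doe@example.org>"
# name the address we looked up? A key served at the right URL must still be
# checked against the requested address before it is attached to an account.
def uid_address_matches?(uid, email)
  address = uid[/<([^>]+)>/, 1] || uid.strip
  address.downcase == email.strip.downcase
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample address, not a real mailbox.
  urls = wkd_urls('Joe.Doe@Example.ORG')
  puts "advanced: #{urls[:advanced]}"
  puts "direct:   #{urls[:direct]}"
  puts "uid ok?   #{uid_address_matches?('Joe Doe <joe.doe@example.org>', 'Joe.Doe@Example.ORG')}"
end
```

Because the hash covers only the lower-cased local part, a server cannot distinguish differently-cased spellings of the same mailbox; that is by design, and it is why the importer, not the URL, has to confirm the user ID before trusting the key for a given account.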

What does success look like, and how can we measure that?

Signing up to a new instance, or adding a verified e-mail address, and then visiting the GPG keys section of the user's profile would show my key without manual entry.

Links / references

https://wiki.gnupg.org/WKD

If this proposal looks good to you I could work on a PR.