GPG: Automatically fetch keys using Web Key Directory protocol
Problem to solve
As GitLab is getting more and more popular, there are multiple instances I'm signing in to. For each one of them I need to add GPG/SSH keys. GitLab could help automate that by fetching keys using the Web Key Directory protocol.
This scheme, implemented in gpg, allows easy and secure key discovery based on an e-mail address.
For example, this command:
gpg --locate-key test-wkd@metacode.biz
will fetch the key from my server over a secure connection (HTTPS). This does not use keyservers at all.
Further details
When signing up, or when a new verified e-mail is added, GitLab could automatically fetch the keys for that e-mail and add them to the user's keys.
Web Key Directory is supported by these clients:
- gpg 2
- Enigmail
- OpenKeychain for Android
- (support for more in progress: GpgOL...)
as well as by libraries (openpgp.js) and e-mail providers (posteo.de).
It is also easy to set up on one's own domain, and some prominent servers already use it (e.g. kernel.org).
Proposal
- When signing up or verifying an e-mail
- Fetch the keys using Web Key Directory (this requires converting the e-mail address to a WKD URL)
- Add the key to the user's GPG keys
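The second step, converting an e-mail address to its WKD lookup URLs, as an added example in Ruby (not code from this issue or from GitLab): the local part is lowercased, SHA-1 hashed and z-base-32 encoded, then placed in the "advanced" and "direct" URL forms defined by the WKD draft; the e-mail address used below is the draft's own example, and the function and constant names are my own.

```ruby
require 'digest'
require 'uri'

# Zooko's z-base-32 alphabet as used by GnuPG for WKD hashed user IDs.
ZBASE32_ALPHABET = 'ybndrfg8ejkmcpqxot1uwisza345h769'.freeze

# z-base-32 encode a byte string: bits are consumed most-significant
# first, five at a time, with no padding characters appended.
def zbase32_encode(bytes)
  bits = bytes.unpack1('B*')
  bits += '0' * ((5 - bits.length % 5) % 5) # pad to a multiple of 5 bits
  bits.scan(/.{5}/).map { |chunk| ZBASE32_ALPHABET[chunk.to_i(2)] }.join
end

# WKD "hashed user ID": SHA-1 of the lowercased local part, z-base-32
# encoded. 160 bits / 5 = exactly 32 characters.
def wkd_hash(local_part)
  zbase32_encode(Digest::SHA1.digest(local_part.downcase))
end

# Build both candidate lookup URLs for an address. gpg tries the advanced
# method (openpgpkey.<domain> subdomain) first and falls back to the direct
# method on the domain itself; both are HTTPS only. The "l=" query carries
# the local part exactly as given, so a server can disambiguate case.
def wkd_urls(email)
  local, domain = email.split('@', 2)
  if local.nil? || domain.nil? || local.empty? || domain.empty?
    raise ArgumentError, "not an e-mail address: #{email.inspect}"
  end
  domain = domain.downcase
  hash = wkd_hash(local)
  query = "l=#{URI.encode_www_form_component(local)}"
  {
    advanced: "https://openpgpkey.#{domain}/.well-known/openpgpkey/#{domain}/hu/#{hash}?#{query}",
    direct: "https://#{domain}/.well-known/openpgpkey/hu/#{hash}?#{query}"
  }
end

if __FILE__ == $PROGRAM_NAME
  # Example address from the WKD draft; its hash is a known test vector.
  wkd_urls('Joe.Doe@Example.ORG').each { |method, url| puts "#{method}: #{url}" }
end
```

Whatever is fetched from these URLs is a raw binary OpenPGP key and should still be validated (it parses, and carries a user ID matching the verified e-mail) before being attached to the account.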
What does success look like, and how can we measure that?
Signing up to a new instance, or adding a verified e-mail, and then visiting the GPG keys section in the user's profile would show my key without manual entry.
Links / references
If this proposal looks good to you I could work on a PR.