 
Commits (2)
GEM
remote: https://rubygems.org/
specs:
addressable (2.5.2)
public_suffix (>= 2.0.2, < 4.0)
asciidoctor (1.5.6.1)
addressable (2.7.0)
public_suffix (>= 2.0.2, < 5.0)
asciidoctor (2.0.10)
colorator (1.1.0)
commonjs (0.2.7)
ffi (1.9.18)
concurrent-ruby (1.1.6)
em-websocket (0.5.1)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0)
eventmachine (1.2.7)
ffi (1.12.2)
forwardable-extended (2.6.0)
jekyll (3.5.2)
http_parser.rb (0.6.0)
i18n (1.8.2)
concurrent-ruby (~> 1.0)
jekyll (4.1.0)
addressable (~> 2.4)
colorator (~> 1.0)
jekyll-sass-converter (~> 1.0)
jekyll-watch (~> 1.1)
kramdown (~> 1.3)
em-websocket (~> 0.5)
i18n (~> 1.0)
jekyll-sass-converter (~> 2.0)
jekyll-watch (~> 2.0)
kramdown (~> 2.1)
kramdown-parser-gfm (~> 1.0)
liquid (~> 4.0)
mercenary (~> 0.3.3)
mercenary (~> 0.4.0)
pathutil (~> 0.9)
rouge (~> 1.7)
rouge (~> 3.0)
safe_yaml (~> 1.0)
jekyll-asciidoc (2.1.0)
terminal-table (~> 1.8)
jekyll-asciidoc (3.0.0)
asciidoctor (>= 1.5.0)
jekyll (>= 2.3.0)
jekyll (>= 3.0.0)
jekyll-less (0.0.4)
jekyll (>= 0.10.0)
less (>= 2.0.5)
jekyll-sass-converter (1.5.0)
sass (~> 3.4)
jekyll-sitemap (1.2.0)
jekyll (~> 3.3)
jekyll-watch (1.5.0)
listen (~> 3.0, < 3.1)
kramdown (1.15.0)
jekyll-sass-converter (2.1.0)
sassc (> 2.0.1, < 3.0)
jekyll-sitemap (1.4.0)
jekyll (>= 3.7, < 5.0)
jekyll-watch (2.2.1)
listen (~> 3.0)
kramdown (2.2.1)
rexml
kramdown-parser-gfm (1.1.0)
kramdown (~> 2.0)
less (2.6.0)
commonjs (~> 0.2.7)
libv8 (3.16.14.19)
liquid (4.0.0)
listen (3.0.8)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
mercenary (0.3.6)
multi_json (1.12.2)
pathutil (0.14.0)
liquid (4.0.3)
listen (3.2.1)
rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10)
mercenary (0.4.0)
multi_json (1.14.1)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (3.0.0)
pygments.rb (1.2.0)
public_suffix (4.0.5)
pygments.rb (1.2.1)
multi_json (>= 1.0.0)
rb-fsevent (0.10.2)
rb-inotify (0.9.10)
ffi (>= 0.5.0, < 2)
redcarpet (3.4.0)
rb-fsevent (0.10.4)
rb-inotify (0.10.1)
ffi (~> 1.0)
redcarpet (3.5.0)
ref (2.0.0)
rouge (1.11.1)
safe_yaml (1.0.4)
sass (3.5.1)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
rexml (3.2.4)
rouge (3.19.0)
safe_yaml (1.0.5)
sassc (2.3.0)
ffi (~> 1.9)
terminal-table (1.8.0)
unicode-display_width (~> 1.1, >= 1.1.1)
therubyracer (0.12.3)
libv8 (~> 3.16.14.15)
ref
unicode-display_width (1.7.0)
PLATFORMS
ruby
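Review bot: therubyracer (0.12.3) and libv8 (3.16.14.19) come through this hunk unchanged while everything around them moves to jekyll 4.1.0, kramdown 2.2.1 and rouge 3.19.0; the only consumer visible here is the Less chain (jekyll-less 0.0.4 → less 2.6.0 → commonjs 0.2.7), which needs a JavaScript runtime. Confirm the Less pipeline is still used by the site; if not, drop jekyll-less together with the `therubyracer!` pin in DEPENDENCIES instead of carrying a 3.16-series V8 build forward into a Jekyll 4 lock.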
......@@ -75,4 +91,4 @@ DEPENDENCIES
therubyracer!
BUNDLED WITH
1.17.2
1.17.3
......@@ -33,7 +33,7 @@ sass:
style: compressed
# Build settings
markdown: redcarpet
markdown: kramdown
highlighter: pygments
include: [
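Review bot: `markdown:` moves from redcarpet to kramdown to match the kramdown 2.2.1 / jekyll 4.1.0 bump in the lock, but `highlighter: pygments` is carried over unchanged. Pygments means shelling out to Python through pygments.rb at build time, and the lock already resolves rouge 3.19.0; setting `highlighter: rouge` here would remove that build-time dependency and keep the highlighter in the Ruby process.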
......
---
title: Setting Up a PGP Webkey Directory
layout: post
tags: Git Cgit Gentoo
social: {}
description: >
  A friend on IRC asked me how I made my PGP key available in a webkey
  directory. This post will detail my path, so you can easily set it up for
  yourself.
---
A little while ago, a friend on IRC asked me how I set up a PGP webkey
directory on my website. For those that don't know, a webkey directory is a
method to find keys through `gpg`'s `--locate-key` command. This allows people
to find my key using this command:
{% highlight sh %}
gpg --locate-key [email protected]
{% endhighlight %}
This is a very user-friendly way for people to get your key, as compared to
using long IDs.
This post will walk you through setting it up on your site, so you can make
your key more easily accessible to other people.
## Set up the infrastructure
For a webkey directory to work, you simply need to have your key available at a
certain path on your website. The base path for this is
`.well-known/openpgpkey/`.
{% highlight sh %}
mkdir -p .well-known/openpgpkey
{% endhighlight %}
The webkey protocol checks that a `policy` file exists, so you must create
this too. The file can be completely empty, and that's exactly how I have it.
{% highlight sh %}
touch .well-known/openpgpkey/policy
{% endhighlight %}
The key(s) will be placed in the `hu` directory, so create this one too.
{% highlight sh %}
mkdir .well-known/openpgpkey/hu
{% endhighlight %}
## Adding your PGP key
The key itself is just a standard export of your key, without ASCII armouring.
However, the key does need to have its file **name** in a specific format.
Luckily, you can just show this format with `gpg`'s `--with-wkd-hash` option.
{% highlight sh %}
gpg --with-wkd-hash -k [email protected]
{% endhighlight %}
This will yield output that may look something like this:
{% highlight text %}
pub rsa4096/0x7A6AC285E2D98827 2018-09-04 [SC]
Key fingerprint = 1660 F6A2 DFA7 5347 322A 4DC0 7A6A C285 E2D9 8827
uid [ultimate] Patrick Spek <[email protected]>
[email protected]
sub rsa2048/0x031D65902E840821 2018-09-04 [S]
sub rsa2048/0x556812D46DABE60E 2018-09-04 [E]
sub rsa2048/0x66CFE18D6D588BBF 2018-09-04 [A]
{% endhighlight %}
What we're interested in is the `uid` line with the hash in the local-part of
the email address, which would be `[email protected]`.
For the filename, we only care about the local-part itself, meaning the export
of the key must be saved in a file called `i4fxxwcfae1o4d7wnb5bop89yfx399yf`.
{% highlight sh %}
gpg --export 0x7A6AC285E2D98827 > .well-known/openpgpkey/hu/i4fxxwcfae1o4d7wnb5bop89yfx399yf
{% endhighlight %}
## Configuring your webserver
Lastly, your webserver may require some configuration to serve the files
correctly. For my blog, I'm using [`lighttpd`](https://www.lighttpd.net/), for
which I use the following configuration block.
{% highlight lighttpd %}
$HTTP["url"] =~ "^/.well-known/openpgpkey" {
    setenv.add-response-header = (
        "Access-Control-Allow-Origin" => "*",
    )
}
{% endhighlight %}
It may be worthwhile to note that if you do any redirection on your domain,
such as adding `www.` in front of it, the key lookup may fail. The error
message given by `gpg` on WKD lookup failures is... poor to say the least, so
if anything goes wrong, try some verbose `curl` commands and ensure that the
key is accessible at the right path in a single HTTP request.
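To tie the steps above together (the directory layout, the file name that `gpg --with-wkd-hash` prints, and the single-request check suggested for debugging), here is an added Ruby example; it is not code from the original post. It reimplements the WKD file-name rule (SHA-1 over the ASCII-lowercased local-part, encoded with z-base-32), derives the lookup URL for the layout described here and, going one step beyond the post, also the `openpgpkey.` subdomain URL that newer `gpg` versions try first, creates the `.well-known/openpgpkey` layout, and judges an HTTP response the way a `curl` check would. The module name `WKD`, its method names and the sample address `Joe.Doe@Example.ORG` (the example address used by the WKD draft) are my own choices.

```ruby
require 'digest'
require 'fileutils'
require 'net/http'
require 'uri'

# Added example, not code from the post. Reproduces the file-name rule that
# `gpg --with-wkd-hash` prints, builds the lookup URLs, creates the
# .well-known/openpgpkey layout and sanity-checks the published key.
module WKD
  # z-base-32 alphabet, as used by GnuPG for the hu/ file names.
  ZBASE32 = 'ybndrfg8ejkmcpqxot1uwisza345h769'.freeze
  BASE    = File.join('.well-known', 'openpgpkey').freeze

  # z-base-32: 5 bits per character, most significant bit first, no padding.
  def self.zbase32(bytes)
    bytes.unpack1('B*').scan(/.{1,5}/).map { |b| ZBASE32[b.ljust(5, '0').to_i(2)] }.join
  end

  # SHA-1 over the ASCII-lowercased local-part, z-base-32 encoded: this is
  # the local-part gpg shows in the extra uid line and the name under hu/.
  def self.hash_for(email)
    local = email.split('@', 2).first
    zbase32(Digest::SHA1.digest(local.downcase(:ascii)))
  end

  # "Direct method" URL: the layout this post sets up on the main domain.
  def self.direct_url(email)
    local, domain = email.split('@', 2)
    "https://#{domain.downcase}/#{BASE}/hu/#{hash_for(email)}?l=#{URI.encode_www_form_component(local)}"
  end

  # "Advanced method" URL, tried first by current gpg: an openpgpkey.
  # subdomain with the domain repeated in the path.
  def self.advanced_url(email)
    local, domain = email.split('@', 2)
    "https://openpgpkey.#{domain.downcase}/#{BASE}/#{domain.downcase}/hu/#{hash_for(email)}?l=#{URI.encode_www_form_component(local)}"
  end

  # Empty policy file plus the hu/ directory, exactly as in the post.
  def self.prepare(root)
    FileUtils.mkdir_p(File.join(root, BASE, 'hu'))
    FileUtils.touch(File.join(root, BASE, 'policy'))
    root
  end

  # Every OpenPGP packet starts with a tag byte whose bit 7 is set (RFC 4880),
  # so an ASCII-armoured export ('-----BEGIN ...') or an HTML error page fails.
  def self.key_problems(data)
    data = data.to_s
    return ['key data is empty'] if data.empty?
    return [] if (data.b[0].ord & 0x80) != 0
    ['key is not binary OpenPGP data (ASCII armour or an error page?)']
  end

  # Checks the on-disk layout for one address.
  def self.check_layout(root, email)
    problems = []
    problems << 'policy file missing' unless File.file?(File.join(root, BASE, 'policy'))
    key = File.join(root, BASE, 'hu', hash_for(email))
    if File.file?(key)
      problems.concat(key_problems(File.binread(key, 64)))
    else
      problems << "no key file at #{key}"
    end
    problems
  end

  # Judges a single HTTP response: the key must come back from the queried
  # URL in one request, so a redirect (e.g. to www.) is reported as a problem.
  def self.diagnose(status, headers, body)
    problems = []
    if (300..399).cover?(status)
      problems << "redirected (HTTP #{status}) to #{headers['location']}; serve the key without redirects"
    elsif status != 200
      problems << "HTTP #{status} instead of 200"
    else
      problems.concat(key_problems(body))
    end
    problems << 'no Access-Control-Allow-Origin header' unless headers.key?('access-control-allow-origin')
    problems
  end

  # One GET over HTTPS; Net::HTTP#get never follows redirects, which is the point.
  def self.fetch_once(url)
    uri = URI(url)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.get(uri.request_uri) }
    diagnose(res.code.to_i, res.to_hash.transform_values(&:first), res.body)
  end
end

if $PROGRAM_NAME == __FILE__
  email = ARGV.fetch(0, 'Joe.Doe@Example.ORG') # sample address from the WKD draft
  puts "hash:     #{WKD.hash_for(email)}"
  puts "direct:   #{WKD.direct_url(email)}"
  puts "advanced: #{WKD.advanced_url(email)}"
  puts WKD.fetch_once(WKD.direct_url(email)).inspect if ARGV[1] == '--probe'
end
```

Run it with an address to print the hash and both URLs; pass `--probe` as a second argument to issue the single GET against the direct URL. WKD clients only query over HTTPS, so the paths must answer on `https://` with the binary key (HTTP 200, no redirect) for `--locate-key` to succeed.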
## Wrapping up
That's all there's to it! Adding this to your site should be relatively
straightforward, but it may be a huge convenience to anyone looking for your
key. If you have any questions or feedback, feel free to reach out to me!