blog | ~bdeshi

tilde adventures wanderings.

setting up gpg web key directory

February 21, 2020 — ~bdeshi

so we know that keyservers were badly done. however, sharing gpg keys seems like a big hassle if we stop using keyservers.

but if you have your own web domain, then it becomes almost too easy, with gpg wkd.

the web key directory protocol basically means gpg looks at the email address of a given key id, and retrieves the key directly from the domain given in the email.

so setting up a web key directory requires that you have your own domain and an email address at that domain. tough luck to * users (unless you can hack into the server root! ;) )

so anyway, here's how to do it:

get the WKD hash of your gpg key:

$ gpg --fingerprint --with-wkd-hash 0xDEADCODEBAADCODE

which outputs

pub   rsa2048 2020-02-20 [SC]
      A52A 51D0 8ECD D98D 0D72  559D DEAD CODE BAAD CODE
uid           [ultimate] YOURNAME <main@YOURDOMAIN.tld>
              rzufz5uv2a9bq7youre9cool1pal6yqh@YOURDOMAIN.tld
sub   rsa2048 2020-02-20 [E]

the meaningless string up to the @ on line 4 is your hash.

you have to export your public key into a file with that hash as its name. the wkd draft asks for the binary key, not the ascii-armored one, so no -a here:

$ gpg --no-armor --output rzufz5uv2a9bq7youre9cool1pal6yqh --export 0xDEADCODEBAADCODE

great! now create a .well-known/openpgpkey/hu folder in your web server's public_html aka webroot. make sure indexing is disabled for this location in your web server.

then paste the exported publickey file as is into that hu folder.

also, you have to create an empty file called policy beside that hu folder.

so these URLs should point to those two files:

https://YOURDOMAIN.tld/.well-known/openpgpkey/hu/rzufz5uv2a9bq7youre9cool1pal6yqh
https://YOURDOMAIN.tld/.well-known/openpgpkey/policy

and that's done!

now anyone can do:

$ gpg --locate-key main@YOURDOMAIN.tld

and they're going to get your public key straight from the horse's mouth, so to say.
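what that hash actually is, and a way to sanity-check the folder before publishing: this is an added example, not code from the original post or from gnupg. it goes a bit beyond the direct method above by also building the "advanced" url on the openpgpkey subdomain and the ?l= query newer clients append (a static web server ignores it). the function names and the sample address are assumptions made for the example.

```python
import hashlib
from pathlib import Path
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet

def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant first."""
    nbits = len(data) * 8
    pad = -nbits % 5  # right-pad with zero bits to a multiple of 5
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32[(value >> s) & 31] for s in range(nbits + pad - 5, -1, -5))

def wkd_hash(local_part: str) -> str:
    """SHA-1 of the local part (ASCII letters lowercased), z-base-32 encoded."""
    return zbase32(hashlib.sha1(local_part.encode("utf-8").lower()).digest())

def wkd_urls(email: str) -> dict:
    """Lookup URLs for an address: 'advanced' (openpgpkey subdomain) and 'direct'."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h, query = wkd_hash(local), "?l=" + quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
        "policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }

def check_webroot(webroot: str, email: str) -> list:
    """Return problems found in the direct-method layout under webroot."""
    base = Path(webroot) / ".well-known" / "openpgpkey"
    key = base / "hu" / wkd_hash(email.rsplit("@", 1)[0])
    problems = []
    if not (base / "policy").is_file():
        problems.append("missing policy file")
    if not key.is_file():
        problems.append(f"missing key file hu/{key.name}")
    elif key.read_bytes().lstrip().startswith(b"-----BEGIN PGP"):
        problems.append("key file is ascii-armored; the wkd draft specifies the binary key")
    return problems

if __name__ == "__main__":
    # constructed sample address, not from the original post
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:9}{url}")
    print(check_webroot("public_html", "Joe.Doe@Example.ORG") or "layout ok")
```

the value from wkd_hash should match what gpg --with-wkd-hash prints for the same address.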

isn't this cool?

Tags: gpg, security, web

Where's your gpg key?

February 12, 2020 — ~bdeshi

so gpg keys are the standard method of identity and a common encryption method in the opensource world and elsewhere. it's logically and mathematically sound, and dependable as long as you know the source of the key. so like any good oss citizen, i also have gpg keys of my own, and dutifully put them online on various keyservers.

the web-of-trust model of key trustworthiness sounds very good: i trust you, i trust your key, so anyone who trusts me also trusts your key. so people sign each other's keys with their own signatures, and then anyone who finds those keys knows if they can be trusted by looking at who else has signed them.

but the infrastructure is apparently almost childish. there was a widespread vandalism attack in the recent past that basically destroyed usability of gpg keyservers.

it goes like this: someone adds a huge number of signatures to a public key, which blows up the key size, and then reuploads it to keyservers. this makes client software crash when trying to import those giant keyfiles.

i've discovered a new keyserver which tries to mitigate that problem: they make sure the email ids on uploaded keys can be verified, so just anyone can't upload random keys with your email id.

it's sensible. so i uploaded my key there.

also, meanwhile i found one of my older expired keys hanging around on a keyserver like nothing happened while i'd actually revoked it months ago. then deleted the revocation certificate. without uploading it on that particular server. so now that key has become immortal in one place.

by the way, my tilde GPG key is here: bdeshi.pubkey.asc

oh and i'm also on keybase, which wants to be a gpg-based social network!

Tags: gpg, identity, encryption