Make your GnuPG key discoverable via Web Key Directory

Fabio Natali, 24 November 2024

Intro

These are the steps I followed to add GnuPG's Web Key Directory (WKD) to my website. The WKD mechanism, specified in this Active Internet-Draft, makes it possible "to locate OpenPGP keys by mail address using a Web service and the HTTPS protocol".

How to use it

For a long time, OpenPGP key servers were the main way to retrieve someone's OpenPGP key given their email address, key ID, or key fingerprint. Over time, however, the design of OpenPGP key servers has shown various limitations (e.g. no retraction mechanism), and the experience of using them hasn't always been perfectly smooth (e.g. synchronisation and reliability issues). More details in this Wikipedia article.

A few years ago Web Key Directory (WKD) was introduced as a further mechanism to find and retrieve OpenPGP keys. In a nutshell, WKD defines how OpenPGP keys can be made available for download via HTTPS.

WKD makes the following assumptions. It assumes that the OpenPGP key is associated with an email address (e.g. alice@example.com) and that the key owner (Alice) has control over the email domain (example.com). In its simplest form, WKD assumes that Alice can set up a web server serving content via HTTPS from example.com.

Alice can use gpg-wks-server to export their OpenPGP public key:

mkdir --mode=750 WKD-PATH
gpg-wks-server --directory WKD-PATH --install-key KEY-ID EMAIL-ADDRESS

WKD-PATH, KEY-ID, and EMAIL-ADDRESS are placeholders for, respectively, the local path where the command output is saved, the OpenPGP key ID, and the associated email address.

Alice can then take the WKD folder from the previous step and publish it on their domain under https://example.com/.well-known/openpgpkey/. This step largely depends on how Alice's website gets deployed.

This is a tad niche, but in my particular case I use Emacs Org as a static site generator. I use gpg-wks-server as shown above to create a WKD folder. Once added to the website repository, the folder gets picked up by the website build script, thanks to this little Emacs Lisp snippet:

;; Publishing project that copies the WKD folder verbatim (no Org export)
;; into the .well-known/openpgpkey directory of the built site.
("wkd"
 :base-directory "src/wkd/fabionatali.com"
 :base-extension any
 :recursive t
 :publishing-directory "build/html/.well-known/openpgpkey"
 :publishing-function org-publish-attachment)

...

;; The "wkd" project must be listed among the components of the
;; top-level project, so that it is published together with the rest.
("all"
 :components ("site" "site-assets" ... "wkd"))

As I said, this is very specific to the way my website is built. Regardless of the technology used by your website, the gist is that the WKD folder needs to be served from https://YOUR-DOMAIN/.well-known/openpgpkey/.

With that in place, this is how to check that everything works as expected:

gpg --auto-key-locate wkd --locate-keys alice@example.com

If you've already got Alice's key in your keyring, the command above will simply return the local copy rather than fetching anything. To force an actual WKD lookup, run it from within an empty GnuPG home folder, by setting GNUPGHOME=/tmp/some-empty-folder.
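Before publishing, it helps to know which file gpg --locate-keys is going to ask for, so you can confirm it exists in the WKD folder and is reachable at the right URL. The following Python script is an added example, not part of the original post or of GnuPG: it derives the WKD file name the way the Internet-Draft specifies (SHA-1 of the lowercased local part of the address, encoded with z-base-32, 32 characters), builds the URL for both the direct method used above and the advanced method (openpgpkey subdomain), and checks a gpg-wks-server style folder for the key file and the policy file. The folder layout it assumes (WKD-PATH/DOMAIN/hu/HASH plus WKD-PATH/DOMAIN/policy) is what gpg-wks-server --install-key produces; the test vector for Joe.Doe@Example.ORG comes from the draft itself; the sample folder built by build_sample_wkd_dir is constructed for the demonstration and contains empty placeholder files instead of real keys.

```python
import base64
import hashlib
import os
import tempfile
from urllib.parse import quote

# z-base-32 alphabet mandated by WKD, mapped position-wise onto the
# RFC 4648 base32 alphabet so the standard library encoder can be reused
# (same 5-bit grouping, different symbols, no padding for 20-byte input).
RFC4648_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZBASE32 = str.maketrans(RFC4648_ALPHABET, ZBASE32_ALPHABET)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZBASE32)


def wkd_url(email: str, advanced: bool = False) -> str:
    """URL a WKD client requests for EMAIL.

    Direct method:   https://DOMAIN/.well-known/openpgpkey/hu/HASH?l=LOCAL
    Advanced method: https://openpgpkey.DOMAIN/.well-known/openpgpkey/DOMAIN/hu/HASH?l=LOCAL
    The l parameter carries the local part in its original case.
    """
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    query = "?l=" + quote(local, safe="")
    if advanced:
        return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{wkd_hash(local)}{query}")
    return f"https://{domain}/.well-known/openpgpkey/hu/{wkd_hash(local)}{query}"


def check_wkd_dir(wkd_path: str, email: str) -> list:
    """Return the paths that are missing from a gpg-wks-server style folder.

    Assumed layout (what --install-key produces):
      WKD-PATH/DOMAIN/hu/HASH   the binary public key
      WKD-PATH/DOMAIN/policy    the (possibly empty) policy file
    An empty list means the folder is ready to be published.
    """
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    expected = [
        os.path.join(wkd_path, domain, "hu", wkd_hash(local)),
        os.path.join(wkd_path, domain, "policy"),
    ]
    return [path for path in expected if not os.path.isfile(path)]


def build_sample_wkd_dir(email: str) -> str:
    """Constructed sample folder for EMAIL with empty placeholder files.

    A real folder holds the exported key, this one only mimics the layout
    so that check_wkd_dir can be exercised offline.
    """
    wkd_path = tempfile.mkdtemp(prefix="wkd-")
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    os.makedirs(os.path.join(wkd_path, domain, "hu"), mode=0o750)
    for rel in (os.path.join("hu", wkd_hash(local)), "policy"):
        with open(os.path.join(wkd_path, domain, rel), "wb") as fh:
            fh.write(b"")  # placeholder instead of a real key / policy
    return wkd_path


if __name__ == "__main__":
    # Draft example: Joe.Doe@Example.ORG -> hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q
    print(wkd_url("Joe.Doe@Example.ORG"))
    print(wkd_url("alice@example.com", advanced=True))
    sample = build_sample_wkd_dir("alice@example.com")
    print("missing for alice:", check_wkd_dir(sample, "alice@example.com"))
    print("missing for bob:  ", check_wkd_dir(sample, "bob@example.com"))
```

Point check_wkd_dir at the real WKD-PATH from the export step and, once the folder is live, request the printed direct-method URL with curl (it should return binary key data, not an HTML error page) before trying gpg --locate-keys from an empty GNUPGHOME.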

Outro

I'd meant to look into WKD for a long time, and I'm glad I finally found the time to do it now. This is far from being a WKD tutorial; it's just a quick description of what WKD is used for and how it can be set up in a very specific case, i.e. in the context of a static website. Still, I hope it can be useful to someone!

Revision 3a220d5.