A question about WKD
wiktor at metacode.biz
Wed Jan 2 11:18:25 CET 2019
On 01.01.2019 13:19, Stefan Claas wrote:
> Hi Wiktor and all,
> since my current WKD key is a temporary key i would like to know
> for best practice the following:
> In a couple of days i will receive my Kanguru Defender 3000 USB stick
> and then i will create a new key pair and put it on the stick, along
> with other things. This key will then also be signed by Governikus.
> Because WKD currently does not cover revocation certs i would like
> to know how to continue. Should i upload then my revoked temp
> key to SKS or should i simply replace the keys. If possible i would
> like to avoid SKS usage in the future.
> Does GnuPG detects when i use a new WKD pub key, once i signed
> a new message?
Revoke your current key locally and generate a new one, now export both binary
keys (that includes revocation) to a file. Place it in .well-known/openpgpkey/hu
overwriting the old file.
Now, when GnuPG does --locate-key it will fetch both keys, revoke your old one
and add the new one.
If someone already has your old key GnuPG will do the fetch automatically when
the old key expires (you didn't use expiry as far as I can see so it won't
One can still "force" the WKD refresh using:
$ gpg --auto-key-locate clear,wkd,nodefault --locate-key sac at 300baud.de
I just tested this all with some dummy key on my end and it worked just fine...
hope it works on your end too.
As for signing, if you specify signing key using "e-mail notation" GnuPG will
embed Signer's UID packet and when the recipient uses --auto-key-retrieve it
will grab your key using WKD instead of keyservers. But I didn't test what would
happen if the old key is already present in the keyring that doesn't match the
signature, probably nothing.
(You can inspect this file with pgpdump if you want to see the packet:
$ curl https://metacode.biz/.well-known/security.txt | pgpdump
Happy New Year!
More information about the Gnupg-users