WKD for GitHub pages
Neal H. Walfield
neal at walfield.org
Sat Jan 9 11:37:14 CET 2021
Hi Stefan,
On Fri, 08 Jan 2021 23:05:52 +0100,
Stefan Claas via Gnupg-users wrote:
> On Fri, Jan 8, 2021 at 10:21 PM Stefan Claas
> <spam.trap.mailing.lists at gmail.com> wrote:
>
> > I guess the only way to fix it (for many people) would be
> > that, as of my understanding (now) the WKD check
> > and SSL cert check would be a bit more flexible, either
> > in allowing subdomains, like the github.io ones in form
> > of a fix in the code or as setting in GnuPG' config file.
> >
> > I could be totally wrong of course, so let's see what
> > Werner says.
>
> Well, I guess I am right, just did a gpg --debug-level guru
> under cmd.exe:
>
> ...
> gpg: DBG: chan_0x00000254 -> WKD_GET -- stefan at sac001.github.io
> gpg: DBG: chan_0x00000254 <- S SOURCE https://openpgpkey.sac001.github.io
> gpg: DBG: chan_0x00000254 <- S NOTE tls_cert_error 285212985 bad cert
> for 'openpgpkey.sac001.github.io': Hostname does not match the
> certificate
> gpg: Hinweis: Der Server benutzt eine ungültiges Zertifikat
> gpg: DBG: chan_0x00000254 <- ERR 285212985 Falscher Name <TLS>
It appears that gpg is trying the advanced lookup method, gets an
error, and then doesn't fall back to the direct lookup method. This is
consistent with the I-D:
3.1. Key Discovery
...
There are two variants on how to form the request URI: The advanced
and the direct method. Implementations MUST first try the advanced
method. Only if the required sub-domain does not exist, they SHOULD
fall back to the direct method.
https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07
It appears that github.com's DNS is configured such that all domains
under github.com resolve to github.com's web server, even
subsubdomains. For instance,
https://asdflkjasdfj.asdflkjasdflkj.github.com/ resolves to a 404.
So, it seems that you'll need to create openpgpkey.sac001.github.com.
Further, you'll have to figure out how to get a valid certificate for
it. At least Firefox considers github.com's certificate to be valid
for foo.github.com, but not bar.foo.github.com.
:) Neal
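The lookup behind the debug log above, as an added example (not code from the thread or from GnuPG): it derives the advanced and direct WKD URIs per draft-koch-openpgp-webkey-service for the address in the log, and applies the one-label wildcard rule (RFC 6125) that explains why a certificate assumed here to be issued for `*.github.io` covers sac001.github.io but not openpgpkey.sac001.github.io.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (draft-koch-openpgp-webkey-service)
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, MSB first, no padding."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5].ljust(5, "0"), 2)]
                   for i in range(0, len(bits), 5))


def wkd_uris(email: str) -> dict:
    """Return the advanced and direct WKD lookup URIs for an address.

    The local-part is lowercased before hashing with SHA-1; the 160-bit
    digest is z-base-32 encoded (32 characters). The original local-part
    is sent back unchanged in the 'l' query parameter.
    """
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hashed = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    query = f"?l={quote(local)}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
    }


def wildcard_cert_matches(cert_name: str, host: str) -> bool:
    """RFC 6125 rule: a leading '*' matches exactly one DNS label, nothing deeper."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                      # e.g. ".github.io"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]                 # what the '*' would have to cover
    return bool(label) and "." not in label     # one non-empty label only


if __name__ == "__main__":
    uris = wkd_uris("stefan@sac001.github.io")  # address from the debug log above
    print("advanced:", uris["advanced"])
    print("direct:  ", uris["direct"])
    # Assumed: the pages site is served with a '*.github.io' wildcard certificate.
    for host in ("sac001.github.io", "openpgpkey.sac001.github.io"):
        print(host, "covered by *.github.io:", wildcard_cert_matches("*.github.io", host))
```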