WKD for GitHub pages

Neal H. Walfield neal at walfield.org
Sat Jan 9 11:37:14 CET 2021

Hi Stefan,

On Fri, 08 Jan 2021 23:05:52 +0100,
Stefan Claas via Gnupg-users wrote:
> On Fri, Jan 8, 2021 at 10:21 PM Stefan Claas
> <spam.trap.mailing.lists at gmail.com> wrote:
> > I guess the only way to fix it (for many people) would be
> > that, as of my understanding (now) the WKD check
> > and SSL cert check would be a bit more flexible, either
> > in allowing subdomains, like the github.io ones in form
> > of a fix in the code or as setting in GnuPG' config file.
> >
> > I could be totally wrong of course, so let's see what
> > Werner says.
> Well, I guess I am right, just did a gpg --debug-level guru
> under cmd.exe:
> ...
> gpg: DBG: chan_0x00000254 -> WKD_GET -- stefan at sac001.github.io
> gpg: DBG: chan_0x00000254 <- S SOURCE https://openpgpkey.sac001.github.io
> gpg: DBG: chan_0x00000254 <- S NOTE tls_cert_error 285212985 bad cert
> for 'openpgpkey.sac001.github.io': Hostname does not match the
> certificate
> gpg: Hinweis: Der Server benutzt eine ungültiges Zertifikat
> gpg: DBG: chan_0x00000254 <- ERR 285212985 Falscher Name <TLS>

It appears that gpg is trying the advanced lookup method, gets an
error, and then doesn't fallback to the direct lookup method.  This is
consistent with the I-D:

   3.1.  Key Discovery


   There are two variants on how to form the request URI: The advanced
   and the direct method.  Implementations MUST first try the advanced
   method.  Only if the required sub-domain does not exist, they SHOULD
   fall back to the direct method.


It appears that github.com's DNS is configured such that all domains
under github.com resolve to github.com's web server, even
subsubdomains.  For instance,
https://asdflkjasdfj.asdflkjasdflkj.github.com/ resolves to a 404.

So, it seems that you'll need to create openpgpkey.sac001.github.com.
Further, you'll have to figure out how to get a valid certificate for
it.  At least Firefox considers github.com's certificate to be valid
for foo.github.com, but not bar.foo.github.com.

:) Neal

More information about the Gnupg-users mailing list