Questions regarding WKD/WKS

Andreas Heinlein aheinlein at gmx.com
Thu Dec 1 14:45:33 CET 2022


Hello,

I am trying to implement WKD/WKS and followed the tutorial here:
https://wiki.gnupg.org/WKS

I have a few questions:

1. If I follow the guidelines for creating the directory /var/lib/gnupg/wkd, it has ownership webkey:webkey and permissions 2750. So there is no chance for the apache user to be able to read anything within that directory. I could solve that by adding the apache user to the webkey group. Is that the intended solution?

2. I am stuck when submitting a key to the submission address for confirmation. I have created a key for the submission address as suggested and I am submitting the key encrypted and signed with the key I am submitting. On the server side, gpg-wks-server fails when trying to decrypt the key because it cannot verify the signature:

gpg-wks-server: t2body for level 0
gpg-wks-server: t2body for level 1
gpg-wks-server: t2body for level 1
gpg-wks-server: gpg: armor header: Version: GnuPG v1.4.11 (GNU/Linux)
gpg-wks-server: gpg: public key is ***
gpg-wks-server: gpg: using subkey *** instead of primary key ***
gpg-wks-server: gpg: public key is ***
gpg-wks-server: gpg: encrypted with ELG key, ID ***
gpg-wks-server: gpg: using subkey *** instead of primary key ***
gpg-wks-server: gpg: encrypted with 3072-bit RSA key, ID ***, created 2022-11-30
gpg-wks-server: gpg:       "schluessel@***.de"
gpg-wks-server: gpg: AES256 encrypted data
gpg-wks-server: gpg: original file name=''
gpg-wks-server: gpg: Signature made Wed Nov 30 12:27:14 2022 CET
gpg-wks-server: gpg:                using DSA key ***
gpg-wks-server: gpg: Can't check signature: No public key
gpg-wks-server: error running '/usr/bin/gpg': exit status 2
gpg-wks-server: decryption failed: General error
gpg-wks-server: parsing decrypted message
gpg-wks-server: no suitable data found in the message
gpg-wks-server: command failed: No data

There's obviously no chance verification could succeed. How can I turn this off? I tried creating /home/webkey/.gnupg/gpg.conf and adding "skip-verify" to it. This works on the command line, but has no effect on gpg-wks-server.

3. What is the behaviour when the WKS server receives a key for an address for which it already has a (different) key? Will it replace the old key, will it refuse or ignore the new one?

Thanks,
Andreas
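Behind question 1 is whether the process serving /var/lib/gnupg/wkd can actually read the published key files. As an added example (not from the post and not GnuPG's own code), this Python computes the WKD file name for an address and reports which path components a given uid and group set would be refused on; it assumes the gpg-wks-server layout <root>/<domain>/hu/<hash> and that the parents of the root directory are traversable.

```python
import hashlib
import os

# z-base-32 alphabet used by WKD for the hashed local part of an address.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    """z-base-32 without padding, most significant bits first."""
    nbits = len(data) * 8
    pad = (-nbits) % 5  # right-pad to whole 5-bit groups
    bits = int.from_bytes(data, "big") << pad
    return "".join(ZB32[(bits >> s) & 31] for s in range(nbits + pad - 5, -1, -5))

def wkd_hu_name(address: str) -> str:
    """File name under <domain>/hu/: z-base-32(SHA-1(lowercased local part))."""
    local_part = address.rsplit("@", 1)[0].lower()
    return zbase32(hashlib.sha1(local_part.encode("utf-8")).digest())

def unix_may_access(st: os.stat_result, uid: int, gids: set, want_exec: bool) -> bool:
    """Owner/group/other check; directories need r+x, plain files only r."""
    if uid == 0:
        return True
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    need = (0o5 if want_exec else 0o4) << shift
    return st.st_mode & need == need

def web_server_can_serve(wkd_root: str, domain: str, address: str,
                         uid: int, gids: set) -> list:
    """Walk wkd_root/<domain>/hu/<hash> (assumed layout) and return the
    components the web server's uid cannot read; [] means the key is servable.
    Parents of wkd_root (e.g. /var/lib/gnupg) are assumed traversable."""
    parts = [wkd_root, domain, "hu", wkd_hu_name(address)]
    blocked = []
    for i in range(1, len(parts) + 1):
        path = os.path.join(*parts[:i])
        try:
            st = os.stat(path)
        except FileNotFoundError:
            blocked.append(path + " (missing)")
            continue
        if not unix_may_access(st, uid, gids, want_exec=(i < len(parts))):
            blocked.append(path)
    return blocked
```

Call web_server_can_serve with the web server's uid and the group ids from id for that account, once without and once with the webkey group, to see exactly which components the group membership unlocks.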


