Questions regarding WKD/WKS

Werner Koch wk at
Fri Dec 2 14:59:05 CET 2022

On Thu,  1 Dec 2022 14:45, Andreas Heinlein said:

> 1. If I follow the guidelines for creating the directory
> /var/lib/gnupg/wkd, it has ownership webkey:webkey and permissions
> 2750. So there is no chance for the apache user to be able to read

That does not look right.  You should have o+rx for the directories and
o+r for the files.

> suggested and I am submitting the key encrypted and signed with the

You should not sign the message.

   The key to be published MUST be submitted using a PGP/MIME encrypted
   message ({{{RFC(3156)}}}, section 4).  The message MUST NOT be signed
   (because the authenticity of the signing key has not yet been

I would also strongly suggest using gpg-wks-client.

> gpg-wks-server: gpg: armor header: Version: GnuPG v1.4.11 (GNU/Linux)

GnuPG 1.4 - really?  Don't do this.  And in particular not a 12 year old

> 3. What is the behaviour when the WKS server receives a key for an
> address for which it already has a (different) key? Will it replace
> the old key, will it refuse or ignore the new one?

The old key will be replaced after the confirmation has been received.



The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
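
Added example (not part of the original message and not GnuPG code): shell functions that audit a WKD tree for the o+rx / o+r bits recommended in the reply above and add only the bits that are missing. The function names are hypothetical and the default path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: audit a WKD tree for world-read access by the web server.
# Function names are hypothetical; the default path is the one from the thread.
# Usage after sourcing this file:  wkd_audit /var/lib/gnupg/wkd

# Print every directory lacking o+rx and every file lacking o+r under $1.
# Octal -perm tests are used for portability: 0005 = o+rx, 0004 = o+r.
wkd_audit() {
    root=${1:-/var/lib/gnupg/wkd}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type d ! -perm -0005 -print | sed 's/^/DIR  missing o+rx: /'
    find "$root" -type f ! -perm -0004 -print | sed 's/^/FILE missing o+r:  /'
}

# Number of offending entries; 0 means every directory below $1 is
# traversable and every file is readable by "other".
wkd_audit_count() {
    wkd_audit "$1" | wc -l | tr -d ' '
}

# Add only the missing world bits. Owner, group and any setgid bit
# (the 2 in 2750) are left as they are.
wkd_fix() {
    root=${1:-/var/lib/gnupg/wkd}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type d ! -perm -0005 -exec chmod o+rx {} +
    find "$root" -type f ! -perm -0004 -exec chmod o+r {} +
}
```

The audit only looks below the given directory; the parent directories leading to it must also be traversable by the web server user.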