Hints on how to check for a WKD key (was: Trying to get PKA working)

Werner Koch wk at gnupg.org
Wed Feb 21 17:16:57 CET 2024


On Wed, 21 Feb 2024 15:52, Philip Colmer said:

> that works. The wiki (https://wiki.gnupg.org/WKDHosting) says to use
> gpg --homedir "$(mktemp -d)" --verbose --locate-keys
> your.email at example.org ... and this doesn't work.

It's a wiki and people change it at will and, worse, nobody checks and
updates it.

The above seems to be an old idea to make sure that the key does not yet
exist.  In contrast to --locate-key, --locate-external-key loads the key
from external resources even if it already exists.  Thus this is a
refresh-key function.  Some folks don't like to clutter their keyring
with more keys and thus use a temporary GNUPGHOME directory (i.e.
--homedir). For me the above works:

$ gpg --homedir "$(mktemp -d)" --verbose --locate-keys wk at gnupg.org
[...]
gpg: pub  ed25519/63113AE866587D0A 2018-09-28  wk at gnupg.org
gpg: key 63113AE866587D0A: public key "wk at gnupg.org" imported
gpg: no running gpg-agent - starting '/usr/local/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to the agent established
gpg: Total number processed: 1
gpg:               imported: 1
gpg: auto-key-locate found fingerprint AEA84EDCF01AD86C4701C85C63113AE866587D0A
gpg: automatically retrieved 'wk at gnupg.org' via WKD
pub   ed25519 2018-09-28 [SC] [expires: 2027-01-31]
      AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid           [ unknown] wk at gnupg.org
sub   cv25519 2018-09-28 [E] [expired: 2022-01-31]
sub   ed25519 2020-08-04 [S]
sub   brainpoolP384r1 2021-06-28 [E] [expires: 2027-01-10]

Another way to test is

$ gpg-wks-client check -v wk at gnupg.org
gpg-wks-client: public key for 'wk at gnupg.org' found via WKD
gpg-wks-client: fingerprint: AEA84EDCF01AD86C4701C85C63113AE866587D0A
gpg-wks-client:     user-id: wk at gnupg.org
gpg-wks-client:     created: Mon 01 Oct 2018 05:39:07 PM CEST
gpg-wks-client:   addr-spec: wk at gnupg.org

This is the development version; you need to use the classical thing though:

$ gpg-wks-client --check -v wk at gnupg.org

If you add --debug=ipc you can actually see what has been requested from
the server.  Without any option you just get a return status for
scripting.

Now someone(tm) should update the wiki.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
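As an added example, not part of Werner's message and not GnuPG's own code: the script below derives the two URLs a WKD client asks for (the advanced and the direct method, per draft-koch-openpgp-webkey-service: SHA-1 of the lower-cased local part, z-base-32 encoded, under /.well-known/openpgpkey/), which is the same request --debug=ipc lets you watch dirmngr make. It can optionally fetch the URL and check that the server returns a binary key rather than an ASCII-armoured one, a common hosting mistake. The user-agent string, the fall-back-on-any-error behaviour and the default address are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Derive, and optionally fetch, the Web Key Directory (WKD) URLs for a mail
address.  Added example, not code from the mailing-list post or from GnuPG."""
import hashlib
import string
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# z-base-32 alphabet as used by WKD (not the RFC 4648 base32 alphabet).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Assumed value; it only identifies this script to the server.
USER_AGENT = "wkd-check-example/0.1"


def zbase32(data: bytes) -> str:
    """z-base-32 encode data, 5 bits per character, most significant bit first."""
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) % 5:  # pad the last group; a 20-byte SHA-1 needs no padding
        bits += "0" * (5 - len(bits) % 5)
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD hashes the local part with only ASCII letters mapped to lower case."""
    mapped = local_part.translate(
        str.maketrans(string.ascii_uppercase, string.ascii_lowercase))
    return zbase32(hashlib.sha1(mapped.encode("utf-8")).digest())


def wkd_urls(addr: str) -> Tuple[str, str]:
    """Return (advanced-method URL, direct-method URL) for a mail address."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {addr!r}")
    domain = domain.lower()
    digest = wkd_hash(local)
    # The l= parameter carries the local part as written, not the mapped one.
    query = "?l=" + urllib.parse.quote(local, safe="")
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{digest}{query}")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{digest}{query}"
    return advanced, direct


def looks_like_binary_openpgp(blob: bytes) -> bool:
    """WKD must serve a binary key: the first byte of an OpenPGP packet has
    bit 7 set.  An armoured file ("-----BEGIN PGP ...") fails this check."""
    return len(blob) > 0 and (blob[0] & 0x80) == 0x80


def fetch_key(url: str, timeout: float = 10.0) -> Optional[bytes]:
    """GET the URL; None on any network or HTTP error.  Needs network access."""
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None


def check_wkd(addr: str) -> Optional[Tuple[str, bytes]]:
    """Try the advanced method, then the direct one (the draft's order;
    falling back on any error is a simplification of the DNS rule it gives).
    Returns (url, key bytes) for the first URL that served a binary key."""
    for url in wkd_urls(addr):
        blob = fetch_key(url)
        if blob is not None and looks_like_binary_openpgp(blob):
            return url, blob
    return None


if __name__ == "__main__":
    address = sys.argv[1] if len(sys.argv) > 1 else "wk@gnupg.org"
    for u in wkd_urls(address):
        print(u)
    if "--fetch" in sys.argv[2:]:
        hit = check_wkd(address)
        print("found %d bytes at %s" % (len(hit[1]), hit[0])
              if hit else "no binary key served")
```

Run it as `python3 wkd_urls.py your.email@example.org` to see the URLs, and add `--fetch` to retrieve the key; a returned blob can be piped into `gpg --import` for a full comparison with what `gpg-wks-client --check` reports. The draft also requires a policy file under /.well-known/openpgpkey/, which this script does not check.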