til on Mister Muffin Blog http://blog.mister-muffin.de/tags/til/ Recent content in til on Mister Muffin Blog Hugo -- gohugo.io en-us Mon, 31 Mar 2025 16:07:19 +0000 TIL: OpenPGP Web Key Directory http://blog.mister-muffin.de/2025/03/31/til-openpgp-web-key-directory/ Mon, 31 Mar 2025 16:07:19 +0000 http://blog.mister-muffin.de/2025/03/31/til-openpgp-web-key-directory/ <p>Today I was looking for a way on how to best publish my OpenPGP key on my webserver. Surely, somebody came up with some sort of standard way for where to place that key, right? Turns out, they did: <a href="https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/">https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/</a></p> <p>The TLDR summary is, that my key can now be found here:</p> <p><a href="https://mister-muffin.de/.well-known/openpgpkey/hu/8yxgr5jjfok88r9um56kb44x9h4dyj7f">https://mister-muffin.de/.well-known/openpgpkey/hu/8yxgr5jjfok88r9um56kb44x9h4dyj7f</a></p> <p>Or be downloadable by just running:</p> <pre><code>$ gpg --locate-key josch@mister-muffin.de </code></pre> <p>Where does the hash come from? It&rsquo;s the local part of my email (josch) hashed with sha1 and encoded in <a href="https://en.wikipedia.org/wiki/Base32#z-base-32">z-base32</a>. That computation can be done by gpg:</p> <pre><code>$ gpg --with-wkd-hash -k josch@mister-muffin.de | grep mister-muffin.de [...] 8yxgr5jjfok88r9um56kb44x9h4dyj7f@mister-muffin.de </code></pre> <p>I exported the key that I put there using the following command:</p> <pre><code>$ gpg --no-options --export --export-options export-minimal,export-clean \ --export-filter keep-uid=&quot;uid = Johannes Schauer Marin Rodrigues &lt;josch@mister-muffin.de&gt;&quot; \ F83356BBE112B7462A41552F7D5D8C60CF4D3EB4 </code></pre> <p>There is a handy validator for such setups that can be found here: <a href="https://www.webkeydirectory.com">https://www.webkeydirectory.com</a></p> <p>I had an interesting debugging experience when I tried to verify my setup in a fresh Debian chroot because I got this error message when I ran above command:</p> <pre><code>gpg: directory '/root/.gnupg' created gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: error retrieving 'josch@mister-muffin.de' via WKD: General error gpg: error reading key: General error </code></pre> <p>That&rsquo;s not very descriptive&hellip; Turns out, that I was missing the <code>ca-certificates</code> package. After installing it, everything worked as expected:</p> <pre><code>$ gpg --locate-key josch@mister-muffin.de gpg: key 7D5D8C60CF4D3EB4: public key &quot;Johannes Schauer Marin Rodrigues &lt;josch@mister-muffin.de&gt;&quot; imported gpg: Total number processed: 1 gpg: imported: 1 pub rsa4096 2013-07-04 [SC] F83356BBE112B7462A41552F7D5D8C60CF4D3EB4 uid [ unknown] Johannes Schauer Marin Rodrigues &lt;josch@mister-muffin.de&gt; sub rsa4096 2013-07-04 [E] sub rsa4096 2013-07-04 [S] sub rsa4096 2023-07-08 [S] </code></pre>