
Questions regarding WKD/WKS
Hello,

I am trying to implement WKD/WKS and followed the tutorial here:
https://wiki.gnupg.org/WKS

I have a few questions:

1. If I follow the guidelines for creating the directory /var/lib/gnupg/wkd, it has ownership webkey:webkey and permissions 2750. So there is no chance for the apache user to be able to read anything within that directory. I could solve that by adding the apache user to the webkey group. Is that the intended solution?

2. I am stuck when submitting a key to the submission address for confirmation. I have created a key for the submission address as suggested and I am submitting the key encrypted and signed with the key I am submitting. On the server side, gpg-wks-server fails when trying to decrypt the key because it cannot verify the signature:

gpg-wks-server: t2body for level 0
gpg-wks-server: t2body for level 1
gpg-wks-server: t2body for level 1
gpg-wks-server: gpg: armor header: Version: GnuPG v1.4.11 (GNU/Linux)
gpg-wks-server: gpg: public key is ***
gpg-wks-server: gpg: using subkey *** instead of primary key ***
gpg-wks-server: gpg: public key is ***
gpg-wks-server: gpg: encrypted with ELG key, ID ***
gpg-wks-server: gpg: using subkey *** instead of primary key ***
gpg-wks-server: gpg: encrypted with 3072-bit RSA key, ID ***, created 2022-11-30
gpg-wks-server: gpg:       "schluessel@***.de"
gpg-wks-server: gpg: AES256 encrypted data
gpg-wks-server: gpg: original file name=''
gpg-wks-server: gpg: Signature made Wed Nov 30 12:27:14 2022 CET
gpg-wks-server: gpg:                using DSA key ***
gpg-wks-server: gpg: Can't check signature: No public key
gpg-wks-server: error running '/usr/bin/gpg': exit status 2
gpg-wks-server: decryption failed: General error
gpg-wks-server: parsing decrypted message
gpg-wks-server: no suitable data found in the message
gpg-wks-server: command failed: No data

There's obviously no chance verification could succeed. How can I turn this off? I tried creating /home/webkey/.gnupg/gpg.conf and adding "skip-verify" to it. This works on the command line, but has no effect on gpg-wks-server.

3. What is the behaviour when the WKS server receives a key for an address for which it already has a (different) key? Will it replace the old key, will it refuse or ignore the new one?

Thanks,
Andreas

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Questions regarding WKD/WKS
On Thu, 1 Dec 2022 14:45, Andreas Heinlein said:

> 1. If I follow the guidelines for creating the directory
> /var/lib/gnupg/wkd, it has ownership webkey:webkey and permissions
> 2750. So there is no chance for the apache user to be able to read

That does not look right. You should have o+rx for the directories and
o+r for the files.

> suggested and I am submitting the key encrypted and signed with the

You should not sign the message.

The key to be published MUST be submitted using a PGP/MIME encrypted
message ({{{RFC(3156)}}}, section 4). The message MUST NOT be signed
(because the authenticity of the signing key has not yet been
confirmed).

I would also strongly suggest to use gpg-wks-client.

> gpg-wks-server: gpg: armor header: Version: GnuPG v1.4.11 (GNU/Linux)

GnuPG 1.4 - really? Don't do this. And in particular not a 12 year old
version.

> 3. What is the behaviour when the WKS server receives a key for an
> address for which it already has a (different) key? Will it replace
> the old key, will it refuse or ignore the new one?

The old key will be replaced after the confirmation has been received.


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: Questions regarding WKD/WKS
On 02.12.22 at 14:59, Werner Koch wrote:
> On Thu, 1 Dec 2022 14:45, Andreas Heinlein said:
>
>> 1. If I follow the guidelines for creating the directory
>> /var/lib/gnupg/wkd, it has ownership webkey:webkey and permissions
>> 2750. So there is no chance for the apache user to be able to read
> That does not look right. You should have o+rx for the directories and
> o+r for the files.
If I do that, I get:
gpg-wks-server: directory '/var/lib/gnupg/wks' has too relaxed permissions
gpg-wks-server: Fix by running: chmod o-rw '/var/lib/gnupg/wks'

This is gpg-wks-server version 2.2.27, as packaged with Debian 11. If this is a (known) bug, I may try to get it fixed.
>
>> suggested and I am submitting the key encrypted and signed with the
> You should not sign the message.
>
> The key to be published MUST be submitted using a PGP/MIME encrypted
> message ({{{RFC(3156)}}}, section 4). The message MUST NOT be signed
> (because the authenticity of the signing key has not yet been
> confirmed).
>
> I would also strongly suggest to use gpg-wks-client.
Thanks, I overlooked that. I find it a little difficult to instruct normal users to configure their client to sign mails, but make an exception when submitting their mail to the wks.

I cannot use gpg-wks-client here - our folks are using thunderbird. This is a known missing feature in thunderbird, WKS client support got lost when moving from Enigmail to their own implementation. See here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1695048

For the moment it would be nice if we could "stretch" the RFC a little and just ignore any signatures. Any way to achieve that, or would it be necessary to patch the wks server?
>
>> gpg-wks-server: gpg: armor header: Version: GnuPG v1.4.11 (GNU/Linux)
> GnuPG 1.4 - really? Don't do this. And in particular not a 12 year old
> version.
Yeah, I know. This was from an old testing machine, I wouldn't do that in real life ;-)
>
>> 3. What is the behaviour when the WKS server receives a key for an
>> address for which it already has a (different) key? Will it replace
>> the old key, will it refuse or ignore the new one?
> The old key will be replaced after the confirmation has been received.
That's what I expected.

Thank you,
Andreas
Re: Questions regarding WKD/WKS
On Thu, Dec 01, 2022 at 02:45:33PM +0100, Andreas Heinlein via Gnupg-users wrote:
> Hello,
>
> I am trying to implement WKD/WKS and followed the tutorial here:
> https://wiki.gnupg.org/WKS
>
> I have a few questions:
>
> 1. If I follow the guidelines for creating the directory
> /var/lib/gnupg/wkd, it has ownership webkey:webkey and permissions
> 2750. So there is no chance for the apache user to be able to read
> anything within that directory. I could solve that by adding the
> apache user to the webkey group. Is that the intended solution?

That is from this part:

mkdir /var/lib/gnupg/wks
chown webkey:webkey /var/lib/gnupg/wks
chmod 2750 /var/lib/gnupg/wks

That doesn't make sense to me. I think this might count as a
documentation bug. The original author probably wanted to leave the
directory sticky instead. At any rate, the web server needs access to
this directory. Something like adding the apache user to the webkey
group sounds like a reasonable approach.

Bruce
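An added example, not from the thread, the GnuPG wiki or gpg-wks-server itself: a small POSIX sh helper that works through the permission question above. It computes whether a given user (assumed here to be www-data, with or without membership in the webkey group) can enter the WKS directory from its octal mode and owner/group, and whether the mode would trip the "too relaxed permissions" refusal quoted by Andreas (the check is modelled on that message, which asks for o-rw, not copied from the server's source).

```shell
#!/bin/sh
# Added example for this thread (not from the GnuPG wiki or gpg-wks-server):
# decide, from a directory's octal mode plus owner/group, whether a given
# user can list and enter it, and whether gpg-wks-server would reject it
# as "too relaxed" (it asks for chmod o-rw, i.e. no read/write for others).

# last three octal digits of a mode such as 2750 -> 750
perm_bits() {
    p=$1
    while [ ${#p} -gt 3 ]; do p=${p#?}; done
    printf '%s' "$p"
}

# wkd_access MODE OWNER GROUP USER "SUPPLEMENTARY GROUPS" -> prints ok|denied
# A directory needs r (4) and x (1) for the class that applies to USER.
wkd_access() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    p=$(perm_bits "$mode")
    u=${p%??}; o=${p#??}; g=${p#?}; g=${g%?}
    if [ "$user" = "$owner" ]; then bits=$u
    elif printf ' %s ' "$groups" | grep -q " $group "; then bits=$g
    else bits=$o
    fi
    case $bits in
        5|7) printf 'ok' ;;
        *)   printf 'denied' ;;
    esac
}

# wks_server_mode_check MODE -> prints accepted|too-relaxed, mirroring the
# complaint quoted in the thread: any r or w bit for "others" is refused.
wks_server_mode_check() {
    p=$(perm_bits "$1")
    o=${p#??}
    case $o in
        0|1) printf 'accepted' ;;
        *)   printf 'too-relaxed' ;;
    esac
}

# Constructed scenarios from the thread: the wiki's 2750 locks the web
# server out unless it is added to the webkey group; 2755 lets it in but
# trips the server check; 2750 plus group membership satisfies both.
for m in 2750 2755; do
    printf '%s: www-data alone -> %s, in webkey group -> %s, server -> %s\n' \
        "$m" "$(wkd_access $m webkey webkey www-data '')" \
        "$(wkd_access $m webkey webkey www-data 'www-data webkey')" \
        "$(wks_server_mode_check $m)"
done
```

Run against a real directory, the mode, owner and group come from `stat -c '%a %U %G' /var/lib/gnupg/wks` and the web user's groups from `id -Gn www-data`.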
