When used with the command --receive a single Web Key Service mail is processed. Commonly this command is used with the option --send to directly send the crerated mails back. See below for an installation example.
The command --cron is used for regualr cleanup tasks. For example non-confirmed requested should be removed after their expire time. It is best to run this command once a day from a cronjob.
The command --list-domains prints all configured domains. Further it creates missing directories for the configuration and prints warnings pertaining to problems in the configuration.
The command --check-key (or just --check) checks whether a key with the given user-id is installed. The process returns success in this case; to also print a diagnostic use the option -v. If the key is not installed a diagnostic is printed and the process returns failure; to suppress the diagnostic, use option -q. More than one user-id can be given; see also option with-file.
The command --install-key manually installs a key into the WKD. The arguments are a file with the keyblock and the user-id to install. If the first argument resembles a fingerprint the key is taken from the current keyring; to force the use of a file, prefix the first argument with "./". If no arguments are given the parameters are read from stdin; the expected format are lines with the fingerprint and the mailbox separated by a space.
The command --remove-key uninstalls a key from the WKD. The process returns success in this case; to also print a diagnostic, use option -v. If the key is not installed a diagnostic is printed and the process returns failure; to suppress the diagnostic, use option -q.
The command --revoke-key is not yet functional.
gpg-wks-server understands these options:
The Web Key Service requires a working directory to store keys pending for publication. As root create a working directory:
# mkdir /var/lib/gnupg/wks # chown webkey:webkey /var/lib/gnupg/wks # chmod 2750 /var/lib/gnupg/wks
Then under your webkey account create directories for all your domains. Here we do it for "example.net":
$ mkdir /var/lib/gnupg/wks/example.net
$ gpg-wks-server --list-domains
to create the required sub-directories with the permissions set correctly. For each domain a submission address needs to be configured. All service mails are directed to that address. It can be the same address for all configured domains, for example:
$ cd /var/lib/gnupg/wks/example.net $ echo email@example.com >submission-address
The protocol requires that the key to be published is send with an encrypted mail to the service. Thus you need to create a key for the submission address:
$ gpg --batch --passphrase '' --quick-gen-key firstname.lastname@example.org $ gpg -K email@example.com
The output of the last command looks similar to this:
sec rsa2048 2016-08-30 [SC] C0FCF8642D830C53246211400346653590B3795B uid [ultimate] firstname.lastname@example.org ssb rsa2048 2016-08-30 [E]
Take the fingerprint from that output and manually publish the key:
$ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \ > email@example.com
Finally that submission address needs to be redirected to a script running gpg-wks-server. The procmail command can be used for this: Redirect the submission address to the user "webkey" and put this into webkey's '.procmailrc':
:0 * !^From: firstname.lastname@example.org * !^X-WKS-Loop: webkey.example.net |gpg-wks-server -v --receive \ --header X-WKS-Loop=webkey.example.net \ --from email@example.com --send