Setting up WKD with lighttpd
Web Key Directory is an approach for simple distribution of public PGP keys. The idea is that a mail client checks for a needed key automatically and the user can simply encrypt a mail, without further interaction (no searching on a keyserver or manual downloading and importing into GnuPG).
The first site you find searching for it is GnuPG's WKD wiki page. But, speaking for myself, this page is quite confusing, and setting up WKD seems to be quite complicated. Happily, it isn't ;-)
A nice blog post describes what has to be done when you want to set up WKD. Just in case the linked blog post is removed: providing PGP keys via WKD using the "direct" method (there's also an "advanced" method I didn't use) boils down to:
- Inside the web root of your HTTP server, create .well-known/openpgpkey/hu/
- Touch .well-known/openpgpkey/policy
- Find out your key's WKD hash (the letter salad before the @):
gpg --with-wkd-hash -k address@your-server.org
- Export the key without ASCII-armoring it to a file named like the hash:
gpg --export address@your-server.org > a3tboyto3mewxb6wip98xkoepyqqxy94
- Put the file in .well-known/openpgpkey/hu/
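To see what `gpg --with-wkd-hash` is actually computing for the file name, here is an added example in Python (not code from the original post or from GnuPG). It implements the hash from the WKD Internet-Draft (SHA-1 of the lowercased local part, z-base-32 encoded) and, going a bit beyond the post, builds the URLs a client fetches for both the "direct" and the "advanced" method. `Joe.Doe@Example.ORG` is the worked example from the draft; `address@your-server.org` is the placeholder address used in this post.

```python
# Added example (not from the original post or from GnuPG): reproduce the hash
# that "gpg --with-wkd-hash -k <address>" prints, and build the URLs a WKD
# client requests. Per draft-koch-openpgp-webkey-service the hash is the SHA-1
# of the lowercased local part, z-base-32 encoded (160 bits -> 32 characters).
import hashlib
from urllib.parse import quote

ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 (Phil Zimmermann's alphabet), without padding characters."""
    acc = 0        # bit accumulator
    nbits = 0      # number of not-yet-emitted bits in acc
    out = []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:  # left-over bits are zero-padded on the right to a full 5-bit group
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """The 'letter salad' gpg prints before the @: zbase32(sha1(lowercase(local-part)))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Direct- and advanced-method URLs for an address, as a WKD client requests them.

    The ?l= query parameter carries the local part verbatim (not lowercased),
    so a server could still distinguish case-sensitive mailboxes if it wanted to.
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    l_param = quote(local_part, safe="")
    return {
        "hash": h,
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}",
        # the direct method additionally requires this file to exist (it may be empty)
        "policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }


if __name__ == "__main__":
    # "Joe.Doe@Example.ORG" is the worked example from the WKD draft;
    # "address@your-server.org" is the placeholder address used in the post.
    for addr in ("Joe.Doe@Example.ORG", "address@your-server.org"):
        info = wkd_urls(addr)
        print(addr, "->", info["hash"])
        print("  direct:  ", info["direct"])
        print("  advanced:", info["advanced"])
```

The hash printed for your own address must match the output of `gpg --with-wkd-hash`; every file in `.well-known/openpgpkey/hu/` is named by exactly this 32-character string, with no extension, which is why the web server needs an explicit MIME type rule for that directory.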
Finally, you need to tell the HTTP server to deliver the correct MIME type for the key file(s). As usual, the article only contains configuration examples for Apache and nginx. As a lighttpd user, you're used to that ;-)
To make life a bit easier for the lighttpd users out there wanting to set up WKD, here's the snippet you need to make lighttpd deliver the correct MIME type and HTTP headers (the key files have no extension, so the empty-string key in mimetype.assign acts as the default for them; setenv.add-response-header needs mod_setenv loaded):
$HTTP["url"] =~ "^/.well-known/openpgpkey/hu/" {
    mimetype.assign = ( "" => "application/octet-stream" )
    setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )
}
You can validate your setup to be correct using gpg-wks-client, which is shipped with GnuPG:
gpg-wks-client -v --check address@your-server.org
Now go and make the world a bit better by setting up WKD ;-)