Provide a method to build a simple WKD server file structure on Windows
Testing, Low, Public

Description

A user wants to create the flat WKD structure on Windows.

The steps of

https://wiki.gnupg.org/WKDHosting

do not work today, as they require a GNU/Linux machine for the Python bindings
or a rebuild of the new Python bindings for Windows.

werner added a subscriber: werner. Mon, Nov 26, 11:25 AM

Sorry, we won't implement a server for Windows. No sane provider uses Windows for a large mail setup.

werner triaged this task as Low priority. Mon, Nov 26, 11:26 AM

If they really want to do that for Windows, they can use some database approach like Protonmail does it. This does not require any file structure.

As I see it, Bernhard is just asking for the flat structure, so basically some export script that creates the needed files on Windows.

This makes me wish for an "export-wkd" (as we already have export-pka and export-dane) that would take a folder argument and then place a file in there for each userid, with a key only containing the userid that matches the filename.

@werner it is like @aheinecke writes:

We have a simple script to create a flat file structure just for serving for small email providers (like with just one or a handful of pubkeys).
Our current instructions with the two Python scripts only allow this for GNU-like systems. Some user contacted us about this, because he wanted to do this on Windows and did not find a way. One way to resolve this would be to build a python-gnupg package for Windows and make sure it runs with the python3 script available there.

... that would be useful in many ways. I'd say we should support anyone who wants to use python-gnupg on Windows.

And if the file structure is created on Windows, it might just be uploaded to a webserver, even if the email is served by a different provider or system.

gpg-wks-server --install-key fingerprint

does everything you want. But only on a Unix system. Your script needs to be adjusted for the changes in the protocol anyway. BTW, we have a portable scripting engine in GnuPG: gpgscm.

bernhard added a comment. Edited Tue, Nov 27, 8:28 AM

Precondition: A list of pubkeys, as a keyring or as a keyring file with a list of fingerprints.
Goal: a static file structure that can be uploaded to my webserver.
Platform: Windows; a better solution requires fewer additional dependencies apart from Gpg4win.

The two ways suggested so far:

Way 1: build python-gnupg and adapt the existing script

Needs a built python-gnupg package for Windows. Extra dependency: Python.

Way 2: develop a new script based on GnuPG tools

Use gpg-wks-server and gpgscm to develop a script doing this.
Does gpgscm come with Gpg4win already, or does it need to be built as an extra dependency?

Why not use PowerShell? Because --with-colons does not output the required hash? But that can't be the reason, because Python has the very same problem. Using Python for scripts is anyway a bit of overkill.

I am pretty sure I could implement that directory structure with standard cmd.exe features.

@werner Be my guest.

I had a glance at this to implement it in bash using standard tools (sha1 but no zbase32); it's not easy enough that I could do it with trivial effort. Yes, --with-colons is a problem. My understanding of bash regex is also not up to it, etc.

You will need to look for all keys with a uid for a domain, filter out expired / revoked / disabled keys using --with-colons. Then filter out all uids not belonging to that domain with export filters. Then sha1 and zbase32, parsing the GnuPG human-readable output.

I would probably do it by exporting the reduced keys first, then import them with a different homedir, parse the output of a key listing there to pair up uid with the sha1/zbase hash, then finally do an export using these pairs.

It's possible in cmd.exe and PowerShell for sure, but my PowerShell/cmd skill is definitely not up to that :-)
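The hashing and layout steps described in this thread (lowercase the local part, SHA-1 it, z-base-32 encode it, drop only the uids of the served domain into .well-known/openpgpkey/hu/ next to a policy file), as an added, dependency-free Python example that is not part of this task or of GnuPG. It assumes the per-uid key blobs have already been exported by gpg; the key bytes and addresses in demo() are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# z-base-32 alphabet used by WKD for the hashed local part
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (5-bit groups, zero-padded, no pad chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD file name for a uid: z-base-32(SHA-1(lowercased local part))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def build_direct_structure(root: str, domain: str, keys: dict) -> list:
    """Write the direct-method WKD tree below root for addresses in domain.

    keys maps an address to the binary OpenPGP key blob exported with only
    that uid. Addresses of other domains are skipped (the "export filter"
    step). Returns the relative paths written, in input order.
    """
    hu = Path(root) / ".well-known" / "openpgpkey" / "hu"
    hu.mkdir(parents=True, exist_ok=True)
    (hu.parent / "policy").touch()      # an (empty) policy file must exist
    written = []
    for address, blob in keys.items():
        local, _, addr_domain = address.rpartition("@")
        if addr_domain.lower() != domain.lower():
            continue
        target = hu / wkd_hash(local)
        target.write_bytes(blob)
        written.append(target.relative_to(root).as_posix())
    return written


def demo() -> list:
    """Build the structure in a temp dir from constructed sample keys."""
    sample_keys = {                      # constructed placeholders, not real keys
        "Joe.Doe@example.org": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(placeholder)\n",
        "alice@other.example": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(placeholder)\n",
    }
    return build_direct_structure(tempfile.mkdtemp(), "example.org", sample_keys)
```

The resulting tree can be copied as-is to the web root of the served domain; the test vector for Joe.Doe is the one given in the WKD draft.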

werner added a comment. Tue, Dec 4, 4:36 PM

With master we can now do:

gpg --list-options show-only-fpr-mbox -K | ./gpg-wks-client -v --install-key

to install all the own public keys in directories below openpgpkey (or one set with -C). You can even run this on your entire keyring by using -k or selecting certain keys. The sub directories are created as needed.

aheinecke changed the task status from Open to Testing. Wed, Dec 5, 12:00 PM

Sounds good! I give it to me for testing / documenting this.