Publish a certificate

TODO: publishing/generating with WKD and DANE is still changing.

Publishing a certificate is a bit more hands-on than retrieving one. sq can publish directly to keyservers; for other methods of dissemination, sq generates the necessary data.

The simplest way to publish to keyservers is:

$ sq network keyserver publish --cert EE99C48D11A4BE940569C4B3919EA6F609043A04

or, more generally:

$ sq network keyserver publish $QUERY

sq searches the cert store for certificates matching $QUERY and publishes all results. $QUERY can be:

  • A fingerprint: --cert $FINGERPRINT
  • A User ID: --userid "Alice Example"
  • An email address: --email alice@example.com
  • A file: --file $FILE

This example publishes the certificate to the default keyservers (keys.openpgp.org, mail-api.proton.me, keys.mailvelope.com, keyserver.ubuntu.com, sks.pod01.fleetstreetops.com). This list can be customized by adding --server to the command:

$ sq network keyserver publish --server hkps://keys.openpgp.org --server hkps://some.other.keyserver.tld --email alice@example.com

Please note that --server expects the parameter to include the protocol (e.g. hkps://).

Generating and publishing files for WKD

Web Key Directory (WKD) is another way of distributing certificates. It defines a scheme (two, in fact: the direct and the advanced method) that translates an email address into a URL. A web server configured accordingly then delivers the certificate on request.

This requires generating files and directories that comply with the scheme. sq can help by generating the required structure.

$ sq network wkd publish --create advanced --domain example.com --file certs.cert /tmp/foo

This will create all files and directories under /tmp/foo, starting with the subdirectory .well-known. From the keyring certs.cert, only certificates with User IDs in the domain example.com are included.

The above command generates a directory structure according to the 'advanced method', to be served at https://openpgpkey.example.com/.well-known/openpgpkey/.... If you need the 'direct method' (https://example.com/.well-known/openpgpkey/...), use --create direct on the command line:

$ sq network wkd publish --create direct --domain example.com --file certs.cert /tmp/foo

If a directory structure is already present, using --create returns an error:

Error: Cannot create WKD because /tmp/foo already contains one

Instead of reading the certificates from a file, you can fetch them from the cert store:

  • --cert $FINGERPRINT to use the certificate with that fingerprint
  • --userid $USER_ID to use any certificates matching $USER_ID
  • --email $EMAIL to use any certificates matching $EMAIL

$ sq network wkd publish --domain example.com --email alice@example.com /tmp/foo

or even all certificates for the domain that can be found in the cert store, by omitting the filtering query:

$ sq network wkd publish --domain example.com /tmp/foo

If --rsync is supplied, sq invokes a local copy of rsync, passing the destination as-is:

$ sq network wkd publish --rsync --domain example.com alice@myserver:/tmp/foo

More on hosting a WKD: https://wiki.gnupg.org/WKDHosting
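To check that a directory generated by sq (or a live server) really answers at the address a client will compute, it helps to derive the WKD URL yourself. The following is an added example, not part of sq or this guide: it implements the hashing described above (SHA-1 of the lowercased local part, z-base-32 encoded) and builds both the direct and advanced method URLs plus the expected file location under an output directory such as /tmp/foo.

```python
import hashlib
from pathlib import Path
from urllib.parse import quote

# z-base-32 alphabet prescribed by the WKD draft for encoding the hash.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 without padding; a 20-byte SHA-1 digest yields exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5].ljust(5, "0"), 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD hashes the local part lowercased, so Alice@ and alice@ map to the same file."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """Return the direct and advanced method URLs a client would fetch for `email`."""
    local_part, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    # The l= parameter carries the original local part so the server can recover its case.
    q = "?l=" + quote(local_part, safe="")
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{q}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{q}",
    }


def wkd_file_path(root: str, email: str, method: str) -> Path:
    """Where, under an output directory like /tmp/foo, the binary cert for `email` must sit."""
    local_part, domain = email.rsplit("@", 1)
    domain = domain.lower()
    base = Path(root) / ".well-known" / "openpgpkey"
    if method == "advanced":
        base = base / domain
    elif method != "direct":
        raise ValueError("method must be 'direct' or 'advanced'")
    return base / "hu" / wkd_hash(local_part)


if __name__ == "__main__":
    # Constructed sample address; the hash matches the example given in the WKD draft.
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(method, url)
    print(wkd_file_path("/tmp/foo", "alice@example.com", "advanced"))
```

Fetching the computed URL with curl and comparing the returned blob against the file sq wrote is a quick end-to-end check of a WKD deployment.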

Generating records for DANE

For publishing certificates via DNS (also known as DANE), a TXT record has to be added to the zone file of the mail domain.

The record can be generated like this:

$ sq network dane generate --domain example.com --email alice@example.com

The result will be printed to STDOUT.

This example generates a TXT record in OPENPGPKEY format. If your DNS server cannot handle that record type, you can generate a generic record by adding --type generic:

$ sq network dane generate --type generic --domain example.com --email alice@example.com

A more compact OPENPGPKEY record can be generated by specifying a size limit; sq will try to stay within that limit as best it can.

$ sq network dane generate --size-limit 1024 --domain sequoia-pgp.org --file certs.cert

More on DANE can be found here: https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/12/