Publish a certificate
Publishing a certificate is a bit more hands-on than retrieving one. sq can publish directly to keyservers; for other methods of dissemination, sq can generate the necessary data.
The simplest way to publish to keyservers is:
$ sq network keyserver publish --cert EE99C48D11A4BE940569C4B3919EA6F609043A04
or, more generally:
$ sq network keyserver publish $QUERY
sq searches the cert store for certificates matching $QUERY and publishes all results. $QUERY can be
- a fingerprint: --cert $FINGERPRINT
- a User ID: --userid "Alice Example"
- an email address: --email alice@example.com
- a file: --file $FILE
This example publishes the certificate to the default keyservers (keys.openpgp.org, mail-api.proton.me, keys.mailvelope.com, keyserver.ubuntu.com, sks.pod01.fleetstreetops.com). This list can be customized by adding --server to the command:
$ sq network keyserver publish --server hkps://keys.openpgp.org --server hkps://some.other.keyserver.tld --email alice@example.com
If --server is used, the default servers are ignored.
Please note that --server expects its parameter to include the protocol (e.g. hkps://).
Generating and publishing files for WKD
Web Key Directory (WKD) is another way of distributing certificates. It defines a scheme that translates an email address into a URL (there are actually two variants, the 'advanced' and the 'direct' method). A web server configured accordingly delivers the certificate on request.
This requires generating files and directories that comply with the scheme. sq can help by generating the required structure.
$ sq network wkd publish --create --domain example.com /tmp/foo
This will create all files and directories under /tmp/foo, starting with the subdirectory .well-known. From the cert store, only certificates with User IDs in the domain example.com are included.
The above command will generate a directory structure according to the 'advanced method', to be used as content for https://openpgpkey.example.com/.well-known/openpgpkey/... . If you need the 'direct method' (https://example.com/.well-known/openpgpkey/...), add --method direct to the command.
$ sq network wkd publish --create --method direct --domain example.com /tmp/foo
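To check that the structure sq wrote ends up where a WKD client will look, it helps to compute the lookup URL and on-disk path yourself. The following is an added example, not code from sq or the Sequoia project; it implements the address-to-URL mapping of the WKD scheme (SHA-1 of the lower-cased local part, z-base-32 encoded) for both the advanced and the direct method, with the directory root (/tmp/foo) as an assumption.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD for the hashed local part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first, no padding."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)  # right-pad to a 5-bit boundary
    return "".join(ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 0x1F] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' component: SHA-1 of the lower-cased local part, z-base-32 encoded (32 chars)."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_location(email: str, method: str = "advanced") -> tuple[str, str]:
    """Return (lookup URL, path relative to the directory root) for an address and method."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    domain = domain.lower()
    hu = wkd_hash(local)
    if method == "advanced":
        # advanced method: served from the openpgpkey subdomain, domain repeated in the path
        relpath = f".well-known/openpgpkey/{domain}/hu/{hu}"
        url = f"https://openpgpkey.{domain}/{relpath}?l={quote(local, safe='')}"
    elif method == "direct":
        relpath = f".well-known/openpgpkey/hu/{hu}"
        url = f"https://{domain}/{relpath}?l={quote(local, safe='')}"
    else:
        raise ValueError(f"unknown WKD method: {method!r}")
    return url, relpath


if __name__ == "__main__":
    # Assumed directory root, matching the sq invocation above.
    root = "/tmp/foo"
    for method in ("advanced", "direct"):
        url, relpath = wkd_location("alice@example.com", method)
        print(f"{method}: {url} -> {root}/{relpath}")
```

The ?l= parameter keeps the local part as written, while the hash is always computed over its lower-cased form; if the file sq produced is not at the printed path, the published WKD will not resolve for that address.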
If there is already a directory structure present, using --create will return an error:
Error: Cannot create WKD because /tmp/foo already contains one
The certificates to include in the WKD directory structure can be selected using the following designators:
- --cert $FINGERPRINT: use the certificate with that fingerprint
- --userid $USER_ID: any certificates matching $USER_ID
- --email $EMAIL: any certificates matching $EMAIL
Instead of using the cert store, certificates can also be taken from a keyring using --cert-file $FILE:
$ sq network wkd publish --cert-file /path/to/some/keyring.pgp --domain example.com --email alice@example.com /tmp/foo
or even all certificates for the domain that can be found in the cert store, by passing --all instead of a filtering query:
$ sq network wkd publish --domain example.com /tmp/foo --all
If supplied with --rsync, sq invokes a local copy of rsync, passing the destination as-is.
$ sq network wkd publish --rsync --domain example.com alice@myserver:/var/www/html --all
More on hosting a WKD: https://wiki.gnupg.org/WKDHosting
Generating records for DANE
For publishing certificates via DNS (aka DANE), a TXT record has to be added to the zone file of the mail domain.
The record can be generated like this:
$ sq network dane generate --domain example.com --cert-email alice@example.com
The result will be printed to STDOUT.
This example will generate a TXT record in OPENPGPKEY format. If your DNS server cannot handle this type of record, you can generate a generic record by adding --type generic.
Instead of specifying the certificates to publish (by --cert-email, --cert-userid, or via fingerprint with --cert), you can choose --all.
$ sq network dane generate --type generic --domain example.com --cert-email alice@example.com
A more compact form of an OPENPGPKEY record can be generated by adding a size limit. sq will try to stay within that limit as best it can.
$ sq network dane generate --size-limit 1024 --domain example.com --all
More on DANE can be found here: https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/12/