Re: WKD for GitHub pages
On Fri, Jan 8, 2021 at 11:27 PM André Colomb wrote:
>
> Hi Stefan,
>
> your key seems to work fine over that WKD setup.
>
> > Now Wiktor's WKD checker gives the proper
> > results in the first part, not sure why not in the
> > second part.
>
> You don't need the "Advanced" method if the direct one already works.
> They basically exist to provide flexibility for server admins to decide
> whether they want to issue a TLS certificate for the whole domain
> matching the e-mail address, or just serve the WKD stuff through a
> dedicated "openpgpkey" subdomain. The latter could be easier if the WKD
> webserver should be isolated from other things on the domain.
>
> In your setup, the valid TLS certificate for sac001.github.io is the
> only one you'll get, so the "Direct" method fits perfectly.
>
> Nice idea actually, but you'd have to check if GitHub actually allows
> such use for "arbitrary" data distribution.
>
> Good night.
> André

Hi Andre,

as one could see from my previous reply, it does not work with gpg4win, and I tested it also under my Debian subsystem, which didn't work either. :-(

But (sorry to say this here on the GnuPG ML) the good news is I just tested it with an older version of sequoia-pgp and guess what, it works for me.
:-)

sq wkd get ste...@sac001.github.io
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 3731 D9F8 1352 A24D F7E5 F33A 0885 70FC E611 8FD8
Comment: Stefan Claas

-----END PGP PUBLIC KEY BLOCK-----

Regards and Good Night
Stefan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: WKD for GitHub pages
Hi Stefan,

your key seems to work fine over that WKD setup.

> Now Wiktor's WKD checker gives the proper
> results in the first part, not sure why not in the
> second part.

You don't need the "Advanced" method if the direct one already works. They basically exist to provide flexibility for server admins to decide whether they want to issue a TLS certificate for the whole domain matching the e-mail address, or just serve the WKD stuff through a dedicated "openpgpkey" subdomain. The latter could be easier if the WKD webserver should be isolated from other things on the domain.

In your setup, the valid TLS certificate for sac001.github.io is the only one you'll get, so the "Direct" method fits perfectly.

Nice idea actually, but you'd have to check if GitHub actually allows such use for "arbitrary" data distribution.

Good night.
André

--
Greetings...
Re: WKD for GitHub pages
On Fri, Jan 8, 2021 at 10:21 PM Stefan Claas wrote:
> I guess the only way to fix it (for many people) would be
> that, as of my understanding (now), the WKD check
> and SSL cert check would be a bit more flexible, either
> in allowing subdomains, like the github.io ones, in the form
> of a fix in the code or as a setting in GnuPG's config file.
>
> I could be totally wrong of course, so let's see what
> Werner says.

Well, I guess I am right, just did a gpg --debug-level guru under cmd.exe:

gpg --debug-level guru --locate-key ste...@sac001.github.io
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: [not enabled in the source] keydb_new
gpg: DBG: [not enabled in the source] keydb_search enter
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: SUBSTR: 'ste...@sac001.github.io'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
gpg: DBG: [not enabled in the source] keydb_search leave (not found)
gpg: DBG: chan_0x0254 <- # Home: C:/Users/Nutzer/AppData/Roaming/gnupg
gpg: DBG: chan_0x0254 <- # Config: C:/Users/Nutzer/AppData/Roaming/gnupg/dirmngr.conf
gpg: DBG: chan_0x0254 <- OK Dirmngr 2.2.25 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_0x0254 -> GETINFO version
gpg: DBG: chan_0x0254 <- D 2.2.25
gpg: DBG: chan_0x0254 <- OK
gpg: DBG: chan_0x0254 -> KEYSERVER --clear hkps://keyserver.ubuntu.com
gpg: DBG: chan_0x0254 <- OK
gpg: DBG: chan_0x0254 -> KEYSERVER
gpg: DBG: chan_0x0254 <- S KEYSERVER hkps://keyserver.ubuntu.com
gpg: DBG: chan_0x0254 <- OK
gpg: DBG: chan_0x0254 -> KEYSERVER --clear hkps://keyserver.ubuntu.com
gpg: DBG: chan_0x0254 <- OK
gpg: DBG: chan_0x0254 -> KS_GET -- =ste...@sac001.github.io
gpg: DBG: chan_0x0254 <- S PROGRESS tick ? 0 0
gpg: DBG: chan_0x0254 <- S SOURCE https://162.213.33.8:443
gpg: DBG: chan_0x0254 <- ERR 167772218 Keine Daten
gpg: Fehler beim automatischen holen von `ste...@sac001.github.io' über `keyserver': Keine Daten
gpg: DBG: chan_0x0254 -> KEYSERVER --clear hkps://keyserver.ubuntu.com
gpg: DBG: chan_0x0254 <- OK
gpg: DBG: chan_0x0254 -> DNS_CERT --dane ste...@sac001.github.io
gpg: DBG: chan_0x0254 <- ERR 167772187 Nicht gefunden
gpg: Fehler beim automatischen holen von `ste...@sac001.github.io' über `DANE': Nicht gefunden
gpg: DBG: chan_0x0254 -> DNS_CERT * stefan.sac001.github.io
gpg: DBG: chan_0x0254 <- ERR 167772187 Nicht gefunden
gpg: Fehler beim automatischen holen von `ste...@sac001.github.io' über `DNS CERT': Nicht gefunden
gpg: DBG: chan_0x0254 -> DNS_CERT --pka -- ste...@sac001.github.io
gpg: DBG: chan_0x0254 <- ERR 167772187 Nicht gefunden
gpg: Fehler beim automatischen holen von `ste...@sac001.github.io' über `PKA': Nicht gefunden
gpg: DBG: chan_0x0254 -> WKD_GET -- ste...@sac001.github.io
gpg: DBG: chan_0x0254 <- S SOURCE https://openpgpkey.sac001.github.io
gpg: DBG: chan_0x0254 <- S NOTE tls_cert_error 285212985 bad cert for 'openpgpkey.sac001.github.io': Hostname does not match the certificate
gpg: Hinweis: Der Server benutzt eine ungültiges Zertifikat
gpg: DBG: chan_0x0254 <- ERR 285212985 Falscher Name
gpg: Fehler beim automatischen holen von `ste...@sac001.github.io' über `WKD': Falscher Name
gpg: Fehler beim automatischen holen von `ste...@sac001.github.io' über `LDAP': Nich implementiert
gpg: error reading key: Nich implementiert
gpg: DBG: chan_0x0254 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=1 locks=0 parse=0 get=0
gpg:build=0 update=0 insert=0 delete=0
gpg:reset=0 found=0 not=1 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

Regards
Stefan
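To make the "Direct" and "Advanced" methods André describes concrete, and to show why the debug log above stops at openpgpkey.sac001.github.io with a name mismatch, here is an added example that is not code from the thread, from GnuPG or from sequoia. It derives both WKD lookup URLs (z-base-32 of the SHA-1 of the lowercased local part) and applies the single-label wildcard rule of RFC 6125; it assumes GitHub Pages serves a wildcard certificate for *.github.io, and takes the local part "stefan" from the DNS_CERT line in the log, since the archive elides it elsewhere.

```python
import hashlib

# z-base-32 alphabet as used by WKD (draft-koch-openpgp-webkey-service)
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 (MSB first, 5 bits per character).
    WKD only ever encodes a 20-byte SHA-1, which fills 32 characters exactly."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - nbits)  # left-align
    return "".join(ZB32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_urls(email: str) -> dict:
    """Derive the direct and advanced WKD URLs (key and policy file) for an
    address. Only the local part is hashed, after lowercasing it."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    base_direct = f"https://{domain}/.well-known/openpgpkey"
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    return {
        "direct": f"{base_direct}/hu/{hu}?l={local}",
        "direct_policy": f"{base_direct}/policy",
        "advanced": f"{base_adv}/hu/{hu}?l={local}",
        "advanced_policy": f"{base_adv}/policy",
        "advanced_host": f"openpgpkey.{domain}",  # host dirmngr must reach
    }


def cert_name_matches(cert_name: str, host: str) -> bool:
    """Hostname check in the spirit of RFC 6125: a '*.' wildcard covers
    exactly one DNS label, so '*.github.io' covers 'sac001.github.io'
    but not 'openpgpkey.sac001.github.io'."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]  # e.g. ".github.io"
    if not host.endswith(suffix):
        return False
    return "." not in host[: -len(suffix)]


if __name__ == "__main__":
    # Constructed run for the address discussed in the thread.
    urls = wkd_urls("stefan@sac001.github.io")
    for name, url in urls.items():
        print(f"{name:16} {url}")
    print("advanced host covered by *.github.io (assumed GitHub cert):",
          cert_name_matches("*.github.io", urls["advanced_host"]))
```

A client that contacts the advanced host first and treats a certificate name mismatch as fatal never reaches the direct URL, which is exactly the sequence the debug log shows.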
Re: WKD for GitHub pages
On Fri, Jan 8, 2021 at 10:07 PM André Colomb wrote:
>
> Hi Stefan,
>
> > I just started to set-up a github-page and have also verified
> > the page via Brave. I tried to set-up WKD for the page, like
> > I did in the past for my 300baud.de Domain, but fetching
> > the key with GnuPG does not work for me. :-(
>
> You could try the online WKD checker here:
> https://metacode.biz/openpgp/web-key-directory

Hi Andre,

I used Wiktor's WKD checker, which you link to. :-)

> It reports that the policy file is missing, which I think is a hard
> requirement, no?
>
> Also make sure that the MIME content type and
> Access-Control-Allow-Origin headers are set correctly.

I guess I have created a new use case, regarding WKD usage for GitHub pages and how Werner implemented WKD.

I guess the only way to fix it (for many people) would be that, as of my understanding (now), the WKD check and SSL cert check would be a bit more flexible, either in allowing subdomains, like the github.io ones, in the form of a fix in the code or as a setting in GnuPG's config file.

I could be totally wrong of course, so let's see what Werner says.

Regards
Stefan
Re: WKD for GitHub pages
Hi Stefan,

> I just started to set-up a github-page and have also verified
> the page via Brave. I tried to set-up WKD for the page, like
> I did in the past for my 300baud.de Domain, but fetching
> the key with GnuPG does not work for me. :-(

You could try the online WKD checker here:
https://metacode.biz/openpgp/web-key-directory

It reports that the policy file is missing, which I think is a hard requirement, no?

Also make sure that the MIME content type and Access-Control-Allow-Origin headers are set correctly.

Kind regards,
André

--
Greetings...
Re: WKD for GitHub pages
On Fri, Jan 8, 2021 at 7:36 PM Stefan Claas wrote:
>
> Ok, had a typo in the openpgpkey folder, ouch.
>
> Now Wiktor's WKD checker gives the proper
> results in the first part, not sure why not in the
> second part.
>
> Need to try to fetch my pub key.

Does not work, 'wrong name'.

I guess I could put a CNAME file into my GitHub folder, pointing to a Domain which I own, and upload a new key with that Domain, but this is *not* what I want to do, because of the opportunity it would give Windows users to follow my set-up without their own server and own domain, and because GitHub is globally probably not blocked and a trusted Domain for millions of programmers.

Regards
Stefan
Re: WKD for GitHub pages
Ok, had a typo in the openpgpkey folder, ouch.

Now Wiktor's WKD checker gives the proper results in the first part, not sure why not in the second part.

Need to try to fetch my pub key.

Regards
Stefan

On Fri, Jan 8, 2021 at 6:42 PM Stefan Claas wrote:
>
> Hi all,
>
> I just started to set-up a github-page and have also verified
> the page via Brave. I tried to set-up WKD for the page, like
> I did in the past for my 300baud.de Domain, but fetching
> the key with GnuPG does not work for me. :-(
>
> My key UID there is 'ste...@sac001.github.io'
>
> It would be really nice if a kind soul can help me to fix
> the issue.
>
> The idea here is the following:
>
> 1. A github.io pub key can IMHO serve as a multi-purpose usage
> key, thus not revealing the email address.
>
> 2. GitHub should be more protected against DDOS, compared
> to a website hosted on an own VPS server, IMHO.
>
> 3. One already has an SSL cert.
>
> 4. GitHub allows creating rich-content static web pages.
>
> 5. Brave verification, so that in case one Brave user likes
> to give a tip, it is possible too.
>
> 6. If this would work properly, Windows users, for example,
> would have an easy way to use WKD as well, without having
> an own server, Domain, etc.
>
> Hope you like the idea!
>
> Here's my URL, which leads to the GitHub project,
> containing the .well-known folder.
>
> https://sac001.github.io
>
> Any help would be greatly appreciated!
>
> Regards
> Stefan
WKD for GitHub pages
Hi all,

I just started to set-up a github-page and have also verified the page via Brave. I tried to set-up WKD for the page, like I did in the past for my 300baud.de Domain, but fetching the key with GnuPG does not work for me. :-(

My key UID there is 'ste...@sac001.github.io'

It would be really nice if a kind soul can help me to fix the issue.

The idea here is the following:

1. A github.io pub key can IMHO serve as a multi-purpose usage key, thus not revealing the email address.

2. GitHub should be more protected against DDOS, compared to a website hosted on an own VPS server, IMHO.

3. One already has an SSL cert.

4. GitHub allows creating rich-content static web pages.

5. Brave verification, so that in case one Brave user likes to give a tip, it is possible too.

6. If this would work properly, Windows users, for example, would have an easy way to use WKD as well, without having an own server, Domain, etc.

Hope you like the idea!

Here's my URL, which leads to the GitHub project, containing the .well-known folder.

https://sac001.github.io

Any help would be greatly appreciated!

Regards
Stefan