wkd-exporter

Crates.io: wkd-exporter
lib.rs: wkd-exporter
version: 0.3.2
created_at: 2024-10-15 11:02:54.553898+00
updated_at: 2025-10-06 11:04:26.835898+00
description: Exports an OpenPGP keyring into an advanced WKD directory structure
repository: https://gitlab.archlinux.org/archlinux/wkd-exporter
id: 1409270
size: 1,589,041
Arch Linux Technical User (archlinux-github)


WKD exporter


Exports an OpenPGP keyring into a Web Key Directory (WKD) directory structure.

Install it using your package manager or via cargo:

cargo install --locked wkd-exporter

For bigger deployments, using the advanced variant with a domain filter is recommended:

$ DIR=$(mktemp -d)
$ gpg --export | wkd-exporter --append --domain archlinux.org $DIR
$ tree $DIR | head
/tmp/tmp.ZaHdlAQGRw
└── openpgpkey
    └── archlinux.org
        ├── hu
        │   ├── 46yqwra65to1p94e9ebafpucymkwsi7f
        │   ├── 9drt4xorn699rkbj5xyq7ykoc1z5nnof
        │   ├── 9hy3wi4ewwiicomnjmhewifn6d1gi87i
        │   ├── 9sh859e31bn46hmfxyftn3ymop5ewdkz
        │   ├── b9qi357oeysqibkxmmh3hanrppd6nj9p
        │   ├── btfkn1ht1kzda3e9495fe4sjznkygui4

For smaller deployments, the direct variant may be more appropriate:

$ DIR=$(mktemp -d)
$ gpg --export | wkd-exporter --append --direct metacode.biz $DIR
$ tree $DIR | head
/tmp/tmp.cxEBeXnwdv
└── openpgpkey
    ├── hu
    │   └── gebusffkx9g581i6ch4t3ewgwd6dctmp
    └── policy

Logging can be enabled using the RUST_LOG environment variable (e.g. RUST_LOG=wkd_exporter=debug enables debug-level logging). Errors are always logged, regardless of the log level, and the exit status indicates the type of the error.

See Key Discovery for differences between these two modes. The advanced variant is served from the openpgpkey subdomain (e.g. openpgpkey.example.com) while the direct variant is served from the root domain (e.g. example.com).
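To check an exported tree against the addresses you expect to publish, the following added example (not part of wkd-exporter) recomputes the hu/ file names and reports missing or unexpected entries. It assumes the WKD naming scheme from the Key Discovery draft (SHA-1 of the ASCII-lowercased local part, z-base-32 encoded); the function names and sample addresses are made up for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet


def wkd_hash(local_part: str) -> str:
    """File name under hu/: z-base-32 of SHA-1 over the local part.

    Only ASCII letters are lowercased before hashing (bytes.lower does that).
    """
    digest = hashlib.sha1(local_part.encode("utf-8").lower()).digest()
    bits = int.from_bytes(digest, "big")  # 160 bits -> 32 groups of 5 bits
    return "".join(ZBASE32[(bits >> s) & 31] for s in range(155, -1, -5))


def hu_dir(root: Path, domain: str, direct: bool) -> Path:
    """hu/ directory inside an export root, for the direct or advanced layout."""
    base = root / "openpgpkey"
    return base / "hu" if direct else base / domain.lower() / "hu"


def audit(root: Path, domain: str, emails: list[str], direct: bool = False):
    """Return (missing addresses, unexpected file names) for one domain."""
    expected = {}
    for email in emails:
        local, _, dom = email.rpartition("@")
        if local and dom.lower() == domain.lower():  # skip other domains
            expected[wkd_hash(local)] = email
    directory = hu_dir(root, domain, direct)
    present = {p.name for p in directory.iterdir()} if directory.is_dir() else set()
    missing = sorted(e for h, e in expected.items() if h not in present)
    unexpected = sorted(present - set(expected))
    return missing, unexpected


if __name__ == "__main__":
    # Constructed sample tree; the addresses are placeholders, not real users.
    with tempfile.TemporaryDirectory() as tmp:
        hu = hu_dir(Path(tmp), "example.org", direct=False)
        hu.mkdir(parents=True)
        (hu / wkd_hash("Joe.Doe")).write_bytes(b"")
        (hu / "stale-entry").write_bytes(b"")
        print(audit(Path(tmp), "example.org",
                    ["Joe.Doe@Example.ORG", "alice@example.org"]))
```

An unexpected entry is worth investigating before publishing, since anything under hu/ is served to clients that look up the matching address.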

This project can also be used as a library:

use wkd_exporter::{export, Options};

export(
    std::fs::File::open("tests/test-cases-default/simple.pgp").expect("file to exist"),
    "/tmp/well-known",
    &Options::default().set_append(true),
).expect("exporting to succeed");

Note that the CLI feature is enabled by default, so to minimize the number of dependencies it is advisable to disable default features when importing as a library:

cargo add wkd-exporter --no-default-features

Multiple certificates

The --append flag causes all certificates sharing the same local part (user in user@example.com) to be exported in the same location. By default the exporter leaves only the last certificate. Appending allows exporting several certificates, for example when a certificate has been rotated (one is revoked and one is current). Other workflows may also require multiple certificates, e.g. a code-signing certificate which is different from a regular one.

Note that if the same directory is reused for export with the --append flag enabled, multiple copies of the same certificate will end up in the target directory. For that reason it is advisable to use a fresh directory when using --append. That is one of the reasons why this flag is not enabled by default (even though it is recommended).

An alternative solution, certificate merging, is being implemented. If you're interested in this feature, please reach out and help stabilize it by testing it in your setup.

Packaging the CLI

To generate manpages for the wkd-exporter command-line program in the target/manpages directory, use the following task:

$ cargo xtask generate manpages target

The manpage can be read via man --local-file target/manpages/wkd-exporter.1

Generating shell completions to target/shell_completions uses this task:

$ cargo xtask generate shell_completions target

Tags are signed using SSH keys. The signature can be verified against the official list of signing keys (.config/git_allowed_signers file) via:

$ git -c gpg.ssh.allowedSignersFile=.config/git_allowed_signers verify-tag v0.2.0

License

This project is licensed under either of:

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this crate by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
