wks for sign-only keys
Erich Eckner
gnupg at eckner.net
Wed Jan 9 11:55:12 CET 2019
Hi,
I'm currently setting up wkd and wks on my server. This works great for
keys which can encrypt and sign. However, when I try to publish a
sign-only key, I get:
> /usr/lib/gnupg/gpg-wks-client -vvv --create
5FDCA472AB93292BC678FD59255A76DB9A12601A arch-packages at eckner.net
gpg-wks-client: gpg: writing to stdout
gpg-wks-client: submitting request to 'key-submission at szilassi.eckner.net'
gpg-wks-client: gpg: Total number processed: 1
gpg-wks-client: submitting key with user id 'Erich Eckner (just to sign
arch packages) <arch-packages at eckner.net>'
gpg-wks-client: gpg: 5FDCA472AB93292BC678FD59255A76DB9A12601A: skipped:
Unusable public key
gpg-wks-client: gpg: [stdin]: encryption failed: Unusable public key
gpg-wks-client: error running '/usr/bin/gpg': exit status 2
gpg-wks-client: encryption failed: Unusable public key
gpg-wks-client: creating request failed: Unusable public key
I understand, that the wks server sends back an encrypted email - which
it can't with the sign-only key. However, would it be possible to fall
back to an unencrypted email for keys which are not suited for
encrypting? In the end, the content will still be signed, thus authentic.
My understanding is, that the encrypted email from wks to the client
ensures:
a) client has the private key (unnecessary, as it already signed
something - or can be verified again by signing some given content)
b) client actually wants to publish its key (for that, no encryption is
needed, just a valid signature from the wks and from the client for the
answer)
Am i right?
regards,
Erich
More information about the Gnupg-devel
mailing list