Web Key Directory
WKD is a protocol to ship PGP keys to users. GnuPG implements it as of at least 2019.
See WKD for details from upstream.
Torproject only implements key retrieval, which works using HTTPS GET requests, and not any of the update mechanisms.
The directory is populated from the tor account-keyring. When
updates are pushed to the repo on alberti, a hook will rebuild the keyring,
rebuild the wkd directory tree, and push updates to the static mirrors.
Note that only keys with @torproject.org UIDs are included.
To build the tree, we currently use Debian's update-keyrings script.
Key retrievals can be tested using gpg's wks client:
weasel@orinoco:~$ systemctl --user stop dirmngr.service
Warning: Stopping dirmngr.service, but it can still be activated by:
dirmngr.socket
weasel@orinoco:~$ /usr/lib/gnupg/gpg-wks-client --check al@torproject.org && echo yay || echo boo
yay
Note that we're evaluating alternatives to our homegrown system, see issue 29671.
There's a linter that got phased out in May 2024, but the source code is still available.
Note that OpenPGP.org provides WKD as a service, provided that (a) we would accept trusting them with it and (b) we would like to get rid of this service.